The California Attorney General has addressed a wide range of questions from businesses and other interested parties, in responding to comments to final California Consumer Privacy Act (CCPA) regulations. Here are three involving opt-out links, deletion of personal information and the meaning of the the phrases “reasonably anticipated within the context of a business” and “reasonably aligned with the expectations of the consumer,” and whether IP addresses are personal information.
Q: Is it possible to use traditional opt out links (e.g to opt out of cookies) instead of the “Do Not Sell My Personal Information” link?
California Attorney General: No. This is inconsistent with the language and intent of CCPA.
Q: Can you provide further guidance to clarify the meaning of “reasonably anticipated within the context of a business” and “reasonably aligned with the expectations of the consumer.” These are two open-ended exceptions to the obligation to delete personal information pursuant to a consumer request to delete which have the potential to be very useful to businesses.
AG: No. Further guidance would not be helpful.
Q: Does an IP address constitute personal information subject to all CCPA obligations?
Some comments to the regulations requested a statement that IP addresses are never personal information; and that targeted advertising and real-time bidding therefore do not constitute a sale.
The California Attorney General responded: “It’s complicated.”
- Personal information is a broad term and includes IP addresses
- Proposed amendment to the law to carve targeted advertising out of the definition of sale has failed
- The provision in the previous version of the Regs carving out IP from the definition of personal information was deleted in order to finalize the Regs by July 1.
- Further analysis is required as to whether our not additional regulations are needed on this topic.