The California Attorney General has addressed a wide range of questions from businesses and other interested parties, in responding to comments to final California Consumer Privacy Act (CCPA) regulations. Here are three involving opt-out links, deletion of personal information and the meaning of the the phrases “reasonably anticipated within the context of a business” and “reasonably aligned with the expectations of the consumer,” and whether IP addresses are personal information.

Q: Is it possible to use traditional opt out links (e.g to opt out of cookies) instead of the “Do Not Sell My Personal Information” link?

California Attorney General: No. This is inconsistent with the language and intent of CCPA.

Q: Can you provide further guidance to clarify the meaning of “reasonably anticipated within the context of a business” and “reasonably aligned with the expectations of the consumer.” These are two open-ended exceptions to the obligation to delete personal information pursuant to a consumer request to delete which have the potential to be very useful to businesses.

AG: No. Further guidance would not be helpful.

Q: Does an IP address constitute personal information subject to all CCPA obligations?

Some comments to the regulations requested a statement that IP addresses are never personal information; and that targeted advertising and real-time bidding therefore do not constitute a sale.

The California Attorney General responded:  “It’s complicated.”

• Personal information is a broad term and includes IP addresses
• Proposed amendment to the law to carve targeted advertising out of the definition of sale has failed
• The provision in the previous version of the Regs carving out IP from the definition of personal information was deleted in order to finalize the Regs by July 1.
• Further analysis is required as to whether our not additional regulations are needed on this topic.