California Consumer Privacy Act

For companies scrambling to button up their California Consumer Privacy Act (CCPA) compliance by the July 1 enforcement date,  some news out of the state capital of Sacramento:

Per a memorandum issued June 24, 2020 by the California Secretary of State, the California Privacy Rights Act (CPRA), often dubbed “CCPA 2.0”, has collected a sufficient

A comment requested that the California Attorney General clarify the specific requirements for making privacy notices “easy to read and understandable to the average consumer” under the California Consumer Privacy Act regulations.

The Attorney General responded:
  • The provisions of Section 999.305(a)(2) are sufficient to make this clear.
  • Also, notices cannot be misleading.
Contrast:
  •  European Union: 

A comment asks the California Attorney General if directing a consumer to an online form could constitute a valid notice at collection under the recently finalized California Consumer Privacy Act regulations.

The Attorney General says it can’t confirm or deny.

The AG says nothing prevents a business from directing a consumer to a place where

Would conspicuous by any other name … link as effectively?

Multiple comments to the final California Consumer Privacy Act regulations ask the California Attorney General to explain what “conspicuous link” means for the purpose of the notice at collection, privacy policy and notice of opt-out under CCPA.

The California Attorney General responds:

In one response:

More responses from the California Attorney General to questions about the final California Consumer Privacy Act regulations:

Q. Can a business use an IP address to determine if a website visitor is a California consumer?

California Attorney General: Can’t confirm or deny.

“Nothing prevents a business from using an IP address to determine the location for valid business purposes. Whether or not that is a reliable or definitive method to determine residency raises specific legal questions that may require a fact specific determination.”

CCPA Final Regs IP Address and Residence Odia Kagan

Q: Should backup and archive systems be excluded from the deletion requirement pursuant to a CCPA consumer delete request?


Continue Reading CCPA Regulations: IP Addresses and Residence, Backup and Archive Systems, Opt-Outs and Third Parties

The California Attorney General has addressed a wide range of questions from businesses and other interested parties, in responding to comments to final California Consumer Privacy Act (CCPA) regulations. Here are three involving opt-out links, deletion of personal information and the meaning of the the phrases “reasonably anticipated within the context of a business” and “reasonably aligned with the expectations of the consumer,” and whether IP addresses are personal information.

Q: Is it possible to use traditional opt out links (e.g to opt out of cookies) instead of the “Do Not Sell My Personal Information” link?

California Attorney General: No. This is inconsistent with the language and intent of CCPA.

No alt text provided for this image

Q: Can you provide further guidance to clarify the meaning of “reasonably anticipated within the context of a business” and “reasonably aligned with the expectations of the consumer.” These are two open-ended exceptions to the obligation to delete personal information pursuant to a consumer request to delete which have the potential to be very useful to businesses.


Continue Reading CCPA Regulations: ‘Opt Out’ Links, Deletion of Personal Information, IP Addresses

Exactly which consumer rights need to be explained in a  privacy notice? The California Attorney General recently addressed this question in responding to comments to final California Consumer Privacy Act (CCPA) regulations.

Q: When drafting a privacy notice, do you need to include only the individual rights which are relevant to your data processing or