First, in legalese: The second set of modifications to the proposed regulations promulgated by the California attorney general’s office for the California Consumer Privacy Act was released late Wednesday afternoon.
Now, in English: The third version of the AG’s draft regs just dropped and it’s time to get out your highlighters.
This latest draft incorporates feedback gathered during a 15-day comment period on draft No. 2.The deadline to submit written comments is March 27.
For those keeping track, CCPA enforcement is still officially set to begin on July 1, which doesn’t leave a lot of time for companies still questing for clarity on their compliance regimes.
So, what are the changes? It’s a little confusing …
… but we’ve got you covered.
Click here to read a redline (and green-line and blue-line) version of the latest modifications.
Button be gone
The newly proposed regs do away with the highly unpopular opt-out button design that was put forward in the second draft.
Under the CCPA, consumers have the right to opt out of the sale of their personal info, and businesses need to inform consumers that they have that right and also give them the ability to opt out. One suggested method is via a voluntary opt-out button that links to the business’s privacy notice.
But the opt-out button suggested by the AG rubbed almost everyone the wrong way, privacy advocates and lawyers alike, who all complained that the half-baked toggle-like design made the button look interactive – which it wasn’t.
Weirdly, the AG simply nixes the button proposal and doesn’t offer up another option in the new draft.
Do Not Track … really is back
The second draft of the regs included language that appeared to cement Do Not Track as a requirement under CCPA by calling for businesses that collect personal information from consumers online to honor global user-enabled privacy controls.
But there were a few qualifiers, including that consumers would have to “affirmatively select their choice to opt out” using the privacy controls, be they a browser plugin, privacy setting, device setting or other mechanism, and that these controls couldn’t be designed with any preselected settings.
The latest draft does away with both qualifiers, paving the way for DNT by default across browsers.
IP addresses
In the previous version of the draft regs, the AG provided a bit of clarification on when information is considered personal and when it’s not. An IP address, for example, is only considered personal info if a business can “reasonably link” it with a particular consumer or household – well, actually, scratch that.
The AG removed that language wholesale from the new draft. Looks like the carveout for IP addresses is gone.
Easy come, easy go.
What’s next?
Could we be in store for a fourth draft? Anything’s possible. If the AG makes substantial changes to the third draft based on the comments due March 27, that’ll trigger yet another 15-day comment period.
What’s most likely, though, is that the AG will release its final version sometime in early or mid-April. After that, California’s Office of Administrative Law will have to approve the proposed regs, a process that could take another 30 days.
