Home Privacy California AG Publishes Updated CCPA Regs With Far More Clarity Than The First Draft
Privacy

California AG Publishes Updated CCPA Regs With Far More Clarity Than The First Draft

By

SHARE:

The California attorney general’s office has released the second draft of its implementation regulations for the California Consumer Privacy Act.

The updated regs, published late Friday, take into consideration feedback received during a 45-day comment period that ended in December. The AG is accepting comments on the amended proposed regulations until Feb. 25 (extended from Feb. 24).

Although the law has been in effect since Jan. 1, the AG can’t start bringing enforcement actions until July 1. The purpose of the implementation regs is to provide businesses with practical information they can use to operationalize the law between now and then.

Click here to read a redline version of the revised regs that shows all of the changes between the first draft and the second. There’s a lot in there, but here are some of the main takeaways and clarifications as the regs wend their way toward completion.

Personal info

The draft regs clarify when personal information is considered personal and when it isn’t, which depends on the manner in which the information is maintained. If a business collects the IP addresses of visitors to its site, for example, but doesn’t, and couldn’t reasonably, take the extra step of linking that IP address to any individual consumer or household, then the IP address isn’t “personal information” under the law.

The button

Consumers have the right to opt out of the sale of their personal information, and businesses need to inform consumers of that right and give them the ability to opt out, either through a link to a privacy policy and/or a voluntary opt-out button that also links to the notice.

The first version of the AG’s regs didn’t provide any guidance on what this button should actually look like, but the second draft does, and behold!

The button, which looks like an on/off toggle, has to be roughly the same size as other buttons of the company’s site. But, considering the button is optional – it may be used in addition to, but not as a substitute for, the notice of a consumer’s right to opt out – it’s unclear how many businesses will decide to implement it.

Do Not Track

Subscribe

AdExchanger Daily

Get our editors’ roundup delivered to your inbox every weekday.

Daily Roundup

Daily News Roundup

YouTube Brings Back Misinfo Merchants; Tylenol Protects Its Brand Against Autism Claims

Businesses that collect personal information from consumers online will need to honor global user-enabled privacy controls, such as a browser plug-in, privacy setting, device setting or other mechanism that signals a consumer’s choice to opt out of the sale of their personal information.

If a global privacy control conflicts with a consumer’s business-specific privacy setting, the business still needs to honor it, but is also allowed to alert the consumer of the conflict and give the person a chance to either confirm their choice or change their mind.

Do Not Track is alive and well in California.

Setting expectations

Apps that collect the sort of info from mobile devices that a consumer would “not reasonably expect” it to collect will be required to provide just-in-time notifications with a summary of the categories of personal info being gathered and a link to the full privacy notice at the time of collection.

The regs offer a practical example. Say a business has a flashlight app that collects geolocation data. That business will have to provide a real-time notice about what it collects right when consumers open the app.

Sounds like another nail in the coffin for background data collection.

Service providers

There’s a little more info in the regs on what service providers can and can’t do with personal information.

Service providers, which are akin to data processors under Europe’s General Data Protection Regulation, can use a business’s personal information internally to build or improve the quality of their services – but not for profiling. They cannot build or modify household or consumer profiles or clean or augment data acquired from another source.

Data from before

Businesses that don’t and don’t intend to sell personal information during a certain time period are exempt from providing consumers with a notice of their right to opt out during that time period. But what about personal information that was collected before the CCPA went into effect?

The regs state that businesses aren’t allowed to sell personal information collected during a time when they didn’t have a notice posted and that, if they want to, they’ve got to obtain a consumer’s “affirmative authorization,” aka, an opt-in.

The regs are unclear, however, if businesses need to get an opt-in on data they collected before Jan. 1, 2020. If they do, CCPA compliance just got a lot more complicated.

Must Read

Chris Mufarrige, director, Bureau of Consumer Protection, FTC
Data Privacy Roundup

FTC Consumer Protection Chief: No Easy Answers On Privacy, ‘Only Trade-Offs’

Privacy isn’t black-and-white, says the FTC’s Chris Mufarrige, promising evidence-driven consumer protection cases under the Trump administration.

Publishers

How Encryption Keys Could Resolve The TID Furor

Rather than sharing universal TIDs that any DSP or curator can access, Raptive says publishers should instead share encrypted TIDs with an encryption key provided only to trusted demand-side partners.

Digital Out-Of-Home

Clear Channel Brings Mid-Flight Measurement To Its OOH Network

Clear Channel will provide advertisers weekly, mid-flight reports on outcomes driven by its inventory in order to bring OOH measurement closer to the speed of digital.

Privacy! Commerce! Connected TV! Read all about it. Subscribe to AdExchanger Newsletters
FTC Commissioner Mark Meador speaking at the NAD's annual conference in Washington, DC on Sept. 16, 2025. (Photo: Brian O'Doherty)
Federal Trade Commission

FTC Commissioner Mark Meador: ‘No Human Society Can Long Survive Without Consumer Trust’

Keeping American kids safe in what FTC Commissioner Mark Meador calls “an increasingly complex and fast-paced technological environment” is a top priority for the agency.

Comic: "Deal ID, please."
Commerce

Amazon Expands Its Programmatic Integration With SiriusXM

On Tuesday, Amazon DSP announced an expanded integration with satellite radio company SiriusXM.

Rembrand merges with Spaceback
ad tech M&A

Omar Tawakol Is Merging His AI Startup Rembrand With Spaceback

Rembrand announced that it’s merging with creative automation startup Spaceback to build a unified AI-powered platform for “content-based” CTV, digital video and display.

Popular

  1. Scott Young, Co-Founder & Chief Product Officer, Transmit
    OPINION: Data-Driven Thinking

    SSPs Are Facing Extinction – And Only Bold Differentiation Can Save Them

    SSPs are staring at their own demise. And it’s because, for over a decade, SSPs have positioned themselves as agnostic platforms.

  2. antitrust

    DOJ v. Google: During Opening Arguments, The DOJ And Google Battle Over An AdX Divestiture

    Court is back in session. And the fate of  the open internet is in the balance.

  3. feedback loop
    attribution

    The Trade Desk and Acxiom Deepen Their UID2 Collaboration With An AI-Powered Measurement Solution

    The Trade Desk and Acxiom have a new product that plugs into Kokai to create a live feedback loop between UID2 IDs and real-world outcomes.

  4. Marketers

    AI Is Evolving Faster Than Expected – But Still Can’t Be Rushed

    Trevor Carr, newly appointed Head of CSA, North America at Havas, discusses data and tech consulting and AI trends.

  5. A cartoon showing a marketer and agency standing outside a burning house. "So, what color should we paint the walls?" Caption: Totally Brand Safe
    Daily News Roundup

    Jimmy Kimmel Live(s On), No Thanks To Brands; The Case For Ad-Supported Wikipedia

    Kimmel’s back, baybee; would ads make Wikipedia better, actually?; and Amazon gets accused of dark patterns.