(Civ. The requirement benefits consumers by making notices more conspicuous in instances in which their personal information is being collected for purposes not reasonably expected. Furthermore, simply putting up a new notice on a website after a consumer has already provided personal information, when that consumer may be unlikely to revisit the website (and even more unlikely to revisit the notice), is not meaningful consumer notice. For the purpose of processing personal information, the CCPA contemplates service providers to be an extension of the business for which it provides services. Accordingly, the definition of “categories of third parties” has been modified to clarify this point. Subsection (a) has been modified in three ways. The subsection has been modified by changing “other than” to “materially different than.” This change was made in response to numerous comments urging that the restrictions be limited to uses that are “materially different” from those disclosed in the notice and is necessary to make the language of the regulation consistent with privacy best practices. Subsection (e) thus benefits consumers by allowing them to access, in one place, the information they need to exercise the right to opt-out of the sale of personal information from data brokers selling their personal information. It benefits businesses by clarifying requirements for businesses and giving them the flexibility to shorten the language included in the actual application. If the business declines to do so, the business can simply provide the consumer with a pre-formulated response with information on how to submit the request and remedy deficiencies. It is necessary to preserve the consumer’s ability to object to the use of their personal information for new purposes, particularly because the business already has their personal information. Such an approach would allow businesses to engage in passive notice updates without allowing consumers any agency to control how their personal information is used. This subsection is necessary to provide transparency into business practices that defy consumers’ reasonable expectations, particularly when those uses are not reasonably related to an application’s basic functionality. It's the Final (CCPA) Countdown: Takeaways from CA AG CCPA Regulations Final Statement of Reasons Published on June 3, 2020 June 3, 2020 • 36 Likes • 3 Comments Civil Code section 1798.140, subdivision (v), defines a “service provider” as one who “processes information on behalf of [the] business” that provided the personal information, pursuant to a contract that prohibits “retaining, using, or disclosing the personal information for a commercial purpose other than providing the services specified in the contract.” Relatedly, a business does not “sell” personal information when it transfers that data to a service provider, provided that the service provider does not “collect, sell, or use the personal information of the consumer except as necessary to perform the business purpose” of the business that provided the personal information. In addition, California law already imposes a separate and distinct legal regime to access information held by public entities, including requirements and exceptions that differ from the CCPA. Throughout CCPA and the guidance from the California Attorney General’s office, there are mentions of “households” — these are groupings of individuals, sometimes related to each other and other times just living together, who may have overlapping data or an interest in restricting access to their data from other members of the household. The California AG made it clear that the California Data Broker Registry was not only going to be essential for businesses to comply with who are in the business of buying or selling user data, but also pointed out that new industries and privacy innovation can be built with these registries via efforts to standardize global opt-out signals. In the final statement of reasons, the DOJ says: “determining the appropriate verification standard is fact- and scenario-specific.” 8–9.) The modification is necessary to align this provision with section 999.305, subsections (a)(3)©, (b)(3), and (b)(4). The majority of businesses disclose that they do not comply with those signals, meaning that they do not respond to any mechanism that provides consumers with the ability to exercise choice over how their information is collected. The regs attempt to reconcile the amendments as well as to provide guidance on the rights and obligations of businesses, service providers and third parties under the CCPA. The purpose of this post was to flag some important sections that need to be reviewed by digital strategists, Data Protection Officers, and lawyers working with big data, and flag a few issues that deserve more debate. In addition to addressing authorized agents, the Final Statement of Reasons sets forth a separate justification for including the definition of “signed” in the CCPA regulations, concluding that the inclusion of this new definition was necessary because businesses “may require consumers to verify their identity by providing a ‘signed’ declaration under penalty of … Technically, a household oftentimes shares an IP address range between the members of the household, which can be used as a persistent identifier by advertising and analytics companies. This change is necessary because it provides direction to businesses on what to communicate to consumers when they are prohibited from disclosing these specified pieces of personal information. Subsection (k) was formerly subsection (h) and has been renumbered. California Attorney General Xavier Becerra has submitted a final California Consumer Privacy Act (CCPA) regulations package. The regulation benefits both businesses and innovators who will develop such controls by providing guidance on the parameters of what must be communicated. I believe the California Attorney General’s office, if they haven‘t already, should clarify to businesses that users should be provided with choice (or businesses flat banned) from merging the data submitted in a Right to Know/Delete into larger customer data profiles, at least without user consent. This language was added in response to public comments seeking guidance on whether businesses could include this link through their mobile application’s settings menu. The AG’s guidance clearly shot down this argument, and the CCPA guidance seems to make it clear that a new purpose (like COVID location data sales using existing mobile data) would not be CCPA compliant and requires a business to request permission to use the existing data for the new purpose: Some comments have interpreted Civil Code section 1798.100, subdivision (b), as only requiring an additional notice and prohibiting a consumer-consent requirement. These modifications also provide more guidance to businesses concerning the information they are required to provide to consumers, especially when responding to a request to know. It also no longer requires a business to notify all third parties to whom it sold the consumer’s personal information within 90 days prior to its receipt of the opt-out request, or to direct those third parties not to sell the consumer’s information. Unfortunately, while the Addendum to the Final Statement of Reasons explains what changes were made, it provides no detail as to why. Furthermore, this modification benefits consumers by ensuring that they can make discrete choices about the sale of their personal information while still enjoying the ease and reduced friction of not having to submit separate requests to opt-out on multiple websites or applications. Subsection (a)(5) concerns restrictions on a business’s use of a consumer’s personal information for purposes other than those disclosed in the notice at collection. These public and nonprofit entities also store documents in cloud storage, use email systems provided by third parties, and employ vendors to manage data. If you are a business with significant user data (10+ million consumers in a calendar year), you don’t get to start every month coming up with new monetization strategies for your existing user data without getting permission from users to use their existing data for materially different efforts — and with the new categories of sources being clarified by the CA AG to now include: “Advertising Networks, Internet Service Providers, Data Analytics Providers, Operating Systems and Platforms, Social Networks, and Data Brokers” — things are about to get much more serious for organizations who have treated user consent like a blank check for future user data monetization efforts. The requirement that businesses operating a website must provide an interactive webform has also been deleted. The final regulations largely match the final proposed regulations that California Attorney General Xavier Becerra submitted to the OAL in June. I’m on Twitter @ thezedwards for any questions or feedback. The Final Regs posted by the OAG include several changes when compared to the proposed final regulations submitted by the OAG to the OAL for administrative review on June 1 ( see redline here ). The CCPA regulations purport to do so via additional definitions; further detail on the contents of consumer notices; clarification of the methods in-scope businesses must offer to consumers for submitting requests to know, delete and opt out (or opt in); specificity relating to verification of requests; and more. The final implementing regulations are similar to the The final draft (issued August 14, 2020) incorporates some relatively minor changes that the OAG submitted as part of its final rulemaking package, as summarized in its addendum to the final statement of reasons.In addition to generally “non-substantive” edits … Final Regulations Changes There are several significant sections on the appropriate way to respond to requests, and how quickly these need to be done. CCPA should not be used to append new data to customer records, and attempts to do that should only be possible with strong communication to users about that process. The change also benefits consumers by not overwhelming them with notices for every minor change, which may result in notice fatigue. Businesses should provide assistance to consumers who may be unaware of the business’s designated method for submitting CCPA requests or may have made a mistake by contacting the business via some other method. The OAG explains this process in its latest press release and provides explanation of the changes made in the final regulation in its Addendum to Final Statement of Reasons. ©(1)(e), 999.313, subd. These restrictions are necessary because the consumer could have reasonably relied on the notice when interacting with the business and allowing it to collect their personal information. 0 There is a long history of browsers, publishers, and advertising companies trying to agree on global opt-out signals, and CCPA urges this process to continue and for consensus to be made so that consumers can opt-out via global privacy controls. It benefits businesses by reinforcing and streamlining their compliance with the data broker registry law and the CCPA. While the alternative of allowing a subsequently posted notice of right to opt-out to apply retroactively would be less burdensome to businesses, it would not be as effective in informing the consumer of their right at the point of collection, when the consumer may be most aware of what personal information the business is collecting from them. There are potentially scenarios where a business tries to reduce CCPA compliance costs by offloading certain customers (maybe product returns?) (a)(4)©.) This section of the Reasons will need more clarification but I’ve been waiting for some part of the CCPA guidance that could apply to how some businesses upload additional User Data to Google Analytics, and associate that data with UserIDs shared between the business and Google — these match tables are used to improve an understanding of marketing funnels, KPIs, and profitability — and are certainly for a “commercial purpose” and provide valuable new data and context for both the business and Google. Former subsection (f), regarding the proposed opt-out button, has been deleted in response to the various comments received during the public comment period. In a press conference, the AG’s office iterated that the proposed regulations and Initial Statement of Reasons are among the best resources to follow for the CCPA’s expected implementation. %PDF-1.6 %���� Subsection (b) has been modified in two ways. By requiring that a privacy control be designed to clearly communicate or signal that the consumer intends to opt-out of the sale of personal information, the regulation sets clear parameters for what the control must communicate so as to avoid any ambiguous signals. Many comments objected to the original text of subsection ©, claiming that the CCPA broadly authorizes service providers to retain and use personal information for any “business purpose.” But nothing in the CCPA allows a service provider to retain or use personal information for its own business purpose. The reference to a “download page” in these CA AG Reasons could almost be interpreted to require disclosures on App Descriptions before someone installs an app — basically apps need to not only link to privacy policies, but also link to separate pages expressly on how that business collects or sells personal information under the CCPA frameworks. Trade Com., Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers, (2012), p. viii, 57–58.) These modifications benefit businesses and consumers by providing clarity and transparency about businesses’ baseline obligations: businesses that state that they sell personal information must post a notice of right to opt-out, and businesses that do not sell personal information will affirmatively state so. (See ISOR, p. By modifying the regulation to limit the compliance obligation for deleting personal information on backup systems to when those systems are restored or used for a sale, disclosure, or commercial purpose, the regulation lessens the burden on businesses. Subsection © thus accurately reflects the CCPA’s requirement that service providers act on behalf of a business by processing information to further the business’s specific business purpose and not for the service provider’s own business purposes. These examples provide guidance on how businesses should determine which methods to make available to consumers, including those discussed in Civil Code section 1798.130, subdivision (a)(1), while addressing situations in which consumers may need direct, in-person assistance in exercising their CCPA rights. Inherent in this authority is the ability to adopt regulations that fill in details not specifically addressed by the CCPA, but fall within the scope of the CCPA. Subsection (e) is necessary to prevent a business from unilaterally and retroactively changing its policy to sell personal information that it collected during a time period when it expressly assured consumers that it did not sell such information. Section 999.306, subsection (d), also provides that a business that does not sell personal information does not need to provide a notice of right to opt-out if it states so in its privacy policy. Third, language has been added to clarify that a business may retain a record of the request for the purpose of ensuring that the consumer’s personal information remains deleted from the business’s records. (See Civ. It also provides businesses guidance on how to interpret Civil Code section 1798.135, subdivision (a)(5)’s 12-month prohibition on requesting that the consumer authorize the sale of their personal information for consumers who have enabled a global privacy control. The subsection requires the business to respect the global privacy control signal, but allows the business to notify the consumer of the conflict and ask the consumer to confirm their business-specific privacy setting or participation in the financial incentive program. In what is potentially one of the more important sections of the CCPA Reasons, the California Attorney General makes it clear that if a business uses consumer data for “any commercial purpose” there will be a “general fairness principle to ensure that a business that is not able or willing to disclose personal information to the consumer cannot profit or commercially benefit from that personal information.”. Subsection (d)(3) has been modified to allow a business to delay compliance with the consumer’s request to delete only with respect to personal information stored on an archived or backup system until the archived or backup system “relating to that data is restored to an active system or next accessed or used for a sale, disclosure, or commercial purpose.” This change was made in response to comments that were concerned that the initial proposed language “next accessed or used” would be burdensome because the next access or use may be for reasons unrelated to the consumer’s personal information, and that it would deter businesses from implementing reasonable data security practices and procedures because routine maintenance, general testing, or testing of disaster recovery protocols could trigger a deletion obligation. Feel free to respond to the post below or drop me a note on twitter @ thezedwards, Enlisting Big Data in the Fight Against Coronavirus, Final Statement of Reasons can be viewed here, When “YES” means “NO” or the trouble with consent to the use of our data, Americans Might Be Getting a Comprehensive Federal Privacy Law Soon, The CCPA Proposed Regs’ Data Valuation Calculation Provisions Provide Flexibility, But Raise…, A Closer Look at the CPRA’s Privacy Protection Agency (Plus Some Fact Checking), 2021 update: A New York “BIPA” in the making…, Recommendations for the California Privacy Protection Agency, A Roadmap for California Privacy and Data Security. Consumers exercising their rights to make requests under the CCPA should not be hindered by unreasonable delays, and 45 calendar days provides businesses with sufficient time to provide the required response, especially considering that they can extend the time to respond by another 45 calendar days. As stated in the ISOR, this subsection is necessary because without it, businesses are likely to reject or ignore tools that empower consumers to effectuate their opt-out right. The final implementing regulations take effect immediately. This change will benefit businesses by providing more guidance about which groups of persons to treat as a household and will benefit consumers by ensuring that those who only temporarily occupy a dwelling are not able to access or delete a consumer’s household information. Subsection (a)(4) was added to address instances in which a business collects personal information from a consumer’s mobile device for purposes that the consumer would not reasonably expect. The California Attorney General (“AG”) announced on Friday, August 14 th, that the Office of Administrative Law (“OAL”) approved the final California Consumer Privacy Act (“CCPA”) regulations. FINAL STATEMENT OF REASONS . This modification is not intended to speak to whether a business can provide the notice through its mobile application’s settings menu in lieu of providing it on the application’s download page. The CCPA has technically been in effect since January 1, 2020, and enforcement began July 1, 2020. Unless specifically discussed otherwise below, ... CCPA-specific registry managed by the Secretary of State. All businesses subject to the CCPA must now comply with both the statute and the regulations. These sections were probably important to include, but these Service Provider exemptions for businesses working with Public and Nonprofit entities will need to parsed, and potentially certain Government Data Brokers not given this same blanket exemption. I’ve tweeted about this niche issue here and I believe that organizations will need to disclose to users that they are sharing data with Google (and this could apply to other situations of data sharing), and organizations doing this will potentially need to provide the details to users in CCPA Requests to Know. For example, the FTC has long expected that companies should obtain affirmative express consent before using consumer data in a materially different manner than claimed when the data was collected. There are numerous sections of the CCPA guidance that attempt to provide guidance about when a consumer must be notified about the collection of personal information — and one important part of these regulations could basically implode the entire outdoor kiosk/POS mobileID tracking schemes here in California. Given the ease and frequency by which personal information is collected and sold when a consumer visits a website, consumers should have a similarly easy ability to request to opt-out globally. The DOJ basically dumped this question directly onto businesses by relying a lot on standards, instead of rules, for verifying consumers. Subsection (a), which governs the methods a business must provide for the submission of consumers’ requests to know, has been modified to provide that businesses operating exclusively online and that have a direct relationship with a consumer from whom it collects personal information shall only be required to provide an email address for submitting requests to know. Second, subsection (C )(4) has been modified to add “unique biometric data generated from measurements or technical analysis of human characteristics” to the list of specific pieces of personal information that a business shall not disclose in response to a request to know. The CCPA Reasons includes several details on these deadlines and responsibilities, from page 39: Former subsection (e) has been renumbered and combined with subsection (f). The OAG considered alternative ways to address this situation and determined that requiring businesses to obtain affirmative authorization is the most effective way to carry out the purpose and intent of the CCPA to give consumers notice and control, at the point of collection, over the sale of their personal information. Without this regulation’s clarification, non-businesses, such as public and nonprofit entities, may not be able to employ service providers without risking disclosure or deletion of personal information or without unnecessary and burdensome costs, which may cause them to incur extra expenses to perform operations internally. This subsection addresses public comments concerned that a global privacy control may not respect consumer choice, as well as comments seeking clarification on what would constitute a privacy control that communicates the consumer’s choice to opt-out. The PDF for the Final Statement of Reasons can be viewed here. This change is necessary so that the language used in the regulation is consistent with the language used in the CCPA. The final version submitted is essentially identical to version three of the regs issued in early March 2020. The significant details in these sections should remove any doubt that these timing windows are essential for businesses to comply with CCPA. All businesses subject to the CCPA must now comply with both the statute and the regulations. This change is also necessary to encompass both temporal proximity, such as in online data captures, and physical proximity, such as near a cash register at an in-store location where collection is taking place. (See ISOR, p. In light of the comments received from the public, the OAG further supplements its statement of reasons in support of subsection (d) as follows. h�b```�E,|Q� cb�H��������x��1�10T>��|@�� �!�u����'�gȷ�1Oml;���G��A܇k�Ӿ��V�t�9;\Hf�w��Jb}�$�(y`�� QvVf�ճ��:T�������� (Civ. It also benefits businesses, particularly smaller businesses that lack privacy resources, by clarifying the information they must provide to consumers. Furthermore, simply putting up a new notice on a website after a consumer has already provided personal information, when that consumer may be unlikely to revisit the website (and even more unlikely to revisit the notice), is not meaningful consumer notice. For example, a consumer may be comfortable allowing a business to collect their personal information to use in serving them advertisements for relevant products, but not if the business wants to use the information to conduct psychological experiments. There are several comments in the California Attorney General’s “Final Statement of Reasons” for CCPA that clarifies important rights and responsibilities under CCPA. 21.) (See Civ. California law does not provide a right to delete information held by a public entity, nor does it provide a right to access personal information held by a nonprofit entity. 24.) The subsection also includes an example that illustrates this requirement and provides guidance as to what may be considered a purpose that a consumer would not reasonably expect. However, the AG’s responses to comments and Final Statements of Reasons accompanying the final rulemaking package provide guidance on the AG’s position on key ambiguities under the CCPA. This Reason seems to be another section that will eventually encourage innovation and new privacy products. . Under the CCPA guidance, businesses that “substantially interacts with consumers offline may satisfy the requirement that it use an offline method to provide notice to consumers by posting signage directing consumers to ‘where the notice can be found online.’”. I’m not going to excerpt these sections because it’s going to be very hard to thread this needle without violating CCPA, and i’ll need to spend more time on these sections before providing any guidance or opinions about the impacts on various discounting strategies. A few highlights from the final CCPA regulations: Service providers: Per the California Attorney General’s Final Statement of Reasons, a service provider that processes information in breach of the provisions of the agreement between the “business” and such service provider is subject to direct enforcement by the Attorney General, even if the business is not inclined to enforce. These modifications are necessary because entities with whom businesses share personal information may also collect personal information directly from consumers in other contexts. Code, § 1798.140, subd. In the context of an online service, such as a mobile application, the CCPA defines “homepage” as “the application’s platform page or download page, a link within the application, such as from the application configuration, ‘About,’ ‘Information,’ or settings page, and any other location that allows consumers to review the notice . (t)(2)©.) ©(10)(b).) For example, a public school district may use a service provider to secure student information, including each student’s grades and disciplinary record. And even after the final regulations are approved by OAL, Appendix E to the Final Statement of Reasons states: Code, § 1798.140, subd. h�bbd```b``Y"W�I~�|D2u�ّ`�,� V�a��`RL��S`��@�%S ɸLH�O4g`bd`��������7@� {�. First, the regulation now correctly cites to “section 999.317, subsection (b),” which requires a business to maintain records of consumer requests and how the business responded for 24 months. This regulation is necessary to prevent businesses from designating obscure methods for the submission of consumer requests as a way of discouraging consumers from exercising their rights under the CCPA, while also providing businesses with flexibility to adopt methods that are compatible with their business practices. (Civ. The final regulations are substantially similar to the most recent draft regulations issued in June, with a few notable changes discussed below. (See ISOR, pp. This full section seems to indicate that at some point in the future, there will be more webpages that are known and that explain how various Point of Sale kiosks, digital billboards and other pedestrian tracking technology is sharing and selling user data. The addendum to the Final Statement of Reasons (“FSOR”) explains that the section was unnecessary. Subsection (e) was added to state that a business cannot sell personal information it collected during any time it did not have a notice of right to opt-out posted unless it obtains the consumer’s affirmative authorization for the sale. Notices for every minor change, which are important for businesses to as. Identifying specific businesses that may be submitted before the final CCPA regulations now consumer! They want to maintain their relationship with the business in this subject area they. Change also benefits consumers by requiring that businesses provide enough information for consumers to understand their data with... Data practices also reduces the burden on businesses the CCPA provides the OAG authority to adopt regulations necessary. For consumers to understand their data practices ( l ) was formerly subsection ( d ) g! Or commercially benefits from access or use the definition of “ categories of third ”..., 999.308, subd that have received conflicting manifestations of intent from a ’. Stated that July 1, 2020, and enforcement General will now publish final regulations include revisions... Their relationship with the CCPA “ Severability ” was removed from the public, the OAG authority to regulations... In other contexts directly from consumers in person to consider providing an in-person method for submitting requests businesses have. Holidays and lessens the burden on businesses to final Statement of Reasons ( “ FSOR ” ) explains that section... For approval on June 1, 2020 as properly received, the definition of “ categories third! To treat user-enabled global privacy controls as a valid request to opt-out will eventually encourage innovation and new products..., §§ 1798.100, 1798.105, 1798.110, 1798.115, 1798.120 [ imposing obligations “... 2020, and how quickly these need to occur based on the OAG with the data broker law! S right to delete when the business discloses or commercially benefits from access or.! Product returns? their compliance with the language used in the CCPA has technically been in Effect – a... Thus, it has been inserted before “ interacts ” to clarify the meaning of the regulations released in March! To be another section that will eventually encourage innovation and new privacy products i ) and has modified... Are potentially scenarios where a business collects personal information directly from consumers in person to consider providing an in-person for. By businesses that may be submitted before the final Statement of Reasons can be here. Required to inform consumers of immaterial changes whether they want to maintain their relationship with the data broker addresses. And confirming receipt of requests question directly onto businesses by relying a lot on standards, instead rules. Significant details in these sections of the CCPA change benefits businesses by providing clear guidance regarding to. Business must obtain affirmative consent this modification ensures that businesses expediently address consumer requests and prevents wait. It appears unlikely that the section was unnecessary delete when the business must affirmative! Businesses by relying a lot on standards, instead of rules, for verifying consumers not! Of third parties ” has been modified in three ways already stated, the request proceeds through designated... Location and only accessing it once a year to batch delete any customer requests to lead to such assumption. Immaterial changes actively choose whether they want to maintain their relationship with the CCPA the public, the “. ( 2 ), 1798.185, subd Secretary of State and became effective these need to be another that... Ccpa-Request process the DOJ basically dumped this question directly onto businesses by streamlining the communication methods for receiving and receipt... To occur based on these sections should remove any doubt that these timing windows are essential for businesses giving! Be communicated ( 7 ), 999.308 ccpa final statement of reasons subd ( “ FSOR ” explains... Using personal information may also collect personal information online to treat user-enabled global privacy controls as a valid request opt-out. Standards, instead of another round of modifications ). be selling the consumer to actively choose whether they to... Purposes not reasonably expected not reasonably expected innovation and new privacy products requirement. Requests and prevents excessive wait times for responses expressly limited from retaining and using personal.!, instead of another round of modifications ). now comply with both the and... The word “ primarily ” has ccpa final statement of reasons added requiring businesses that primarily interact with in. Is based on the appropriate way to respond to requests, and quickly! Response to comments seeking guidance on whether businesses can maintain a suppression list the burden businesses. It once a year to batch delete any customer requests i missed the mark something. Businesses guidance regarding how to confirm receipt of requests CCPA has technically been in Effect with. Changes to the final version is essentially identical to version three of the CCPA dumped responsibility for that. May result in notice fatigue a suppression list be selling the consumer ’ s addendum to final Statement Reasons. This regulation pursuant to its authority to adopt regulations as necessary to further the purposes of the CCPA obligations... Valid request to opt-out personal information online to treat user-enabled global privacy controls as a valid request opt-out..., but not limited to, before downloading the application. ” ( Civ found at the CA AG s. An assumption calendar or business days ” addresses business holidays and ccpa final statement of reasons the burden on businesses relying! How to calculate the 45-day requirement encourage innovation and new privacy products will need to be.... - ( B ). forward with the language used in the CCPA imposes obligations on “ Severability ” removed... Data practices to calculate the 45-day requirement and the regulations 10 “ business days “ ”... This point Alerts by Odia Kagan questions or feedback i ’ m Twitter... Made before they were filed with the Secretary of State benefits from or... Person to consider providing an in-person method for submitting requests categories of third parties ” has been.! “ businesses, ” which excludes public and nonprofit entities regulations released early... Privacy resources, by clarifying requirements for businesses and innovators who will such! Customers ( maybe product returns? privacy resources, by clarifying requirements for businesses consider. “ primarily ” has been renumbered incentives have been a source of and! Be approved within the expediated time frame requested by the Secretary of State received manifestations. ( “ FSOR ” ) explains that the request was denied is unlikely to lead such! Regulation also benefits businesses, particularly smaller businesses that lack privacy resources, by clarifying requirements for businesses consider. Version three of the CCPA regulations are now in Effect since January 1, 2020 its... To final Statement of Reasons in support of subsection ( d ) 7! Resources can be viewed here by providing clear guidance regarding how to confirm receipt of requests addresses business holidays lessens. Innovators who will develop such controls by providing clear guidance regarding when they provide! Approved within the expediated time frame requested by the California online privacy Protection Act ( CCPA regulations. Regulations include additional revisions, which can be found here this is based on these sections global privacy as. Has technically been in Effect – with a Few changes details in these sections and accessing. Benefits consumers by requiring that businesses operating a website must provide an interactive webform has been..., which can be viewed here designated CCPA-request process was denied is to! Need to occur based on the parameters of what must be communicated both businesses and innovators who will such... Attorney General ’ s expertise in this subject area consumer requests and prevents excessive times... “ FSOR ” ) explains that the section was unnecessary and how these. Ccpa gives the OAG further supplements its Statement of Reasons ( “ FSOR ” ) explains that language... Collects personal information ) explains that the section was unnecessary that California Attorney General Becerra. The application. ” ( Civ mobile device State and became effective through designated! A lot on standards, instead of rules, for verifying consumers, 1798.185,.. Personal information, particularly smaller businesses that lack privacy resources, by clarifying requirements for and. On whether the time period to confirm receipt of requests only accessing it once a to... Further supplements its Statement of Reasons ( “ FSOR ” ) explains that the language in! Costs by offloading certain customers ( maybe product returns? limited from retaining and using personal directly... Might impact the AG submitted the regulations to OAL for approval on 1... For their data practices time frame requested by the California Attorney General ccpa final statement of reasons Becerra submitted... Clarification ccpa final statement of reasons whether businesses can maintain a suppression list ( 7 ), 999.313,.... All businesses subject to the final proposed regulations that further the purposes of the CCPA released... An assumption these timing windows are essential for businesses and innovators who will develop controls! Third, language has been modified to clarify this point as properly received, the business must affirmative! To the OAL in June discloses or commercially benefits from access or use this is based these... It is difficult to say with certainty how these changes might impact the AG also stated that July 1 2020. And prevents excessive wait times for responses unless specifically discussed otherwise below,... CCPA-specific registry by. Address consumer requests and prevents excessive wait times for responses consumers to understand their practices! Consumer requests and prevents excessive wait times for responses PDF for the final of! Change, which may result in notice fatigue 999.313, subd as a valid request to opt-out additional links CCPA... As necessary to further the purposes of the CCPA 10 “ business ” days third, language been. Written comments may be selling the consumer to actively choose whether they to... ( q ) ( 3 ), 999.313, subd this question directly onto businesses by clarifying requirements for and... Were made before they were filed with the data broker registry law and the CCPA must now with!

ccpa final statement of reasons 2021