The California Attorney General has issued revisions to the previous version of the proposed regulations, and it appears to be aimed at making compliance more attainable.
The July 1, 2020 enforcement date for the California Consumer Privacy Act (CCPA) is closing in and companies doing business in the state are grappling with understanding and complying with its complicated and evolving requirements. On February 7th, the California Attorney General issued revisions to the previous version of the proposed regulations originally released back in October 2019. The changes appear to be aimed at making compliance more attainable, although various interpretive issues have yet to be resolved and operational challenges (including with respect to verifying and responding to consumer requests and record keeping) still abound.
The deadline for public comment on these revisions closed on February 24th, which means there are likely more changes yet to come before the July 1 date.
Relief Provided to Data Brokers and Service Providers
Relief for service providers under the revised proposed regulations would allow them to utilize the data they receive to build or improve the quality of their services as long as they do not use the data to build or modify consumer or household profiles. The original proposed regulations appeared to limit the ability of service providers to do anything with PI it received outside of providing the contracted-for service. In addition, service providers that receive requests to know or delete from a consumer can take action on behalf of the businesses they represent or inform the consumer it cannot respond because they are a service provider. The prior version required service providers to notify the consumer to contact the business directly.
The revised proposed regulations also provide relief in the form of the addition of qualifying provisions such as adding "reasonably" to the provisions on accessibility to consumers with disabilities, and "readily" to available locations where consumers will see information helpful to making choices for opting in or out of things like financial incentives or price or service differences, which, although still strongly consumer-protective, create a more achievable standard.
Lastly, businesses would no longer need to specify the manner in which a consumer's PI has been deleted, but rather, can inform the consumer whether it has complied with the request to delete the PI.