Ad Law Access
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access
Updates on advertising law and privacy law trends, issues, and developments
Feed updated: Wed, 01 May 2024 18:01:01 -0400

CCPA Update: Attorney General Releases Third Draft of Proposed CCPA Regulations
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/california-attorney-general-ag-released-third-draft-of-proposed-ccpa-regs
Wed, 11 Mar 2020 23:50:48 -0400

On Wednesday, the California Attorney General (AG) released a third draft of proposed CCPA regulations for public comment. The draft contains a series of technical corrections, along with a handful of substantive incremental modifications to the prior draft. The limited number of changes signals that the rulemaking process is reaching an end.

The following is a summary of key modifications the AG is proposing in the latest draft:

  • Service Providers – The AG revised the exemptions to the general rule that service providers may not retain, use, or disclose personal information obtained in the course of providing services.
First, the AG removed an exemption allowing service providers to perform the services specified in the written contract with the business that provided the personal information. In its place, the AG added a new exemption: “to process or maintain personal information on behalf of the business that provided the personal information, or that directed the service provider to collect the personal information, and in compliance with the written contract for services required by the CCPA.” This new exemption significantly narrows the ability of a service provider to use personal information to perform services generally, now requiring that the service provider limit the use of personal information “on behalf of the business that provided the personal information.”

Second, the AG edited a clause that allowed a service provider to use personal information for internal purposes to build or improve the quality of its services. The AG clarified that the exemption does not allow a service provider to build or modify consumer profiles to use in providing services to another business; or correcting or augmenting data acquired from another source. These clarifications indicate that the AG seeks to limit a service provider from using personal information it obtains through providing a service to develop consumer profiles that it can resell.

  • Removal of Opt Out Button – In the prior draft of the regulations, the AG proposed a standard opt-out button and logo for the industry to adopt. But the opt-out button came under scrutiny in comments submitted by Lorrie Cranor of Carnegie Mellon University, which highlighted usability issues presented by the color and appearance of the AG’s proposed button. Cranor’s team noted that the icon looked deceptively like an actual toggle switch, and when combined with its red color, could be misinterpreted as indicating an off-state. “[A] consumer may misinterpret the [AG] toggle icon as an indication that they have already opted-out of the sale of their personal information,” Cranor’s team wrote. In the latest version, the AG removes all reference to the opt-out button.
  • Exemption from Notice at Point of Collection – A business that does not collect PI directly from a consumer is not required to provide a notice at the point of collection if that business will not sell the consumer’s personal information.
  • Guidance on IP Addresses – The AG abruptly removed guidance indicating that an IP address that does not link to a particular consumer or household would not be “personal information.” The new draft does not include new guidance, however, leaving the prior guidance as the only interpretation issued by the AG on whether IP addresses are “personal information.”
  • Privacy Policy Disclosures – The AG restored language from the first draft of the regulations requiring a business to identify the categories of sources from which personal information is collected and the business/commercial purpose for collecting or selling personal information, both in a manner that provides consumers a meaningful understanding of the information disclosed. The new language does not require these disclosures “for each” category of personal information.
  • Sensitive Data Disclosures – The AG proposes that even if a business withholds sensitive data in response to a request to know, the business must still provide a description of the information withheld. For example, a business should not provide an actual social security number, but should state that it holds the consumer’s social security number.
  • Denial of Deletion Request – When a business that sells personal information denies a deletion request, the business must ask the consumer if the consumer wants to opt out of the sale of their personal information.
  • Definition of a Financial Incentive – The AG removed a confusing element of the definition of a financial incentive that had previously indicated that a program, benefit, or other offering, including payments to consumers, would be a “financial incentive” where a company compensated the disclosure, deletion, or sale of personal information. The AG clarified that a financial incentive relates instead to the collection, retention, or sale of personal information.
  • Annual Privacy Policy Disclosures – The requirement to disclose metrics when a business buys, receives, sells, or shares personal information of more than 10 million consumers in a calendar year will now only apply to businesses that know or should reasonably know that they meet the threshold for such a disclosure.
The deadline to submit written comments to the proposed modifications is March 27, 2020. Our firm will continue to review the draft regulations as we work with clients to develop practical guidance on complying with the CCPA. If you have questions on how the regulations may impact your business, or if you would like assistance in submitting a written comment, please contact Alysa Hutnik, Aaron Burstein, or Alex Schneider.

Ad Law Access Podcast: CCPA Update - Attorney General Proposes Modified Draft Regulations
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/podcast-ccpa-update-attorney-general-proposes-modified-draft-regulations
Thu, 13 Feb 2020 04:15:11 -0500

The Ad Law Access podcast is available through Apple Podcasts, Spotify, Google Play, SoundCloud, or wherever you get your podcasts.

Privacy law 101 webinar on Wednesday, February 25th

While there is a lot of attention on California’s new privacy law (CCPA), what about the basic privacy considerations when it comes to compliance, risk assessment, and negotiating contracts? Please join partner Alysa Hutnik for a webinar that walks through topics such as:

  • Privacy law 101
  • Data security and breaches
  • E-Mail, calls, and text marketing
CCPA Update: Attorney General Proposes Modified Draft Regulations
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/ccpa-update-attorney-general-proposes-modified-draft-regulations
Fri, 07 Feb 2020 21:41:30 -0500

On Friday, California Attorney General Xavier Becerra released proposed modifications to the previously released draft regulations implementing the California Consumer Privacy Act (CCPA). The modifications reflect the Attorney General’s response to public comments submitted on the draft regulations and arguably represent a rollback of key provisions previously proposed.

The modifications impose a number of changes to the regulations. Of immediate note to companies are the following:

  1. Service Providers: The modifications clarify that it would be acceptable (and thus, not a “sale”) for a service provider to use a business’s personal information to build or improve the quality of the service provider’s services, provided that the use does not include building or modifying household or consumer profiles, or cleaning or augmenting data acquired from another source. The modifications also require the service provider to stop selling data on behalf of a business when a consumer has opted out of the business’s sale of their personal information. This clarification arguably restricts an interpretation that using personal information to build or augment profiles, or to clean or augment personal information, are acceptable “business purposes” between a business and a service provider.
  2. Third Parties: The modifications no longer require a third party that purchases personal information to contact the consumer directly to provide notice and an opt out, or to contact the source and confirm that the source provided the required notice and obtain signed attestations.
  3. Loyalty Programs/Not Discrimination: If a consumer informs the business that they would like to remain in a loyalty program but otherwise have the business delete their information, it is lawful under the CCPA for the business to deny the deletion request as to the information necessary to maintain the enrollment in and benefits from the loyalty program. The modifications specifically provide that a business’s denial of a consumer’s request to know, request to delete, or request to opt-out for reasons permitted by the CCPA or the regulations is not discriminatory.
  4. Personal Information (Actual, Not Hypothetical): The modifications reinforce that whether information is “personal information” depends on how the business maintains the information, noting, for example, “if a business collects the IP addresses of visitors to its website but does not link the IP address to any particular consumer or household, and could not reasonably link the IP address with a particular consumer or household, then the IP address would not be ‘personal information.’” In other words, if data collected technically could be considered personal information under the CCPA definition, but the business does not and cannot reasonably link that data to any particular consumer or household, that data would not be personal information.
  5. Notice at Point of Collection: The modifications clarify that a business may not use personal information for purposes that are materially different from those disclosed in the notice at collection, unless the business directly notifies the consumer of the new use and obtains explicit consent.
  6. Privacy Policy “Right to Know” Disclosure: In describing the “right to know” in the privacy policy, the disclosure should be written in a manner that provides consumers with a meaningful understanding of the categories listed, and disclose:
    • The categories of personal information collected;
    • The categories of sources from which it was collected;
    • The business or commercial purpose for collecting or selling personal information;
    • The categories of third parties with whom the business shares personal information;
    • The categories of personal information the business sold in the past 12 months and, for each category, the categories of third parties to whom they sold it; and
    • The categories of personal information disclosed for business purpose in the past 12 months and, for each category, the categories of third parties to whom they disclosed it.
  7. Privacy Policy “Agent Instructions” Disclosure: The privacy policy must provide instructions on how a consumer can designate an authorized agent to make a request under the CCPA on the consumer’s behalf.
  8. Consumer Rights Requests: The modifications would update how a business responds to consumer rights requests as follows:
    • Online-Only Businesses: If it has a direct relationship with a consumer, the modified regulations confirm that an online-only business need only provide an email address for submitting requests to know.
    • Timing: A business has 10 business days to confirm receipt of a request, and 45 calendar days to respond. If the business cannot verify the consumer’s identity within the 45 days, the business may deny the request. In other words, the clock does not run indefinitely if the consumer has not verified his or her identity during the initial 45-day period.
    • “Right to Know” Search Exceptions: A business does not need to search for personal information in response to a request if the business does not maintain the personal information in a searchable format, maintains it only for legal and compliance purposes, does not sell the information or use it for any commercial purpose, and describes in its response to the consumer the categories of information it holds that it did not search but which may contain the information. This provides some flexibility to avoid expensive searches for personal information, such as call recording or video footage collected by companies for security or legal compliance purposes.
    • “Right to Know” Production Exceptions: The modifications struck the express exception preventing a business from providing specific pieces of personal information if the disclosure creates a substantial, articulable, and unreasonable risk to the security of the personal information, the consumer’s account with the business, or the security of the business’s systems or networks. Instead, the modifications more generally state that a business may avoid producing specific pieces of personal information, in whole or in part, because of a conflict with federal or state law, or based on an exception to the CCPA, but must inform the requestor and explain the basis for the denial, unless prohibited from doing so by law.
    • Deletion Denial/Opt Out Notice: If the business denies a deletion request, it also must ask the consumer if she wants to opt out of the sale of her personal information (even if the consumer has not made the opt-out request), and include a link to the opt out.
    • Deletion Compliance: Two-step confirmation of deletion requests is no longer required. In fulfilling a deletion request, the business does not need to specify the manner in which it deleted the personal information.
    • No Fee for Verification: A business cannot require a consumer to pay a fee for the verification of a request to know or request to delete.
  9. Do Not Sell Button: The modifications provide additional information about the voluntary use of the opt-out button. When the opt-out button is used, it should be the same size as other buttons on the webpage. [Example button image omitted from this copy.]
  10. Opt Out: A business has 15 business days to comply with an opt-out request. Significantly, the modifications provide that businesses will not need to notify third parties to whom they sold the consumer’s data within 90 days. Instead, this obligation is limited to circumstances when the business sold personal information to third parties between the date of the opt-out request and the date of compliance. For sales made during this limited period, the business shall direct the third-party purchasers not to further sell the data. In addition, the opt-out method must be easy for consumers to execute and require minimal steps to allow the consumer to opt-out. “A business shall not utilize a method that is designed with the purpose or substantial effect of subverting or impairing a consumer’s decision to opt-out.”
  11. User-Enabled Privacy Controls: A privacy control developed in accordance with the regulations must clearly communicate that a consumer intends to opt out of the sale of her personal information. The privacy control must require that the consumer affirmatively select her choice to opt out and not be designed with pre-selected settings. If a global privacy control conflicts with a consumer’s existing business-specific privacy setting or participation in a business’s financial incentive program, the business shall respect the global privacy control but may notify the consumer of the conflict and give the consumer the choice to confirm the business-specific privacy setting or participation in the financial incentive program.
  12. Mobile Notifications: The modifications provide that, where a business collects information from a mobile application, it can provide a link to the privacy policy within the applications. Where the application collects information that the consumer would not reasonably expect, the business must provide a notification of that collection, such as through a pop up window, that explains the collection and links to the larger privacy policy.
  13. Households: The modifications clarify that a household means those who reside at the same address, share a common device or the same service provided by a business, and are identified by the business as sharing the same group account or unique identifier. In terms of responding to “household” rights requests, if a consumer has a password-protected account with a business that collects personal information about a household, the business may process requests to know and delete relating to household information through the business’s existing business practices and in compliance with the regulations. If a member of a household is a minor under the age of 13, a business must obtain verifiable parental consent before complying with a request to access specific pieces of information for the household or the deletion of household personal information pursuant to CCPA-mandated parental consent.
  14. Employee Privacy Notice: Under the revised regulations, employee privacy notices do not need to contain links to the Do Not Sell option.
  15. Data Brokers: The modifications provide that a data broker does not need to provide a notice at collection to the consumer if it included in its registration submission a link to its online privacy policy that includes instructions on how a consumer can submit a request to opt-out.
  16. Annual Privacy Policy Disclosures: Businesses that buy, receive for the business’s commercial purposes, sell, or share for commercial purposes, the personal information of 10MM+ (up from 4MM+) consumers in a calendar year must disclose required metrics by July 1 of every calendar year in their privacy policy (or on their website and accessible from a link included in their privacy policy) with some variations depending on how it tracks the data.
The deadline to submit written comments to the proposed modifications is February 24, 2020. Our firm will continue to review the draft regulations as we work with clients to develop practical guidance on complying with the CCPA. If you have questions on how the regulations may impact your business, or if you would like assistance in submitting a written comment, please contact Alysa Hutnik or Aaron Burstein.
