On February 7, the Office of the Attorney General of California issued a second draft of its California Consumer Privacy Act regulations, quickly fixed an omission from that draft Feb. 10, and set a Feb. 25 deadline for written comments. While “Version 2.0” of the regulations scales back several of the ways the first version exceeded the plain language of the statute, it keeps the do-not-sell signal requirement and adds proposed restrictions on service provider handling of personal information.

Definitions. Notable clarifications include: (1) tightening the definition of “household” data as people who not only live at the same address, but also share a common device or service from the business, and are identified as sharing the same account or unique identifier; (2) adding examples of “categories of [data] sources” and “categories of third parties” that must be disclosed to consumers and specifying these “must be described with enough particularity to provide consumers with a meaningful understanding of the type of person or entity” (§999.301 (d)(e) and (3) specifying whether information is “personal information” depends upon how the information is maintained so that if an IP address cannot reasonably link to a particular consumer or household, it is not personal information (§ 999.302).

Notice. The “at collection” notice requirements have expanded somewhat from “Version 1.0.” The regulation appears to require notices on “all webpages where personal information is collected,” as well as both on a mobile app download page “and within the app,” such as through the app’s download page or settings menu. Oral notice would be permissible when information is collected in person or over the phone (§ 999.305(a)(3)(d)). Also, a just-in-time notice requirement for mobile device personal information collection “that the consumer would not reasonably expect” has been added.

On the other hand, and in line with US Federal Trade Commission guidance, Version 2.0 qualifies a materiality standard Version 1.0’s opt-in consent requirement for uses of personal information that were not disclosed in the “at collection” notice. Without this change, all uses not disclosed in the initial privacy policy would have required opt-in consent (§ 999.303(a)(5)). This change would drive shorter, easier-to-read “how we use personal information” sections in privacy policies. Similarly, the short form notice appears to no longer require a separate disclosure of the purposes for which each category of personal information collected will be used.

Version 2.0 also simplifies compliance for data brokers that register with the attorney general under California’s data broker registration law (Civil Code § 1799.99.80) and post a link to their privacy policy, which contains opt-out instructions (§ 999.303(d)). This requirement replaces the more difficult alternatives in Version 1.0 (i.e., either to contact the California consumer before reselling the information and providing the opt-out notice or to obtain an attestation from the data source with a copy of the collection notice that was displayed to the consumer.

Accessibility standards.   Version 2.0 clarifies that, for notices provided online, businesses “shall follow generally recognized industry standards, such as the Web Content Accessibility Guidelines, version 2.1 of June 5, 2018, from the World Wide Consortium,” which Version 2.0 incorporates by reference.

Do Not Sell Notice (§ 999.306). The proposed regulations require opt-in consent, instead of a total ban, for sale of personal information collected when a “do not sell” notice is not posted. Also, Version 2.0 sets out an optional “do not sell” icon but requires the posting of a “do not sell” link regardless of whether the icon is posted.