The California Office of the Attorney General ("Attorney General") is rapidly releasing updates to the Proposed Regulations. The first set of updates to the Proposed Regulations were released on February 7, 2020 ("First Modified Proposed Regulations"), and after a 15-day public comment period and the receipt of about 100 comments, the Attorney General released a second set of updates on March 11, 2020 ("Second Modified Proposed Regulations"). There are fewer changes in this round, and most of them consist of minor clarifications. This may indicate that the final regulations, expected in July 2020, will not deviate significantly from the current set of proposed regulations.
The following is a summary of the few key changes in the Second Modified Proposed Regulations:
Sale of Personal Information Graphic: The First Modified Proposed Regulations added a sample opt-out button graphic for businesses to use in conjunction with the required link, but the Attorney General deleted the proposed graphic from the Second Modified Proposed Regulations.
Unverifiable Consumer Requests: A hotly contested topic in the public comments, the Attorney General removed the requirement that a business treat an unverified consumer request to delete as a request to opt-out of the sale of personal information, and the First Modified Proposed Regulations instead required that businesses affirmatively ask the consumer if they would like to opt-out in the event a request is unverifiable. The Second Modified Proposed Regulations has kept this requirement, putting it into a separate provision requiring it to affirmatively ask if the consumer would like to opt-out if the consumer's request to delete is denied for any reason, not limiting it to denials based on verification.
Responding to a Request to Know: Businesses cannot disclose certain confidential information in response to a request to know (e.g., Social Security numbers, government-issued identification numbers, health insurance information, or account passwords). The Second Modified Proposed Regulations clarifies that, in responding to a request to know where the consumer asks for disclosure of specific pieces of information that the business holds on the consumer, the business must instead disclose the type of information held without disclosing the actual information. For example, the business may state that it collected and stores a fingerprint scan of the consumer, but not disclose the actual fingerprint data.
Although these regulations are still not final, the Second Modified Proposed Regulations highlight the key provisions that will likely remain untouched. Public comments for these updates close on March 27, 2020, giving the public another two-week period to reply.
ABOUT BAKER BOTTS L.L.P.
Baker Botts is an international law firm of approximately 750 lawyers practicing throughout a network of 14 offices around the globe. Based on our experience and knowledge of our clients' industries, we are recognized as a leading firm in the energy and technology sectors. Since 1840, we have provided creative and effective legal solutions for our clients while demonstrating an unrelenting commitment to excellence. For more information, please visit bakerbotts.com.