On March 11, 2020 the California Attorney General released modifications to the CCPA. This is the second time this year he has released an update, read about the February update here. These are the most impactful changes we’ve identified:
A business that does not collect personal information directly from a consumer does not need to provide a notice at collection to the consumer if it does not sell the consumer’s personal information.
Removed: Opt-out button logo requirement
A business must identify the categories of sources from which personal information is collected. The categories shall be described in a manner that provides consumers a meaningful understanding of the information being collected. Identify the business or commercial purpose for collecting or selling personal information. The purpose shall be described in a manner that provides consumers a meaningful understanding of why the information is collected or sold.
If the business has actual knowledge that it sells the personal information of minors under 16 years of age, a description of the processes required by sections 999.330 and 999.331.
The business shall inform the consumer with sufficient particularity that it has collected the type of information. For example, a business shall respond that it collects “unique biometric data including a fingerprint scan” without disclosing the actual fingerprint scan data.
If a business that denies a consumer’s request to delete sells personal information and the consumer has not already made a request to opt-out, the business shall ask the consumer if they would like to opt out of the sale of their personal information and shall include either the contents of, or a link to, the notice of right to opt-out in accordance with section 999.306.
A service provider shall not retain, use, or disclose personal information obtained in the course of providing services except: (1) To process or maintain personal information on behalf of the business that provided the personal information, or that directed the service provider to collect the personal information, and in compliance with the written contract for services required by the CCPA.
A business shall not require the consumer or the consumer’s authorized agent to pay a fee for the verification of their request to know or request to delete.