The Latest CCPA Draft, Explained

Dhara Shah

Senior Editor

Loyola University Chicago School of Law, JD 2020


The California Attorney General’s office released an updated draft to the California Consumer Privacy Act (CCPA) on February 10th. This updated draft follows the four public hearings that were held in December of 2019 and over 1,700 pages of submitted comments. Comments are being heard as of the posting of this article, and if no new changes are made, a final rulemaking record will be submitted.

CCPA Refresher

The CCPA came into effect on January 1, 2020 and serves as a consumer privacy act for the residents of the state. It allows for more transparency between a company and its consumers—allowing the consumers to ask to see what information the company has collected about them, who it is shared with, and includes many other consumer-centered privacy ideas. Often compared to the General Data Protection Regulation (GDPR), it too places strong fines on companies that fail to properly comply with the CCPA.

The CCPA gives a variety of rights to its consumers, including: the right to know what personal information is collected, used, shared, or sold; the right to delete personal information held by businesses; the right to opt out of their data being sold; and the right to nondiscrimination.

Notable Changes

Of the changes, the ones to look out for include further clarification on what constitutes the collection of “personal information”, removing the claw back period, and introducing more user friendly ways to opt-out, amongst others.

The first noteworthy change highlights that businesses are not collecting “personal information” when the business collects an IP address but does not link the IP address to a particular individual and it could not reasonably be linked to one. This, in turn, ends up raising further questions on what a “reasonable” link constitutes in the context of the CCPA. Some argue that given how vastly the internet is used, IP addresses are also collected more than other information—so if they are “personal information” then the way they are handled changes. If it is considered to be “personal information”, a business would reach the 50,000 consumer threshold much quicker, thus including a larger group of businesses liable to the CCPA.

Another noteworthy change is the removal of the claw back period. Initially, a 90-day claw back period was placed into effect for businesses to pass on an individual’s opt-out of sale of information. The latest draft has since removed this provision.

As the center of the CCPA are the consumers, it only makes sense they have tried to make it as user friendly as possible. The newest draft introduces the option of an opt-out button that can be used in addition to the notice of the right to opt-out. It really will be as easy as a click of a button then. Companies like OneTrust have already started to create and market this button towards businesses.

Other noteworthy changes include: confirming that a two-step process for online requests to delete is not required, rather is optional; stating that the metrics and transparency reporting requirements only holds to those with 10 million or more consumers now, rather than the initial—businesses with 4 million or more consumers; and a deletion of the requirements to treat unverifiable deletion requests as opt-out requests.

Next Steps

Comments will be heard again until February 25th, 2020. To submit comments visit,

While comments are still being submitted, the CCPA has gone into effect since January 1st, 2020. Qualifying businesses should already be in compliance with the CCPA—with just the primary requirements including: meeting the “right to know” by telling consumers how their data is being used; meeting the “right to opt out” by creating a privacy policy and potentially even including a one-click button; meeting the “right to delete”; and meeting verification requirements. Of those in compliance, the hardest challenge so far seems to be just determining where a company is storing consumer data.

Stay tuned for what the next round of the rulemaking process brings and what other regulations may be inspired from the CCPA. As data privacy concerns are only growing in the minds of consumers, it will be important to ensure that the data privacy protection and compliance environment continues to grow as well.