
California AG issues modified CCPA regulations

The California AG released modified CCPA regulations addressing industry feedback. Key clarifications include how to handle Do Not Sell requests, verification requirements for access requests, and what counts as financial incentive disclosure.


On 7 February 2020, the California Attorney General published modified proposed CCPA regulations representing the second round of modifications before final adoption. The updates refine notice at collection requirements, establish design standards for opt-out mechanisms that prohibit dark patterns, tighten consumer request verification procedures, and clarify service provider contractual obligations. With enforcement beginning in July 2020, organizations must assess updated requirements against existing setups and adjust compliance programs as needed.

Regulatory Context and Timeline

The California Consumer Privacy Act became effective January 1, 2020, but enforcement was delayed until July 1, 2020 to allow time for regulatory clarification. The Attorney General's rulemaking process generated significant public comment requiring multiple rounds of modifications to address stakeholder concerns and operational challenges.

The February 2020 modifications represent the second set of changes to initially proposed regulations. These modifications respond to industry feedback requesting practical guidance while maintaining consumer protection objectives. Additional modifications would follow before final regulations were adopted.

Organizations had limited time between finalization of the regulations and the start of enforcement to implement required changes. The modifications provided clearer compliance targets while also requiring an assessment of existing practices against the refined requirements.

Notice at Collection Refinements

The modified regulations expand guidance on notice at collection requirements that inform consumers about data practices at or before the point of collection. Notices must identify specific categories of personal information collected and the business or commercial purposes for each category. The regulations provide examples of compliant notice formats and language.

Offline collection scenarios receive specific attention. Businesses collecting personal information through in-person transactions, phone calls, or paper forms must provide notices through posted signage, verbal disclosure, printed materials, or other means appropriate to the collection context. The regulations acknowledge operational challenges while maintaining transparency expectations across collection channels.

Privacy policy requirements align with notice at collection obligations. Full privacy policies must describe categories of personal information collected, purposes for collection and use, consumer rights under CCPA, and how consumers can exercise those rights. Policies must be accessible from website homepages and updated annually or when practices change.

Financial incentive notices require disclosure when businesses offer different prices or services in exchange for personal information. The modifications clarify how to calculate and present the value of personal information in incentive programs, addressing concerns about consumer understanding of data-for-discount arrangements.

Opt-Out Mechanism Design Standards

The modifications address dark pattern concerns by establishing explicit design requirements for opt-out mechanisms. The "Do Not Sell My Personal Information" link must appear clearly and conspicuously on business websites, typically in the website footer, without requiring consumers to navigate through multiple pages, complete account registration, or accept unrelated terms to access opt-out functionality.

Button and interface design requirements prohibit manipulative patterns that steer consumers toward permitting data sales. Equal visual prominence must be given to opt-out and opt-in choices where presented together. Larger fonts, brighter colors, or more prominent positioning for "accept" versus "decline" options may violate dark pattern prohibitions.

Language requirements mandate clear, consumer-friendly terminology that accurately describes the effect of consumer choices. Technical jargon, legalistic language, or confusing phrasing that might mislead consumers about opt-out consequences creates compliance risk. Opt-out must be achievable in the minimum number of steps technically possible.

If you are affected, conduct user experience testing against regulatory examples and dark pattern prohibitions. Interface designs developed before regulation finalization may contain elements that regulators consider non-compliant, requiring modification before enforcement.

Consumer Request Verification

Verification standards for consumer rights requests receive detailed treatment in the modifications. Businesses must implement reasonable verification procedures matching identity assurance levels to the sensitivity of requested actions. Access requests permitting consumers to know what information a business holds require moderate verification. Deletion requests permanently removing personal information warrant higher assurance levels.

Verification methods may include matching consumer-provided information against existing account data, sending verification codes to email addresses or phone numbers on file, or requiring consumers to log into existing accounts. Businesses cannot require consumers to create new accounts solely for verification purposes.

Household requests present particular complexity. The modifications clarify how businesses should handle requests affecting all household members versus individual requests. Joint account holders may request information about their shared account, but requests to delete household data generally require consent from other household members to avoid unauthorized deletion affecting others' information.

Authorized agent verification requires confirming both agent authorization and underlying consumer identity. Businesses may require signed written permission from consumers authorizing agents to act on their behalf. Power of attorney documentation may be required for sensitive requests. Verification procedures for agents should not create unreasonable barriers to legitimate authorized representations.

Service Provider Contractual Provisions

Contractual requirements for service providers and contractors receive refinement clarifying obligations that must be addressed in written agreements. Contracts must specify the business or commercial purposes for which personal information is provided, prohibit retention or use of information beyond those specified purposes, prohibit combining personal information received with information from other sources, and require compliance certification upon request.

The distinction between service providers (processing data on behalf of the disclosing business) and third parties (receiving data for their own business purposes) carries significant legal implications. Service provider disclosures are not "sales" under CCPA, while third-party disclosures may constitute sales triggering opt-out rights. Misclassification of relationships could create compliance failures and enforcement exposure.

Subcontractor flow-down requirements ensure service provider obligations extend throughout data processing chains. Primary service providers must contractually require their subcontractors to comply with the same restrictions and certification requirements. If you are affected, audit existing vendor agreements and implement amendments addressing modified requirements.

Enforcement Priorities and Preparation

While the July 2020 enforcement start date allowed time for regulatory finalization, the modifications signal likely enforcement priorities. Notice adequacy, opt-out mechanism accessibility, and the reasonableness of verification procedures are the areas where regulators focused detailed guidance, suggesting these topics may receive initial enforcement attention.

Documentation demonstrating good-faith compliance efforts may influence enforcement discretion for organizations actively implementing requirements. Maintain records of compliance assessments, remediation activities, and policy changes supporting attestations of reasonable compliance efforts.

Consumer complaints provide enforcement leads. If you are affected, implement responsive complaint handling and track complaint patterns that might show compliance gaps requiring attention before regulatory inquiry.

