Compliance Briefing — California AG issues second CCPA modifications

California's Attorney General released a second set of modified CCPA regulations on March 11, 2020, clarifying consumer notice wording, offline opt-out obligations, and rules for user-enabled privacy controls. Businesses had limited time to adjust notices and interface flows before the July 1 enforcement date.

Zeph Tech Research Lead

Research lead, Zeph Tech

1 publication timestamps supporting this briefing. Source data (JSON)

Executive briefing: On 11 March 2020 the California Attorney General issued a second set of modified CCPA regulations. The revisions tightened notice language, obligated equivalent offline opt-out prompts, and clarified how browser privacy controls qualify as valid opt-out signals.

Why it matters

Consumer notices: prescribed phrasing for collection and financial incentive notices reduces latitude in copywriting.
Channel parity: retailers collecting data offline must provide opt-out methods comparable to online flows.
Signal handling: explicit recognition of user-enabled privacy controls requires technical support for browser-based opt-outs.

Operator actions

Update notices: Align website and in-store collection notices with the modified wording and required link placement.
Opt-out UX: Ensure offline data capture (point-of-sale, call centers) presents opt-out choices equivalent to web flows.
Signal support: Implement detection of user-enabled privacy controls and map them to Do Not Sell preferences.
Policy refresh: Revise privacy policies and financial incentive summaries to match the March 11 draft ahead of enforcement.

Timeline plotting source publication cadence sized by credibility. — 1 publication timestamps supporting this briefing. Source data (JSON)

Horizontal bar chart of credibility scores per cited source. — Credibility scores for every source cited in this briefing. Source data (JSON)

Visit pillar hub

Latest guides

Third-Party Risk Oversight Playbook — Zeph Tech
Operationalize OCC, Federal Reserve, EBA, and MAS outsourcing expectations with lifecycle controls, continuous monitoring, and board reporting.
Compliance Operations Control Room — Zeph Tech
Implement cross-border compliance operations that satisfy Sarbanes-Oxley, DOJ guidance, EU DORA, and MAS TRM requirements with verifiable evidence flows.
SOX Modernization Control Playbook — Zeph Tech
Modernize Sarbanes-Oxley (SOX) compliance by aligning PCAOB AS 2201, SEC management guidance, and COSO 2013 controls with data-driven testing, automation, and board reporting.

Why it matters

Operator actions

Related briefings

Compliance Briefing — California begins enforcing the CCPA

Compliance Briefing — California CCPA regulations approved and effective immediately

Compliance Briefing — March 10, 2020

Compliance Briefing — FINRA Regulatory Notice 20-08 on pandemic business continuity

HHS issues limited HIPAA waiver during COVID-19 emergency

Continue in the Compliance pillar

Latest guides