
California AG issues second CCPA modifications

California's Attorney General released a second set of modified CCPA regulations on March 11, 2020, clarifying consumer notice wording, offline opt-out obligations, and rules for user-enabled privacy controls. Businesses had limited time to adjust notices and interface flows before the July 1 enforcement date.

Verified for technical accuracy — Kodi C.


The California Attorney General released a second round of CCPA regulation modifications on March 11, 2020, just months before enforcement was scheduled to begin. If you thought you had your CCPA compliance program figured out, time to check again. The modifications clarify notice requirements, adjust opt-out mechanisms, and add new disclosure obligations. Some changes make compliance easier; others add complexity you'll need to address.

What changed in the second modifications

The most significant changes affect how businesses handle consumer requests and communicate privacy practices. Notice at collection requirements got more specific—you cannot just point consumers to a general privacy policy anymore. The notice must be provided at or before the point of collection and must be specific to the categories being collected.

Verification requirements received detailed guidance. How do you verify that the person requesting access to personal information is actually the consumer whose information you hold? The modifications provide tiered verification requirements based on the sensitivity of the request and the type of information involved. Higher-risk requests require more rigorous verification.

The "Do Not Sell My Personal Information" link requirements got clarified. The link must be conspicuous and use that specific phrasing. Businesses that buried opt-out mechanisms in privacy policy footnotes or used different terminology need to update their websites.

Verification headaches and solutions

Verification is where many CCPA compliance programs struggle. You need to confirm that requesters are who they claim to be, but you cannot collect so much information that the verification process itself becomes a privacy risk. The modifications provide a framework, but implementation requires judgment.

For access requests (knowing what personal information you hold), password-protected account holders can verify through account authentication. Non-account holders require matching at least two pieces of information you already have about them. For deletion requests, the verification bar is higher—you need higher confidence that you are deleting the right person's data.

The practical challenge: many businesses do not have clean enough data to perform reliable verification. If your customer database has duplicate records, inconsistent formatting, or incomplete information, verification becomes guesswork. Data quality is not just a marketing concern anymore—it is a compliance requirement.

Service provider clarifications

The modifications clarify the service provider exception and what contracts need to include. Service providers can process personal information on behalf of businesses without that processing counting as a "sale"—but only if contracts include specific provisions limiting how service providers use the data.

This matters for vendor management. Your existing contracts may not include CCPA-required provisions. Review agreements with any vendor that processes California consumer data on your behalf. Updates may be needed to maintain the service provider exception.

The modifications also address subcontractors. Service providers that use their own subcontractors must ensure those subcontractors are bound by similar restrictions. Your vendor management program needs visibility into sub-processing relationships, not just direct vendor contracts.

Household data complications

CCPA's definition of "personal information" includes information about households, not just individuals. The modifications address how to handle requests involving household data, but the answers are not simple. Providing household information to one household member might violate another member's privacy.

The guidance suggests reasonable precautions: verify that all household members consent before disclosing household-level data, or limit disclosures to information about the specific requestor. For businesses that do not traditionally think about household relationships—online retailers, subscription services, utility companies—this adds complexity to request handling.

Financial incentive program requirements

CCPA allows businesses to offer financial incentives for consumers who allow their data to be used in certain ways—loyalty programs, discounts for data sharing, and similar items. The modifications add requirements for these programs: consumers must opt in, the business must explain how the value of the data is calculated, and programs cannot be discriminatory.

The "value calculation" requirement is particularly challenging. How do you determine the value of personal information you collect? The modifications accept good-faith estimates based on reasonable methodologies, but you need to be able to explain your approach if regulators ask.

Timeline and enforcement implications

These modifications appeared just months before CCPA enforcement began on July 1, 2020. Businesses had limited time to update compliance programs to address the new requirements. The modifications were not entirely surprising—they addressed known ambiguities—but the timing created implementation pressure.

The modifications also signaled the Attorney General's interpretation of CCPA requirements, which matters for enforcement. Businesses that implemented interpretations inconsistent with the modifications faced the choice of updating programs or risking enforcement actions based on AG-preferred interpretations.

What you need to update

  • Review notice at collection practices. Ensure notices are specific to the collection context, not generic privacy policy links.
  • Implement verification procedures matching the modification requirements. Tier verification based on request sensitivity.
  • Verify your "Do Not Sell My Personal Information" link is conspicuous and uses required phrasing.
  • Review service provider contracts for required CCPA provisions. Update agreements that lack required language.
  • Assess household data handling procedures. Implement safeguards for requests involving multiple household members.
  • Document financial incentive program valuations if you offer such programs.
  • Update training for staff handling consumer requests to reflect modification requirements.

CCPA modifications are an ongoing reality—the law evolves through regulatory guidance and enforcement actions. Organizations that built compliance programs expecting static requirements need to adapt to iterative refinement. The second modifications will not be the last, and California's approach influences privacy legislation in other states.
