On March 11, 2020, the California Attorney General released another set of revisions to the California Consumer Privacy Act (CCPA) draft implementing regulations. The regulations are not yet finalized (a public comment period for this most recent version is open until March 27, 2020), but below we highlight key changes and takeaways for businesses under the latest version of the regulations. Note that this round of revisions to the regulations largely consist of updates to the prior modifications to the regulations, which we summarized in a previous alert available here.

Modified Definition of “Financial Incentive

The definition of “financial incentive” was modified from a “program, benefit, or other offering, including payments to consumers as compensation for the disclosure, deletion, or sale of personal information” to a “program, benefit or other offering, including payments to consumers, related to the collection, retention, or sale of personal information.”  This change seems to broaden the concept of financial incentive to potentially pick up other types of program and incentives so long as there is some sort of connection between the consumer’s personal information and incentives being offered. 

Service providers

The latest turn of the regulations clarifies restrictions related to service providers’ use of personal information by clarifying that while service providers can use personal information for internal purposes to build or improve the quality of their services, such use would not expand to using personal information to build or modify consumer profiles to use in providing services to another business or augmenting data acquired from another source.

Consumer requests. When responding to a request to know, businesses must now disclose when the business maintains consumers’ sensitive data (e.g., SSN), without actually disclosing the sensitive data. With respect to deletion requests, if a business that sells personal information denies a deletion request, it must ask the consumer if the consumer wants to opt out of the sale of the consumer’s personal information.


Businesses that do not collect PI directly from consumers are not required to provide a notice at the point of collection if such business do not sell consumers’ personal information.

Removal of the opt-out button

The latest version of the draft regulations removes the optional standard “Do Not Sell” opt-out toggle button and all accompanying language.

Privacy policy requirements

Privacy policies must include the categories of sources from which personal information is collected, as well as the business or commercial purposes for collecting or selling personal information. 

IP addresses

The prior modifications to the draft regulations provided that IP addresses are considered personal information if a business can “reasonably link” IP addresses with a particular consumer or household. The latest version of the regulations removes this language completely. A link to a comparison version of the latest modifications to the draft regulations is available here.

We will continue to monitor updates to the draft implementing regulations. Considering the more moderate revisions in this latest update, we anticipate the regulations are nearing their final form, which will help streamline compliance efforts for businesses.


Brian provides advice on global data privacy, data protection, cybersecurity, digital media, direct marketing information management, and other legal and regulatory issues. He is Chair of Baker McKenzie's Global Data Privacy and Security group.


Amy de La Lama has assisted a wide array of companies in addressing legal issues related to global privacy and data collection, data security, information technology and related restrictions on data collection and movement.


Michael advises clients across various industries, including global online businesses, pharmaceutical companies, healthcare providers, manufacturers, financial institutions, sourcing providers, retail companies, and other organizations regarding the legal aspects of global privacy and data protection, data security, information technology, and related restrictions on data collection and transfer.


Harry is a partner based in New York. He advises global organizations on privacy and data security compliance requirements. His practice is focused on delivering commercially practical advice on designing security, privacy, and technologically compliant solutions.


Lothar has been helping companies in Silicon Valley and around the world take products, business models, intellectual property and contracts global for nearly 20 years. He advises on data privacy law compliance, information technology commercialization, interactive entertainment, media, copyrights, open source licensing, electronic commerce, technology transactions, sourcing and international distribution at Baker McKenzie in San Francisco & Palo Alto.


Gary is an associate in the Chicago office. His practice focuses on regulatory and transactional issues in global privacy and data protection, including cross-border data transfers, data security, data breach notification, global privacy, website privacy policies, behavioral advertising, and comprehensive compliance programs.