My Third Set of Comments to the CA DOJ on the CCPA Regulations

California is in a state of emergency. Our state is facing its worst public health crisis in decades (or possibly ever). Yet, the California DOJ is pushing forward its regulations to the California Consumer Privacy Act (CCPA). It just reiterated that the DOJ will start enforcing its still-not-finalized regulations in three months.

Commenting on the DOJ’s latest regulatory changes was an exceptionally difficult professional challenge for me. As I sorted through the changes, my mind kept drifting towards the Californians who are experiencing life-changing (and possibly life-ending) healthcare challenges, the Californians who are out of work and struggling financially, and the huge number of California businesses that will fail imminently. It was hard to get worked up about the arcanity of CCPA regulations. The concerns they seek to address feel so distant, so trivial, so inconsequential compared to the massive structural social shifts we’re experiencing right now.

Meanwhile, COVID-19 is creating massive privacy concerns, but those concerns are due to potential government abuse of information about citizens–which the CCPA doesn’t address because it doesn’t apply to government actors. If the DOJ wants to represent my interests as a constituent, it would be aggressively protecting us from the efforts to other government entities to build unprecedented surveillance capacity and strip constituents of their civil rights and civil liberties.

* * *

Comments to the California Department of Justice’s (DOJ) Second Set of Revisions
to the California Consumer Protection Act (CCPA) Regulations

March 24, 2020

Privacy Revisions Coordinator
California Office of the Attorney General
300 South Spring Street, First Floor
Los Angeles, CA 90013

By email:

I am a tenured law professor at Santa Clara University School of Law, where I teach Internet Law. This is my third set of comments on the California Department of Justice (DOJ)’s proposed regulations for the California Consumer Privacy Act. My prior two sets of comments:

This time, I am commenting on the second set of revisions dated March 11, 2020. These comments represent only my views and not the views of my employer or any third party.

* * *

Deletion of 999.302

While the prior draft’s exclusion of IP addresses from “personal information” was imperfectly expressed, the idea was in the right direction. Rather than eliminating the idea entirely, the DOJ would fix many problems by excluding IP addresses from the definition of “personal information” solely for purposes of 1798.140(c)(1)(B).

Opt-Out Button

I appreciate the DOJ stepping back from the unworkable proposed opt-out button design. However, now I do not understand how the DOJ plans to comply with 1798.185(a)(4)(C), which mandates that the DOJ establish rules and procedures for the development and use of an opt-out logo or button. Is the DOJ postponing or abandoning that effort?

Transparency Reports

999.317(g) should be deleted entirely because the DOJ has not provided adequate justification for it. The book Full Disclosure by Archon Fung et al lays out multitudinous challenges to properly designing transparency reports. 317(g) conflicts with much of the book’s guidance, especially the uncertainty about who will use the information and how they will use it.

Separately, the newly-added “reasonably should know” qualifier should be deleted because it will force businesses to comply with the rule before actually reaching the 10M threshold. This language makes business anticipate future but uncertain customer growth. As with all numerical thresholds for obligations in the CCPA or regulations, the DOJ should provide a phase-in period so that businesses incur the compliance expenses only after they reach the threshold.


The DOJ should relax the July 1, 2020 enforcement date. California has declared a state of emergency and is on indefinite lockdown due to COVID-19. This is not business as usual.

Instead, these circumstances significantly hamper businesses’ ability to respond to the constantly-changing requirements of the draft regulations. Due to illness or layoffs, some businesses will not have employees available to implement the new requirements. Furthermore, businesses across the state are under extreme financial stress due to the imminent state-wide economic depression; and many businesses have seen their customer base virtually dry up overnight, making it challenging for them to meet the expenses like rent and payroll needed to keep the lights on.

In the face of the unprecedented public health crisis, many businesses will need adequate time to manage the logistics, and absorb the expenses, of complying with the DOJ’s regulations. Forcing businesses to incur additional compliance expenses, on a super-tight timeline, will hurt everyone.

Thank you for considering my comments.

Professor Eric Goldman
Co-Director, High Tech Law Institute
Supervisor, Privacy Law Certificate
Santa Clara University School of Law
500 El Camino Real
Santa Clara, CA 95053


[You can also read my comments in PDF form.]


Prior CCPA Posts

* Comments on the DOJ’s Proposed Modifications to the CCPA Regulations
Eric Goldman’s Comments to the California DOJ Draft Regulations for the Consumer Privacy Act (CCPA) (Part 3 of 3)
Some Lessons Learned from the California Consumer Privacy Act (CCPA), 18 Months In (Part 2 of 3)
Resetting the California Consumer Privacy Act (CCPA)…with 2 Weeks To Go! (Part 1 of 3)
And At the End of the Day, the CCPA Remains Very Much the Same (Guest Blog Post)
A Recap of the Senate Judiciary Committee Hearing on Amending the California Consumer Privacy Act (Guest Blog Post)
Want Companies to Comply with the CCPA? Delay Its Effective Date (Guest Blog Post)
Recap of the California Assembly Hearing on the California Consumer Privacy Act
A Status Report on the California Consumer Privacy Act
41 California Privacy Experts Urge Major Changes to the California Consumer Privacy Act
California Amends the Consumer Privacy Act (CCPA); Fixes About 0.01% of its Problems
Recent Developments Regarding the California Consumer Privacy Act
The California Consumer Privacy Act Should Be Condemned, Not Celebrated
A First (But Very Incomplete) Crack at Inventorying the California Consumer Privacy Act’s Problems
Ten Reasons Why California’s New Data Protection Law is Unworkable, Burdensome, and Possibly Unconstitutional (Guest Blog Post)
A Privacy Bomb Is About to Be Dropped on the California Economy and the Global Internet
An Introduction to the California Consumer Privacy Act (CCPA)