The California Attorney General’s office (OAG) recently released a third set of proposed modifications to the California Consumer Privacy Act (CCPA) regulations. This comes on the heels of the second set of modifications the Office of Administrative Law (OAL) approved just two months ago. The third set of proposed modifications restores certain provisions the OAG had previously withdrawn from its draft regulations submitted to the OAL in July, and clarifies and adds illustrative examples to some provisions. Overall, the modifications do not significantly alter the CCPA regulatory landscape and, if accepted, are not likely to impact businesses greatly. Nonetheless, businesses should review the changes, which address the following topics, to confirm that they would not require any adjustment in business practice:
Right to Opt Out of Sale of Personal Information (§§ 999.306 & 999.315):
- Restores requirements previously withdrawn by OAG:
  - 999.306: Proposed regulations would require businesses that collect consumer personal information offline to provide an offline notice to consumers at the time of collection. Examples of offline notices include in-store paper postings and oral notices provided over the phone.
  - 999.315: Proposed regulations would require that submitting an Opt-Out Request involve only minimal steps for the consumer. A business’s opt-out submission process should be easy for consumers to execute and may not be designed with the intent or substantial effect of subverting or impairing a consumer’s choice to opt out. The amendment provides illustrative examples, which include:
    - The opt-out submission process may not require more steps than the opt-in process;
    - A business may not use confusing language (e.g., double negatives) in the opt-out notice;
    - A business may not require consumers to click through or listen to reasons why they should not submit a request to opt out before confirming their request;
    - The opt-out submission process should not require the consumer to provide more information than is necessary to implement the request; and
    - Upon clicking the “Do Not Sell My Personal Information” link, the business may not require the consumer to search or scroll through the text of a privacy policy or similar document or webpage to locate the mechanism for submitting a request to opt out.
Authorized Agent (§ 999.326):
- Proposed Clarification: When a consumer uses an authorized agent to submit a request to know or delete the consumer’s information, the business may require the consumer to provide some form of proof the consumer consented to have the authorized agent submit information on their behalf. Currently, the regulation lists three options, but does not indicate whether a business must select only one, or has the option to require all three of the following:
(1) provide the authorized agent signed permission;
(2) verify the consumer’s own identity directly with the business;
(3) directly confirm with the business that the consumer provided the authorized agent permission to submit the request.
The proposed amendment clarifies that the business must first require the consumer to provide the authorized agent signed permission, and then may also require one of the remaining two options.
Privacy Policy Regarding Children (§ 999.332):
- Proposed Clarification: The proposed amendment added the term “or” so that the provision addresses Section 999.330 (Collection of information from Consumers Under 13 Years of Age) and/or Section 999.331 (Collection of Information from Consumers 13 to 15 Years of Age), such that a business that is subject to one or both sections must provide notice in its privacy policy of how it obtains opt-in consent from either the consumers or their parents.
The California Attorney General’s office is accepting comments through October 28, 2020. Assuming the Attorney General’s office makes no revisions to the proposed regulations after the comment period, the regulations will become effective upon approval by the OAL. The OAL typically has 30 working days to review and approve regulations after they are submitted, though the deadline may be expedited or extended.
The proposed amendments to the CCPA regulations come against the backdrop of Proposition 24 regarding the California Consumer Privacy Right Act (CPRA), which is already in front of California voters following delivery of state-wide mail-in ballot materials. Even if the CPRA – sometimes referred to as CCPA 2.0 – is approved in the November 3, 2020 vote, it will generally not be operative until January 1, 2023 (other than certain provisions, like the creation of the California Privacy Protections Agency, which would become operative on the CPRA’s effective date). Accordingly, the CCPA regulations, including the proposed modifications, if approved, will be effective until at least January 2023, irrespective of the outcome of the vote on the CPRA. Businesses should therefore continue to monitor modifications to, and seek compliance with, the CCPA regulations. We will continue to monitor updates to California privacy law, and report on important developments.