The California Attorney General’s Office of Administrative Law has approved additional amendments to the California Consumer Privacy Act (CCPA) regulations, which went into effect March 15, 2021. A preliminary version of these new regulations were initially to be submitted as part of the CCPA regulations that went into effect on August 14, 2020, but were ultimately removed from that set of regulations. Instead these four new regulations were pulled from the proposal last minute and were not submitted for review, only to be reintroduced in October 2020 (see article here).
These now-approved modifications are minor and unlikely to greatly impact most businesses. They do, however, provide some useful clarifications and examples regarding previously existing provisions that should provide guidance for affected businesses.
Section 999.306 covers notice of consumers’ right to opt out of businesses’ sales of their personal information. While previous iterations of the section already provided guidelines for businesses that collect consumers’ information online, the amended section provides new guidance and examples for businesses that collect information through offline interactions with consumers (e.g., in-person); and also provides a uniform opt-out icon that businesses can use on their websites. Importantly, the new guidance provided by the amendment allows businesses that collect data offline to provide opt-out notices to consumers through the same means by which they interact with the business (e.g., a business that sells personal information collected over the phone may inform a consumer of their right to opt out over the phone). The amendment clarifies that businesses should notify consumers about personal data collected offline in addition to data collected online, while providing for some flexibility as to the means through which businesses provide that notice.
Section 999.315 covers consumers’ ability to submit requests to opt out of the sale of their personal information. The latest amendment to that provision explicitly prohibits businesses from providing consumers with a method for opting out of sales that is “designed with the purpose” or has the “substantial effect of subverting or impairing a consumer’s choice to opt-out.” The amendment provides examples of prohibited opt-out language or processes, banning things like the use of double negatives or other confusing language or steps.
Section 999.326 covers how businesses verify that an agent is authorized to make opt-out selections on behalf of a consumer. The amended section clarifies that businesses making that verification may ask the purported agent to provide signed permission from the consumer before processing the request. The amendment also allows businesses to ask consumers to verify their own identity and/or confirm that they provided the agent with authorization.
Section 999.332 addresses businesses required to include a description of processes as required by Section 999.330 (Collection of Information from Consumers Under 13 Years of Age) or 999.331 (Collection of Information from Consumers 13 to 15 Years of Age) by changing the qualifying language of the statute from “and” to “and/or.” Whereas before only businesses subject to both 999.330 and 999.331 were required to include a description of processes in their privacy policies, the amendment clarifies that businesses subject to either provision will need to describe its processes in its privacy policy.