But Wait, There Really Is More: California AG Releases New Proposed Modifications to the Final CCPA Regulations
Despite the belief of many that implementation of the California Consumer Privacy Act (CCPA) was largely complete — including the author, who recently published a CCPA alert titled “It’s Finally Final” — the California attorney general recently threw covered businesses a bit of a curveball, issuing a third set of proposed changes to the now-“final” CCPA implementing regulations. Fortunately for those overseeing CCPA compliance, the revisions are largely clarifications of the existing regulations rather than fundamental changes. Interested stakeholders have until 5:00 p.m. Pacific Time on Wednesday, October 28, to submit comments to PrivacyRegulations@doj.ca.gov.
There are four proposed revisions:
1. Clarification on “brick-and-mortar” notice of opt-out right. A predominantly “offline” covered business is still required to comply with the CCPA’s requirement to provide customers notice of their right to opt-out if it collects their personal information. The revision provides two examples:
- If the information is collected via paper forms, the notice may be provided on the forms themselves or on a sign in the same area of the store directing consumers to the company’s online notice.
- If the information is collected over the phone, the notice may be provided orally during the same call.
2. Clarification on ease of submitting opt-out requests. The second revision provides illustrative “dos and don’ts” for the opt-out process. The process must:
- be easy to execute
- require minimal steps
- not be designed to impair, or have the effect of impairing, the consumer’s choice to opt-out
- not use confusing language, such as double negatives
- not force the consumer to read or hear reasons not to opt-out
- not request more personal information than is necessary to implement the request
- not use more steps to opt-out than are required to opt-in after having previously opted out
- not require the consumer to scroll through a privacy policy or text on a webpage to find the opt-out procedure after clicking the “Do Not Sell My Personal Information” link on the company’s homepage. Note: in practical terms, this means that the “Do Not Sell My Personal Information” link should take the user directly to either (i) the opt-out webform or (ii) the portion of the CCPA privacy policy containing the opt-out instructions and link (rather than to the top of the CCPA privacy policy webpage).
3. Clarifications regarding authorized agents. The third revision clarifies what must be provided to the business if a request to know or a request to delete is submitted through an authorized agent. In such a scenario, the business may require the agent to provide proof that the consumer gave the agent signed authorization. In addition, the business may also ask the consumer to either:
- verify his or her own identity directly with the business, or
- directly confirm to the business that they gave the agent permission to submit the request.
4. Clarification regarding notices to consumers under age 16. This change clarifies that a business that is aware that it sells the personal information of children 15 years of age or younger must include in its CCPA privacy policy both the required information regarding the opt-in process for the sale of personal information of children under age 13 and the analogous required information for children between the ages 13 and 15.
The author has learned his lesson and will no longer promise any finality with regard to the CCPA — particularly as the California Privacy Rights and Enforcement Act, which will build on and expand the CCPA, is set to be voted on by the California electorate in less than two weeks.
The material contained in this communication is informational, general in nature and does not constitute legal advice. The material contained in this communication should not be relied upon or used without consulting a lawyer to consider your specific circumstances. This communication was published on the date specified and may not include any changes in the topics, laws, rules or regulations covered. Receipt of this communication does not establish an attorney-client relationship. In some jurisdictions, this communication may be considered attorney advertising.