[co-author: Patrick Waldrop]

On Monday, Oct. 12, the California Office of the Attorney General (the Attorney General or OAG) released a third set of proposed modifications to the California Consumer Privacy Act (CCPA) regulations (the Regulations). The full text can be found on the Attorney General’s website here. The proposed modifications to the Regulations are limited to four sections. While the proposed changes are relatively minor in substance, they nevertheless provide helpful and important guidance on the following topics:

1. Requirement to provide notice at collection (and prohibition of new or secondary uses of personal information);
2. Requirement for offline notice of right to opt-out;
3. Requirement to make it “easy” for consumers to submit opt-out requests;
4. Methods for verifying an authorized agent request; and
5. Requirements for Notices to Minors Under 16 Years of Age.

Requirement to Provide Notice at Collection

What is perhaps most noteworthy is what is not included in this rulemaking package. In the Final Regulations, which went into effect on August 14 four sections from the latest rulemaking package were withdrawn: proposed Sections 999.305(a)(5), 999.306(b)(2), 999.315(c), and 999.326(c). The latest rulemaking as of October 12 includes revisions that modify Sections 306, 315 and 326 but does not include revisions to address what had been proposed as Section 305(a)(5) and was subsequently withdrawn.

This is interesting to note because the previous language proposed as Section 999.305(a)(5) had allowed businesses some wiggle room to argue that a new notice at collection is not required if the anticipated use of personal information is not “materially different” than those disclosed in the notice at collection. The previous, now withdrawn, proposal had also allowed businesses to use a consumer’s previously collected personal information for a purpose materially different from what was previously disclosed to the consumer in the notice at collection, if the business directly notified the consumer of this new use and obtained explicit consent from the consumer .

As discussed in our earlier blog post, this puts the emphasis on the accuracy and understandability of the pre-collection notice and underscores the importance of carefully drafting collection-specific notices and privacy policies. Without further guidance from the OAG, Section 999.305(a)(1) requires businesses to provide consumers with notice, at or before the point of collection, about the categories of personal information to be collected and the purposes for which the personal information will be used. Without revised regulations on this requirement, businesses no longer have the benefit of this materiality test when assessing whether the new or secondary uses of the personal information would be allowed under the CCPA.

Requirement for Offline Notice of Right to Opt-Out

The first proposed modification is in Section 999.306, Notice of Right to Opt-Out of Sale of Personal Information. The OAG added Section 999.306(b)(3), which makes clear that “a business that collects personal information in the course of interacting with consumers offline” must provide offline notice to consumers of their right to opt out of the sale of their personal information. The revised language is substantially similar to the version that was withdrawn on Aug. 14. What is interesting to note is that the previous version included a qualifier so that “a business that substantially interacts with consumers offline [emphasis added]” would be required to provide notice to the consumer by an offline method. The revised language no longer has that qualifier, so presumably any business that collects personal information offline must carefully look at whether a separate offline notice of the right to opt-out will be needed.

The new Section 999.306(b)(3) provides examples of scenarios in which offline collection may occur and ways a business could meet the requirement:

• Example (a) addresses businesses that “collect[] personal information in a brick-and-mortar store” and explains that those businesses can meet the notice requirement either by “printing the notice on the paper forms that collect the personal information or by posting signage in the area where the personal information is collected” that points consumers to an online notice.
• Example (b) states that “[a] business that collects personal information over the phone may provide the notice orally during the call where the information is collected.”

Requirement to Make It “Easy” for Consumers to Submit Opt-Out Requests

The new Section 999.315(h) is the exact same text as was previously proposed by the OAG and subsequently withdrawn. What is different from the previous proposal is that this proposal includes examples of how to comply with the requirement that the process of submitting an opt-out request be “easy” and require “minimal steps.” Under the revised Regulations, businesses are prohibited from creating an opt-out process “designed with the purpose or ha[ving] the substantial effect of subverting or impairing a consumer’s choice to opt-out.” Five examples included in this proposal illustrate opt-out procedures that, in the OAG’s eyes, would make it difficult for consumers to submit an opt-out request. According to the new examples, a business’s opt-out request procedure cannot do any of the following:

• Take more steps than the process to opt back into sales after having opted out;
• Use confusing language like double-negatives;
• Force consumers to “click through or listen to reasons why they should not submit a request to opt-out” in order to submit such a request;
• “Require the consumer to provide personal information that is not necessary to implement the request”; or
• Require scrolling or searching through a webpage like a privacy policy to find the opt-out request method after the consumer clicks a Do Not Sell My Personal Information button.

Methods for Verifying an Authorized Agent Request

The next proposed change applies to consumer requests submitted by an authorized agent. Section 999.326(a) previously allowed businesses to require that the consumer “provide the authorized agent [with] signed permission” to submit a request on the consumer’s behalf. The Attorney General now proposes shifting this burden of providing signed permission from the consumer to the authorized agent. When a consumer uses an authorized agent to submit a request to know or a request to delete, a business may require the authorized agent to provide proof that the consumer gave the agent signed permission to submit the request. The revisions do not make any changes to the other two methods by which a business may verify a consumer’s request: (1) reaching out to the consumer directly to verify the consumer’s identity and/or (2) asking the consumer to confirm that agent has the consumer’s permission to submit the request.

Requirement for Notices to Minors Under 16 Years of Age

Finally, the Attorney General adds the word “or” to Section 999.332(a) to clarify that Section 999.332 applies to businesses subject to Section 999.330 or Section 999.331 or both Sections 999.330 and 999.331. In the simplest terms, 999.330 discusses how businesses must handle authorization by parents or guardians of sales of personal information about their child under age 13, while 999.331 addresses opt-in requests from minors between the ages of 13 and 16. Section 999.332(a) requires businesses that process personal information regarding children under 16 to explain their obligations under 999.330 and/or 999.331 in their privacy policies. Prior to the proposed modification, it was possible to interpret this requirement as applying only to businesses that were subject to both 999.330 and 999.331. Although this was not one of the sections withdrawn in August or one for which we anticipated revisions, this appears to be a technical correction.

Key Takeaways

All in all, the proposed modifications provide narrowly tailored guidance that will help businesses understand their obligations under the CCPA. The additions to Section 999.315, in particular, offer a number of noteworthy glimpses into what the Attorney General is looking for when it comes to a business’s obligations to provide an “easy” way to submit opt-out requests. The examples provided in this latest rulemaking will have operational consequences, and thus we recommend that legal teams work with IT and privacy operations teams to evaluate any changes to CCPA programs that may be needed.

Taken together, the revisions to the Regulations make clear that the Attorney General is focused on reducing the friction consumers experience when attempting to exercise their CCPA rights. The Attorney General is accepting comments on the proposed modifications through Wednesday, October 28, at 5 p.m. Pacific time.

We will continue to monitor whether the OAG submits revised rules to address the notice at collection requirement for new or different uses under Section 999.305. Although this latest set of proposals was submitted just in time to meet the one-year requirement to submit rulemaking under existing authority (which began on October 11, 2019), we understand the governor may extend the one-year deadline by 60 calendar days, which may give the OAG until December 10 to submit any new or revised rules, including in Section 305 (see Executive Order N-40-20).

We will also be monitoring the election results to see whether the California Privacy Rights Act (CPRA) passes on November 3. If it does pass, we can expect additional rulemaking activity, as the act would create and fund the California Privacy Protection Agency, which will have the power to issue rulemaking and enforce the CPRA.