On August 14, 2020, the California Attorney General announced final approval of the California Consumer Privacy Act Regulations by the Office of Administrative Law.  The Regulations take effect immediately.

While the revisions made to the Final Regulations mostly consist of “non-substantive changes” to correct grammatical errors or clarify the wording of various provisions, business should be aware of the “global modifications” made in a few key areas.  These are summarized below along with our take on what they may mean for businesses:

• Deletion of the prohibition on using personal information for a purpose materially different than that disclosed in the notice provided at the time of collection. Formerly § 999.305(a)(5).  Our take: Flexibility is certainly nice, but approach with caution any use of personal information that may differ from what is stated in the applicable privacy policy.  Regardless of California’s approach, the FTC previously has prosecuted businesses based on material differences between what the business says it will do with personal information and how it actually uses the information.  Additionally, the AG’s Addendum to Final Statement of Reasons indicates that “[t]he OAG may resubmit this section after further review and possible revision.”
• Removal of the requirement for businesses that substantially interact with consumers offline to provide an offline notice regarding the opt-out of sales of personal information. Formerly § 999.306(b)(2).  Our take: This may provide some relief for businesses that would otherwise need CCPA-related disclosures on their stores’ checkout counters or paper receipts, but may go largely unnoticed by consumers given that Covid-19 and California’s stay-home orders are keeping so many consumers away from stores.  Note also that this provision is amenable to revision and resubmission by the AG.
• Deletion of the requirement that businesses provide consumers with a means to opt-out of the sale of personal information that is “easy for consumers to execute” and not “designed with the purpose . . . of subverting or impairing a consumer’s decision to opt-out.” Formerly § 999.315(c).  Our take: Don’t get carried away.  The AG certainly will not look favorably on any opt-out mechanism designed to obfuscate consumers’ opt-out rights regardless of what is expressly stated in the Regulations.
• Removal of language stating that a “business may deny a request from an authorized agent that does not submit proof that they have been authorized by the consumer to act on their behalf.” Formerly § 999.326(c).  Our take: On its face, this is a puzzling change, which seems to leave businesses with the obligation to respond to requests by authorized agents even when the identity of the requesting agent cannot be verified.  Note, however, that the updated § 999.315(f) allows businesses to “deny a request from an authorized agent if the agent cannot provide to the business the consumer’s signed permission demonstrating that they have been authorized by the consumer to act on the consumer’s behalf.”  Verifying the consumer’s identity directly remains an option, and may be the best choice when potentially faced with unverifiable requests from alleged agents of consumers in order to minimize the risk of disclosing information to malicious actors.
• Elimination of the phrase “Do Not Sell My Info” as one of the options for businesses to make consumers aware of their right to opt-out of the sale of their personal information. According to the Addendum to the Final Statement of Reasons, this phrase was deleted throughout the Regulations in order “to align with the express language of the statute.”  Our take: If you are a business that used the phrase “Do Not Sell My Info” on your website, it is no doubt annoying to remove that language and replace it with “Do Not Sell My Personal Information.”  Fortunately, the substantive aspects of opting consumers out of sales remain unchanged.
• The Regulations revised several references to “minors” to instead use the more inclusive term “consumers.” However, the applicable rules and cutoff ages for the requirements remain unchanged.  Our take: The Addendum to the Final Statement of Reasons seems to indicate that the primary motivation for this change was conforming the Regulations with the specific language used in the CCPA statute.  It is a bit strange that a revision involving two terms carrying legal significance came so late in the history of these Regulations, but the rules for compliance remain as before.   

Unfortunately, while the Addendum to the Final Statement of Reasons explains what changes were made, it provides no detail as to why.  Thus, it is difficult to say with certainty how these changes might impact the AG’s enforcement of the CCPA.  At long last, though, the final rules are in place.  That is, unless the California Privacy Rights Act passes in November . . .