On August 14, 2020, Attorney General Xavier Becerra announced that the Office of Administrative Law (OAL) approved final regulations under the California Consumer Privacy Act (CCPA), making them effective immediately. In early June, a set of proposed regulations was submitted to the OAL for review and was expected to be finalized within ninety days. However, on July 29 – two months into the review period – the Attorney General submitted an “Addendum to Final Statement of Reasons” which withdrew certain provisions from consideration by the OAL. The Addendum states that the Attorney General may resubmit the deleted sections “after further review and possible revision.” Although the version approved by the OAL does not contain the deleted provisions, businesses must stay tuned to see how the regulations evolve.
For the time being, the final CCPA regulations do not contain, and the Attorney General will not enforce, the following proposed provisions:
- Section 999.305(a)(5) contained language requiring businesses to obtain consumers’ explicit consent before using their personal information for any new business purpose. Some businesses argued that this requirement was an impermissible extension of the original statute, which required notice of the new use, not to the new use.
- Section 999.306(b)(2) contained a requirement that businesses, including brick-and-mortars, that substantially communicate with their customers offline tell those customers about their rights to opt out of data collection through paper notices or signs directing them to a website policy. For the time being, businesses can rely exclusively on their website notice to advise on consumers’ rights.
- Section 999.315(c) contained a requirement that a business’s methods for submitting the request to opt-out must “be easy for consumers to execute” and “require minimal steps to allow the consumer to opt-out.” The deleted section also prohibited businesses from using a method “designed with the purpose or [that] has the substantial effect of subverting or impairing a consumer’s decision to opt-out.”
- Section 999.326(c), permitted a business to deny a request from a customer’s agent who does not offer proof they’ve been authorized by that customer to act on their behalf. However, the final regulations still require that an “authorized agent” be registered with the Secretary of State to conduct business in California.
- In sections 999.305(b)(3), 999.305(f)(1), 999.306(b)(1) and 999.315(a) the phrase “Do Not Sell My Info” has been deleted, eliminating the option for businesses to use the phrase on a hyperlink directing consumers to privacy choices. Therefore, in order to track the statute’s language, businesses should use “Do Not Sell My Personal Information.”
Now that the regulations are final, and effective, the Attorney General will turn to the job of enforcing the many requirements of the CCPA. Businesses who were awaiting additional guidance shall look no further.