California AG Releases Third Set of Proposed Modifications to CCPA Regulations

Troutman Pepper

On October 12, less than a month before California will vote on a referendum that would significantly overhaul the California Consumer Privacy Act (CCPA), the California attorney general released a third set of Proposed Modifications (Proposed Modifications) to the implementing regulations for the CCPA. These Proposed Modifications come only a few months after the CCPA regulations went into effect on August 14, 2020. This third set is subject to a public comment period, with a deadline to submit written comments by October 28 at 5:00 p.m. PST.

The Proposed Modifications, if adopted, would require the following:

  • Requires Offline Notice of the Right to Opt Out. For businesses that collect personal information offline (e.g., in-person or via telephone), the Proposed Modifications require businesses to provide an offline notice, facilitating consumers’ awareness of their right to opt out. The proposed change includes illustrative examples for compliance. For example, for businesses that collect personal information in a brick-and-mortar store, notice may be provided by “posting signage in the area where the personal information is collected directing consumers to where the notice can be found online.” For businesses that collect personal information over the phone, notice can be provided orally during the call in which personal information is collected. 

  • Encourages Ease of Opt-Out Methods. The Proposed Modifications add a section to the provisions on requests to opt out, requiring that a “business’s methods for submitting requests to [opt out] shall be easy for consumers to execute and shall require minimal steps to allow the consumer to [opt out].” Businesses would also be barred from using an opt-out method that, in the view of the attorney general, is “designed with the purpose or has the substantial effect of subverting or impairing a consumer’s choice to [opt out].” For example, the Proposed Modifications prohibit a business from (1) using “confusing language, such as double-negatives (e.g., ‘Don’t Not Sell My Personal Information’)” when providing the choice to opt out; (2) requiring more steps to opt out than required to opt in to the sale of personal information after having previously opted out, (3) requiring consumers to click through or listen to reasons why they should not opt out, (4) requiring the consumer to “search or scroll through the text of a privacy policy or similar document or webpage to locate the mechanism for submitting a request to [opt out]” after clicking on the “Do Not Sell My Personal Information” link, and (5) requiring the consumer to provide any personal information that is not necessary to complete the opt-out request.

    These Proposed Modifications demonstrate that regulators no longer focus solely on what information a business elects to disclose about its data collection and sharing practices. Rather, how such information is disclosed will be a key factor in deciding whether businesses are being “transparent” about their data privacy practices and, if the Proposed Modifications are adopted as is, if they are complying with the law. It will be interesting to observe whether the attorney general will establish an office for businesses to get “pre-approval” of a designed process to avoid the ambiguity created by this proposed rule.

  • Modifies Proof Required for Authorized Agent. The Proposed Modifications seek to modify the “authorized agent” provision of the implementing regulations by allowing businesses the discretion to require an authorized agent, who is submitting a request to know or a request to delete on behalf of a consumer, to provide “proof that the consumer gave the agent signed permission to submit the request.” Also, businesses can continue to require consumers to directly verify their identity with the business or confirm they provided the authorized agent permission.

  • Clarifies Notices to Consumers Under 16 Years of Age. The Proposed Modifications amend the notice provisions for consumers under the age of 16 to clarify that a business subject to sections 999.330 (for consumers under 13 years of age) or 999.331 (for consumers 13 to 15 years of age) must provide certain disclosures in the business’s privacy policy on the business’s established processes about opting in to the sale of personal information of a consumer under the age of 16.

As the CCPA and its implementing regulations continue to change, especially with the upcoming California Privacy Rights Act (aka CCPA 2.0) on the November ballot, businesses must continue to be up to date with the statutory and regulatory aspects of the law. For information on how to comply with the CCPA, see Troutman Pepper’s article series on CCPA enforcement available here. Also, for information regarding the upcoming CCPA 2.0 set to appear on the California November 2020 ballot, see Troutman Pepper’s article here.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Troutman Pepper | Attorney Advertising

Written by:

Troutman Pepper
Contact
more
less

Troutman Pepper on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.