On October 12, 2020, the California Department of Justice (“Department”) released its first set of proposed post-finalization modifications to the California Consumer Privacy Act Regulations (the “CCPA Regulations”).
As many businesses know, the CCPA Regulations were finalized on August 14, 2020. The Department styled these new modifications as a “Third Set of Proposed Modifications” to the CCPA Regulations, suggesting that it sees them as related to the two rounds of modifications it proposed before the Regulations were finalized. (You can read our summaries of the key impacts of these prior modifications here (first round of modification) and here (second round of modifications)).
While the Department’s new proposed modifications are modest in volume, they contain potentially significant impacts for businesses. If passed in their current form, the modifications would modify the CCPA Regulations as follows:
(1) Required Offline Opt-Out Notices Would Return: Pre-finalization drafts of the Regulations required businesses that “substantially interact with consumers offline” to provide an offline notice to consumers about their right to opt-out of data sales. However, this requirement was deleted as the Regulations were finalized during review by California’s Office of Administrative Law.
- The Department’s new proposed modifications would reintroduce the requirement to provide offline opt-out notices whenever a “business … collects personal information in the course of interactions with consumers offline.”
- As illustrations of how this required offline notice can be provided, the modifications state that “brick-and-mortar store[s]” may provide notice by (a) “printing the notice on the paper forms that collect the personal information” or by (b) posting signage in “the area where the personal information is collected.” Likewise, businesses that collect personal information over the phone may provide notice orally “during the phone call where such personal information is collected.”
(2) The Requirement for “Easy” Opt-Outs Would Return – with Specified Prohibited Practices: Pre-finalization draft of the Regulations required businesses’ methods enabling consumer to make Opt-Out requests to be “easy for consumers to execute and  require minimal steps.” Again, however, this requirement was deleted as the Regulations were finalized during review by California’s Office of Administrative Law.
- The Department’s new proposed modifications would reintroduce verbatim the requirements that (a) “[a] business’s methods for submitting requests to opt-out shall be easy for consumers to execute and shall require minimal steps,” and (b) opt-out submission methods cannot “subvert or substantially impair” consumers’ choice to opt-out.
- The new proposed modifications contain a list of prohibited opt-out practices, potentially derived from the California Attorney General’s initial experience enforcing the CCPA. For example, businesses cannot:
- Use confusing double-negative language (e.g., “Don’t Not Sell My Personal Information”),
- Require consumers to click through or listen to reasons why they should not submit an opt-out request;
- Require consumers to provide personal information not necessary for the opt-out request; or
(3) Businesses Could Ask Authorized Agents for Proof of their Authority (and Would Not Need to Go to the Consumer): The new proposed modifications would clarify that, when businesses receive a CCPA request from an individual purporting to act as a consumer’s authorized agent, they can require the authorized agent to provide proof it has written permission to act for the consumer. Under the current Regulations, businesses would have to go to the consumer to obtain this proof.
A redline showing the proposed changes based on the currently effective regulations is available here. The proposed modifications are open for public comment until Wednesday, October 28, 2020.