The California Office of the Attorney General has issued proposed modifications to the state's California Consumer Privacy Act (CCPA) Regulations. The changes, released on October 12, 2020, have been submitted for comment through October 28, 2020.
The proposed amendments restore the deletions made by the Office of Administrative Law (OAL) in August in connection with:
- Notice of opt out offline
- Ease of the opt-out request process
- Authentication of the authorized agent, with some detail/examples added.
The modifications also make an important clarification involving the content of privacy policies regarding children's information. The changes do not propose the restoration of the section on the need to obtain consent to use an individual's data for a materially different purpose (which was deleted by the OAL in August).
Offline Opt-Out Notice
Businesses that collect information offline are required to provide a notice of the right to opt out offline. For bricks-and-mortar settings, the Regs suggest providing a printed paper notice, and for collection over the phone, providing the notice orally during the call in which the information is collected.
Easy Methods to Opt Out
A business’s methods for submitting requests to opt out shall be easy for consumers to execute and shall require minimal steps to allow the consumer to opt out.
A business shall not use a method that is designed with the purpose or that has the substantial effect of subverting or impairing a consumer’s choice to opt out. (This brings back language similar to the former 999.306(c), which the AG stated in the Final Statement of Reasons was a prohibition against dark patterns.) Specifically:
- The business’s process for submitting a request to opt out shall not require more steps than that business’s process for a consumer to opt into the sale of personal information after having previously opted out.
- A business shall not use confusing language such as double negatives.
- A business shall not require consumers to click through or listen to reasons why they should not submit a request to opt-out before confirming their request.
- The business’s process for submitting a request to opt out shall not require the consumer to provide personal information that is not necessary to implement the request.
Authenticating the Authorized Agent
The amendments would allow a business to require an authorized agent filing a request on behalf of a consumer to provide proof that the consumer gave the agent signed permission to submit the request. The business may also require the consumer to do either of the following:
- Verify their own identity directly with the business
- Directly confirm with the business that they provided the authorized agent permission to submit the request