CCPA Regs Update Covers Opt Outs, Authorized Agents, Children’s Privacy Notice

Fox Rothschild LLP

Fox Rothschild LLP

The California Office of the Attorney General has issued proposed modifications to the state's California Consumer Privacy Act (CCPA) Regulations. The changes, released on October 12, 2020, have been submitted for comment through October 28, 2020.

Key Changes

The proposed amendments restore the deletions made by the Office of Administrative Law (OAL) in August in connection with:

  • Notice of opt out offline
  • Ease of the opt-out request process
  • Authentication of the authorized agent, with some detail/examples added.

The modifications also make an important clarification involving the content of privacy policies regarding children's information. The changes do not propose the restoration of the section on the need to obtain consent to use an individual's data for a materially different purpose (which was deleted by the OAL in August). 

Offline Opt-Out Notice

Businesses that collect information offline are required to provide a notice of the right to opt out offline. For bricks-and-mortar settings, the Regs suggest providing a printed paper notice, and for collection over the phone, providing the notice orally during the call in which the information is collected.

Easy Methods to Opt Out

A business’s methods for submitting requests to opt out shall be easy for consumers to execute and shall require minimal steps to allow the consumer to opt out.

A business shall not use a method that is designed with the purpose or that has the substantial effect of subverting or impairing a consumer’s choice to opt out. (This is brings back language similar to the former 999.306(c) which the AG in the Final Statement of Reasons stated was a prohibition against dark patterns.) Specifically:

  • The business’s process for submitting a request to opt out shall not require more steps than that business’s process for a consumer to opt into the sale of personal information after having previously opted out.
  • A business shall not use confusing language such as double negatives.
  • A business shall not require consumers to click through or listen to reasons why they should not submit a request to opt-out before confirming their request.
  • The business’s process for submitting a request to opt out shall not require the consumer to provide personal information that is not necessary to implement the request.
  • The business shall not require the consumer, upon clicking the “Do Not Sell My Personal Information” link, to search or scroll through the text of a privacy policy or similar document or web page to locate the mechanism for submitting a request to opt out.

Authenticating the Authorized Agent

The amendments would allow a business to require an authorized agent filing a request on behalf of a consumer to provide proof that the consumer gave the agent signed permission to submit the request. The business may also require the consumer to do either of do the following:

  • Verify their own identity directly with the business
  • Directly confirm with the business that they provided the authorized agent permission to submit the request

Addition to Privacy Policy Regarding Children

The Regs clarify that a business that is subject to either Section 999.330 (Collection of information from Consumers Under 13 Years of Age) or Section 999.331 (Collection of Information Consumers 13 to 15 Years of Age), or to both of them, needs to include the information set forth in these sections in its privacy policy.

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Fox Rothschild LLP | Attorney Advertising

Written by:

Fox Rothschild LLP

Fox Rothschild LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.