CCPA regulations: Deadline approaching for comments to proposed modifications

Hogan Lovells
Contact

Hogan Lovells

On October 12, the California Attorney General announced a new set of proposed modifications to the CCPA regulations. Although this third set of proposed modifications is relatively brief, they would reinstate some provisions that were removed at earlier phases of the rulemaking and could impact a number of CCPA compliance efforts. The announcement also signals that the California Attorney General intends to continue refining the CCPA regulations even though they would eventually become displaced if California voters approve the California Privacy Rights Act (Proposition 24)—“CCPA 2.0”—as part of the November 3 election.

The California Attorney General is accepting comments on its proposed modifications until October 28, 2020 at 5:00pm PST, and we provide below an overview of the four changes proposed in this third set of proposed modifications, which can be reviewed in this redline document.

  • 999.306(b)(3) - Clarifies that a business that collects personal information (PI) in an offline context must provide notice of the right to opt-out by an offline method.
    • The revisions also include examples of offline notices (e.g., notice on paper forms used to collect PI; signage in the area where PI is collected).
  • 999.315(h) - Clarifies that a business’s methods for submitting opt-out requests must be easy to use and require minimal steps. A business may not use a method that has the purpose or “substantial effect of subverting or impairing a consumer’s choice to opt-out.”
    • The revisions also include guidance for meeting this requirement (e.g., avoid confusing language; do not require consumers to click through/listen to reasons why they should not submit a request to opt out; do not require the consumer to provide PI that is not necessary to implement the request; after the consumer clicks the DNSMPI link, do not require the consumer to search or scroll through the text of a privacy policy to locate the opt-out mechanism).
  • 999.326(a) - Clarifies the proof that a business may require an authorized agent to provide and the steps a business may require a consumer to take to verify an agent request.
    • This change is largely a reorganization of existing requirements in section 999.326. It clarifies that the agent (instead of the consumer) can be required to provide proof of signed permission form the consumer. A business can still require the consumer to directly verify their own identity with the business or directly confirm with the business that the agent has been authorized to submit the request.
  • 999.332(a) - Clarifies that a business that either has actual knowledge that it sells the PI of consumers under 13 years of age (section 999.330), or has actual knowledge that it sells the PI of consumers over 13 years of age but under 16 years of age (section 999.331), must include a description of the relevant opt-in procedures in its privacy policy.
    • The existing description of this requirement uses the “and” connector between 999.330 and 999.331, which may give the impression that a written description of opt-in procedures is required only if a business is subject to both of those sections.

The notice and text of the third set of proposed modifications can be accessed here and here.

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Hogan Lovells | Attorney Advertising

Written by:

Hogan Lovells
Contact
more
less

Hogan Lovells on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.