CCPA Regulations Go Into Effect – With a Few Final Changes

Ballard Spahr LLP

Ballard Spahr LLP

On August 14, 2020, the California Office of Administrative Law (“OAL”) approved in part and withdrew in part the Regulations regarding the California Consumer Privacy Act (“CCPA”).  While most of the changes are non-substantive, the OAL withdrew certain provisions of the Regulations and resubmitted them to the Attorney General’s Office for further review.  Approved sections went into effect immediately.

Among the more notable provisions withdrawn was 999.305(a)(5), which would have required businesses to obtain express consent from consumers before using previously collected information for a materially different purpose.  Rather than obtaining express consent, businesses must comply with Section 1798.100(b) of the CCPA, which prohibits businesses from using personal information “collected for additional purposes without providing the consumer with notice consistent with this section.”  Because initial notice can generally be accomplished through an online privacy policy, it appears that updates to an online privacy policy may suffice if a business intends to start using previously collected personal information for an additional purpose.

The OAL also made three changes relating to consumers’ opt-out right:  (1) withdrawing a provision that required businesses that substantially interacted with consumers offline to provide notice of the right to opt-out via an offline method; (2) withdrawing a provision that required businesses to make the opt-out process to be “easy” and “require minimal steps”; and (3) requiring businesses to entitle their opt-out page as “Do Not Sell My Personal Information” as opposed to “Do Not Sell My Info.”  While the latter change is non-substantive, it is a concrete change that many businesses may need to make.

Finally, while much has been made of the OAL’s withdrawal of a provision stating that businesses may deny a request from an authorized agent that does not submit proof that they have been authorized by the consumer (previously Section 999.326(c)), that may be a change without practical effect.  Indeed, Section 999.326(a)(1) still allows businesses to require that a consumer provide the authorized agent with signed permission to submit requests to know or delete.  And, similarly, Section 999.315(f) allows businesses to deny a request to opt-out submitted by an authorized agent if the agent cannot provide to the business the consumer’s signed permission.  Accordingly, it appears that businesses arguably may be able to deny requests if they are unable to verify that an authorized agent has a consumer’s written permission to submit requests on their behalf.

Under California law, the Attorney General’s Office has one year to resubmit withdrawn sections after further review and possible revision.  Whether or not the Attorney General’s Office revises and/or resubmits those provisions will likely be influenced by whether the California Privacy Rights Act is passed on the upcoming ballot.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Ballard Spahr LLP | Attorney Advertising

Written by:

Ballard Spahr LLP

Ballard Spahr LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.