CCPA Update: New Regulations Approved

Husch Blackwell LLP

Keypoint: Modifications to the CCPA regulation’s provisions regarding requests to opt-out and authorized agent requests are now final.

On March 15, 2021, the California Attorney General’s office announced that the Office of Administrative Law has approved the Attorney General’s proposed changes to the CCPA regulations. The new regulations make three general changes relating to the right to opt out of sales and one change to authorized agent requests. In addition, the Attorney General’s press release reaffirms that enforcement activities are proceeding.

Changes to Right to Opt Out Provisions

Offline Collection and Notices

A business that sells personal information that it collects offline is now specifically required to inform consumers in an offline method of their right to opt-out and to provide consumers with instructions on how to submit an opt-out request. The regulations explain that the notice can be provided on paper forms that collect information, through signage in the area where personal information is collected, or over the phone.

Opt-Out Icon

The regulations now authorize (but do not require) the use of an opt-out icon (see picture below) that “may be used in addition to posting the notice of right to opt-out, but not in lieu of any requirement to post the notice of right to opt-out or a ‘Do Not Sell My Personal Information’ link.”

Of note, when the regulations were originally proposed they referred to this as a “button” whereas it is now referred to as an “icon.” The prior version of the proposed regulations also included a paragraph stating that “[w]here a business posts the ‘Do Not Sell My Personal Information’ link, the opt-out button shall be added to the left of the text as demonstrated below. The opt-out button shall link to the same Internet webpage or online location to which the consumer is directed after clicking on the ‘Do Not Sell My Personal Information’ link.” That paragraph was deleted from the final approved regulations. The only requirement that remains for the icon is that it “shall be approximately the same size as any other icons used by the business on its webpage.”

Also of note, the Attorney General’s press release specifically refers to the icon as “optional.”

Businesses can download the icon here.

Ban on Dark Patterns and Other Methods that Obstruct Opt-Outs

Businesses are now required to make submitting requests to opt out “easy for consumers to execute” and must “require minimal steps to allow the consumer to opt-out.” Businesses are also precluded from using “a method that is designed with the purpose or has the substantial effect of subverting or impairing a consumer’s choice to opt-out.”

The regulations provide five examples, including that businesses should not (1) use confusing language, (2) require consumers to click through or listen to reasons why they should not opt-out, and (3) require consumers to scroll through privacy policies or similar documents after clicking the “Do Not Sell My Personal Information” link.

Changes to Provisions for Making Authorized Agent Requests to Know and Delete

The regulations now state that a business may require an authorized agent to provide proof that the consumer gave the agent signed permission to submit the request. The prior regulations placed that optional requirement on the consumer.

A business still may require the consumer to either verify their own identity with the business or directly confirm with the business that the consumer provided the authorized agent permission to submit the request.


The Attorney General’s press release made two comments with respect to enforcement that are worth flagging.

First, the press release states: “Since CCPA enforcement began on July 1, 2020, the Department has seen widespread compliance by companies doing business in California, especially in response to notices to cure.”

Second, the press release notes that although “[s]ome of the Attorney General’s responsibilities under the CCPA will transition over to the California Privacy Protection Agency created under the CPRA” the Attorney General will still “retain the authority to go to court to enforce CPRA.”

The Attorney General’s statements are a reminder that enforcement actions under the CCPA are proceeding and will continue to proceed. In addition, the statement clarifies a potential misconception that the Attorney General’s office will be relinquishing all enforcement authority when the CPRA goes into effect. Rather, the office will retain certain enforcement authority that will be in addition to the enforcement authority granted to the California Privacy Protection Agency.

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Husch Blackwell LLP | Attorney Advertising

Written by:

Husch Blackwell LLP

Husch Blackwell LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.