While enforcement of the CCPA began August 14, 2020, the Office of the Attorney General has now proposed a third set of modifications to the CCPA Regulations. They are further described below.
What are the proposed changes?
There are three primary updates to the regulations in the areas of (1) offline opt-outs; (2) rules surrounding opt-outs; and (3) steps for verifying the identity of individuals exercising their rights. Outside of these updates, the major rights and requirements from the previous Regulations remain in place. The modifications are organized in the sequence they appear in the Regulations.
Offline Opt-Outs. The updated Regulations provide examples of how businesses can provide the notice of the right to opt-out of the sale of personal information in offline settings. These methods include:
- Brick-and-mortar: notice can be provided by printing the notice on paper forms that collect the personal information or by posting signs with information about where the notice can be found online in the area where personal information is collected.
- Phone: a business may provide the notice orally during the call when information is collected.
Opt-Out Submission Guidance. The proposed modifications provide further guidance on the methods businesses can provide for individuals to submit requests to opt-out.
- Easy to exercise: the proposed modifications emphasize that requests to opt-out must be easy and require minimal steps for individuals to exercise. For example, the number of steps to opt-out must not be more than the number of steps to opt-in after having previously opted out.
- Clear language: opt-out language should be clear and should not be phrased in a confusing manner. Double-negatives should be avoided.
- No superfluous steps: businesses must not require individuals to click through or listen to reasons why they should not submit a request to opt-out.
Authorized Agent. The proposed modifications clarify the requirements surrounding the proof that a business may require an authorized agent to provide, as well as what the business may require a consumer to do to verify their request.
- Signed permission: businesses may ask authorized agents to provide proof of signed permission to submit the request.
- Verify identity directly: the business may also require the individual on whose behalf the authorized agent submits a request, to verify their own identity directly with the business or directly confirm with the business that they provided the authorized agent with permission.
What to Do?
If your CCPA procedures have been crafted with consideration of the current Regulations, you may consider whether you will need to revise them to incorporate the clarifications from these proposed changes.
The Attorney General will accept comments on this third set of modifications. The deadline to submit written comments is fast approaching on October 28, 2020, at 5 p.m. PST. If considering a comment for submission, please review the “Tips for Submitting Effective Comments” by the Department of Justice, available here.
Written comments may be submitted by email to PrivacyRegulations@doj.ca.gov, or by mail at the address listed below.
Lisa B. Kim, Privacy Regulations Coordinator
California Office of the Attorney General
300 South Spring Street, First Floor
Los Angeles, CA 90013