On Friday, August 14, 2020, the California Office of Administrative Law (OAL) approved the California Office of the Attorney General’s (OAG) Final CCPA Regulations (the “Regulations”) and filed them with the California Secretary of State. The Regulations became effective immediately.
The OAL-approved Regulations contain several modifications from prior versions. While many of the changes are purely stylistic, several changes substantively affect CCPA compliance moving forward. This article addresses key substantive changes. For a complete review of these modifications, please see the OAG Addendum to the Final Statement of Reasons.
1. Opt-Out Links May No Longer Read “Do Not Sell My Info”. Previously, the Regulations permitted businesses to shorten their opt-out links so they read “Do Not Sell My Info” instead of the full “Do Not Sell My Personal Information.” The final OAL-approved Regulations remove the ability to use the short-form “Do Not Sell My Info.” Accordingly, businesses must now update their links to expressly use the language “Do Not Sell My Personal Information.”
2. No Requirement for an Offline Notice of Right to Opt-Out – but other Offline Notice Obligations May Remain. Prior drafts of the Regulations required businesses that “substantially interact with consumers offline” to provide an “offline” notice of the right to opt-out (see the former § 999.306(b)(2)). This requirement has since been deleted, potentially easing opt-out compliance for companies with significant retail presences. But note, other aspects of the final Regulations may continue to require companies to provide offline notices or methods for submitting rights requests:
- For example, when companies collect data offline, the Regulations still suggest using signage or paper forms to provide a notice of collection “where consumers will encounter it at or before the collection of any personal information” (see § 999.305(b)(3)).
- Additionally, businesses that “interact with consumers in person” must still “consider” providing in-person methods for submitting requests to Know or Delete personal information (see § 999.312(c)).
3. No Express Requirement to Obtain Consent Prior to New Material Uses of Personal Information. Prior drafts of the Regulations required businesses to obtain “explicit” consumer consent before using personal information “for a purpose materially different than those disclosed in the notice at collection” (see the former § 999.305(a)(5)). This provision has been deleted in full. However, this change does not affect separate and longstanding FTC guidance on the need to provide notice and obtain consent before using previously collected consumer personal information for materially new purposes.
4. Authorized Agent Requests – The Rules Have Moved Around but Not Changed. Prior drafts of the Regulations expressly permitted a business to “deny a request from an authorized agent that does not submit proof that they have been authorized by the consumer to act on their behalf” (see the former § 999.326(c)). This provision was removed. But note, § 999.315(f) of the Regulations remains and now permits businesses to deny agent-submitted requests “if the agent cannot provide to the business the consumer’s signed permission demonstrating that they have been authorized by the consumer to act on the consumer’s behalf.” Thus, it appears this rule has not changed, but has instead moved to a new location.
5. No Express Requirement for “Easy” Opt-Out Methods. The Final Regulations deleted a requirement for businesses to make “methods for submitting requests to opt-out … easy for consumers to execute and … require minimal steps to allow the consumer to opt-out” (see the former § 999.315(c)). For companies that have made their opt-out links readily available, this change is unlikely to make much of a practical difference.