On August 14, 2020, the California Office of Administrative Law (“OAL”) approved the final implementing regulations pursuant to the California Consumer Privacy Act of 2018 (“CCPA”). This final and approved version of the CCPA regulations went into effect immediately and contains a last round of revisions to language that has been refined across several iterative drafts. While the majority of the changes are grammatical in nature and will have no effect on CCPA compliance requirements, there were a few substantive changes that could impact certain businesses.
What’s New in the Final CCPA Regulations
The proposed final regulations were submitted to the OAL by California Attorney General, Xavier Becerra, (“California AG”) on June 1, 2020. During OAL’s review process, additional revisions were made to the regulations. Besides grammatical cleanup, the final regulations contain relatively minor, but meaningful, revisions that better align the CCPA regulations with the statutory CCPA requirements. For a comprehensive redline showing the full changes from the proposed CCPA regulations submitted June 1, 2020, to the final CCPA regulations approved and now in effect, click here. Please note that Orrick has prepared this redline, and it is not prepared by or officially issued by the State of California. The State of California has, however, published an Addendum to the Final Statement of Reasons, which contains bullet point lists of all of the changes contained in the final CCPA regulations.
Definition of “Financial Incentive” Aligned with Statutory Definition. Section 999.301(j).
The definition of “financial incentive” was revised to change the word “retention” back to “deletion” to “align with the express language of the statute.” The definition now reads: “Financial incentive” means a “program, benefit, or other offering, including payments to consumers, related to the collection, deletion, or sale of personal information.”
Changing “retention” back to “deletion” may reflect an attempt by the OAL to more closely align with the statutory requirements for financial incentives and reject the California AG’s attempt to expand the definition beyond the necessary connection between the exercise of CCPA rights and the benefit, price or service differential. This change may strengthen the argument of businesses seeking to interpret the financial incentive requirements to apply to a narrower subset of benefits or price or service differentials.
“Do Not Sell My Info” No Longer Permitted as Substitute for “Do Not Sell My Personal Information” Link. Section 999.305(b)(3) and other sections.
The option to provide a link titled, “Do Not Sell My Info” instead of “Do Not Sell My Personal Information” has been removed from the CCPA regulations. Businesses currently using the shortened version of the “Do Not Sell” link should modify the text of the link to “Do Not Sell My Personal Information.”
Denial of Authorized Agent Requests Reworked. Section 999.315(f) and Section 999.326 (formerly, Section 999.326(c)).
The ability to deny a request to opt out from an authorized agent “that does not submit proof” of authorization was changed to the ability to deny a request from an authorized agent “if the agent cannot provide to the business the consumer’s signed permission demonstrating that they have been authorized by the consumer to act on the consumer’s behalf.” This revision further clarifies that the authorization validation techniques in Section 999.326 are not carried over to the right to opt out, for which a lower bar of signed permission is sufficient.
The provision permitting a business to “deny a request from an authorized agent that does not submit proof that they have been authorized by the consumer to act on their behalf” has been deleted from Section 999.326. Although this change appears significant on the surface, it is unlikely to have any real impact on businesses because:
- Section 999.326 retains provisions setting forth the type of proof required to validate an agent’s authorization for requests to know and delete (i.e., power of attorney or signed permission, verification of identity and direct confirmation).
- Civ. Code § 1798.140(y) provides that a business is not obligated to provide information in response to a request to know or request to delete if the business cannot verify the person making the request is a person authorized by the consumer to act on the consumer’s behalf.
- Section 999.315(f) retains an explanation of when a business can reject a request to opt out from an agent (i.e., if the agent cannot provide to the business the consumer’s signed permission”).
Use Limitation Principle and Explicit Consent Requirement Removed. Section 999.305(a) (formerly, Section 999.305(a)(5)).
The final CCPA regulations removed:
- The provision requiring a business to not use a consumer’s personal information for a purpose materially different than those disclosed in the notice at collection; and
- The requirement to provide direct notice and obtain explicit consent from a consumer before using previously collected personal information for a purpose materially different than what was previously disclosed to the consumer in the notice at collection.
The Office of the Attorney General “may resubmit this section after further review and possible revision.”
Offline Notice Requirement Dropped. Section 999.306(b) (formerly, Section 999.306(b)(2)).
The requirement for a business that substantially interacts with consumers offline to provide notice of the right to opt out to the consumer by an offline method that facilitates consumer awareness of their right to opt out has been removed. The Office of the Attorney General “may resubmit this section after further review and possible revision.” Although this revision may provide some businesses greater latitude with respect to the Notice of the Right to Opt Out, there is still a requirement in Section 999.306(c) of the CCPA regulations to include in the Notice of Right to Opt Out “the offline method by which the consumer can submit their request to opt-out” if the business does not operate a website.
Requirements that Methods for Opting Out be “easy for consumers to execute” and “require minimal steps” Removed. Section 999.315 (formerly, Section 999.315(c)).
The requirements that a business’s methods for submitting requests to opt out shall be easy for consumers to execute and shall require minimal steps to allow the consumer to opt out have been removed from the CCPA regulations. In addition, the regulations also removed the restriction of a business to use a method that is designed with the purpose or has the substantial effect of subverting or impairing a consumer’s decision to opt out. The Office of the Attorney General “may resubmit this section after further review and possible revision.”
Although this removes the California AG’s express restriction on actions that would make opting out of sales more difficult, the California AG is still likely to view multistep, opt-out methods perceived to impede a consumer’s right to opt out as being inconsistent with the requirements of the CCPA. As a result, businesses should still take the amount of effort required by a consumer to opt out into consideration when designing opt-out methods.
In summary, while the final CCPA regulations introduce some meaningful revisions from the last draft of the proposed CCPA regulations, the cumulative impact of these revisions is likely to be minor for companies who already began updating their CCPA compliance controls to address the prior sets of proposed regulations. However, businesses that have not yet started updating their CCPA compliance program to address the regulations are now faced with materially different and additional obligations with no grace period to implement the necessary updates.
Businesses in either situation should sit down with internal or external counsel to prepare a priority-action item list designed to address the CCPA regulations promptly. Prioritizing external requirements, such as those relating to privacy notice disclosures and the handling of consumer requests, may buy businesses some time while working through the more nuanced, back-end obligations.
 The second set of modifications to the proposed CCPA regulations – available here (clean) and here (redline) – reflected input gathered during the public comment period for the first set of modifications, which concluded on February 25, 2020. The first draft of the proposed regulations and the first set of modifications, as well as the public comments and the transcripts and audio of the public hearings, are available on the California AG’s CCPA webpage. Our summary of the second set of modifications is available here, our summary of the first set of modifications is available here, and our summary of the original draft of the proposed CCPA regulations is available here.