[co-author: Tawanna Lee]
On Thursday, December 10, 2020, the California Attorney General’s (AG) office released a new set of proposed modifications to the California Consumer Privacy Act (CCPA) regulations. The CCPA regulations were just finalized earlier this year, on August 14, 2020. Since then, the AG has proposed two sets of modifications—one set proposed in October and this latest set of modifications proposed on December 10. The latest proposals are responsive to stakeholder comments received in October and focus on refining opt-out notice obligations.
Businesses subject to the California privacy law should continue to review and enhance their compliance programs to confirm ongoing alignment with the AG’s evolving expectations and guidance.
Specifically, the latest set of proposed changes to the final regulations includes:
- A clarification that businesses who sell—and not merely collect—personal information in “offline” scenarios must provide consumers with a Notice of Right to Opt-Out by an “offline” method.
- A new provision regarding an optional uniform Opt-Out button “to promote consumer awareness of the opportunity to opt-out of the sale of the personal information.” The proposed new provision makes clear that the button “may be used in addition to posting the notice of right to opt-out, but not in lieu of any requirement to post the notice of right to opt-out or a ‘Do Not Sell My Personal Information’ link.” Where businesses choose to use the uniform button, there are specific requirements on placement and size. Note that the AG had previously proposed, then did not move forward with, a similar uniform Opt-Out button earlier in the rulemaking process.
Stakeholders can submit comments on these proposed changes until December 28, 2020.
In addition to this ongoing CCPA rulemaking activity, stakeholders should be prepared for a significant amount of activity that will be launched in the wake of California voters approving the California Privacy Rights and Enforcement Act of 2020 (CPRA), which builds from but will significantly change the CCPA framework. While the CPRA’s obligations on businesses will not become operative until January 2023, rulemaking activity required under the new law must be completed by July 2022, so stakeholders should expect activity to begin in the relatively near term.
Now more than ever, it is crucial that businesses keep their fingers on the pulse of emerging privacy laws in the United States.