On March 15, 2021, California Attorney General Xavier Becerra announced additional California Consumer Privacy Act (CCPA) regulations. These new changes went into effect on March 15, 2021.
Currently, businesses that must comply with the CCPA and that “sell” personal information under the law are required to provide a right to opt-out notice in a way that “is easy to read and understandable to consumers.” For businesses with webpages, consumers should be directed to click the “Do Not Sell My Personal Information” link if the consumer wishes to opt out.
Since enforcement of the CCPA began, there has been some confusion about the proper procedures for businesses that collect personal information offline. The new amendments now require businesses to provide consumers an offline method for submitting an opt-out request. For example, if the business is a brick-and-mortar store, the business “may inform consumers of their right to opt-out on the paper forms that collect the personal information or by posting signage in the area where the personal information is collected.”1 The notice to consumers will inform the consumer where her/his personal information is collected and where the opt-out information can be found online. The regulations also state that the right to opt-out may be provided over the phone.
The new amendment also permits businesses to add an opt-out icon, in addition to the right to opt-out notice. The Attorney General has noted that the use of this “icon” is optional. The only requirement is that the icon must be approximately the same size as any other icons used by the business on its webpage. The icon may not be used as an alternative to the requirement to provide a “Do Not Sell My Personal Information” opt-out notice. Thus, on balance, it is unlikely that many businesses will add the icon to their website.
Businesses can download the icon here.
Businesses are now required to make the methods for submitting requests to opt-out easy for consumers to execute with minimal steps. When determining how to design a business’s opt-out method, “the number of steps for submitting a request to opt-out is measured from when the consumer clicks on the ‘Do Not Sell My Personal Information’ link to completion of request.”2 For example, the process for submitting a request to opt-out cannot require more steps than the steps required for a consumer to opt-in to the sale of personal information after having opted out.
The regulation has also been amended to allow a business to require an authorized agent to provide proof that the consumer gave the agent signed permission to submit an access or deletion request. The prior language of the regulation suggested that the business could only direct such a request to the consumer.
1. Cal. Civ. Code § 999.306 (b)(3)(a).
2. Cal. Civ. Code § 999.315(h)(1).