On December 10, 2020, California's Department of Justice (DOJ) released another set of proposed modifications to the California Consumer Privacy Act (CCPA) implementing regulations (the "Regulations"). As we previously reported, the DOJ last issued modifications in October 2020, just two months after the Regulations were finalized and took effect.
The latest draft addresses feedback that the DOJ received in response to its October modifications, and the new edits center around consumers' right to opt out of the sale of their personal information, both online and offline. They include:
- Opt-Out Notices for the Sale of Personal Information
(§ 999.306(b)(3)). The modified Regulations clarify that only a business that sells personal information that it collects in the course of interacting with consumers offline (e.g., in a brick-and-mortar store or over the phone) must inform consumers, via an offline method, of their right to opt out of the sale of their personal information, as well as provide instructions on how consumers may submit an opt-out request. That said, the separate requirement for a business to make its "notice at collection" available offline stands, regardless of whether the business sells personal information.
- Opt-Out Button (§ 999.306(f)). The proposed modifications depict an opt-out button, shown below, that a business that sells personal information may post online in addition to its required opt-out notice and "Do Not Sell My Personal Information" link. The draft regulations specify that the button, if utilized, must:
1. Be added to the left of the "Do Not Sell My Personal Information" text;
2. Link to the same Internet web page or online location to which the consumer is directed after clicking on the "Do Not Sell My Personal Information" link; and
3. Be approximately the same size as any other buttons used by the business on its web page.
The DOJ invites comments from interested stakeholders, but the comments must be limited to the newly modified provisions only. Written comments may be submitted until 5:00 p.m. PST on December 28, 2020, by email to PrivacyRegulations@doj.ca.gov, or by mail to:
Lisa B. Kim, Privacy Regulations Coordinator
California Office of the Attorney General
300 South Spring Street, First Floor
Los Angeles, CA 90013
We will continue to monitor developments related to the CCPA rulemaking process, and in the interim, please visit MoFo's CCPA Resource Center for additional information.
Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
© Morrison & Foerster LLP. All rights reserved