On October 12, 2020, the California Attorney General published a third set of proposed modifications to the regulations adopted pursuant to the California Consumer Privacy Act. This follows revisions proposed in February and March 2020 that were largely approved following review by the Office of Administrative Law. As a reminder, the CCPA is in effect and being enforced by both the California AG and the plaintiffs' bar.
Multiple revisions to the regulations are not surprising given the complex nature of the law, the many comments from various stakeholders on the various versions of the regulations, and evolving interpretations as the law is applied. More substantive revisions may be in store depending on the outcome of Proposition 24 (the California Privacy Rights Act or CPRA) in November. Indeed, these third proposed changes to the regulations may become moot since the time it will take for them to be finalized will likely extend well past when the CPRA would become law, if passed.
A redline produced by the AG of the specific proposed changes includes the following:
- 999.306, subd. (b)(3): Adds a requirement and examples of how businesses that collect personal information while interacting with consumers offline must provide notice of the right to opt-out of the sale of personal information by an offline method (although that method can direct consumers to go online). Examples include: 1) printing the notice on the paper forms that collect the personal information, 2) posting signage in the area where the personal information is collected directing consumers to where the notice can be found online, or 3) providing the notice orally during a call where the information is collected.
- Our take: These changes more or less reflect practices that many offline businesses already follow.
- 999.315, subd. (h): Adds guidance that consumer opt-out procedures should be simple and lists a number of methods that businesses should not use, such as requiring consumers to complete more steps to opt-out than they were required to complete to opt-in, using confusing language such as double negatives, requiring consumers to click through or listen to reasons that they should not opt-out, collecting personal information unnecessary for the opt-out request, and requiring the consumer to scour a privacy policy or other lengthy document to find the CCPA opt-out link after clicking a "Do Not Sell My Personal Information" link.
- Our take: This change poses some potential challenges. While we understand the California AG's desire to prohibit "subverting or impairing a consumer's choice to opt-out," the regulation also includes vague requirements that the opt-out process be "easy" and "require minimal steps". The illustrative examples do not provide much practical guidance on these points. Businesses may find it difficult to explain the opt-out process in as few steps as they explain the opt-in process, and in effect, this may lead to more complex, multistep opt-in processes to comply with this added requirement.
- 999.326, subd. (a): Provides businesses with the option to require direct verification of the consumer's identity and/or authorization for an agent to act on their behalf in addition to proof from the authorized agent that the consumer gave signed permission to submit the request.
- Our take: Businesses can now request a signed authorization between the consumer and authorized agent and also require the consumer to directly verify relevant information before complying with an agent's request. This change arguably requires proof that the consumer authorized an agent to undertake a specific request, potentially impacting third-party requestors that seek to monetize CCPA consumer rights request tools because it will be more difficult to scale and automate requests with this additional limitation.
- 999.332, subd. (a): Clarifies that businesses subject to either section 999.330 (Consumers Under 13 Years of Age) or section 999.331 (Notice to Consumers Under 16 Years of Age) of the CCPA regulations, as opposed to just those subject to both of these sections, are required to include in their privacy policies the additional notice for consumers under 16 years of age described in those sections.
- Our take: This change appears to be more of a cleanup than a substantive regulatory change.
As with prior proposed modifications, the AG will accept written comments regarding the proposed changes, followed by publishing the final text of the regulation and OAL review. Comments should be submitted to PrivacyRegulations@doj.ca.gov between October 13 and October 28, 2020 and must be limited to comments on the specific additions and deletions proposed in this round of modifications.