On October 12, 2020, the California Attorney General published a third set of proposed modifications to the California Consumer Privacy Act. This follows revisions proposed in February and March 2020 that were largely approved following review by the Office of Administrative Law. As a reminder, the CCPA is in effect and being enforced by both the California AG and the plaintiffs' bar.
Multiple revisions to the regulations are not surprising given the complex nature of the law, the many comments from various stakeholders on the various versions of the regulations, and evolving interpretations as the law is applied. More substantive revisions may be in store depending on the outcome of Proposition 24 (the California Privacy Rights Act or CPRA) in November. Indeed, these third proposed changes to the regulations may become moot since the time it will take for them to be finalized will likely extend well past when the CPRA would become law, if passed.
A redline produced by the AG of the specific proposed changes includes the following:
- 999.306, subd. (b)(3): Adds a requirement and examples of how businesses that collect personal information while interacting with consumers offline must provide notice of the right to opt-out of the sale of personal information by an offline method (although that method can direct consumers to go online). Examples include: 1) printing the notice on the paper forms that collect the personal information, 2) posting signage in the area where the personal information is collected directing consumers to where the notice can be found online, or 3) providing the notice orally during a call where the information is collected.
- Our take: These changes more or less reflect practices that many offline businesses are already following.
- 999.315, subd. (h): Adds guidance that consumer opt-out procedures should be simple and lists a number of methods that businesses should not use, such as requiring consumers to complete more steps to opt-out than they were required to complete to opt-in, using confusing language such as double negatives, requiring consumers to click through or listen to reasons that they should not opt-out, collecting personal information unnecessary for the opt-out request, and requiring the consumer to scour a privacy policy or other lengthy document to find the CCPA opt-out link after clicking a "Do Not Sell My Personal Information" link.
- Our take: This change poses some potential challenges. While we understand the California AG's desire to prohibit "subverting or impairing a consumer's choice to opt-out," the regulation also includes vague requirements that the opt-out process be "easy" and "require minimal steps". The illustrative examples do not provide much practical guidance on these points. Businesses may find it difficult to explain the opt-out process in as few steps as they explain the opt-in process, and in effect, this may lead to more complex, multistep opt-in processes to comply with this added requirement.
- 999.326, subd. (a): Provides businesses with the option to require direct verification of the consumer's identity and/or authorization for an agent to act on their behalf in addition to proof from the authorized agent that the consumer gave signed permission to submit the request.
- Our take: Businesses can now request both a signed authorization between the consumer and authorized agent and direct verification of relevant information by the consumer before complying with an agent's request. This change arguably requires proof that the consumer authorized an agent to undertake a specific request, potentially impacting third-party requestors that seek to monetize CCPA consumer rights request tools because it will be more difficult to scale and automate requests with this additional limitation.
- 999.332, subd. (a): Clarifies that businesses subject to either section 999.330 (Consumers Under 13 Years of Age) or section 999.331 (Notice to Consumers Under 16 Years of Age) of the CCPA regulations, as opposed to just those subject to both of these sections, are required to include in their privacy policies the additional notice for consumers under 16 years of age described in those sections.
- Our take: This change appears to be more of a cleanup than a substantive regulatory change.
As with prior proposed modifications, the AG will accept written comments regarding the proposed changes, followed by publishing the final text of the regulation and OAL review. Comments should be submitted to PrivacyRegulations@doj.ca.gov between October 13 and October 28, 2020 and must be limited to comments on the specific additions and deletions proposed in this round of modifications.