Overview
Just when you thought you finally had a handle on CCPA compliance, the California Attorney General has proposed additional modifications to the regulations that recently became final on August 14. Fortunately, the changes are minor. More significant changes to the CCPA may be just around the corner, though, if California voters approve the California Privacy Rights Act Initiative on November 3.
On October 12, 2020, California Attorney General Xavier Becerra released a new set of proposed modifications to regulations implementing the California Consumer Privacy Act (CCPA). Specifically, the modifications would:
- Require that “[a] business that collects personal information in the course of interacting with consumers offline… provide notice by an offline method that facilitates consumers’ awareness of their right to opt-out” of the sale of their information. Pursuant to this requirement, “a brick-and-mortar store [could] provide notice by printing the notice on the paper forms that collect the personal information or by posting signage in the area where the personal information is collected directing consumers to where the notice can be found online.” In addition, “[a] business that collects personal information over the phone [could] provide the notice orally during the call where the information is collected.”
- Mandate that “[a] business’s methods for submitting requests to opt-out…be easy for consumers to execute and…require minimal steps to allow the consumer to opt-out” and prohibit a business from “us[ing] a method that is designed with the purpose or has the substantial effect of subverting or impairing a consumer’s choice to opt-out.” In particular, a business would be prohibited from “requir[ing] more steps [in the process to opt out] than that business’s process for a consumer to opt-in to the sale of personal information after having previously opted out,” “us[ing] confusing language, such as double-negatives (e.g., ‘Don’t Not Sell My Personal Information’), when providing consumers the choice to opt-out,” “requir[ing] consumers to click through or listen to reasons why they should not submit a request to opt-out before confirming their request,” “requir[ing] the consumer to provide personal information that is not necessary to implement the request,” or “[u]pon clicking the ‘Do Not Sell My Personal Information’ link…requir[ing] the consumer to search or scroll through the text of a privacy policy or similar document or webpage to locate the mechanism for submitting a request to opt-out.”
- Allow a business to “require [an] authorized agent to provide proof that the consumer gave the agent signed permission to submit [a] request” to know or a request to delete. The existing language permits the business to require the consumer to “provide the authorized agent signed permission to” submit a request to know or a request to delete.
- Clarify that businesses subject to either § 999.330 (regarding processes for the opt-in to the sale of personal information by consumers under 13 years of age) or § 999.331 (regarding processes for the opt-in to the sale of personal information by consumers between 13 and 15 years of age) must “include a description of the processes set forth in those sections in its privacy policy.” The existing language of the regulations only requires businesses subject to both § 999.330 and § 999.331 to take this step.