The California Office of Administrative Law today approved the CCPA Regulations that the California Attorney General submitted in June, and the regulations are effective immediately. As we discussed here, the now-final regulations, for the most part, substantively match those that the AG released in March, with a few notable changes.
Significantly, the AG has removed the shortened “Do Not Sell My Info” language throughout the final regulations to align with the statutory language. While the final regulations do not explicitly prohibit abbreviations, this removal indicates that businesses must include the full “Do Not Sell My Personal Information” language in their website link to an opt-out request. This is consistent with the statute, which requires businesses to include “a clear and conspicuous link on the business’s Internet homepage, titled ‘Do Not Sell My Personal Information’” that links to an opt-out request. Apparently, there is no room for flexibility on this display.
The Addendum to the Final Statement of Reasons also identifies four other provisions that the AG has “withdrawn”:
- Former § 999.305(a)(5) requiring a business to provide notice and obtain explicit consent prior to using a consumer’s personal information for a “materially different purpose” than disclosed in the notice at collection.
- Former § 999.306(b)(2) requiring businesses that substantially interact with consumers offline to provide consumers with an offline notice informing them of their right to opt out. In other words, there is no longer an express requirement to provide an offline Do Not Sell My Personal Information notice, such as a paper form or store signage. Notably, the obligation to provide an offline Notice at Collection still applies.
- Former § 999.315(c) indicating that a business must implement an easy opt-out method for consumers, and must not use a method that would impair a consumer’s decision to opt out (though a business is still required to consider ease of use when implementing an opt-out method).
- Former § 999.326(c) permitting a business to deny a request from an authorized agent who does not submit proof of consumer authorization (though a business may still require a consumer to verify his or her identity directly with the business when using an authorized agent, and the business may deny opt-out requests from an authorized agent if the agent cannot provide signed permission that demonstrates authorization from the consumer).
While the Addendum does not provide any rationale for these withdrawals, it notes that the AG “may resubmit [the withdrawn] section[s] after further review and possible revision.” The Addendum also identifies other “non-substantive changes” the AG has made, including grammatical and syntax modifications.
While July 1 marked the CCPA’s enforcement date, the now-finalized regulations solidify what an entity must do to comply with the CCPA. With each violation subject to a penalty of between $2,500 and $7,500, entities should carefully review their current CCPA practices to ensure compliance with both the statute and the final regulations.
If you have questions on how the finalized regulations may affect your business, please contact Alysa Hutnik and Lauren Myers. If you have other CCPA questions, please see our other CCPA blog posts and our Advertising and Privacy Law Resource Center.