On Friday, August 14, 2020, California Attorney General Xavier Becerra announced approval by the Office of Administrative Law (OAL) of final regulations (Final Regs) under the California Consumer Privacy Act (CCPA). Proposed final regulations were submitted to the OAL by the Office of the Attorney General (OAG) on June 1, 2020. During OAL’s review process, additional revisions were made to the proposed regulations. The approved regulations are now, according to the OAG and OAL, in effect along with the CCPA, which went into effect on January 1, 2020. The OAG gained enforcement authority as of July 1, 2020, which will now include enforcement of the Final Regs. It has been reported that dozens of CCPA compliance investigations have commenced.
In the Notice of Approval in Part and Withdrawal in Part of Regulatory Action, the OAL stated that four proposed sections — 999.305(a)(5), 999.306(b)(2), 999.315(c) and 999.326(c) — were withdrawn from OAL review pursuant to Government Code Section 11349.3(c). The OAG explains this process and provides clarity on what to expect in its Addendum to Final Statement of Reasons. We discuss below the business impact of the approved regulations as of August 14, how to interpret the withdrawal of the four proposed sections and what to expect going forward, which likely includes further rulemaking to address some of the proposed provisions that have been withdrawn.
- Removal of “Do Not Sell My Info” option
- Four proposed sections that were withdrawn by the OAG:
  - How businesses may use previously collected information for a materially different purpose by obtaining express consent from consumers;
  - How businesses substantially interacting with consumers offline should provide notice of right to opt-out via an offline method;
  - Minimum standards for submitting opt-out requests to businesses; and
  - Ability to deny certain requests from authorized agents if they fail to submit certain documentation.
- Procedural steps the OAG may take to further revise the regulations
Background: Administrative Process
The CCPA regulations package is one of the largest, if not the largest, set of privacy regulations ever issued by the California Department of Justice. Unlike some of the other privacy laws and regulations, which were adopted without much public participation, Civil Code Section 1798.185, subdivision (a) requires the Attorney General (AG) to solicit broad public participation and adopt regulations to further the purposes of the CCPA. The CCPA regulations approved by OAL were drafted after a broad and inclusive preliminary rulemaking process that included seven public forums, during which the office received over 300 letters. During the formal rulemaking process, Attorney General Becerra held four public hearings throughout the state, along with a 45-day comment period and two subsequent 15-day comment periods. These comment periods resulted in the submission of over 1,000 public comments, each of which was taken into consideration when drafting the final regulations, and most of which were specifically commented upon by the OAG’s published responses to comments and a Final Statement of Reasons.
The OAG explains this process in its latest press release and provides explanation of the changes made in the final regulation in its Addendum to Final Statement of Reasons. The Final Regs posted by the OAG include several changes when compared to the proposed final regulations submitted by the OAG to the OAL for administrative review on June 1 (see redline here). Characterized as “non-substantive changes for accuracy, consistency, and clarity,” these changes were likely recommended by OAL, which is responsible for conducting administrative review of proposed regulations to ensure that regulations comply with the administrative law principles outlined in Government Code § 11349.1(a) (requiring application of the principles of Necessity, Authority, Clarity, Consistency, Reference and Nonduplication).
Removal of the “Do Not Sell My Info” Option
One of the most notable changes in the final regulations is the removal of the option for businesses to use the words “Do Not Sell My Info” in the link for the notice of right to opt out of “sale.” In the Addendum, the OAG explains that the words “or ‘Do Not Sell My Info’” were deleted throughout the regulations to align with the express language of the statute. This option was originally included in the October 11, 2019 version of the proposed regulations by the OAG to give businesses a shorthand for the opt-out right notice. This, however, was not approved by the OAL as it was found not to be consistent with the statutory requirement.
Given that the OAG did not state in its Addendum that it will reconsider and submit revised regulations on this point, we should consider this change to be final. Businesses that “sell” personal information under the CCPA should thus include a link at the bottom of their homepage or the download or landing page of a mobile application with the words “Do Not Sell My Personal Information,” which directs users to the notice of right to opt out. It’s important to note the CCPA defines “homepage” as the introductory page of an internet website and any internet web page where personal information is collected. A business that collects personal information through a mobile application may also provide a link to the notice within the application, such as through the application’s settings menu. Businesses should also carefully consider the specific content requirements for this notice of right to opt out under the CCPA and the final regulations.
Although this deletion of the shorthand version of the link is effective immediately, businesses have thirty (30) days to “cure” the issue upon receipt of a letter of noncompliance. We also note that a proposal for a design of the opt-out button or logo was withdrawn by the OAG during the rulemaking process in March, and we hope it will be included in the revised rulemaking in the future. The AG’s statutory authority to develop a “recognizable and uniform opt-out logo or button” could potentially solve the clumsiness of the required narrative link.
Other Non-Substantive Changes
The remaining changes to the Final Regs are less impactful and appear to be intended to provide clarity or eliminate duplication. For example, throughout the text, instead of using the terms “children” and “minor(s),” the Final Regs use the phrases “consumers under 13” and “consumers under 16,” respectively. Also, in Section 999.301(j), the definition of “financial incentive program” has been changed to “a program related to the collection, deletion, or sale of personal information” (instead of “collection, retention, or sale of personal information”). This change reflects the language of the CCPA itself and is non-substantive because deletion and retention are inherently interrelated and any financial incentive program for retention also falls within the scope of deletion (or nondeletion). Another example of clarifying language is the addition of a definition for “request to delete” that cites to Cal. Civ. Code Section 1798.105 (the request to delete section of the original CCPA text). This simply adds clarity to the term by cross-referencing it to the section that outlines how requests to delete are intended to apply in the CCPA. An example of removal of duplication is the removal of the following line in Section 999.308(e): “The categories [of sources] shall be described in a manner that provides consumers a meaningful understanding of the information collected.” As noted in the Addendum, this same sentence was earlier stated in the definition of categories of sources. It remains, however, in Section 999.308(d) and (f), which refer to disclosures of categories of personal information, business purposes and commercial purposes because those terms were not further defined by the regulations and because Section 999.308 was the first instance the “meaningful understanding” standard was applied to those categories.
Four Withdrawn Sections
In addition to the non-substantive changes, four sections were withdrawn by the OAG as of August 14:
- Removed guidance on how businesses may use previously collected information for a materially different purpose by obtaining express consent from consumers. Section 999.305(a)(5) was not included in the Final Regs. It would have allowed a business to use personal information for a materially different purpose than what was disclosed in the notice, at or before the point of collection, as long as the business obtained explicit consent for that new purpose from the consumer. Section 999.305(a)(1) requires businesses to provide consumers with notice, at or before the point of collection, about the categories of personal information to be collected from them and the purposes for which the personal information will be used. Section 305(a)(6) further states that “[i]f a business does not give the notice at collection to the consumer at or before the point of collection of their personal information, the business shall not collect personal information from the consumer.” Therefore, without additional guidance from the OAG, it would seem that a business can use personal information only for purposes that are expressly stated in the pre-collection notice and that a business that seeks to use personal information for a different purpose must do so by collecting the information again under a new notice (i.e., styled as a new collection). This would be consistent with Section 305(a)(5), which states that “[a] business shall not collect categories of personal information other than those disclosed in the notice at collection. If the business intends to collect additional categories of personal information, the business shall provide a new notice at collection.” For example, if a business wishes to use the contact information that was previously collected from a consumer for marketing purposes and no notice at collection was provided which disclosed that purpose to the consumer, the business would, as it stands now, need to provide new pre-collection notice and technically re-collect the email and phone number it already has on file. However, if the original pre-collection notice was broad enough to cover both purposes, this would not be necessary. Indeed, enumerated business purpose number 5 in Section 1798.140(d) includes both customer service and advertising and marketing. Pre-collection notice is required to disclose the intended purposes for the collection for the categories of personal information. The Final Regs require that this be done in a manner that is understandable to the consumer. The last-minute change in the Final Regs puts the emphasis on the accuracy and understandability of the pre-collection notice and underscores the importance of carefully drafting collection-specific notices and privacy policies, if they are used as the basis for describing the collection purposes. While the insertion of the “materiality” standard appears to have been removed from the Final Regs, it is likely to nonetheless be helpful in determining the sufficiency and understandability of a challenged pre-collection notice. We also note that this pre-collection notice requirement applies only to businesses that are collecting personal information, and thus we recommend analyzing whether the entity that is undertaking the collection is a “business” and whether the data in question is “personal information” under the CCPA. Further, the Final Regs limit the obligation to provide pre-collection notice in certain narrow contexts, and subject to certain requirements.
- Removed guidance on how businesses substantially interacting with consumers offline should provide notice of right to opt out via an offline method. Section 999.306(e) states that “[a] business shall not sell the personal information it collected during the time the business did not have a notice of right to opt-out posted unless it obtains the affirmative authorization of the consumer.” Section 999.306(b)(2), which was removed from the Final Regs, would have provided businesses with examples of how to provide notice to the consumer of their right to opt-out of sale of personal information using an offline method. This subsection is analogous to offline notice methods described in Section 999.305(a)(3)(c), which provides that notice at collection, which shall include notice of opt-out if the business sells personal information, may be provided on printed forms that collect personal information, by providing the consumer with a paper version of the notice or by posting prominent signage directing consumers to where the notice can be found online. Without further guidance, businesses should continue to comply with the notice of right to opt out requirements found in Section 999.306 and the pre-collection notice requirements of Section 999.305(a)(3)(c). Businesses that do not directly collect personal information from consumers should look at the advantages Section 999.305(e) of the Final Regs provides to registered data brokers.
- Removed guidance on how businesses can provide consumers methods for submitting opt-out requests. Section 999.315(c), which required businesses to allow consumers to submit opt-out requests with “minimal steps” and to “not utilize a method designed with the purpose or [having] the substantial effect of subverting or impairing a consumer’s decision to opt-out,” has been removed. The removal of this provision does not mean that these methods are permitted. Indeed, Section 999.315(b) still requires that a business consider “the manner in which the business sells personal information to third parties, available technology, and ease of use” when determining which methods consumers may use to submit requests to opt out. As a practical matter, the number of steps or clicks needed for consumers to submit their opt-out request should be considered in making this ease-of-use determination. For technical and practical reasons, businesses may have two different methods of opt-out — one for cookies that could constitute sales and one for more traditional personal information like name, email address and transaction history. This change arguably supports this approach. However, it remains important that the consumer be able to easily understand the methods and exercise them.
- Ability to deny certain requests from authorized agents if they fail to submit certain documentation. Section 999.326(c), which would have granted businesses the ability to deny authorized agent requests for failing to submit proof they are authorized to act on behalf of the consumer, has been removed. However, Section 999.326(a)(1-3) already includes three hurdles that a business may require before a consumer is able to use an authorized agent to submit a request, and Section 999.326(b) refers to the Probate Code for the requirements of establishing a valid power of attorney form of authorization. Therefore, without further guidance from the OAG, businesses cannot deny a request from an authorized agent solely because the authorized agent failed to submit proof of consumer authorization, if the authorization is otherwise reasonably verified.
For businesses that have been relying on the four sections outlined above, the OAG may resubmit those sections after further review and possible revision. If the OAG seeks to issue another set of proposed regulations under its existing rulemaking authority with only a 15-day comment period, it must do so before October 11, 2020 (the one-year anniversary of the first set of proposed CCPA regulations) under Government Code 11346.4(b). Therefore, we will be watching for yet another round of proposed regulations in the next seven weeks. It is also possible that the Governor may extend the one-year deadline by 60 calendar days, which may give until December 10 for the OAG to issue revisions to the four withdrawn sections (see Executive Order N-40-20).
“In California, privacy is an inalienable right. Californians should control who possesses their personal data and how it’s used,” said Attorney General Becerra in his press release announcing the approval of the regulations. “With these rules finalized, California breaks ground and leads the nation to protect and advance data privacy. These rules guide consumers and businesses alike on how to implement the California Consumer Privacy Act. As we face a pandemic of historic proportions, it is particularly critical to be mindful of personal data security.”
If you have any questions on how businesses should protect Californians’ rights to personal data under the CCPA or the regulations, feel free to reach out to the authors or others in BakerHostetler’s Digital Assets and Data Management (DADM) Practice Group. For additional articles covering the CCPA, the California Privacy Rights Act (CPRA) or the recent Schrems II decision, visit BakerHostetler’s Data Counsel blog and our Consumer Privacy Resource Center.