On October 12, 2020, California’s Attorney General proposed a third set of modifications to the California Consumer Privacy Act (“CCPA”) regulations. These proposed modifications come nearly two months after the final regulations were approved and made effective by the California Office of Administrative Law (“OAL”) on August 14, and less than a month before the California Privacy Rights Act (“CPRA”) will be put to the voters on the statewide ballot on November 3, 2020.
Below, we summarize the proposed modifications and provide direct links at the bottom of this post. Comments are due no later than 5pm (Pacific Time) on October 28, 2020:
- Offline Notices of Opt Out Rights:
Current section 999.306 requires businesses that “sell” personal information to provide a notice of consumers’ rights to opt out. It provides for online notices and even requires a business that does not operate a website to provide an alternative documented method to inform consumers of the right to opt out. The proposed modification would include more specific instructions and examples. It specifically requires businesses that collect personal information offline (presumably even if they also collect it online) to provide notice by an offline method. For example, the proposed regulations illustrate, if a business collects personal information in a store, it can print the notice on paper or post signage. If it collects information over the phone, it may provide the notice orally.
- Consumer Methods for Requesting Opt Out:
Section 999.315 addresses consumer opt-out requests. The proposed regulations insert a new subsection (h), which would require the business’s methods for submitting opt-out requests to be easy to execute and require minimal steps, and which cannot be so complicated as to subvert or impair the consumer’s opt-out attempts:
- Specifically, the process for requesting to opt-out shall not require more steps than the opt-in requests. The regulation also provides guidance on how to measure the number of steps for comparison.
- A business shall not use confusing language (“Don’t Not Sell my Personal Information”) when providing opt out choices.
- Unless otherwise permitted, a business shall not require consumers confirming their opt out request to click through or listen to reasons why they should not do so.
- The business’s process shall not require the consumer to provide any more personal information than is necessary to process the request.
- Upon clicking “Do Not Sell My Personal Information”, the business shall not require the consumer to search or scroll through the text of a privacy policy or similar document to locate the opt-out request mechanism.
- Authorized Agent Requests:
Section 999.326 addresses opt-out requests submitted by an authorized agent on behalf of a consumer. The current version allows a business to require that the consumer do the following: (1) provide the authorized agent signed permission to do so; (2) verify their own identity directly with the business; [and/or] (3) directly confirm with the business that they provided the authorized agent permission to submit the request. (The current regulations did not specify whether all or only one of these options were required – there was no “and” or “or”).
- The proposed regulations modify this to allow a business to require the authorized agent to provide proof that the consumer gave the agent signed permission to submit the request. It then says that the business “may also” require the consumer to do “either of the following”:
- Verify their own identity directly with the business; or directly confirm with the business that they provided the authorized agent permission to submit the request.
- Therefore, this proposed change would clarify a business’s choices in complying with requests from authorized agents.
To view the redline of proposed modifications, click here.
To view the notice summary of proposed modifications, click here.