The Regulations to the California Consumer Privacy Act (CCPA) continue to evolve, in confusing fashion. As background, the AG’s Office had previously issued proposed Regulations to the CCPA in October 2019. The AG’s Office then issued a revised set of proposed amendments to the Regulations in February 2020 and then again in March 2020. While most of the regulations were made effective on August 14, 2020, the California Department of Justice withdrew four (4) sections of the proposed Regulations from the review of the Office of Administration Law so that they could be adjusted at a later date. Adding to the confusion, the California Department of Justice just yesterday released a new third set, of proposed amendments to the Regulations. This new set of amendments corrects the four sections of the prior proposed regulations that were not originally submitted for review. The four sections include:
- Proposed section 999.306, subd. (b)(3), which elaborates on how businesses that collect personal information in the course of interacting with consumers offline can provide the notice of right to opt-out of the sale of personal information through an offline method. The proposed language indicates that brick-and-mortar stores can offer paper notices or post signs in the area where personal information is collected. Businesses collecting personal information over the phone can provide the notice orally.
- Proposed section 999.315, subd. (h), which provides guidance on how a business’s methods for submitting requests to opt-out should be easy and require minimal steps. The business’s process for submitting a request to opt-out shall not require more steps than that business’s process for a consumer to opt-in to the sale of personal information after having previously opted out, which is determined from the time the consumer clicks the “Do Not Sell My Personal Information” link. Also, businesses should not use confusing language to label the opt-out link, require the consumer to list why they are opting-out, require the consumer to provide personal information to perform the request, or require the consumer to search the privacy policy to find the link to the opt-out request page.
- Proposed section 999.326, subd. (a), which clarifies that a business may require an authorized agent to provide proof that the consumer gave the agent signed permission to submit the request. Additionally a business may require a consumer to verify their own identity directly with the business or directly confirm with the business that they provided the authorized agent permission to submit the request.
- Proposed section 999.332, subd. (a), which clarifies that for those businesses that sell personal information of consumers under the age of 13, sell the personal information of consumers ages 13 to 15, or sell both, are required to include a description of the processes to opt-in as set forth in sections 999.330 and 999.331 in their privacy policies.
The California Department of Justice will accept written comments regarding the proposed changes between Tuesday, October 13, 2020 and Wednesday, October 28, 2020.