California AG Proposes Modifications to CCPA Regulations as CPRA Vote Nears

Blog WilmerHale Privacy and Cybersecurity Law

Less than a month before Californians are to vote on the California Privacy Rights Act (CPRA) (which we have previously written about here), the California attorney general (California AG) proposed a third set of modifications to the California Consumer Privacy Act’s (CCPA) regulations. This latest set of proposed regulations also comes less than two months after California’s Office of Administrative Law (OAL) approved the latest version of CCPA regulations (which have been in effect since August 14).

The California AG is accepting comments on the proposed regulations up until 5 p.m. PT on October 28, 2020. Based on this timing, it seems unlikely that this third set of modified regulations will be approved by the OAL before we learn of the status of the CPRA on November 3. Even if the CPRA passes, however, most of the law will not go into effect until January 1, 2023, which means businesses subject to the CCPA will still need to account for these new regulations.

If approved by the OAL, the third set of modified CCPA regulations would include the following changes:

  • Offline notice of the Right to Opt Out of Sale: The third set of modified regulations clarifies that businesses that collect consumer personal information offline and are required by the CCPA to provide consumers with notice of their right to opt out of sale must provide an offline notice that “facilitates consumers’ awareness of their right to opt-out.” For example:
    • A business that collects personal information from consumers in a brick-and-mortar store may provide notice by printing the notice on a paper form or by posting signage in the area where personal information is being collected.
    • A business that collects personal information over the phone may provide the notice orally during the call in which the information is collected.
  • Examples of when a business has made it burdensome for consumers to exercise their Right to Opt Out of Sale: The third set of modified regulations illustrates situations where a business has used an opt-out method “that is designed with the purpose or has the substantial effect of subverting or impairing a consumer’s choice to opt-out.” These examples include the following:
    • The business’s process for submitting a request to opt out shall not require more steps than that business’s process for a consumer to opt in to the sale of personal information after having previously opted out.
    • A business shall not use confusing language, such as double negatives (e.g., “Don’t Not Sell My Personal Information”), when providing consumers the choice to opt out.
    • A business shall not require consumers to click through or listen to reasons why they should not submit a request to opt out before confirming their request.
    • The business’s process for submitting a request to opt out shall not require the consumer to provide personal information that is not necessary to implement the request.
    • Upon the clicking of the “Do Not Sell My Personal Information” link, the business shall not require the consumer to search or scroll through the text of a privacy policy or similar document or webpage to locate the mechanism for submitting a request to opt out.
  • Clarity regarding how a business must respond to a request from an authorized agent: Previously, the regulations had stated that a business may require a consumer to provide signed permission with regard to using the authorized agent, but the third set of modifications makes clear that the business may require the authorized agent to provide proof that the consumer gave the agent signed permission to submit the request.
  • Privacy policy disclosures for consumers under the age of 13 and between the ages of 13 and 15: The third set of modified regulations makes clear that a business that collects personal information from consumers under the age of 13 and/or between the ages of 13 and 15 must provide notice of how it obtains opt-in consent from either the consumers or their parents (as required) in the business’s privacy policy (the previous version of the regulations had stated that this requirement applied only to businesses that collected personal information from both sets of consumers).