Just two months after the final implementing regulations under the California Consumer Privacy Act of 2018 (CCPA) (“the Regulations”) were approved and took effect, California’s Department of Justice (DOJ) has issued another set of proposed modifications and invited written comments from interested stakeholders.
The modifications, which re-introduce provisions that California’s Office of Administrative Law (OAL) withdrew before finalizing the Regulations in August 2020, could impact covered businesses’ CCPA compliance programs, particularly with respect to their provision of notices regarding consumers’ right to opt out of the sale of their personal information, as well as the submission of consumers’ opt-out requests. A summary of the proposed modifications is as follows:
- Offline Notice of Right to Opt Out of Sale of Personal Information. The Regulations require a covered business to notify consumers of their right to direct the business to stop selling their personal information. The proposed modifications would require a business that collects personal information in the course of interacting with consumers offline to provide an opt-out notice by an offline method that facilitates consumers’ awareness of the opt-out right. The modifications also include illustrative examples:
- A business that collects personal information from consumers in a brick-and-mortar store may provide notice by printing the notice on the paper forms that collect the personal information or by posting signage in the area where the personal information is collected, directing consumers to where the notice can be found online.
- A business that collects personal information over the phone may provide the notice orally during the call where the information is collected.
- Submission of Opt-Out Requests. The Regulations require a covered business to provide two or more designated methods for consumers to submit requests to opt out, including an interactive form accessible via a clear and conspicuous link titled “Do Not Sell My Personal Information” on the business’s website or mobile application. The proposed modifications would require a business to make its methods for submitting opt-out requests easy for consumers to execute with minimal steps. The methods may not be designed with the purpose of, nor have the substantial effect of, subverting or impairing a consumer’s choice to opt out. Specifically:
- The business’s process for submitting a request to opt out may not require more steps than its process for a consumer to opt in to the sale of personal information after having previously opted out.
- A business may not use confusing language, such as double negatives (e.g., “Don’t Not Sell My Personal Information”), when providing consumers the choice to opt out.
- Except as otherwise permitted by the Regulations, a business may not require consumers to click through or listen to reasons why they should not submit a request to opt out before confirming their request.
- The business’s process for submitting a request to opt out may not require the consumer to provide personal information that is not necessary to implement the request.
- Authorized Agents’ Submission of Consumer Requests to Know or Requests to Delete. The proposed modifications would clarify that a business may require proof from an authorized agent that a consumer gave the agent permission to submit a request to know or a request to delete on his or her behalf. As the Regulations currently provide, the business may also require the consumer to directly confirm with the business that he or she provided the authorized agent permission to submit the request.
A redline comparison of the Regulations and the proposed modifications is available here. Stakeholders’ written comments must be received no later than 5:00 p.m. on October 28, 2020, and must be limited in scope to the modified provisions. Comments can be submitted by email to PrivacyRegulations@doj.ca.gov, or by mail to:
Lisa B. Kim, Privacy Regulations Coordinator
California Office of the Attorney General
300 South Spring Street, First Floor
Los Angeles, CA 90013
If the modifications are approved in their current form, they will take effect on one of four quarterly dates, based on when the final regulations are filed with the California Secretary of State, unless the DOJ requests a later effective date or demonstrates good cause for an earlier effective date. California Attorney General Xavier Becerra previously requested—and was granted—an earlier effective date for the Regulations, so there is precedent for the OAL departing from the quarterly effective date scheme in the context of the CCPA Regulations.