California AG Proposes Further Revisions To State Privacy Law Regulations
Insights
10.15.20
The California Attorney General just proposed a third set of modifications to the regulations implementing the state’s landmark privacy law. The regulations for the California Consumer Privacy Act (the CCPA) had previously gone into effect in August 2020, but the proposed modifications unveiled on October 12 would change and clarify certain requirements related to notice provisions and methods for opting in and opting out of the sale of personal information and verifying authorized agents.
To briefly recap, the California Department of Justice is the agency responsible for enforcement of, and issuance of regulations for California’s all-inclusive privacy law, which took effect on January 1, 2020. The Attorney General first published proposed CCPA regulations for public comment in October 2019. In February and March 2020, the Attorney General issued two separate rounds of modifications to the proposed regulations. While the Attorney General began enforcement of the CCPA on July 1, 2020, the regulations did not become final until August 14, 2020.
The Attorney General has now issued yet another set of proposed revisions to the regulations, which are open for public comment through October 28, 2020. The following is a summary of the proposed changes to the regulations:
- Businesses That Collect Personal Information Offline Must Give Offline Notice Of The Right To Opt Out Of Sale
Businesses that sell consumer information must provide clear and conspicuous notice of the consumer’s right to opt out of the sale of their personal information. The regulations define how that notice should be given in certain scenarios. A business that operates a website or mobile application must post a “Do Not Sell My Personal Information” link on the website’s homepage or a mobile application’s download page, landing page, or other place within the application. A business that does not operate a website is required to establish another method to provide notice that is easy to read and understandable to consumers.
Under the proposed modifications to the regulations, businesses that collect personal information in the course of interacting with consumers offline would have to provide notice by an offline method. For example, a business that collects personal information from consumers in a store may print the notice on paper forms used to collect information, or by posting signage directing the consumers to where notice can be found online. Businesses that collect information via phone may provide notice orally, during a call with the consumer. - New Guidance For Simplifying Consumer Opt-Out Requests
The new proposed modifications would explicitly require that a business’s methods for submitting requests to opt-out of the sale of personal information shall be easy for consumers to execute and require minimal steps. A business shall not use a method that impairs the consumer’s choice to opt out.
The new proposed modifications also set forth do’s and don’ts for designing processes for requests to opt out that meet the easy-to-use requirement. For instance, a business shall not have an opt-out process that has more steps than the business’s process for a consumer to opt in to the sale of personal information.
Additionally, when presenting consumers with the choice to opt out, the business shall not use confusing language, like double-negatives, or require consumers to read or listen to reasons why they should not opt out, or require consumers to provide unnecessary personal information in order to submit an opt-out request. Also, after consumers click the “Do Not Sell My Personal Information” link, the business shall not require consumers to search through a webpage with a voluminous amount of text, like the privacy policy, to find the mechanism for submitting the request to opt out. - Clarification Of The Requirements For Verifying Authorized Agents
When a consumer uses an authorized agent to submit requests to know or requests to delete, a business can require proof that the consumer gave the agent signed permission to submit the request. Previously, it was potentially unclear whether the business must procure that proof directly from the consumer or through the agent.
The new proposed modifications would clarify that the business may require the authorized agent to provide proof that the consumer gave signed permission to the agent. Additionally, as an alternative verification method, the business may require the consumer to either verify their own identity directly with the business, or directly confirm with the business that the consumer authorized the agent to submit the request. - Businesses That Sell Personal Information Of Young Consumers Must Describe Their Opt-In Process In Their Privacy Policy
Under the current CCPA regulations, businesses that knowingly sell personal information of both consumers under the age of 13 and consumers between the ages of 13 and 16 must describe in their privacy policies their methods for submitting a request to opt in to the sale of personal information. The proposed modifications would require businesses that knowingly sell personal information of consumers in one or both age groups to explain their opt-in methods in their privacy policies.
Conclusion
With amendments to the CCPA on the ballot this fall, the Attorney General’s proposed revisions to the regulations represent one of many potential changes to California’s brand new privacy law. We will continue to monitor and provide updates on these proposed modifications to the regulations as the public provides comments to the Attorney General. If your business has questions regarding implementing the requirements of the CCPA, please reach out to our CCPA Task Force.
Related People
-
- Anthony Isola
- Partner