Just two months after the final implementing regulations under the California Consumer Privacy Act of 2018 (CCPA) (“the Regulations”) were approved and took effect, California’s Department of Justice (DOJ) has issued another set of proposed modifications and invited written comments from interested stakeholders.
The modifications, which re-introduce provisions that California’s Office of Administrative Law (OAL) withdrew before finalizing the Regulations in August 2020, could impact covered businesses’ CCPA compliance programs, particularly with respect to their provision of notices regarding consumers’ right to opt out of the sale of their personal information, as well as the submission of consumers’ opt-out requests. A summary of the proposed modifications is as follows:
- Offline Notice of Right to Opt Out of Sale of Personal Information. The Regulations require a covered business to notify consumers of their right to direct the business to stop selling their personal information. The proposed modifications would require a business that collects personal information in the course of interacting with consumers offline to provide an opt-out notice by an offline method that facilitates consumers’ awareness of the opt-out right. The modifications also include illustrative examples:
- A business that collects personal information from consumers in a brick-and-mortar store may provide notice by printing the notice on the paper forms that collect the personal information or by posting signage in the area where the personal information is collected, directing consumers to where the notice can be found online.
- A business that collects personal information over the phone may provide the notice orally during the call where the information is collected.
- Submission of Opt-Out Requests. The Regulations require a covered business to provide two or more designated methods for consumers to submit requests to opt out, including an interactive form accessible via a clear and conspicuous link titled “Do Not Sell My Personal Information” on the business’s website or mobile application. The proposed modifications would require a business to make its methods for submitting opt-out requests easy for consumers to execute with minimal steps. The methods may not be designed with the purpose of, nor have the substantial effect of, subverting or impairing a consumer’s choice to opt out. Specifically:
- The business’s process for submitting a request to opt out may not require more steps than its process for a consumer to opt in to the sale of personal information after having previously opted out.
- A business may not use confusing language, such as double negatives (e.g., “Don’t Not Sell My Personal Information”), when providing consumers the choice to opt out.
- Except as otherwise permitted by the Regulations, a business may not require consumers to click through or listen to reasons why they should not submit a request to opt out before confirming their request.
- The business’s process for submitting a request to opt out may not require the consumer to provide personal information that is not necessary to implement the request.
- Upon clicking the “Do Not Sell My Personal Information” link, the business may not require the consumer to search or scroll through the text of a privacy policy or similar document or webpage to locate the mechanism for submitting a request to opt out.
- Authorized Agents’ Submission of Consumer Requests to Know or Requests to Delete. The proposed modifications would clarify that a business may require proof from an authorized agent that a consumer gave the agent permission to submit a request to know or a request to delete on his or her behalf. As the Regulations currently provide, the business may also require the consumer to directly confirm with the business that he or she provided the authorized agent permission to submit the request.
- Notices to Consumers Under 16 Years of Age. The proposed modifications would clarify that if a business is subject to either §999.330 (i.e., the business has actual knowledge that it sells personal information of consumers under 13 years of age) and/or §999.331 (i.e., the business has actual knowledge that it sells personal information of consumers aged 13-15), the business must include its applicable opt-in processes in its privacy policy. As currently written, the Regulations require a business to include these processes in its privacy policy if the business is subject to §999.330 and §999.331.
A redline comparison of the Regulations and the proposed modifications is available here. Stakeholders’ written comments must be received no later than 5:00 p.m. on October 28, 2020, and must be limited in scope to the modified provisions. Comments can be submitted by email to PrivacyRegulations@doj.ca.gov, or by mail to:
Lisa B. Kim, Privacy Regulations Coordinator
California Office of the Attorney General
300 South Spring Street, First Floor
Los Angeles, CA 90013
If the modifications are approved in their current form, they will take effect on one of four quarterly dates, based on when the final regulations are filed with the California Secretary of State, unless the DOJ requests a later effective date or demonstrates good cause for an earlier effective date. California Attorney General Xavier Becerra previously requested—and was granted—an earlier effective date for the Regulations, so there is precedent for the OAL departing from the quarterly effective date scheme in the context of the CCPA Regulations.