Caution - CCPA Construction Ahead
Proposed Modifications to New CCPA Regulations Released for Public Comment
The California Consumer Privacy Act (CCPA) is starting to remind some of never-ending road construction with all of its caution flags, detour signage, and miles of orange cones – and headaches for drivers. More construction is now in the works on California’s consumer privacy highway.
The California Department of Justice (Department) initially published proposed CCPA regulations on October 11, 2019. The Department collected and reviewed public comments and released modifications to the proposed regulations on February 10, 2020 and March 11, 2020 based on comments received during the relevant comment periods. On August 14, 2020, California’s Office of Administrative Law (OAL) approved the long-awaited final CCPA regulations, and they became effective on that date. Check out our prior blog posting for more information on the final CCPA regulations.
On October 12, 2020, the Department released a third set of proposed modifications to the CCPA regulations. The deadline to submit written comments to these new proposed regulatory changes is October 28, 2020.
The new proposed changes focus on four key areas: offline notices of the right to opt-out of the sale of personal information (PI), “Do Not Sell My Personal Information” opt-out requests, authorized agent requests, and notices involving the PI of minors, as highlighted below:
1. Offline Notices
Proposed Section 999.306(b)(3) offers the following examples of how businesses that collect PI while interacting with consumers offline can provide consumers with the notice of their right to opt-out of the sale of PI through an offline method:
- Paper Forms and Signage: A business that collects PI from consumers in a brick-and-mortar store may provide notice by printing the notice on the paper forms that collect the PI or by posting signage in the area where the PI is collected directing consumers to where the notice can be found online.
- Telephone Notice: A business that collects PI over the telephone may provide the notice orally during the call where the information is collected.
2. Opt-Out Requests
Proposed Section 999.315(h) offers examples and further guidance on how a business’s methods for submitting requests to opt-out should be easy for consumers to execute and require minimal steps by consumers to exercise their opt-out rights. This proposed change may reflect consumer complaints indicating frustration with the perceived roadblocks that some companies had put in place to allegedly limit the ability of consumers to exercise their CCPA rights.
The proposal provides that a business may not use a method that is designed with the purpose or has the substantial effect of subverting or impairing a consumer’s choice to opt-out. The proposal provides the following benchmarks:
- Do Not Require More Steps to Opt-out Than to Opt-in: A business’s process for submitting a request to opt-out may not require more steps than that business’s process for a consumer to opt-in to the sale of PI after having previously opted out. The proposed regulations provide the following formulas for calculating these steps:
  - The number of steps for submitting a request to opt-out is measured from when the consumer clicks on the “Do Not Sell My Personal Information” link to the completion of the request.
  - The number of steps for submitting a request to opt-in to the sale of PI is measured from the first indication by the consumer to the business of their interest to opt-in to completion of the request.
- Do Not Use Confusing Language: A business may not use confusing language, such as double negatives (e.g., “Don’t Not Sell My Personal Information”), when providing consumers with the choice to opt-out.
- Do Not Use Rebuttals: Except as permitted by the regulations, a business may not require consumers to click through or listen to reasons why they should not submit a request to opt-out before confirming their request.
- Do Not Require Unnecessary PI: A business’s process for submitting a request to opt-out may not require the consumer to provide PI that is not necessary to implement the request.
- Do Not Bury Opt-out Submission Mechanism: Once a consumer clicks the “Do Not Sell My Personal Information” link, a business may not require the consumer to search or scroll through the text of a privacy policy or similar document or webpage to locate the mechanism for submitting a request to opt-out.
3. Authorized Agent Requests
Proposed Section 999.326(a) clarifies that when a consumer uses an authorized agent to submit a request to know or a request to delete PI, a business may require the consumer’s authorized agent to provide proof that the consumer provided the agent with signed permission to submit the request. A business may also require the consumer to verify their own identity directly with the business or directly confirm with the business that they provided the authorized agent with permission to submit the request on their behalf.
4. Notices to Consumers Under 16 Years of Age
Proposed Section 999.332(a) includes a grammatical change, which clarifies that businesses subject to Section 999.330 (regarding minors under 13 years of age) and/or 999.331 (regarding minors 13 – 16 years of age) must include a description of the applicable processes for opting in to the sale of PI, as set forth in those sections, in their privacy policies.
Although the construction dust has barely settled on the final CCPA regulations, businesses subject to the CCPA must now navigate around a new orange cone, the recent proposed changes to the CCPA regulations, and prepare for even more construction on the California privacy highway if Proposition 24, the California Privacy Rights and Enforcement Act (CPRA), is approved by California voters on November 3, 2020. The ballot initiative, if passed, will substantially revise and amend the CCPA, including transferring rulemaking authority to a new state agency. You can see our prior blog postings for more information on the ballot initiative here and here.
For businesses trying to maintain CCPA compliance programs that meet the demands of consumers, the applicable legal requirements, and the expectations of the regulator, these constant statutory and regulatory changes can make that task seem like a massive road construction project, and the usual “thank you for your patience” sign at the end of this construction project seems to be elusive. Keep calm and comply on.