On August 14, 2020, the California Attorney General announced that the state’s Office of Administrative Law approved the AG’s proposed regulations pursuant to the California Consumer Privacy Act. The final regulations, which took immediate effect on the day of the announcement, reflect the withdrawal of the following provisions (as well as numerous other “non-substantive” changes made to improve grammar, organization, accuracy, consistency and clarity).

Explicit consent for material changes to use of personal information

  • Deleted Text (§ 999.305(a)(5)): “A business shall not use a consumer’s personal information for a purpose materially different than those disclosed in the notice at collection. If the business seeks to use a consumer’s previously collected personal information for a purpose materially different than what was previously disclosed to the consumer in the notice at collection, the business shall directly notify the consumer of this new use and obtain explicit consent from the consumer to use it for this new purpose.”

Offline notices of opt-out right

  • Deleted Text (§ 999.306(b)(2)): “A business that substantially interacts with consumers offline shall also provide notice to the consumer by an offline method that facilitates consumer awareness of their right to opt-out. Such methods include, but are not limited to, printing the notice on paper forms that collect personal information, providing the consumer with a paper version  of the notice, and posting signage directing consumers to where the notice can be found.”

Easy-to-use mechanisms for submitting opt-out requests

  • Deleted Text (§ 999.315(c)): “A business’s methods for submitting requests to opt-out shall be easy for consumers to execute and shall require minimal steps to allow the consumer to opt-out. A business shall not utilize a method that is designed with the purpose or has the substantial effect of subverting or impairing a consumer’s decision to opt-out.”

Denial of authorized agent requests without proof of the agent’s authority

  • Deleted Text (§ 999.326(c)): “A business may deny a request from an authorized agent that does not submit proof that they have been authorized by the consumer to act on their behalf.”

The AG expressly reserved the right to resubmit these withdrawn provisions after further review and possible revision. Moreover, other provisions of the CCPA, the CCPA regulations and/or other applicable laws may require measures that are similar to, if not as prescriptive as, those required by the withdrawn provisions. Thus, these changes likely do not substantially relax businesses’ compliance obligations.

Wording of “Do Not Sell” links

One of the “non-substantive” changes reflected in the final regulations eliminates the flexibility that businesses would have had to use the phrasing “Do Not Sell My Info” rather than “Do Not Sell My Personal Information” when linking to notices of the consumer’s right to opt-out of sales of personal information. This change appears to necessitate updates to the vast number of websites that currently employ the former phrasing.

For an overview of all changes reflected in the final regulations, see the AG’s Addendum to Final Statement of Reasons

Expanded scope of enforcement

So far, the AG has limited his enforcement activity under the CCPA to the “four corners” of the CCPA itself. Now that the CCPA regulations have taken effect, businesses should expect the AG to expand his enforcement activity to address violations of the regulations as well.

Contributors

Adam Connolly

Jonathan Newmark

Posted by Cooley