On December 10, 2020, the California Attorney General published a fourth set of proposed modifications to the California Consumer Privacy Act. This follows revisions proposed in February, March and October 2020. As a reminder, the CCPA is in effect and being enforced by both the California AG and the plaintiffs’ bar.

Generally speaking, these modifications present relatively minor changes that simply clarify language from the third set of proposed revisions and make few substantive changes to the regulations.

A redline produced by the AG of the specific proposed changes includes the following:

  • 999.306, subd. (b)(3): Clarifies the requirement and examples of how businesses that sell personal information that has been collected from consumers in offline interactions must provide notice of the right to opt-out of the sale of personal information by an offline method (although that method can direct consumers to go online). Examples include: 1) printing the notice on the paper forms that collect the personal information, 2) posting signage in the area where the personal information is collected directing consumers to where the notice can be found online, or 3) providing the notice orally during a call where the information is collected.
    • Our take: These changes do not substantively change the requirement or examples from the third set of proposed revisions and remain generally consistent with the practices that many offline businesses have already implemented.
  • 999.315, subd. (f): Brings back the “opt-out button” as an option to be used in conjunction with offering individuals the right to opt-out of the sale of personal information. The button has been redesigned from the example included in the earlier versions of the draft regulations, and the modifications now explain that the button must be used in conjunction with the “Do Not Sell My Personal Information” text.
    • Our take: The new iteration of the opt-out button is sleeker and more minimal, but, as outlined above, differs from the previous version insofar as it is not intended to be used in lieu of the “Do Not Sell My Personal Information” text but rather alongside the text as shown below.
  • 999.326, subd. (a): Modifies the language relating to the verification process a business may use when a consumer uses an authorized agent to submit requests on the consumer’s behalf. The updated language clarifies that the business may require the agent to provide proof that he or she has been authorized by the consumer to submit the request and/or require the consumer to directly verify his or her identity or confirm that the agent is indeed authorized to submit the request.
    • Our take: This reflects a minor modification to better clarify to whom businesses should direct specific types of verifications, however the substance of the verification process remains the same.

As with prior proposed modifications, the AG will accept written comments regarding the proposed changes, followed by publishing the final text of the regulation and OAL review. Comments should be submitted to PrivacyRegulations@doj.ca.gov before December 28, 2020 at 5:00 pm (Pacific time) and must be limited to comments on the specific additions and deletions proposed in this round of modifications.


Kristopher Kleiner

Posted by Cooley