On October 12, 2020, the California Attorney General published a third set of proposed modifications to the regulations adopted pursuant to the California Consumer Privacy Act. This follows revisions proposed in February and March 2020 that were largely approved following review by the Office of Administrative Law. As a reminder, the CCPA is in effect and being enforced by both the California AG and the plaintiffs’ bar.
Multiple revisions to the regulations are not surprising given the complex nature of the law, the many comments from various stakeholders on the various versions of the regulations, and evolving interpretations as the law is applied. More substantive revisions may be in store depending on the outcome of Proposition 24 (the California Privacy Rights Act or CPRA) in November. Indeed, these third proposed changes to the regulations may become moot since the time it will take for them to be finalized will likely extend well past when the CPRA would become law, if passed.
A redline produced by the AG of the specific proposed changes includes the following:
- 999.306, subd. (b)(3): Adds a requirement and examples of how businesses that collect personal information while interacting with consumers offline must provide notice of the right to opt-out of the sale of personal information by an offline method (although that method can direct consumers to go online). Examples include: 1) printing the notice on the paper forms that collect the personal information, 2) posting signage in the area where the personal information is collected directing consumers to where the notice can be found online, or 3) providing the notice orally during a call where the information is collected.
- Our take: These changes more or less reflect practices that many offline businesses already follow.
- 999.315, subd. (h): Adds guidance that consumer opt-out procedures should be simple and lists a number of methods that businesses should not use, such as requiring consumers to complete more steps to opt-out than they were required to complete to opt-in, using confusing language such as double negatives, requiring consumers to click through or listen to reasons that they should not opt-out, collecting personal information unnecessary for the opt-out request, and requiring the consumer to scour a privacy policy or other lengthy document to find the CCPA opt-out link after clicking a “Do Not Sell My Personal Information” link.
- Our take: This change poses some potential challenges. While we understand the California AG’s desire to prohibit “subverting or impairing a consumer’s choice to opt-out,” the regulation also includes vague requirements that the opt-out process be “easy” and “require minimal steps”. The illustrative examples do not provide much practical guidance on these points. Businesses may find it difficult to explain the opt-out process in as few steps as they explain the opt-in process, and in effect, this may lead to more complex, multistep opt-in processes to comply with this added requirement.
- 999.326, subd. (a): Provides businesses with the option to require direct verification of the consumer’s identity and/or authorization for an agent to act on their behalf in addition to proof from the authorized agent that the consumer gave signed permission to submit the request.
- Our take: Businesses can now request both a signed authorization between the consumer and authorized agent and direct verification of relevant information by the consumer before complying with an agent’s request. This change arguably requires proof that the consumer authorized an agent to undertake a specific request, potentially impacting third-party requestors that seek to monetize CCPA consumer rights request tools because it will be more difficult to scale and automate requests with this additional limitation.
- 999.332, subd. (a): Clarifies that businesses subject to either section 999.330 (Consumers Under 13 Years of Age) or section 999.331 (Notice to Consumers Under 16 Years of Age) of the CCPA regulations, as opposed to just those subject to both of these sections, are required to include in their privacy policies the additional notice for consumers under 16 years of age described in those sections.
- Our take: This change appears to be more of a cleanup than a substantive regulatory change.
As with prior proposed modifications, the AG will accept written comments regarding the proposed changes, followed by publishing the final text of the regulation and OAL review. Comments should be submitted to PrivacyRegulations@doj.ca.gov between October 13 and October 28, 2020 and must be limited to comments on the specific additions and deletions proposed in this round of modifications.