May 21, 2022

Volume XII, Number 141


May 20, 2022

Subscribe to Latest Legal News and Analysis

May 19, 2022

Subscribe to Latest Legal News and Analysis

May 18, 2022

Subscribe to Latest Legal News and Analysis

Additional CCPA Regulations Approved, Take Effect

CPW and its sister blog SPB have been covering developments concerning the California Consumer Privacy Act of 2018 (“CCPA”).  As we discussed the end of last year, on December 10, 2020, the California Attorney General (“AG”) proposed some modifications to the regulations implementing the CCPA (the “Regulations”).  These were published in response to comments received by the AG following publication of the previous set of proposed CCPA modifications on October 12, 2020.

While the proposed modifications to the Regulations were relatively minor in substance, they provided guidance on the following issues:

  1. Refinement of requirement to provide notice at collection (and clarification of prohibition of new or secondary uses of personal information) (Section 999.305);

  2. Requirement for offline notice of right to opt-out (Section 999.306);

  3. New standards for a “do not sell” opt-out icon (Section 999.306);

  4. Requirement to make it “easy” for consumers to submit opt-out requests with minimal steps, and providing that a process for submitting a request to opt-out shall not require more steps than that process for a consumer to opt-in to the sale of personal information after having previously opted out (Section 315);

  5. Methods for verifying an authorized agent request (Section 999.326); and

  6. Requirements for Notices to Minors Under 16 Years of Age (Section 332).

As part of the rulemaking the Office of Attorney General (OAG) has clarified through its final statement of reasons (“FSOR”) that the use of the “do not sell” opt-out icon is optional, not mandatory.  That was not altogether clear from the draft regulations and the ambiguity garnered comments.

It should be noted, however, the icon is supplemental, not an alternative, to the “Do Not Sell My Personal Information” link that is required, and the icon, if used, must be placed to the immediate left of the link.  The OAG explains in the FSOR that “[t]his location is mandatory because it promotes awareness of the consumer’s right to opt-out of the sale of personal information.”

The OAG explained that businesses are free to place the icon in other places, but that placing it next to the statutorily mandated link helps users find that link.  With the CPRA and the Virginia CDPA to require yet additional opt-out links for new opt-out rights, and industry self-regulatory frameworks such as the DAA’s Ad Choices “interest-based advertising” opt-out link also requiring home page links, one can only ask how many consumer choice links will be required on a home page, and how will consumers ever make heads or tails of them?  Wouldn’t a single Privacy link on the home page to a privacy navigation and FAQs center be more effective in helping consumers sort out what the OAG referred to, by reference to an academic study, as a “scavenger hunt” for transparency and choice information.

For more on the history of the development of the icon, see our prior post here.

The CCPA regulations went into effect on August 14, 2020 and the additional amendments to the regulations went into effect on March 15, 2021.

© Copyright 2022 Squire Patton Boggs (US) LLPNational Law Review, Volume XI, Number 76

About this Author

Kristin L. Bryan Litigation Attorney Squire Patton Boggs Cleveland, OH & New York, NY
Senior Associate

Kristin Bryan is a litigator experienced in the efficient resolution of contract, commercial and complex business disputes, including multidistrict litigation and putative class actions, in courts nationwide.

She has successfully represented Fortune 15 clients in high-stakes cases involving a wide range of subject matters.

As a natural extension of her experience litigating data privacy disputes, Kristin is also experienced in providing business-oriented privacy advice to a wide range of clients, with a particular focus on companies handling customers’ personal data. In this...

Alan L. Friel Data Privacy & Cybersecurity Attorney Squire Patton Boggs Los Angeles, CA

Alan Friel is the deputy chair of the firm’s Data Privacy & Cybersecurity Practice.

Alan is a thought leader in digital media, intellectual property, and privacy and consumer protection law, with three decades of relevant experience to address the intersection of law and technology.

Prior to joining the firm, Alan was a partner at a US law firm, where he led the US Consumer Privacy practice (in which he counseled clients on compliance with the California Consumer Privacy Act (CCPA) and other data privacy regimes), and the retail, restaurant and e-commerce industry...