Additional CCPA Regulations Approved, Take Effect
CPW and its sister blog SPB have been covering developments concerning the California Consumer Privacy Act of 2018 (“CCPA”). As we discussed the end of last year, on December 10, 2020, the California Attorney General (“AG”) proposed some modifications to the regulations implementing the CCPA (the “Regulations”). These were published in response to comments received by the AG following publication of the previous set of proposed CCPA modifications on October 12, 2020.
While the proposed modifications to the Regulations were relatively minor in substance, they provided guidance on the following issues:
Refinement of requirement to provide notice at collection (and clarification of prohibition of new or secondary uses of personal information) (Section 999.305);
Requirement for offline notice of right to opt-out (Section 999.306);
New standards for a “do not sell” opt-out icon (Section 999.306);
Requirement to make it “easy” for consumers to submit opt-out requests with minimal steps, and providing that a process for submitting a request to opt-out shall not require more steps than that process for a consumer to opt-in to the sale of personal information after having previously opted out (Section 315);
Methods for verifying an authorized agent request (Section 999.326); and
Requirements for Notices to Minors Under 16 Years of Age (Section 332).
As part of the rulemaking the Office of Attorney General (OAG) has clarified through its final statement of reasons (“FSOR”) that the use of the “do not sell” opt-out icon is optional, not mandatory. That was not altogether clear from the draft regulations and the ambiguity garnered comments.
It should be noted, however, the icon is supplemental, not an alternative, to the “Do Not Sell My Personal Information” link that is required, and the icon, if used, must be placed to the immediate left of the link. The OAG explains in the FSOR that “[t]his location is mandatory because it promotes awareness of the consumer’s right to opt-out of the sale of personal information.”
The OAG explained that businesses are free to place the icon in other places, but that placing it next to the statutorily mandated link helps users find that link. With the CPRA and the Virginia CDPA to require yet additional opt-out links for new opt-out rights, and industry self-regulatory frameworks such as the DAA’s Ad Choices “interest-based advertising” opt-out link also requiring home page links, one can only ask how many consumer choice links will be required on a home page, and how will consumers ever make heads or tails of them? Wouldn’t a single Privacy link on the home page to a privacy navigation and FAQs center be more effective in helping consumers sort out what the OAG referred to, by reference to an academic study, as a “scavenger hunt” for transparency and choice information.
For more on the history of the development of the icon, see our prior post here.
The CCPA regulations went into effect on August 14, 2020 and the additional amendments to the regulations went into effect on March 15, 2021.