October 28, 2021

Volume XI, Number 301

Advertisement
Advertisement

October 28, 2021

Subscribe to Latest Legal News and Analysis

October 27, 2021

Subscribe to Latest Legal News and Analysis

October 26, 2021

Subscribe to Latest Legal News and Analysis

Final CCPA Regulations Are Now in Effect – With a Few Changes

The California Attorney General (“AG”) announced on Friday, August 14th, that the Office of Administrative Law (“OAL”) approved the final California Consumer Privacy Act (“CCPA”) regulations. The AG submitted the regulations to OAL for approval on June 1, 2020.  The final version includes several substantive changes where the AG “withdrew” provisions along with procedural and grammatical changes.  Although the AG did not explain the reasons for withdrawing several provisions in the Addendum to Final Statement of Reasons, the AG stated he may resubmit these provisions following “further review and possible revision.”  The final regulations have immediate effect and are now enforceable by the AG.

Summary of Final Regulation Changes

We summarize below the main substantive changes that were made to the version submitted to the OAL by the AG:

  • Ease of Submitting Requests to Opt-Out: The AG withdrew proposed Section 999.315(c), which would have prohibited businesses from making it difficult for consumers to request sale opt outs. Despite the removal of this provision, the AG is still likely to scrutinize company practices that frustrate a consumer’s ability to exercise CCPA rights.

  • Offline Notice of Right to Opt-Out: The AG withdrew proposed Section 999.306(b)(2), which would have required businesses to provide offline notices of the right to opt-out where the business substantially interacts with consumers offline. This change may have limited impact, however, because businesses must still provide a “notice at collection” for offline interactions, which must reference the webpage where the opt-out right can be exercised (if applicable).

  • Materially Different Purposes: The AG withdrew proposed Section 999.305(a)(5). This section would have prohibited any use of personal information for purposes that are materially different from the purposes disclosed in the notice at collection without providing the consumer with a new notice and obtaining explicit consent. Again, this change may have limited impact in practice because the CCPA statute and other federal and state laws continue to restrict making material changes without consent in most cases.  We therefore encourage any company considering such changes to consult with counsel.

  • Denial of Authorized Agents: The AG withdrew proposed Section 999.326(c), which would have permitted businesses to deny any rights request from an authorized agent that failed to submit proof of the consumer’s authorization. The reason for this change is unclear given that Section 999.315(g) still permits a business to deny a request to opt-out if the agent fails to submit proof of the consumer’s authorization.  Nevertheless, it is likely that the AG will support businesses that take reasonable steps to verify that authorized agents have appropriate authority to submit requests to know and delete on behalf of consumers.

  • “Do Not Sell My Info”: Finally, the AG withdrew the option proposed in Section 999.315(a) for businesses that sell data to use the phrase “Do Not Sell My Info.” Businesses that sell data must only use the lengthier phrase “Do Not Sell My Personal Information” on their website homepages. Entities that are using the short form should take note and update their website as soon as possible.

More Changes to Come?

On a related topic, the California legislature has proposed to amend the CCPA (AB-1281) to extend the business-to-business and personnel carve-outs through January 1, 2022, in place of the CCPA’s January 1, 2021 expiration date. The proposed amendment recently advanced from the Senate Judiciary Committee to the Appropriations Committee. For details on the proposed amendment, see our prior post. The California legislative calendar is scheduled to end soon, so the enactment of AB-1281 remains uncertain.  These carve-outs could also be extended if the Consumer Privacy Rights Act passes – it will appear on California’s November 2020 ballot. We will provide updates as developments unfold.

© Copyright 2021 Squire Patton Boggs (US) LLPNational Law Review, Volume X, Number 231
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

Ann J. LaFrance Data Privacy & Cybersecurity Attorney Squire Patton Boggs New York, NY & Washington DC
Partner

Ann LaFrance co-chairs the firm’s global Data Privacy & Cybersecurity Practice and is a senior member of the international Communications Practice.

In addition to advising clients on national and cross-border data privacy and cybersecurity matters, Ann has experience counselling clients on a broad range of legal and regulatory issues affecting the provision of internet and digital services, as well as advanced technologies. She has particular expertise advising on issues of concern to technology, media and telecommunications companies and she frequently serves as an adviser to...

212-872-9830
Elliot Golding Privacy and Cybersecurity Attorney Squire Patton Boggs
Partner

Elliot Golding (CIPP/US) is a member of our Data Privacy & Cybersecurity Practice and Healthcare Industry Group leadership team, where he provides business-oriented privacy and cybersecurity advice to a wide range of clients, with a particular focus on companies handling healthcare and other personal data. He has been selected as an honoree in Global Data Review’s inaugural 40 Under 40 list, representing the best of the data law bar around the world.

Elliot partners with clients to proactively manage risk by developing and implementing information governance programs,...

202-457-6407
Lydia de la Torre Data Privacy & Cybersecurity Attorney Squire Patton Boggs Palo Alto, CA
Of Counsel

Lydia de la Torre provides strategic privacy compliance advice related to US and EU privacy, including data protection and cybersecurity law, General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), other state’s privacy and cyber laws, US financial privacy laws, and marketing and advertising compliance, as well as information security. She also represents clients in investigations with an eye toward helping them avoid litigation.

Lydia’s work in-house and with organizations has run the gamut, from pre-IPO start-ups to mature Fortune 500 companies, in a...

650-843-3227
Glenn Brown Data Privacy & Cybersecurity Attorney Squire Patton Boggs Atlanta., GA
Of Counsel

A senior member of our Data Privacy & Cybersecurity Practice Group, Glenn Brown provides business-oriented advice to clients in numerous industries on data privacy and regulatory compliance matters, including regulatory investigations and examinations. He has experience driving privacy and compliance priorities within organizations and providing strategic counsel regarding privacy, compliance and risk to support the growth and success of the business.

Glenn also has deep experience advising clients regarding compliance with many of the US...

678-272-3235
Lauren Kitces Data Privacy & Cybersecurity Attorney Squire Patton Boggs Washington DC
Associate

Lauren Kitces is a member of our Data Privacy & Cybersecurity Practice, where she provides business-oriented privacy and cybersecurity advice to a wide range of clients, leveraging her in-house experience to provide mindful guidance. She has strong international experience, which she uses to help translate pre-existing international efforts into US regulatory compliance. Lauren enjoys the nuance and complexities that come with being in a field that is still evolving and forming both nationally and internationally.

Lauren utilizes her analytical thought-process and over 10 years...

202-457-6427
Advertisement
Advertisement
Advertisement