Final CCPA Regulations Are Now in Effect – With a Few Changes
The California Attorney General (“AG”) announced on Friday, August 14th, that the Office of Administrative Law (“OAL”) approved the final California Consumer Privacy Act (“CCPA”) regulations. The AG submitted the regulations to OAL for approval on June 1, 2020. The final version includes several substantive changes where the AG “withdrew” provisions along with procedural and grammatical changes. Although the AG did not explain the reasons for withdrawing several provisions in the Addendum to Final Statement of Reasons, the AG stated he may resubmit these provisions following “further review and possible revision.” The final regulations have immediate effect and are now enforceable by the AG.
Summary of Final Regulation Changes
We summarize below the main substantive changes that were made to the version submitted to the OAL by the AG:
Ease of Submitting Requests to Opt-Out: The AG withdrew proposed Section 999.315(c), which would have prohibited businesses from making it difficult for consumers to request sale opt outs. Despite the removal of this provision, the AG is still likely to scrutinize company practices that frustrate a consumer’s ability to exercise CCPA rights.
Offline Notice of Right to Opt-Out: The AG withdrew proposed Section 999.306(b)(2), which would have required businesses to provide offline notices of the right to opt-out where the business substantially interacts with consumers offline. This change may have limited impact, however, because businesses must still provide a “notice at collection” for offline interactions, which must reference the webpage where the opt-out right can be exercised (if applicable).
Materially Different Purposes: The AG withdrew proposed Section 999.305(a)(5). This section would have prohibited any use of personal information for purposes that are materially different from the purposes disclosed in the notice at collection without providing the consumer with a new notice and obtaining explicit consent. Again, this change may have limited impact in practice because the CCPA statute and other federal and state laws continue to restrict making material changes without consent in most cases. We therefore encourage any company considering such changes to consult with counsel.
Denial of Authorized Agents: The AG withdrew proposed Section 999.326(c), which would have permitted businesses to deny any rights request from an authorized agent that failed to submit proof of the consumer’s authorization. The reason for this change is unclear given that Section 999.315(g) still permits a business to deny a request to opt-out if the agent fails to submit proof of the consumer’s authorization. Nevertheless, it is likely that the AG will support businesses that take reasonable steps to verify that authorized agents have appropriate authority to submit requests to know and delete on behalf of consumers.
“Do Not Sell My Info”: Finally, the AG withdrew the option proposed in Section 999.315(a) for businesses that sell data to use the phrase “Do Not Sell My Info.” Businesses that sell data must only use the lengthier phrase “Do Not Sell My Personal Information” on their website homepages. Entities that are using the short form should take note and update their website as soon as possible.
More Changes to Come?
On a related topic, the California legislature has proposed to amend the CCPA (AB-1281) to extend the business-to-business and personnel carve-outs through January 1, 2022, in place of the CCPA’s January 1, 2021 expiration date. The proposed amendment recently advanced from the Senate Judiciary Committee to the Appropriations Committee. For details on the proposed amendment, see our prior post. The California legislative calendar is scheduled to end soon, so the enactment of AB-1281 remains uncertain. These carve-outs could also be extended if the Consumer Privacy Rights Act passes – it will appear on California’s November 2020 ballot. We will provide updates as developments unfold.