January 29, 2023

Volume XIII, Number 29


January 27, 2023

Subscribe to Latest Legal News and Analysis

January 26, 2023

Subscribe to Latest Legal News and Analysis

Kick the CCPA Compliance Program Back Into Gear

2020 “back to school” has a whole new meaning in the age of COVID-19.   Now, it is finally time for companies to take compliance with the California Consumer Privacy Act (“CCPA”) off the back burner and implement policies and procedures and processes.  The California Attorney General’s final regulations are in place and approved (“Final Regulations”), and ready for enforcement.  The Final Regulations include additional revisions, which are important for businesses to consider as they move forward with the CCPA compliance.

These changes appear in the Attorney General’s Addendum to Final Statement of Reasons, which can be found here.  They include corrections, clarifications, and the withdrawal of four provisions “for additional consideration.”  The Attorney General’s office withdrew a total of four provisions from the Final Regulations.  This means that, for the time being, the Attorney General will not enforce these four requirements, but some companies had already made certain changes to implement the “not quite final” regulations.  These will need to be updated to match the Final Regulations.  The Addendum makes it clear, however, that the Attorney General may still resubmit the deleted sections “after further review and possible revision.”  We will continue to monitor the CCPA legal developments and any subsequent revisions to the regulations.     

Deleted Provisions:

  • Section 999.305(a)(5).  This controversial provision arguably exceeded the scope of the CCPA in that it required a business to obtain explicit consent from the consumer before using their personal information for any new business purpose, as opposed to simply requiring a notice.  With it withdrawn, mere notice of a new use should now suffice.  

  • Section 999.306(b)(2).  This provision previously required a business that substantially interacts with consumers offline to provide an offline notice to consumers of their right to opt out.  This notice could be in a form of a signage or paper form, which was said to be difficult for some businesses to implement.  Now companies may rely solely on their website as the basis to provide the notice of the right to opt out to their consumers.  

  • Section 999.315(c).  This provision previously contained a requirement that a business’s method for consumers’ submitting requests to opt out be easy and involve only minimal steps, so as to minimize the burden on the consumers.  It also prohibited a business from using “a method that is designed with the purpose or has the substantial effect of subverting or impairing a consumer’s decision to opt-out.”  With this provision deleted, businesses can now utilize any reasonable and appropriate method for accepting opt-out requests, although they should still strive to make the process simple, if possible.

  • Section 999.326(c).  This provision previously allowed a business to deny a request from a consumer’s authorized agent if the agent did not submit proof that they have been authorized to act on the consumer’s behalf.  The final regulations, however, still require the agent to be registered with the Secretary of State to conduct business in California.  As a practical matter, businesses cannot immediately deny a consumer’s request for insufficient proof of authorization but can still deny it if the request is ultimately unverifiable.

Additional Changes:

Several other changes were made and were dubbed “non-substantial.”  The following of these changes are worth noting, however:

  • Previously, the regulations allowed companies to use the shorthand phrase ““Do Not Sell My Info.”  However, this phrase has now been removed from sections 999.305(b)(3), 999.305(f)(1), 999.306(b)(1) and 999.315(a) of the regulations.  Businesses, therefore, can no longer use this shorter phrase on a hyperlink directing consumers to their privacy choices.  They must now revert to the statute’s original language:  “Do Not Sell My Personal Information.”

  • Previously, the regulations stated in Section 999.308(c)(1)(e) that the privacy policy must describe the sources from which personal information is collected “in a manner that provides consumers a meaningful understanding of the information being collected.”  This provision has now been deleted.  Business must still identify “categories of sources from which the personal information is collected,” however.

The Final Regulations are now final and fully effective, which means that any companies that were previously awaiting additional guidance from the AG’s office now have all the tools and requirements at their disposal.  We expect the Attorney General’s office to turn its full attention to enforcing the CCPA.  It is, therefore, important, to ensure full compliance with the CCPA, especially for those businesses that have not been actively considering how these Final Regulations affect their compliance programs.   

©1994-2023 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.National Law Review, Volume X, Number 252

About this Author

Cynthia Larose Privacy Attorney Mintz Levin
Chair, Privacy & Cybersecurity Practice

Cynthia is a highly regarded authority in the privacy and security field and a Certified Information Privacy Professional (CIPP). She handles the full range of data security issues for companies of all sizes, from start-ups to major corporations. Cynthia is masterful at conducting privacy audits; crafting procedures to protect data; advising clients on state, federal, and international laws and regulations on information use and data security; helping organizations respond to breaches; and planning data transfers associated with corporate transactions. She is an in-...

Natalie Prescott, Mintz Levin Law Firm, Litigation Attorney
Practice Group Associate

Natalie’s practice focuses on a wide range of litigation matters.

Prior to joining the firm, Natalie worked as the co-founder and trial lawyer for a boutique litigation firm that focuses on state and federal litigation. She also spent many years as a litigation associate at one of the world’s largest law firms, where she received extensive consumer litigation, trial, and appellate experience.

Previously, Natalie served as a judicial law clerk for the Honorable Roger T. Benitez of the United States District Court of the...

858 -314-1534