December 4, 2020

Volume X, Number 339

Advertisement

December 04, 2020

Subscribe to Latest Legal News and Analysis

December 03, 2020

Subscribe to Latest Legal News and Analysis

December 02, 2020

Subscribe to Latest Legal News and Analysis

New Proposed CCPA Regulations Add Clarity to Process for Opting Out of Sale of Personal Information

On October 12, 2020, the California Department of Justice announced the release of a new, third set of proposed modifications to the California Consumer Privacy Act (CCPA) regulations. The proposed modifications amend a final set of regulations that were approved by the California Office of Administrative Law just two months earlier.

For insights, events and our Resource Guide on CCPA regulations, please click here to visit our Resource Center.

IN DEPTH


The Third Set of Proposed Modifications to the CCPA Regulations released on October 12 do not make substantial changes to the previously final set of CCPA regulations. The majority of the proposed modifications serve to clarify existing requirements rather than add new requirements or materially alter existing ones. As a result, the new proposed modifications should help businesses better understand what is expected to maintain compliance with certain aspects of the CCPA.

PROCESS FOR OPTING OUT OF SALE OF PERSONAL INFORMATION

The Department of Justice proposed to amend Sections 999.306(b)(3) and 999.315(h) to provide more detail about how a business should provide the right to opt out of the sale of personal information. Specifically, the Department of Justice:

  • Provides illustrative examples of how a business that collects personal information offline can provide its opt-out notice offline—through paper forms, posting signage directing consumers to an online notice or orally over the phone.

  • Makes clear that the methods for submitting opt-out requests should be easy for consumers to find and execute. For example, consumers should not have to search or scroll to find where to submit a request to opt out after clicking on the “Do Not Sell My Personal Information” link. A business should not use confusing language, try to impair a consumer’s choice to opt out or require a consumer to read through or listen to reasons why they should not opt out before confirming their request. In addition, the process for requesting to opt out shall collect only the amount of personal information necessary to execute the request.

VERIFYING AUTHORIZED AGENT

The Department of Justice added language to Section 999.326(a) clarifying what a business may request to verify that an agent is authorized to act on a consumer’s behalf. Specifically, a business may require an authorized agent to provide proof of signed permission from the consumer for the agent to submit the request. In addition, the business may require the consumer to either verify their own identity directly with the business or directly confirm with the business that they provided the authorized agent permission to submit the request. Previously, a business had to go through the consumer to verify the authorized agent. Now, a business can verify the authorized agent directly.

NOTICES TO CONSUMERS UNDER 16 YEARS OF AGE

Finally, the Department of Justice clarified in Section 999.332(a) that all businesses that sell personal information about children must describe in their privacy policies the processes used to obtain consent from the child or parent (as applicable). Previously, the regulations were worded such that only a business that sells the personal information of both consumers under 13 and consumers between 13 and 15 had to describe the processes used to comply with the CCPA’s consent requirements for minors.

Next Steps

The Department of Justice stated that it will accept written comments on the new proposed modifications until October 28, 2020. All timely comments will be reviewed and responded to by the Department’s staff as part of the compilation of the rulemaking file. In the meantime, we recommend reviewing forms and procedures used to comply with the CCPA’s opt-out, agent verification and children’s consent requirements against the proposed modifications to determine whether any updates may be needed.

© 2020 McDermott Will & EmeryNational Law Review, Volume X, Number 294
Advertisement

TRENDING LEGAL ANALYSIS

Advertisement
Advertisement

About this Author

Laura E. Jehl Partner Global Privacy & Cybersecurity  Autonomous Vehicles  Compliance  Consumer Data & Digital Marketing  Cross-Border Data Protection  Data Breach Management  Data Licensing & Strategies  Employer Data Privacy  Health Information Privacy  Information Security & Risk Mitigation  Privacy Litigation & Governmental Investigations  FinTech and Blockchain  Technology & Commercial Transactions  Telecommunications Transactions  Energy  Food, Beverage & Agribusiness  Healthcare  Technology  Alcohol
Partner

Laura Jehl serves as global head of the Firm’s Privacy and Cybersecurity Practice. Focusing on the intersection of data, law and emerging technologies, Laura advises clients on a broad range of privacy and cybersecurity issues. She has extensive experience identifying and mitigating privacy and data protection issues arising out of the collection, use and storage of data as well as the design of new business models, products and technologies. With unique experience as a former senior in-house counsel and C-suite executive, she understands the business, legal and...

202-756-8930
Jonathan Ende, attorney
Attorney

Jonathan Ende focuses his practice on antitrust and competition, with particular strength in regulatory matters. He has a great deal of experience in internal investigations, and has a keen insight on the manufacturing and biomedical industries in particular.

202-756-8768
Amy C. Pimentel, Global Privacy Staff Attorney, McDermott Will & Emery Law Firm
Associate

Amy Pimentel is an associate in the law firm of McDermott Will & Emery LLP and is based in the Firm’s Boston office.  Amy is a member of the Firm’s Global Privacy and Data Protection Affinity Group.  She focuses her practice on consumer protection, privacy, information security and international law.

Amy received her J.D. in 2014 from Northeastern University School of Law.  While in law school, Amy worked at the U.S. Department of Justice in the Office of International Affairs and interned for a judge at the International Criminal Tribunal...

617-535-3948
Advertisement
Advertisement