Alston & Bird Consumer Finance ABstract

California Department of Justice Releases Post-Finalization Modifications to CCPA Regulations

By and

Cyber attack

On October 12, 2020, the California Department of Justice (“Department”) released its first set of proposed post-finalization modifications to the California Consumer Privacy Act Regulations (the “CCPA Regulations”).

As many businesses know, the CCPA Regulations were finalized on August 14, 2020.  The Department styled these new modifications as a “Third Set of Proposed Modifications” to the CCPA Regulations, suggesting that it sees them as related to the two rounds of modifications it proposed before the Regulations were finalized.  (You can read our summaries of the key impacts of these prior modifications here (first round of modification) and here (second round of modifications)).

While the Department’s new proposed modifications are modest in volume, they contain potentially significant impacts for businesses.  If passed in their current form, the modifications would modify the CCPA Regulations as follows:

(1) Required Offline Opt-Out Notices Would Return: Pre-finalization drafts of the Regulations required businesses that “substantially interact[] with consumers offline” to provide an offline notice to consumers about their right to opt-out of data sales.  However, this requirement was deleted as the Regulations were finalized during review by California’s Office of Administrative Law.

  • The Department’s new proposed modifications would reintroduce the requirement to provide offline opt-out notices whenever a “business … collects personal information in the course of interactions with consumers offline.”
  • As illustrations of how this required offline notice can be provided, the modifications state that “brick-and-mortar store[s]” may provide notice by (a) “printing the notice on the paper forms that collect the personal information” or by (b) posting signage in “the area where the personal information is collected.” Likewise, businesses that collect personal information over the phone may provide notice orally “during the phone call where such personal information is collected.”

(2) The Requirement for “Easy” Opt-Outs Would Return – with Specified Prohibited Practices: Pre-finalization draft of the Regulations required businesses’ methods enabling consumer to make Opt-Out requests to be “easy for consumers to execute and [] require minimal steps.” Again, however, this requirement was deleted as the Regulations were finalized during review by California’s Office of Administrative Law.

  • The Department’s new proposed modifications would reintroduce verbatim the requirements that (a) “[a] business’s methods for submitting requests to opt-out shall be easy for consumers to execute and shall require minimal steps,” and (b) opt-out submission methods cannot “subvert[] or substantially impair[]” consumers’ choice to opt-out.
  • The new proposed modifications contain a list of prohibited opt-out practices, potentially derived from the California Attorney General’s initial experience enforcing the CCPA. For example, businesses cannot:
    • Use confusing double-negative language (e.g., “Don’t Not Sell My Personal Information”),
    • Require consumers to click through or listen to reasons why they should not submit an opt-out request;
    • Require consumers to provide personal information not necessary for the opt-out request; or
    • If a consumer has already clicked on “Do Not Sell My Personal Information,” require the consumer to scroll through a Privacy Policy to locate the opt-out submission form.

(3) Businesses Could Ask Authorized Agents for Proof of their Authority (and Would Not Need to Go to the Consumer): The new proposed modifications would clarify that, when businesses receive a CCPA request from an individual purporting to act as a consumer’s authorized agent, they can require the authorized agent to provide proof it has written permission to act for the consumer. Under the current Regulations, businesses would have to go to the consumer to obtain this proof.

(4) All Notices to Consumers Under 16 Years of Age Would Require Additional Disclosures: The modifications would clarify that any privacy policy directed towards individuals under the age of 16 must meet the CCPA Regulations’ additional information requirements.  Currently, the Regulations imply that these additional information requirements only apply to privacy policies directed at children that are both under 13 (regulated under § 999.330 Regulations) as well as age 13-15 (regulated under § 999.331).  The modifications would clarify that any privacy policy that is directed at any individual under 16 – irrespective of under 13 or age 13-15 – must contain the additional content required under the CCPA Regulations.

A redline showing the proposed changes based on the currently effective regulations is available here.  The proposed modifications are open for public comment until Wednesday, October 28, 2020.

Dan Felz

About Dan Felz

Daniel Felz is an attorney with Alston & Bird’s Privacy & Data Security Group. Dan leverages his extensive international experience to advise clients on global privacy, cybersecurity, technology, and adversarial matters.

[Read Bio]

Aaron Wasser

About Aaron Wasser

Aaron Wasser is an associate in Alston & Bird’s Privacy & Data Security Team. Aaron focuses his practice on helping clients develop tailored solutions to complex privacy and cybersecurity problems.

[Read Bio]