Alston & Bird Consumer Finance Blog


California Department of Justice Releases Post-Finalization Modifications to CCPA Regulations

On October 12, 2020, the California Department of Justice (“Department”) released its first set of proposed post-finalization modifications to the California Consumer Privacy Act Regulations (the “CCPA Regulations”).

As many businesses know, the CCPA Regulations were finalized on August 14, 2020.  The Department styled these new modifications as a “Third Set of Proposed Modifications” to the CCPA Regulations, suggesting that it sees them as related to the two rounds of modifications it proposed before the Regulations were finalized.  (You can read our summaries of the key impacts of these prior modifications here (first round of modification) and here (second round of modifications)).

While the Department’s new proposed modifications are modest in volume, they contain potentially significant impacts for businesses.  If passed in their current form, the modifications would modify the CCPA Regulations as follows:

(1) Required Offline Opt-Out Notices Would Return: Pre-finalization drafts of the Regulations required businesses that “substantially interact[] with consumers offline” to provide an offline notice to consumers about their right to opt-out of data sales.  However, this requirement was deleted as the Regulations were finalized during review by California’s Office of Administrative Law.

  • The Department’s new proposed modifications would reintroduce the requirement to provide offline opt-out notices whenever a “business … collects personal information in the course of interactions with consumers offline.”
  • As illustrations of how this required offline notice can be provided, the modifications state that “brick-and-mortar store[s]” may provide notice by (a) “printing the notice on the paper forms that collect the personal information” or by (b) posting signage in “the area where the personal information is collected.” Likewise, businesses that collect personal information over the phone may provide notice orally “during the phone call where such personal information is collected.”

(2) The Requirement for “Easy” Opt-Outs Would Return – with Specified Prohibited Practices: Pre-finalization draft of the Regulations required businesses’ methods enabling consumer to make Opt-Out requests to be “easy for consumers to execute and [] require minimal steps.” Again, however, this requirement was deleted as the Regulations were finalized during review by California’s Office of Administrative Law.

  • The Department’s new proposed modifications would reintroduce verbatim the requirements that (a) “[a] business’s methods for submitting requests to opt-out shall be easy for consumers to execute and shall require minimal steps,” and (b) opt-out submission methods cannot “subvert[] or substantially impair[]” consumers’ choice to opt-out.
  • The new proposed modifications contain a list of prohibited opt-out practices, potentially derived from the California Attorney General’s initial experience enforcing the CCPA. For example, businesses cannot:
    • Use confusing double-negative language (e.g., “Don’t Not Sell My Personal Information”),
    • Require consumers to click through or listen to reasons why they should not submit an opt-out request;
    • Require consumers to provide personal information not necessary for the opt-out request; or
    • If a consumer has already clicked on “Do Not Sell My Personal Information,” require the consumer to scroll through a Privacy Policy to locate the opt-out submission form.

(3) Businesses Could Ask Authorized Agents for Proof of their Authority (and Would Not Need to Go to the Consumer): The new proposed modifications would clarify that, when businesses receive a CCPA request from an individual purporting to act as a consumer’s authorized agent, they can require the authorized agent to provide proof it has written permission to act for the consumer. Under the current Regulations, businesses would have to go to the consumer to obtain this proof.

(4) All Notices to Consumers Under 16 Years of Age Would Require Additional Disclosures: The modifications would clarify that any privacy policy directed towards individuals under the age of 16 must meet the CCPA Regulations’ additional information requirements.  Currently, the Regulations imply that these additional information requirements only apply to privacy policies directed at children that are both under 13 (regulated under § 999.330 Regulations) as well as age 13-15 (regulated under § 999.331).  The modifications would clarify that any privacy policy that is directed at any individual under 16 – irrespective of under 13 or age 13-15 – must contain the additional content required under the CCPA Regulations.

A redline showing the proposed changes based on the currently effective regulations is available here.  The proposed modifications are open for public comment until Wednesday, October 28, 2020.

California Passes Bill Extending Exemptions for Employment and Business-to-Business Information Under the CCPA

On Friday, August 28, the California state legislature passed Assembly Bill 1281 (“AB 1281”), potentially extending until January 1, 2022 the partial exemptions for employment and business-to-business data under the California Consumer Privacy Act (the “CCPA”).  AB 1281 only takes effect if the California Privacy Rights Act of 2020 (the “CPRA”), an initiative to amend the CCPA, is not approved in the statewide general election on November 3.  If the CPRA is not approved, the exemptions will expire on January 1, 2022.  If the CPRA is approved, the exemptions will expire on January 1, 2023.

Before the passage of AB 1281, there was more uncertainty regarding when businesses would have to fully incorporate employment and business-to-business data into their CCPA compliance programs.  The exemptions were previously set to expire on January 1 of the coming year unless the CPRA were to pass in November.  Businesses now have until at least January 1, 2022 to fully incorporate employment and business-to-business information into their CCPA compliance programs.

For more information on AB 1281 and its impact on a business’s decision to fully extend its compliance program to employment and business-to-business data, please visit our previous blog post here.  A summary of the CPRA’s key business impacts may be found here.

California Privacy Rights Act (CPRA) Will be on November Ballot

The California Secretary of State has announced that the California Privacy Rights Act (CPRA) will be on California’s November 3, 2020 ballot.  If approved by California voters, the CPRA would significantly update and amend the California Consumer Privacy Act (CCPA) that went into effect at the beginning of this year.  The organization that submitted the CPRA for inclusion on the ballot has stated its polling shows 88% of Californians would support a ballot measure expanding privacy protections.

We published a summary of the CPRA’s key business impacts here.  The most recent version of the CPRA can be view downloaded here.

As a ballot initiative, the CPRA could only be placed on California’s November ballot if a sufficient number of signatures of registered voters were collected and validated.  Until last night, the California Secretary of State was still working with California counties to determine whether Alastair Mactaggart’s organization – which submitted the CPRA for placement on the ballot – had collected sufficient qualifying signatures.  As we reported, Mactaggart had petitioned California courts to compel the placement of the CPRA on this year’s California ballots.  The Secretary of State’s announcement confirms the CPRA will be voted on this year.

The Updated CCPA Regulations: Alston & Bird Detail the 30 Key Business Impacts

On February 7, California Attorney General Xavier Becerra released updated regulations to the California Consumer Privacy Act (CCPA).  The updates contain a number of material modifications to the initial CCPA regulations that AG Becerra’s office released in October 2019.

Alston & Bird has compiled a privacy briefing summarizing the 30 key modifications to the Regulations that potentially impact businesses. These include modifications to rules regarding:

  • Notices companies must provide (there are new types!);
  • How companies must intake and process consumer requests to access or delete data;
  • “Do Not Sell My Info” requests;
  • How B2B service providers can use customer data; and
  • Data-mediated financial incentive programs.

To read the full Privacy Briefing on the Updated Regulations, click here.

For further information, contact Kathleen BenwayDavid KeatingAmy Mushahwar, or Daniel Felz.

California Releases Modified CCPA Regulations

On February 7, 2020, the California Office of the Attorney General released Modified Regulations to the California Consumer Privacy Act (“CCPA”). The Modified Regulations update the Initial Proposed Regulations, which were previously published on October 11, 2019. The deadline to submit written comments is February 24, 2020 at 5:00 pm PST.

Alston & Bird’s Privacy & Data Security team will be publishing a blog post with a more detailed discussion of the Modified Regulations.