On Dec. 10, 2020, California's Office of the Attorney General proposed a sixth set of modifications to the CCPA regulations, which have posed a moving target since the first version was published Oct. 11, 2019. The office stated that the most recent changes are being proposed in response to comments received on its Oct. 12, 2020, set of proposed modifications to the "final" California Consumer Privacy Act regulations, which were issued effective Aug. 14, 2020.
The Dec. 10 proposal updates two aspects of the attorney general's Oct. 12 proposal, leaving the other features unchanged. The updates relate to notice of the "Do Not Sell" right and notably revive the "Do Not Sell" icon concept that was left on the cutting room floor in the final regulations.
The updates are as follows:
- Revising Section 999.306(b)(3) to clarify that a business selling personal information that it collects from consumers offline needs to inform the consumers by an offline method of the right to opt out of the sale of their personal information and provide instructions on how to submit a request to opt-out. The modifications provide clearer examples of acceptable offline notification methods.
The Dec. 10 changes fix several ambiguities in the Oct. 12 version. First, they clarify that it is sale, not collection, of personal information obtained offline that triggers the offline "Do Not Sell" notice requirement. Second, they fix the implication in the October proposal that the collection of personal information over the phone may require reading the full "Do Not Sell" notice.
- In the proposed new Section 999.306(f), the attorney general's office revives the option of using a uniform sale "opt-out button." This idea had been included in October 2019 but was left out of the final regulations. However, the California Privacy Rights Act includes the opt-out button as an option, and the latest proposed modifications to the CPRA do, as well. The button may be used in addition to, but not in lieu of, posting a notice of the right to opt-out of sales and a "Do Not Sell My Personal Information" link. The proposed modifications include prescriptive requirements as to the placement and size of the button, as well as state the button must lead to the same webpage or online location to which the "Do Not Sell My Personal Information" link leads. The office stated in a communication announcing the modifications that the purpose of the button is to promote consumer awareness of the opportunity to opt out of the sale of personal information.
The latest version does not alter the other features of the Oct. 12 proposed revisions. These include:
- A 999.315(h) requirement that a business’s avenue for submitting requests to opt-out to be easy to execute and include minimal steps. The modifications offer related illustrative guidance.
- A 999.326 narrowing of permissible steps that may be used to authenticate authorized agent requests to know or delete.
Finally, the Dec. 10 proposal adds to the record a number of documents that it relied on in preparing the proposed regulations, which are available here. A comparison of the Final Regulations to the most recent modifications is available here.
California's Office of the Attorney General is accepting written comments to the most recent proposed changes until Dec. 28.
Photo by Wil Stewart on Unsplash
The Westin Research Center released a new interactive tool to help IAPP members navigate the California Consumer Privacy Act. The “CCPA Genius” maps requirements in the law to specific CCPA provisions, the proposed regulations, expert analysis and guidance regarding compliance, the California Privacy Rights Act ballot initiative, and other resources.
“California Privacy Law,” now in its newly updated fourth edition, provides businesses, attorneys, privacy officers and other professionals with practical guidance and in-depth information to navigate the state’s strict policies.
If you want to comment on this post, you need to login.