
Privacy Tracker | CCPA final regulations in effect, includes some changes


On Aug. 14, California’s attorney general announced the Office of Administrative Law approved the final regulations under the California Consumer Privacy Act and filed them with the secretary of state. According to the attorney general, the CCPA regulations go into effect immediately. The attorney general’s office had requested this immediate effective date when it filed the proposed final regulations June 1.

The approved final regulations include additional revisions. These changes are detailed in an Addendum to Final Statement of Reasons by the Office of the Attorney General and include “non-substantive changes for accuracy, consistency, and clarity,” as well as the withdrawal of certain provisions “for additional consideration.” Businesses will need to review these final regulations carefully to determine whether the revisions impact their plans for compliance. Some of these changes include:

Withdrawn provisions

 The OAG withdrew four provisions from the CCPA regulations:

  • Section 999.305. Notice at Collection, Subsection (a)(5). This provision prohibited a business from using a consumer’s personal information for a materially different purpose than disclosed in the notice of collection unless it obtained explicit consent from the consumer.
  • Section 999.306. Notice of Right to Opt-Out, Subsection (b)(2). This provision required a business that substantially interacts with consumers offline to provide a notice to the consumer by an offline method.
  • Section 999.315. Requests to Opt-Out, Subsection (c). This provision required that a business’s method for submitting requests to opt out be easy for consumers and require minimal steps. It also prohibited a business from using “a method that is designed with the purpose or has the substantial effect of subverting or impairing a consumer’s decision to opt-out.”
  • Section 999.326. Authorized Agent, Subsection (c). This provision permitted a business to deny a request from an authorized agent in which the agent does not submit proof they are authorized to act on the consumer’s behalf.

The Addendum to the FSOR and attorney general’s news release do not include any commentary or explanation regarding why these provisions were withdrawn. It is likely these changes will generate some scrutiny, particularly to the extent they are perceived as favoring businesses. For example, the Final Statement of Reasons includes substantial discussion regarding Section 999.305, Subsection (a)(5) and the need for this provision, stating “[j]ust as a business must provide a notice at or before the point of collection so that the consumer may affirmatively decide whether to proceed ... , subsection (a)(5) is necessary so that the consumer may affirmatively decide whether to agree to the new use.” Similarly, the FSOR states Section 999.315, Subsection (c) “is necessary to avoid the possibility that some businesses may create confusing or complex mechanisms for consumers to exercise their rights under the CCPA.”

Other modifications

The approved regulations also include several “global modifications,” including replacing the word “minor” with “consumer.” The only explanation given for this change is that it was made “to align with the statute.” Practitioners can be expected to question why this change was made now and not in previous revisions to the regulations.

Other changes include the deletion of the alternative language “or ‘Do Not Sell My Info’” and the reorganization of Section 999.317, Subsection (g), which relates to the disclosure of consumer request metrics for businesses handling a large amount of consumer data. Section 999.341 regarding severability was deleted as unnecessary.

Conclusion

Approval of the CCPA regulations is a final step in a long rulemaking process. While there may be further changes on the horizon — either through additional modifications to the regulations, amendment of the CCPA or approval of the California Privacy Rights Act in November’s election — having final regulations solidifies the present compliance requirements for businesses.

Photo by Paul Hanaoka on Unsplash


3 Comments


  • greg wilson • Aug 17, 2020
    Notice at Collection and Right to Opt-Out were IMHO important consumer protections that should not have been removed. Yes, you can still opt out but now there will be maze-like structures put in place to discourage consumers. And Notice at Collection protection is meaningless if businesses can now use data in ways consumers may not appreciate without notification or consent. This smacks of influence from big tech platforms that will benefit from these changes.
  • Philip Downing • Aug 18, 2020
    Have to agree with Greg Wilson; I'm struggling to figure out why these provisions were removed.
  • Davit DJIBILYAN • Aug 19, 2020
    No equivalent of Article 14 GDPR at all? Strange