On Aug. 14, California’s attorney general announced the Office of Administrative Law approved the final regulations under the California Consumer Privacy Act and filed them with the secretary of state. According to the attorney general, the CCPA regulations go into effect immediately. The attorney general’s office had requested this immediate effective date when it filed the proposed final regulations June 1.
The approved final regulations include additional revisions. These changes are detailed in an Addendum to Final Statement of Reasons by the Office of the Attorney General and include “non-substantive changes for accuracy, consistency, and clarity,” as well as the withdrawal of certain provisions “for additional consideration.” Businesses will need to review these final regulations carefully to determine whether the revisions impact their plans for compliance. Some of these changes include:
The OAG withdrew four provisions from the CCPA regulations:
- Section 999.305. Notice at Collection, Subsection (a)(5). This provision prohibited a business from using a consumer’s personal information for a materially different purpose than disclosed in the notice of collection unless it obtained explicit consent from the consumer.
- Section 999.306. Notice of Right to Opt-Out, Subsection (b)(2). This provision required a business that substantially interacts with consumers offline to provide a notice to the consumer by an offline method.
- Section 999.315. Requests to Opt-Out, Subsection (c). This provision required that a business’s method for submitting requests to opt out be easy for consumers and require minimal steps. It also prohibited a business from using “a method that is designed with the purpose or has the substantial effect of subverting or impairing a consumer’s decision to opt-out.”
- Section 999.326. Authorized Agent, Subsection (c). This provision permitted a business to deny a request from an authorized agent in which the agent does not submit proof they are authorized to act on the consumer’s behalf.
The Addendum to the FSOR and attorney general’s news release do not include any commentary or explanation regarding why these provisions were withdrawn. It is likely these changes will generate some scrutiny, particularly to the extent they are perceived as favoring businesses. For example, the Final Statement of Reasons includes substantial discussion regarding Section 999.305, Subsection (a)(5) and the need for this provision, stating “[j]ust as a business must provide a notice at or before the point of collection so that the consumer may affirmatively decide whether to proceed ... , subsection (a)(5) is necessary so that the consumer may affirmatively decide whether to agree to the new use.” Similarly, the FSOR states Section 999.315, Subsection (c) “is necessary to avoid the possibility that some businesses may create confusing or complex mechanisms for consumers to exercise their rights under the CCPA.”
The approved regulations also include several “global modifications,” including replacing the word “minor” with “consumer.” The only explanation given for this change is that it was made “to align with the statute.” Practitioners can be expected to question why this change was made now and not in previous revisions to the regulations.
Other changes include the deletion of the alternative language “or ‘Do Not Sell My Info’” and Section 999.317, Subsection (g), relating to the disclosure of consumer request metrics for businesses handling a large amount of consumer data, which has been reorganized. Section 999.341 regarding severability was deleted as unnecessary.
Approval of the CCPA regulations is a final step in a long rulemaking process. While there may be further changes on the horizon — either through additional modifications to the regulations, amendment of the CCPA or approval of the California Privacy Rights Act in November’s election — having final regulations solidifies the present compliance requirements for businesses.
Photo by Paul Hanaoka on Unsplash
The Westin Research Center released a new interactive tool to help IAPP members navigate the California Consumer Privacy Act. The “CCPA Genius” maps requirements in the law to specific CCPA provisions, the proposed regulations, expert analysis and guidance regarding compliance, the California Privacy Rights Act ballot initiative, and other resources.
This book aims to help the person who is leading a business’s CCPA efforts so they can have a handle on what is necessary to comply and make risk-based choices about how best to proceed.
If you want to comment on this post, you need to login.