On March 15, 2021, California approved new regulations implementing the California Consumer Privacy Act (CCPA). These regulations primarily focus on a business's obligations to comply with opt-out protocols and requirements (e.g., "Do Not Sell" links) and to respond to data privacy requests submitted by a consumer's authorized agent.
Although California voters recently approved the California Privacy Rights Act (CPRA), the CCPA's existing requirements, including these new regulations, remain in full force and effect at this time. The news release that accompanied the March regulations described, in general terms, the CCPA enforcement activities undertaken by the California Department of Justice and the regulatory powers of the soon-to-be-operational California Privacy Protection Agency.
Opt-out/Do Not Sell icons
The CCPA creates a complex set of rules and procedures in the event a business "sells" a consumer's personal information, and it (infamously) defines the term "sale" to mean, in essence, any disclosure of a consumer's personal information to another business or a third party "for monetary or other valuable consideration." The CCPA requires businesses that "sell" personal information to provide consumers the ability to "opt out" of this transaction by clicking a link on the business's website titled "Do Not Sell My Personal Information."
While earlier drafts of the CCPA regulations contained examples of how this link could be displayed, those examples were not included in the final version of the CCPA regulations issued in August 2020. The March 2021 regulations revisit this issue and state that the "following opt-out icon may be used in addition to posting the notice of right to opt out, but not in lieu of any requirement to post" an opt-out notice or a "Do Not Sell My Personal Information" link. California has made the icon available in several file formats.
The new regulations provide that "[t]he icon shall be approximately the same size as any other icons used by the business on its webpage." Although the word "shall" in this clause might suggest that use of the icon is mandatory, it governs only the icon's size when a business chooses to display it; the regulations clearly state elsewhere that the icon "may be used" by businesses, which implies that this method is purely discretionary. The news release that accompanied the regulations reinforces the optional nature of the icon. It is interesting to see the March regulations address this issue given that the CPRA amended the CCPA to require similar but distinct opt-out icons for businesses that "share" personal information or process "sensitive" personal information.
Opt-out notice requirements and prohibited practices
The March 2021 regulations create new provisions specifically addressing how opt-out notice requirements can be satisfied when dealing with consumers in an offline context. This type of situation often occurs when consumers provide personal information at a store's customer service desk or over the phone to a helpdesk representative, and the business thereafter "sells" this data within its organization (e.g., to affiliates that do not share common branding) or to third parties for marketing purposes. When engaging consumers in these offline contexts, the March 2021 regulations require businesses to inform consumers via "an offline method" of their opt-out rights and to provide them with instructions on submitting such requests. The regulations include the following examples of how businesses may satisfy these requirements:
- Include opt-out notices and disclaimers on the paper forms that collect the personal information.
- Post signs in the area where the personal information is collected that direct consumers to where more information about their opt-out rights can be found online.
- When personal information is gathered over the phone, verbally inform consumers of their right to opt out at that time.
With respect to the last example regarding telephonic notices, many organizations that use telephonic customer service representatives have already expanded their prerecorded disclaimers stating "this call may be monitored" to include references to their online privacy statement, and such a practice aligns with the non-exhaustive examples outlined in the March 2021 regulations.
Additionally, the March 2021 regulations provide that the methods a business uses to enable opt-out requests must be "easy for consumers to execute" and "require minimal steps to allow the consumer to opt-out." Businesses are prohibited from employing an opt-out "method that is designed with the purpose or has the substantial effect of subverting or impairing a consumer's choice to opt-out." To emphasize this point, these regulations provide examples of prohibited practices in this area:
- An opt-out process cannot require more steps than the process a consumer must follow to opt back in to the sale of personal information after having previously opted out.
- A business cannot use double negatives ("Don't Not Sell My Personal Information") or other confusing language when furnishing opt-out notices to consumers.
- A business cannot (with some limited exceptions) require consumers to "click-through or listen to reasons why they should not submit a request to opt-out" before their request is finalized.
- Businesses cannot request unnecessary personal information from consumers exercising their opt-out rights.
The March 2021 regulations also state that "[u]pon clicking the 'Do Not Sell My Personal Information' link, the business shall not require the consumer to search or scroll through the text of a privacy policy or similar document or webpage to locate the mechanism for submitting a request to opt-out." It should be noted that the new regulations do not amend Section 999.306(b), which provides that a business that collects personal information through a mobile application may provide a link to its opt-out notice within the application (e.g., in the settings menu). This notice may itself link to the section of the business's privacy policy that contains the appropriate opt-out content. Businesses using this technique should ensure their links point directly to the opt-out section of their privacy policy (for example, via an anchor to that section rather than to the top of the policy) to avoid implicating the "searching and scrolling" prohibition.
Consumer privacy requests and authorized agents
The CCPA creates a framework in which an authorized agent may submit data privacy requests on behalf of a consumer, provided the agent is registered with the Secretary of State to conduct business in California and complies with certain authentication and verification processes. More specifically, Section 999.326 sets forth the processes a business may follow to verify that an authorized agent is, in fact, lawfully acting on behalf of a consumer.
The March 2021 regulations amended Section 999.326 so that when a business receives a "request to know" or a "request to delete" from an authorized agent, the "business may require the authorized agent to provide evidence that the consumer gave the agent signed permission to submit the request." Previously, this section required the consumer to provide this type of evidence; the clause was presumably amended to account for the fact that businesses engaging with authorized agents perform their authentication and verification processes directly with the agent, not with the consumer, who may be seeking to avoid interaction with the business altogether.
Notwithstanding this change, the CCPA regulations still permit a business to require the consumer, rather than the authorized agent, to verify their own identity with the business or to confirm that they gave the authorized agent permission to submit the request. In other words, under the March 2021 regulations, a business may require both the authorized agent and the consumer to produce evidence that the agency relationship exists between the parties and that the data privacy request has been duly authorized.