On August 14, 2020, the California Attorney General (AG) announced that the Office of Administrative Law (OAL) approved the California Consumer Privacy Act (CCPA) regulations, which will take effect immediately. The OAL’s approval concludes the expedited review process requested by the AG on June 1. For more information on the review process, see GT’s June 2, 2020 blog.

The Purpose of the Regulations

Under the CCPA, the AG is empowered to adopt regulations to further the law’s purposes. The CCPA regulations purport to do so via additional definitions; further detail on the contents of consumer notices; clarification of the methods in-scope businesses must offer to consumers for submitting requests to know, delete and opt out (or opt in); specificity relating to verification of requests; and more.

Final Regulations Changes

Although the OAL’s review is limited to regulatory legal requirements, the approved regulations include a number of updates to the proposed final set of regulations. After the AG’s submission of the final proposed regulations on July 29, the AG submitted an Addendum (July Addendum) to the AG’s Final Statement of Reasons (FSOR), as part of the final rulemaking package. In the Addendum, the AG withdrew certain provisions and made several non-substantive changes for accuracy, consistency, and clarity. It is unusual, but not improper, to amend regulations while they are under OAL review. When necessary, OAL generally accepts changes that do not add new regulatory requirements. Amendments which delete a regulatory requirement, or which clarify the language without substantive change to requirements, like those submitted via the AG’s July Addendum, will usually be acceptable.

Listed below are the key changes in the OAL-approved CCPA regulations, all of which were proposed by the AG in the July Addendum.

  • Removal of the “Do Not Sell My Info” Shorthand. The final regulations eliminate the shorthand wording “Do Not Sell My Info” from Section 999.305(b) and (f), but leave the “Do Not Sell My Personal Information” verbiage. Thus, rather than relying on the shorthand “Do Not Sell My Info” wording, businesses that are “selling” are required to use the “Do Not Sell My Personal Information” language in their website footer links and in-app links.
  • “Materially Different” Purposes Language Removed. In the final regulations, the following language from Section 999.305(a) regarding notice of new uses of personal information after collection and obtaining explicit consent was removed:

(5) A business shall not use a consumer’s personal information for a purpose materially different than those disclosed in the notice at collection. If the business seeks to use a consumer’s previously collected personal information for a purpose materially different than what was previously disclosed to the consumer in the notice at collection, the business shall directly notify the consumer of this new use and obtain explicit consent from the consumer to use it for this new purpose.

In the July Addendum, the AG withdrew this provision. While the reason for the removal is unclear, the opt-in “explicit consent” to new uses of personal information may have been deemed to create legal obligations beyond the CCPA’s current requirements.

  • Offline Opt-Out Notice Requirement. Absent from the final regulations is the requirement formerly in Section 999.306(b)(2) which held that “a business that substantially interacts with consumers offline shall also provide notice to the consumer by an offline method that facilitates consumer awareness of the right to opt-out,” such as by providing paper versions of the notice or posting signage. The elimination of former Section 999.306(b)(2) may be due to the fact that other provisions already address the issue of opt-out notice in relation to offline collection situations. Those provisions include the following language:
    • “[a] business that does not operate a website shall make the privacy policy conspicuously available to consumers,” see Section 999.308(b), and that the policy includes an explanation of the consumer’s right to opt out of the sale of their personal information. See Section 999.308(c)(3).
    • When a business collects consumers’ personal information offline, it may include the notice on printed forms that collect personal information, provide the consumer with a paper version of the notice, or post prominent signage directing consumers to where the notice can be found online. See Section 999.305(a)(3)(c).

Thus, the removal of Section 999.306(b)(2) does not substantively change obligations for businesses to inform consumers of their right to opt out offline.

  • Service Provider “Second Business” Clarification. Section 999.314(b) changed the reference from “second business” to “second entity” when indicating that “To the extent that a business directs a second entity to collect personal information from a consumer…the second entity shall be deemed a service provider of the first business for purposes of the CCPA…” This change may seek to eliminate confusion over the colloquial usage of the word “business” compared to the formal CCPA definition, so that it is not assumed that a service provider in question would necessarily otherwise qualify as an eligible “business” under the CCPA.
  • Removal of Ease of Consumer Opt-Out Requirement. Pursuant to the AG’s withdrawal of this provision in the July Addendum, the final CCPA regulations do not contain the following Section 999.315 “subverting” sub-section relating to requests to opt out:

A business’s methods for submitting requests to opt-out shall be easy for consumers to execute and shall require minimal steps to allow the consumer to opt-out. A business shall not utilize a method that is designed with the purpose or has the substantial effect of subverting or impairing a consumer’s decision to opt-out.

However, Section 999.315(a), which requires a business to provide two or more designated methods for submitting an opt-out request, including an interactive form accessible via the “Do Not Sell My Personal Information” link, and identifies several other acceptable request methods, was retained. Also retained was the paragraph immediately following the eliminated language, which provides:

If a business collects personal information from consumers online, the business shall treat user-enabled global privacy controls, such as a browser plug-in or privacy setting, device setting, or other mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal information as a valid request submitted pursuant to Civil Code section 1798.120 for that browser or device, or, if known, for the consumer.

(1) Any privacy control developed in accordance with these regulations shall clearly communicate or signal that a consumer intends to opt-out of the sale of personal information…

Although the reason the above “subverting” provision was eliminated is unclear, given the remaining language in Section 999.315, the language may have been removed as duplicative and unnecessary.

  • Clarification of Authorized Agents Requiring Signed Permission. In Section 999.326, regarding authorized agents’ submission of requests to know and delete, the final regulations remove former sub-section (c), which stated that “A business may deny a request from an authorized agent that does not submit proof that they have been authorized by the consumer to act on their behalf.” In the July Addendum, the AG withdrew this provision, potentially because subpart (a) describes the procedure a business may employ for a consumer to approve an authorized agent to assert know-and-delete requests, making any action by the agent irrelevant. In contrast, in relation to requests to opt out of sales, the final regulations indicate that a business may deny a request from an authorized agent if the agent “cannot provide to the business the consumer’s signed permission” demonstrating the consumer’s authorization to have the agent act on his/her behalf. See Section 999.315(f). Previously, reference was only made to requests being denied if an authorized agent did not “submit proof” of authorization. Thus, an authorized agent is required only to present signed permission to act on behalf of a consumer to assert the consumer’s opt-out right, but it is unnecessary for the consumer to verify their own identity directly with the business or confirm that they provided the authorized agent permission to submit a request, as required under Section 999.326(a).
  • Removal of the Severability Section. The final regulations remove former Section 999.341, which held that if any article, section, or other portion of the regulations were rendered inoperative, such decision “shall not affect the validity of the remaining portion of these regulations.”
  • Financial Incentive Definition. The final regulations update the definition of “financial incentive.” Whereas previously the definition meant “a program, benefit or other offering, including payments to consumers, related to the collection, retention, or sale of personal information,” the final definition replaces “retention” with “deletion.” The July Addendum articulates that this change is intended “to align with the express language of the statute.”

In addition, the final regulations update references in certain sections from “child” or “minor” to “consumer,” and include citations to additional CCPA sections of the California Civil Code as legal authorities for individual sections.
