On December 10, 2020, the California Attorney General (AG) released the Fourth Set of Proposed Modifications to the California Consumer Protection Act (CCPA) Regulations, styled as “Modifications to Proposed Modifications.” The Fourth Set comes shortly after the comment period for the Third Set of Proposed Modifications closed on Oct. 28.  Per the AG’s Notice of the Fourth Set of Proposed Modifications, the public has until 5:00 p.m. PST on Dec. 28 to submit comments via email to the CA DOJ at PrivacyRegulations@doj.ca.gov. Comments may also be mailed to the AG’s office at the address provided in its Notice, available here.

In the Third Set, the proposed changes predominantly focus on making the consumer right to opt out of the sale of one’s personal information easier to understand and exercise.  In the Fourth Set, the edits clarify some drafting errors and ambiguities that remained from prior versions of the Regulations and provide some robust guidance promoting a uniform rollout of the “Do Not Sell” opt-out button. The proposed changes are described in more detail below.

  • Examples of an Offline Opt-Out Notice. Section 999.306 of the CCPA Regulations currently in effect (Final Regulations) addresses the “Notice of Right to Opt-Out of Sale of Personal Information.” The Third Set proposes a new subsection (b)(3) to provide guidance on how businesses that collect personal information offline (e.g., brick and mortar establishments) should provide notice to consumers regarding their CCPA rights and the right to opt out.  It includes illustrative examples both for when personal information is collected in person by a store on paper forms and via telephone.

The Fourth Set further modifies proposed subsection (b)(3) to clarify that it applies to “a business that sells personal information that it collects[,]”  whereas previous language in the Third Set stated it applies to “a business that collects personal information[.]”

  • Guidance on Making Opting-Out “Easy.” Section 999.315 of the Final Regulations addresses “Requests to Opt-Out.”  The Third Set proposes a new subsection (h) stating that the method for submitting an opt-out request should be “easy [] to execute,” “shall require minimal steps[,]” and shall not have the “purpose or [] substantial effect” of impairing the consumer’s opt-out rights (emphasis added).

Proposed subsection (h)(1) likewise provides that the “process for submitting a request to opt-out shall not require more steps than that business’s process for a consumer to opt-in to the sale of personal information after having previously opted out.”

While this  proposed new requirement is sure to create more work for businesses, as this is yet another metric to be measured under the CCPA, the addition would at least instruct businesses where to begin the count when measuring “steps.”  The proposed subsection (h)(1) provides (bold added):

The business’s process for submitting a request to opt-out shall not require more steps than that business’s process for a consumer to opt-in to the sale of personal information after having previously opted out. The number of steps for submitting a request to opt-out is measured from when the consumer clicks on the “Do Not Sell My Personal Information” link to completion of the request. The number of steps for submitting a request to opt-in to the sale of personal information is measured from the first indication by the consumer to the business of their interest to opt-in to completion of the request.

Additional provisions of section 999.315(h) include prohibitions on “confusing language” like double negatives, and on certain actions that might make opting out more difficult, like making consumers click through pages explaining the downsides of opting out, requiring additional and unnecessary information from the consumer to opt out, or requiring a consumer to scroll to the bottom of a privacy policy or similar document or page to reach the actual opt-out mechanism after clicking a “Do Not Sell” link.

  • Clarifying the Authorized Agent Provisions. The Third Set clarifies an ambiguity that existed in section 999.326(a) of the Final Regulations, which describes how a consumer can use an authorized agent to submit requests to know or delete on their behalf.  The Final Regulations state at subsection (a) that “When a consumer uses an authorized agent to submit a request to know or a request to delete, a business may require that the consumer do the following[…][,]” (emphasis added). The business is then allowed to require the consumer to: (1) provide proof they had provided the agent signed permission to act on their behalf, (2) provide verification of their own identity with the business, or (3) provide direct confirmation that the agent is authorized to act on their behalf.  The Third Set proposes striking the first requirement and instead allowing the authorized agent to provide “proof that the consumer gave the agent signed permission to submit the request.” While this is likely to make it somewhat easier for authorized agents to act on behalf of the consumers they serve, the Third Set still provides that businesses may require that the consumer directly confirm both the identity and authorization for the agent to act on their behalf vis-a-vis the business.

  • Promoting a Uniform “Opt-Out Button.” The only completely new provision in the Fourth Set is a new subsection for section 999.306, which describes the “Notice of a Right to Opt-Out of Sale of Personal Information.” The new subsection (f) describes the “Opt-Out Button” and clarifies that an actual button “may be used in addition to . . . but not in lieu of any requirement to post the notice to opt-out” or a “Do Not Sell” link.  The provision provides examples of an opt-out button which may be used and provides other specifications, like the button “shall be added to the left side” of the “Do Not Sell” link and that it should be “approximately the same size as any other buttons” used by the site.  The proposed subsection provides a rendering of what the button / link combo should look like:

  • Finally, the Third Set corrected an ambiguity existing in section 999.332(a), which deals with “Notice to Consumers Under 16 Years of Age.”  As the AG summarizes in its Notice of the Third Set of Modifications, the proposed change “clarifies that businesses subject to either section 999.330. [“Consumers Under 13 Years of Age”], section 999.331. [“Consumers 13 to 15 Years of Age”], or both of these sections are required to include a description of the processes set forth in those sections in their privacy policies.”  In short, this provision modifies the Regulations to ensure that section 999.332 has a broader interpretation and application to businesses, as minors under 16 should be thought of as “consumers” requiring additional compliance measures and protections under the CCPA.

For more information on Data, Privacy & Cybersecurity issues, visit GT’s Data Privacy Dish blog.

Gretchen A. Ramos

Gretchen A. Ramos is Co-Chair of the Data, Privacy & Cybersecurity Practice and focuses her practice on privacy, cybersecurity, and information management. A creative problem-solver with a long track record of success in commercial disputes, she never loses sight of the simple fact that she works in a service industry. Clients appreciate not only her legal skills, but also her direct, no-nonsense approach to client service, including her bullet-pointed emails, snapshot executive summaries, and creativity in finding ways to streamline communications for in-house counsel with dozens of other projects—and little time—on their hands.

Gretchen’s clients come from diverse industries, including technology (SaaS), health care and life sciences, consumer products, manufacturing, academic institutions, and non-profits. She provides clients with practical business advice on compliance with state and federal U.S. laws, GDPR, APEC, and other global privacy laws in relation to their external and internal privacy and security procedures, product and app development, and advertising practices. Gretchen also regularly drafts and negotiates contracts concerning data-related vendors, assists clients in assessing privacy risks in corporate transactions, and provides guidance on and conducts privacy and security assessments. She has managed dozens of data breaches, and helps clients prepare for and immediately respond to security incidents and breaches.

Darren Abernethy

Darren J. Abernethy is a data privacy attorney with more than a decade of experience, including in AmLaw private practice in Washington, D.C. and as in-house counsel at startups and a leading privacy technology vendor. He advises clients on matters related to advertising technology, privacy, data breach management, and FTC best practices.

Darren’s concentrations include the California Consumer Privacy Act (CCPA), the European Union General Data Protection Regulation (GDPR)/ePrivacy, digital advertising, direct marketing, and IP-related transactional matters.

Michael C. Hoosier

Michael C. Hoosier is a data, privacy and cybersecurity attorney at Greenberg Traurig in San Francisco, where he counsels clients on how to comply with local, state, federal, and international privacy laws and regulations. Prior to joining GT, Michael worked as a litigator, with his practice split between white collar investigations and enforcement, and complex commercial litigation. Michael has represented corporate and individual clients in connection with international anti-corruption investigations, internal investigations, and in defensive postures with respect to federal regulators. His litigation experience includes drafting portions of varied motions and briefs, and reviewing complex commercial documents, including tech-related master services agreements and multibillion-dollar trust documents, for breach of contract and related issues.