On December 10, 2020, the California Attorney General (AG) released the Fourth Set of Proposed Modifications to the California Consumer Protection Act (CCPA) Regulations, styled as “Modifications to Proposed Modifications.” The Fourth Set comes shortly after the comment period for the Third Set of Proposed Modifications closed on Oct. 28.  Per the AG’s Notice of the Fourth Set of Proposed Modifications, the public has until 5:00 p.m. PST on Dec. 28 to submit comments via email to the CA DOJ at PrivacyRegulations@doj.ca.gov. Comments may also be mailed to the AG’s office at the address provided in its Notice, available here.

In the Third Set, the proposed changes predominately focus on making the consumer right to opt-out of the sale of one’s personal information easier to understand and exercise.  In the Fourth Set, the edits clarify some drafting errors and ambiguities that remained from prior versions of the Regulations and provide some robust guidance promoting a uniform rollout of “Do Not Sell” opt-out button. The proposed changes are described in more detail below.

  • Examples of an Offline Opt-Out Notice. Section 999.306 of the CCPA Regulations currently in effect (Final Regulations) address the “Notice of Right to Opt-Out of Sale of Personal Information.” The Third Set proposes a new subsection (b)(3) to provide guidance on how businesses that collect personal information offline (e.g., brick and mortar establishments) should provide notice to consumers regarding their CCPA rights and the right to opt-out.  It includes illustrative examples both for when personal information is collected in-person by a store on paper forms and via telephone.

The Fourth Set further modifies proposed subsection (b)(3) to clarify that it applies to “a business that sells personal information that it collects[,]”  whereas previous language in the Third Set stated it applies to “a business that collects personal information[.]”

  • Guidance on Making Opting-Out “Easy.” Section 999.315 of the Final Regulations addresses “Requests to Opt-Out.”  The Third Set proposes a new subsection (h) stating that the method for submitting an opt-out request should be “easy [] to execute,” “shall require minimal steps[,]” and shall not have the “purpose or [] substantial effect” of impairing the consumer’s opt-out rights (emphasis added).

The opt-out process likewise provides that the “process for submitting a request to opt-out shall not require more steps than that business’s process for a consumer to opt-in to the sale of personal information after having previously opted out.” (h)(1).

While this  proposed new requirement is sure to create more work for businesses, as this is yet another metric to be measured under the CCPA, the addition would at least instruct businesses where to begin the count when measuring “steps.”  The proposed subsection (h)(1) provides (bold added):

The business’s process for submitting a request to opt-out shall not require more steps than that business’s process for a consumer to opt-in to the sale of personal information after having previously opted out. The number of steps for submitting a request to opt-out is measured from when the consumer clicks on the “Do Not Sell My Personal Information” link to completion of the request. The number of steps for submitting a request to opt-in to the sale of personal information is measured from the first indication by the consumer to the business of their interest to opt-in to completion of the request.

Additional provisions of section 999.315(h) include prohibitions on “confusing language” like double negatives, and certain actions that might make opting-out more difficult, like making consumers click through pages explaining the downsides of opting-out, requiring additional and unnecessary information from the consumer to opt-out, or requiring a consumer to scroll to the bottom of a privacy policy or similar document or page to the actual opt-out mechanism after clicking a “Do Not Sell” link.

  • Clarifying the Authorized Agent Provisions. The Third Set clarifies an ambiguity that existed in section 999.326(a) of the Final Regulations, which describe how a consumer can use an authorized agent to submit requests to know or delete on their behalf.  The Final Regulations state at subsection (a) that “When a consumer uses an authorized agent to submit a request to know or a request to delete, a business may require that the consumer do the following[…][,]” (emphasis added). The business is then allowed to require the consumer to: (1) provide proof they had provided the agent signed permission to act on their behalf, (2) provide verification of their own identity with the business, or (3) provide direct confirmation that the agent is authorized to act on their behalf.  The Third Set proposes striking the first requirement and instead allow the authorized agent to provide “proof that the consumer gave the agent signed permission to submit the request.” While this is likely to make it somewhat easier for authorized agents to act on behalf of the consumers they serve, the Third Set still provides that businesses may require that the consumer directly confirm both the identity and authorization for the agent to act on their behalf vis-a-vis the business.
  • Promoting a Uniform “Opt-Out Button.” The only completely new provision in the Fourth Set is a new subsection for section 999.306, which describes the “Notice of a Right to Opt-Out of Sale of Personal Information.” The new subsection (f) describes the “Opt-Out Button” and clarifies that an actual button “may be used in addition to . . . but not in lieu of any requirement to post the notice to opt-out” or a “Do Not Sell” link.  The provision provides examples of an opt-out button which may be used and provides other specifications, like the button “shall be added to the left side” of the “Do Not Sell” link and that it should be “approximately the same size as any other buttons” used by the site.  The proposed subsection provides rendering of what the button / link combo should look like:
  • Finally, the Third Set corrected an ambiguity existing in section 999.332(a), which deals with “Notice to Consumers Under 16 Years of Age.”  As the AG summarizes in its Notice of the Third Set of Modifications, the proposed change “clarifies that businesses subject to either section 999.330. [“Consumers Under 13 Years of Age”], section 999.331. [“Consumers 13 to 15 Years of Age”], or both of these sections are required to include a description of the processes set forth in those sections in their privacy policies.”  In short, this provision modifies the Regulations to ensure that section 999.332 has a broader interpretation and application on businesses, as minors under 16 should be thought of as “consumers” requiring additional compliances measures and protections under the CCPA.

For more information on Data, Privacy & Cybersecurity issues, visit GT’s Data Privacy Dish blog.