On December 10, 2020, the California Attorney General published a fourth set of proposed modifications to the California Consumer Privacy Act. This follows revisions proposed in February, March and October 2020. As a reminder, the CCPA is in effect and being enforced by both the California AG and the plaintiffs' bar.
Generally speaking, these modifications present relatively minor changes that simply clarify language from the third set of proposed revisions and make few substantive changes to the regulations.
A redline produced by the AG of the specific proposed changes includes the following:
- 999.306, subd.
(b)(3): Clarifies the requirement and examples of how
businesses that sell personal information that has been collected
from consumers in offline interactions must provide notice of the
right to opt-out of the sale of personal information by an offline
method (although that method can direct consumers to go online).
Examples include: 1) printing the notice on the paper forms that
collect the personal information, 2) posting signage in the area
where the personal information is collected directing consumers to
where the notice can be found online, or 3) providing the notice
orally during a call where the information is collected.
- Our take: These changes do not substantively change the requirement or examples from the third set of proposed revisions and remain generally consistent with the practices that many offline businesses have already implemented.
- 999.315, subd. (f):
Brings back the "opt-out button" as an option to be used
in conjunction with offering individuals the right to opt-out of
the sale of personal information. The button has been redesigned
from the example included in the earlier versions of the draft
regulations, and the modifications now explain that the button must
be used in conjunction with the "Do Not Sell My Personal
Information" text.
- Our take: The new iteration of the opt-out button is sleeker and more minimal, but, as outlined above, differs from the previous version insofar as it is not intended to be used in lieu of the "Do Not Sell My Personal Information" text but rather alongside the text as shown below.
- 999.326, subd. (a):
Modifies the language relating to the verification process a
business may use when a consumer uses an authorized agent to submit
requests on the consumer's behalf. The updated language
clarifies that the business may require the agent to
provide proof that he or she has been authorized by the consumer to
submit the request and/or require the consumer to directly
verify his or her identity or confirm that the agent is indeed
authorized to submit the request.
- Our take: This reflects a minor modification to better clarify to whom businesses should direct specific types of verifications, however the substance of the verification process remains the same.
As with prior proposed modifications, the AG will accept written comments regarding the proposed changes, followed by publishing the final text of the regulation and OAL review. Comments should be submitted to PrivacyRegulations@doj.ca.gov before December 28, 2020 at 5:00 pm (Pacific time) and must be limited to comments on the specific additions and deletions proposed in this round of modifications.
Originally Published by Cooley, December 2020
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.