CCPA update: New regulations approved

Keypoint: Modifications to the CCPA regulation’s provisions regarding requests to opt-out and authorized agent requests are now final.

<a href='https://www.freepik.com/vectors/background'>Background vector created by pikisuperstar - www.freepik.com</a>

On March 15, 2021, the California Attorney General’s office announced that the Office of Administrative Law has approved the Attorney General’s proposed changes to the CCPA regulations. The new regulations make three general changes relating to the right to opt out of sales and one change to authorized agent requests. In addition, the Attorney General’s press release reaffirms that enforcement activities are proceeding.

Changes to Right to Opt Out Provisions

Offline Collection and Notices

A business that sells personal information that it collects offline is now specifically required to inform consumers in an offline method of their right to opt-out and to provide consumers with instructions on how to submit an opt-out request. The regulations explain that the notice can be provided on paper forms that collect information, through signage in the area where personal information is collected, or over the phone.

Opt-Out Icon

The regulations now authorize (but do not require) the use of an opt-out icon (see picture below) that “may be used in addition to posting the notice of right to opt-out, but not in lieu of any requirement to post the notice of right to opt-out or a ‘Do Not Sell My Personal Information’ link.”

Of note, when the regulations were originally proposed they referred to this as a “button” whereas it is now referred to as an “icon.” The prior version of the proposed regulations also included a paragraph stating that “[w]here a business posts the ‘Do Not Sell My Personal Information’ link, the opt-out button shall be added to the left of the text as demonstrated below. The opt-out button shall link to the same Internet webpage or online location to which the consumer is directed after clicking on the ‘Do Not Sell My Personal Information’ link.” That paragraph was deleted from the final approved regulations. The only requirement that remains for the icon is that it “shall be approximately the same size as any other icons used by the business on its webpage.”

Also of note, the Attorney General’s press release specifically refers to the icon as “optional.”

Businesses can download the icon here.

Ban on Dark Patterns and Other Methods that Obstruct Opt-Outs

Businesses are now required to make submitting requests to opt out “easy for consumers to execute” and must “require minimal steps to allow the consumer to opt-out.” Businesses are also precluded from using “a method that is designed with the purpose or has the substantial effect of subverting or impairing a consumer’s choice to opt-out.”

The regulations provide five examples, including that businesses should not (1) use confusing language, (2) require consumers to click through or listen to reasons why they should not opt-out, and (3) require consumers to scroll through privacy policies or similar documents after clicking the “Do Not Sell My Personal Information” link.

Changes to Provisions for Making Authorized Agent Requests to Know and Delete

The regulations now state that a business may require an authorized agent to provide proof that the consumer gave the agent signed permission to submit the request. The prior regulations placed that optional requirement on the consumer.

A business still may require the consumer to either verify their own identity with the business or directly confirm with the business that the consumer provided the authorized agent permission to submit the request.

Enforcement

The Attorney General’s press release made two comments with respect to enforcement that are worth flagging.

First, the press release states: “Since CCPA enforcement began on July 1, 2020, the Department has seen widespread compliance by companies doing business in California, especially in response to notices to cure.”

Second, the press release notes that although “[s]ome of the Attorney General’s responsibilities under the CCPA will transition over to the California Privacy Protection Agency created under the CPRA” the Attorney General will still “retain the authority to go to court to enforce CPRA.”

The Attorney General’s statements are a reminder that enforcement actions under the CCPA are proceeding and will continue to proceed. In addition, the statement clarifies a potential misconception that the Attorney General’s office will be relinquishing all enforcement authority when the CPRA goes into effect. Rather, the office will retain certain enforcement authority that will be in addition to the enforcement authority granted to the California Privacy Protection Agency.

David Stauss is a partner at Husch Blackwell LLP and co-leader of the firm’s privacy and data security practice group. David regularly assists clients in preparing for and responding to data security incidents, including managing multi-state breach notifications. He also regularly counsels clients on complying with existing and emerging privacy and information security laws, including the European Union’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act of 2018 (CCPA) and state information security statutes. To stay up to date on these issues, subscribe to Husch Blackwell’s privacy blog. Stauss can be reached at david.stauss@huschblackwell.com.

ON DEMAND: Business-impacting events such as severe weather, man-made disasters, and supply chain disruption are increasing in frequency and making impacts around the globe.

In today's rapidly evolving security landscape, organizations face an ever-growing array of disruptive events, security threats and risks. Traditional reactive approaches to security intelligence often leave businesses vulnerable and ill-prepared to anticipate and mitigate emerging threats that could impact the safety of their people, facilities or operations.