On October 12, 2020, the California Attorney General provided public notice of a new Proposed Third Set of Modifications to the Regulations under the California Consumer Privacy Act (the “CCPA”). You will be forgiven if you assumed that “final approval” of the existing Regulations back in August meant the Regulations were final—or at least we hope so because we made the same assumption.
Since August, however, it appears the AG was working behind the scenes to resurrect previously withdrawn Sections 999.306(b)(2) (covering offline notice of opt-out if a business substantially interacts with consumers offline); 999.315(c) (minimum standards for opt-out requests); and 999.326(c) (specific requirements for authorized agents). The AG describes the newly proposed rules as follows:
- “Proposed section 999.306, subd. (b)(3), provides examples of how businesses that collect personal information in the course of interacting with consumers offline can provide the notice of right to opt-out of the sale of personal information through an offline method.”
- “Proposed section 999.315, subd. (h), provides guidance on how a business’s methods for submitting requests to opt-out should be easy and require minimal steps. It provides illustrative examples of methods designed with the purpose or substantial effect of subverting or impairing a consumer’s choice to opt-out.”
- “Proposed section 999.326, subd. (a), clarifies the proof that a business may require an authorized agent to provide, as well as what the business may require a consumer to do to verify their request.”
- “Proposed section 999.332, subd. (a), clarifies that businesses subject to either section 999.330, section 999.331, or both of these sections [which relate to children’s data] are required to include a description of the processes set forth in those sections in their privacy policies.”
None of the above fundamentally changes CCPA compliance, but businesses will nonetheless want to be aware of these new provisions and make sure their practices comply. For example, Section 999.305(a)(3)(c) already states that “When a business collects consumers’ personal information offline, it may include the notice on printed forms that collect personal information, provide the consumer with a paper version of the notice, or post prominent signage directing consumers to where the notice can be found online.” Proposed Section 999.306(b)(3) includes further detail for businesses that sell personal information collected offline, requiring that these businesses must “provide notice by an offline method that facilitates consumers’ awareness of their right to opt-out.” The proposed Regulation gives the example of “printing the [opt-out] notice on the paper forms that collect the personal information or  posting signage in the area where the personal information is collected directing consumers to where the notice can be found online.”
Similarly, new Section 999.315(h) details the AG’s expectations for online opt-outs of sale. In general, an opt-out mechanism must “be easy for consumers to execute and shall require minimal steps to allow the consumer to opt-out.” This includes “not requir[ing] more steps than that business’s process for a consumer to opt-in to the sale of personal information after having previously opted out. The number of steps for submitting a request to opt-out is measured from when the consumer clicks on the ‘Do Not Sell My Personal Information’ link to completion of the request.” For reference, Section 999.316 covers opting-in after a consumer has opted out, and specifies a two-step process for indicating a desire to opt-in followed by confirmation. While the opt-in steps might not necessarily equate to two clicks of a mouse, businesses should compare and carefully measure this process against the steps involved in their opt-out mechanism.
The changes relating to authorized agents and children’s privacy notices are perhaps less significant, but still worth mentioning. For example, proposed Section 999.326(a) states that when a business receives a consumer request from an authorized agent, it “may require the authorized agent to provide proof that the consumer gave the agent signed permission to submit the request.” (Previously, businesses had the option of asking the consumer to provide the signed permission.) Businesses may still require consumers to directly verify their identity with the business or directly confirm that they provided the agent permission to submit the request.
Finally, we note that Section 999.305(a)(5) (requiring businesses to obtain express consent before using previously collected information for a materially different purpose), which was also withdrawn in August, is not addressed in the Third Set of Modifications to the Regulations. It remains to be seen whether this provision could be updated in a future rulemaking.
The rulemaking process can be somewhat murky, making it difficult to assess the AG’s motivations in publishing these new Regulations. We do know that enforcement of the CCPA has been underway since July, so it is possible that these updates resulted from consumer complaints or some of the AG’s observations during its investigations. With so little public information relating to those investigations, it is difficult to say for sure. In any case, the AG is accepting written public comments on the Proposed Third Set of Modified Regulations until October 28, 2020.