California Attorney General Publishes Third Set of Modified Proposed Regulations for the California Consumer Privacy Act

| Jessica Sganga

On October 12, 2020, the California Attorney General published a Third Set of Modified Proposed Regulations (“Modified Regulations”) even though the final text of the California Consumer Privacy Act (“CCPA”) regulations are already in full effect. In sum, the Modified Regulations only make minor edits to the final CCPA regulations. They provide additional guidance on how to implement the CCPA’s right to opt-out of sale of personal information and modify the text related to how authorized agents can submit data privacy requests on behalf of consumers.

Initially, under Section 999.306(b)(3) of the Modified Regulations, the Attorney General provides illustrations on how businesses that operate offline can comply with the requirement to provide opt-out notice. For example, if the business is a brick-and-mortar store, the Modified Regulations state that the business can provide the opt-out notice by printing it on paper forms that the business uses to collect personal information. Alternatively, the business can post a sign in the area of the store that it collects personal information, which directs consumers to where the notice can be found online (e.g., the web address for the business’s privacy policy). Further, the Modified Regulations state that if the business collects personal information over the phone, it may provide the opt-out notice orally during the call when it collects the consumer’s personal information.

Next, Section 999.315(h) of the Modified Regulations includes a provision requiring businesses to make submission of opt-out requests easy for consumers to execute and with minimal steps. This provision expressly cautions businesses to not use a method that will subvert or impair a consumer’s choice to opt-out. For example, a business cannot require a consumer to go through more steps to opt-out than are required to opt-in to the sale of personal information after a consumer previously opted out. In addition, after a consumer clicks the “Do Not Sell My Personal Information” link, the consumer should be sent directly to where they can opt-out, instead of having to search or scroll through the text of a privacy policy or website to find the method for submitting an opt-out request. Further, a business cannot use confusing language, such as double-negatives (e.g., “Don’t Not Sell My Personal Information”), or require consumers to click through or listen to reasons why they should not submit an opt-out request before actually submitting the request.

Lastly, the Attorney General modified Section 999.326, which is the provision explaining how authorized agents can submit CCPA requests on behalf of consumers. The modified language clarifies that the business may require the authorized agent, instead of the consumer, to provide proof that the consumer gave the agent signed permission to submit the request. In addition, a business may require consumers to do either of the following to verify the agent’s authority to act on their behalf: (1) verify the consumers’ own identity directly with the business; and (2) directly confirm with the business that they provided the authorized agent permission to submit the request.

The California Attorney General has given the public until October 28, 2020, to provide comments regarding the Modified Regulations. Instructions for submitting a comment can be found here.