Fifth Time’s the Charm? Overview of the Latest Proposed CCPA Regulation Modifications
Last week, the California Office of the Attorney General (“OAG”) released another set of proposed modifications to its CCPA regulations, which makes five versions of the regulations in the year since the OAG released the initial version in October 2019. The OAG’s latest proposal would modify the final regulations that took effect on August 14, 2020, following the California Office of Administrative Law (“OAL”) review, and is subject to public comment through October 28, 2020.
The most recent modifications would create substantive changes for covered businesses, including creating additional requirements not included in the “final” regulations. The proposed changes are summarized below:
- Addition of subsection 999.306(b)(3): This proposed new subsection provides that “[a] business that collects personal information in the course of interacting with consumers offline shall also provide notice [of the right to opt-out of sales of personal information] by an offline method that facilitates consumers’ awareness of their right to opt-out.” The provision also includes examples of compliant offline opt-out notice delivery methods, which include printing the notice on personal information collection forms, posting notice signage in brick-and-mortar locations, and delivering the notice orally on phone calls over which personal information is collected.
This provision adds more specificity compared to a similar provision that was removed from the “final” regulations following OAL review. That provision would have required “[a] business that substantially interacts with consumers offline” to offer an offline opt-out notice.
In contrast, this latest proposed modification specifies that the offline opt-out notice requirement only applies to businesses that actually collect personal information through offline interactions. And its use of specific compliance examples also seems designed to address vagueness in the previous version of the provision. As we noted in our prior post on the “final” regulations, this offline opt-out notice requirement is not mandated by the CCPA statute—which may provide a further basis for objection by the OAL.
- Addition of subsection 999.315(h): This proposed subsection would restore the following language that was removed from the “final” version of the proposed regulations: “A business’s methods for submitting requests to opt-out shall be easy for consumers to execute and shall require minimal steps to allow the consumer to opt-out. A business shall not use a method that is designed with the purpose or has the substantial effect of subverting or impairing a consumer’s choice to opt-out.”
The removal of this language was a welcome development for covered businesses because it eliminated vague standards like “easy for consumers to execute” and “minimal steps” that introduce further uncertainty for businesses seeking to comply with the regulations. The latest version of this provision attempts to address that issue by providing “[i]llustrative examples.” Specifically, the new proposed provisions:
  - State that the opt-out submission process shall not require more “steps” than the process a covered business offers to opt-in for sales following a prior opt-out. The “steps” are to be measured from clicking on the Do Not Sell My Personal Information link for opt-outs versus from “the first indication by the consumer to the business of their interest to opt-in to completion of the request” for opt-ins.
  - Prohibit “confusing language, such as double negatives,” requiring consumers to click through or listen to reasons why the consumers should not opt-out, and collecting personal information not necessary to fulfill the opt-out request.
  - State that clicking on the Do Not Sell My Personal Information link cannot require the consumer to “search or scroll” through additional text to locate the opt-out mechanism.
As with the addition of subsection 999.315(h), the revisions to this provision appear intended to address vagueness concerns by incorporating additional illustrative content. However, that content does not offer much practical clarity for businesses seeking to comply with the underlying standards. Therefore, this update may still be subject to OAL objection.
- Revision of subsection 999.326(a): The proposed revisions to this section would provide covered businesses less flexibility in verifying requests to know or delete personal information submitted by an authorized agent. The “final” regulations currently permit a business to require a consumer that uses an authorized agent to submit a request to know or delete to: (1) provide the authorized agent signed permission to make the request on their behalf, (2) verify the consumer’s identity directly with the business, and (3) confirm with the business directly that the consumer provided the agent permission to submit the request.
The proposed modification would permit businesses to require that the authorized agent—rather than the consumer—“provide proof that the consumer gave the agent signed permission to submit the request” as a matter of course. However, businesses would only be able to require the consumer to (1) verify their identity directly with the business or (2) confirm with the business directly that the consumer provided the agent permission to submit the request.
The OAG’s continued modifications to the CCPA regulations suggest the relative certainty businesses enjoyed following adoption of the “final” regulations may be short-lived. Which might be just as well: the OAG’s days as the primary CCPA regulator will be numbered if the California Privacy Rights and Enforcement Act ballot initiative passes this fall. In the meantime, if your organization needs assistance addressing evolving CCPA regulatory requirements, our team is available to assist.