Newsflash - What A Long Strange Trip It’s Been: Final CCPA Regulation Amendments Approved

 
March 17, 2021

On March 15, 2021, the California Attorney General (AG) announced that the California Office of Administrative Law approved a set of proposed amendments2 (previously summarized here) to the final California Consumer Privacy Act (CCPA) regulations that went into effect on August 14, 2020 (Regulations). The AG’s press release3 explains that the modifications, among other things, ban “dark patterns” that obscure the process for opting out of the sale of personal information through confusing language or unnecessary steps. The release also offers some insight into the AG’s enforcement of the CCPA to date, disclosing that the office appears to have used notices to cure to promote compliance.

This Newsflash provides a summary of key changes4 made to the Regulations by the Amendments, as well as next steps for businesses that may be impacted by the Amendments.

Changes to Requirements for Businesses that Sell Personal Information

Offline Notice of Sales of Personal Information Collected Offline

Businesses that collect personal information from consumers offline and sell that personal information must now give consumers notice of the right to opt-out of such sale via an offline method and instructions on how to exercise that right. The Amendments include illustrative examples of acceptable offline notice methods for businesses that collect personal information offline:

  • A business that collects personal information from consumers in a brick-and-mortar store could provide the opt-out notice to consumers using paper forms used to collect personal information or provide the opt-out notice by posting a sign in the area where personal information is collected.
  • A business that collects personal information over the phone could provide the opt-out notice to consumers orally during the phone call.

Optional Opt-Out Icon

The Amendments offer an optional opt-out “Privacy Options” icon that businesses can use in addition to providing a notice of the right to opt-out and the “Do Not Sell My Personal Information” link as required by the CCPA and Regulations. If the icon is used, it must be approximately the same size as any other icons on the business’s website.

Requirements for Facilitating Consumer Opt-Out Requests

The Amendments require businesses that sell personal information to implement opt-out methods that are “easy for consumers to execute” and “require minimal steps.” These methods cannot be “designed with the purpose” or have the “substantial effect” of subverting or impairing a consumer’s opt-out choice. The Amendments provide illustrative good practices of how businesses can meet these requirements:

  1. The number of steps a consumer must go through to submit a request to opt-out cannot exceed the number of steps a consumer would have to go through to opt back into the sale of their personal information.5
  2. A business cannot use confusing language, such as double negatives, when providing consumers with the choice to opt-out.
  3. A business cannot require a consumer to “click through or listen to reasons why” they shouldn’t opt-out before being able to submit an opt-out request.
  4. If a consumer clicks on a business’s “Do Not Sell My Personal Information” link, the business cannot require them to “search or scroll through the text of a privacy policy or similar document or webpage” to locate the business’s opt-out mechanism.
  5. Businesses cannot require consumers to provide personal information that is not necessary to comply with an opt-out request when submitting such a request.

Authorized Agent Requests

The Regulations previously allowed businesses to require a consumer to provide the business with signed permission before an authorized agent could submit a request to know or request to delete on the consumer’s behalf. This approach was eliminated in favor of one where businesses can require authorized agents to provide “proof” that the consumer gave the agent signed permission to submit requests to know or delete on behalf of the consumer.

The Amendments permit a business to require the consumer to either verify their own identity directly with the business or directly confirm with the business that the consumer provided the authorized agent permission to submit the request to know or delete.

Key Takeaways

The AG’s press release emphasizes the importance of the opt-out changes and the AG’s focus on notice obligations for businesses that sell personal information. All businesses should review the Amendments and consider the need to make corresponding updates to your CCPA policies and procedures, such as updating the mechanisms available for authorized agents to submit requests in your online privacy policy.

Businesses that sell consumers’ personal information will want to carefully review the mechanisms they have in place to facilitate consumer opt-out requests to ensure that the mechanisms are clear and easy for consumers to use. In particular, businesses should carefully consider the illustrative good practices in the Amendments that may impact their existing opt-out processes; for example, the requirement that consumers should not be required to take more clicks to make an opt-out request than required for an opt-in request may be particularly challenging for website or mobile app developers to implement.

Footnotes

  1. Title Introduction, What A Long Strange Trip It’s Been – With a nod to California’s own Grateful Dead.
  2. https://oag.ca.gov/system/files/attachments/press-docs/CCPA March 15 Regs.pdf.
  3. https://oag.ca.gov/news/press-releases/attorney-general-becerra-announces-approval-additional-regulations-empower-data.
  4. The Amendments also clarify that a business that sells the personal information of consumers under 13 years of age and/or between 13 and 15 years of age must include certain disclosures in its privacy policy relating to “under 13” consumers’ opt-in and opt-out rights. Previously, the language of the Regulations technically only required these disclosures if a business had actual knowledge that it sold the personal information of consumers under 13 years of age and between 13 and 15 years of age.
  5. For opt-outs, the number of steps is counted from when a consumer first clicks a business’s “Do Not Sell My Personal Information” link to the completion of the request. For opt-ins, the number of steps is counted from the first indication by the consumer to a business of their interest in opting-in to the completion of the request.

Subscribe to Dechert Updates