On Monday, the California Attorney General (“AG”) proposed a third set of modifications to the recently enacted California Consumer Privacy Act (“CCPA”) regulations.  Interested parties have until October 28 to file comments in response.

These proposed modifications are the latest effort in an extensive rulemaking process that has lasted more than a year.  Most recently, on August 14, the California Office of Administrative Law (“OAL”) formally approved the AG’s initial set of CCPA regulations, which went into effect immediately.  In approving the regulations, the OAL deleted five provisions that had been included in the version the AG submitted in June, but indicated that the AG could revise and resubmit those subsections for approval in the future.  The latest modifications are largely focused on reviving several of these last-minute removals.

In particular, the proposed modifications would:

  • Reinstate the offline notice requirements, which apply broadly to any “business that collects personal information in the course of interacting with consumers offline.”  The proposed modifications include illustrative examples in § 999.306(b)(3) of how businesses that collect personal information from consumers offline can provide the notice of right to opt-out of the sale of personal information through an offline method.  A brick-and-mortar store may provide notice by printing notice on paper forms that are used to collect information or posting signs that explain how to find online notice.  And a business that collects information over the phone can provide notice orally during the phone call.
  • Provide more specific guidance in § 999.315(h) on methods for submitting requests to opt-out.  The proposed modifications disfavor methods that are “designed with the purpose” or that have “the substantial effect” of “subverting or impairing a consumer’s decision to opt-out.”  For example, a business should not require a consumer to go through more steps to opt-out of selling personal information than to opt-in after having opted-out.  Businesses also should not use confusing language like double negatives.
  • Clarify in § 999.326(a) the proof that a business may require from an authorized agent submitting a request on behalf of a consumer.

The proposed regulations also modify § 999.332(a), which outlines the requirements for notice to consumers under 16 years old.  The revision clarifies that a business subject to either § 999.330 (describing the requirements for consumers under 13) or § 999.331 (governing consumers ages 13 to 15) is required to include a description of the opt-in and opt-out processes in its privacy policy.  As previously written, the regulations appeared to apply only to businesses subject to both § 999.330 and § 999.331.

These changes suggest the AG may continue to refine the rules in the coming months.

Tags: California, California Consumer Privacy Act (CCPA), CCPA
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Lindsey Tonsager Lindsey Tonsager

Lindsey Tonsager co-chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and state attorneys general on proposed changes to data protection…

Lindsey Tonsager co-chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and state attorneys general on proposed changes to data protection laws, and regularly represents clients in responding to investigations and enforcement actions involving their privacy and information security practices.

Lindsey’s practice focuses on helping clients launch new products and services that implicate the laws governing the use of artificial intelligence, data processing for connected devices, biometrics, online advertising, endorsements and testimonials in advertising and social media, the collection of personal information from children and students online, e-mail marketing, disclosures of video viewing information, and new technologies.

Lindsey also assesses privacy and data security risks in complex corporate transactions where personal data is a critical asset or data processing risks are otherwise material. In light of a dynamic regulatory environment where new state, federal, and international data protection laws are always on the horizon and enforcement priorities are shifting, she focuses on designing risk-based, global privacy programs for clients that can keep pace with evolving legal requirements and efficiently leverage the clients’ existing privacy policies and practices. She conducts data protection assessments to benchmark against legal requirements and industry trends and proposes practical risk mitigation measures.

Read more about Lindsey TonsagerEmail
Show more Show less