Finalized CCPA Regulations Take Effect
On August 14, 2020, the California Office of Administrative Law (OAL) approved the final regulations to the California Consumer Privacy Act (CCPA), which had been submitted by California Attorney General Xavier Becerra to the OAL for expedited review on June 1. The regulations, which take effect immediately, provide additional requirements for CCPA compliance, including procedures for businesses to provide privacy notices and steps consumers may take to exercise their privacy rights under the act. The regulations also include some clarifications surrounding businesses’ transparency and accountability mechanisms. They do not, however, shed further light on the meaning of “sale” under CCPA, an issue that has caused consternation among many businesses.
Some key requirements under the regulations that companies should be aware of include:
1. Removal of “Do Not Sell My Info” Abbreviation
The CCPA requires businesses to include a link on their homepage titled “Do Not Sell My Personal Information,” which provides consumers the opportunity to opt out of the company’s ability to sell their personal information. Previous drafts of the regulations included the option to abbreviate the title of the button to read “Do Not Sell My Info,” but the final regulations remove this short-form option and will require companies to write out the full title “Do Not Sell My Personal Information.”
2. Removal of Explicit Offline Notice Section
CCPA section 999.306(b)(2) required businesses that substantially interact with consumers offline to provide notice through an “offline method that facilitates consumer awareness of their right to opt out,” such as a paper notice or signage at the time of the data collection. The regulations abrogate this requirement to provide an offline notice. However, businesses still should note they have an obligation to inform consumers of their right to opt out offline. The regulations do not affect requirements under sections 999.308 and 999.305(a)(3)(c), which state that businesses without a website still must provide consumers with an offline, CCPA-compliant privacy notice and an opportunity to opt out of the sale of their personal information.
3. Deletion of “Materially Different” Purposes Language
The regulations also remove the requirement under section 999.305(a) of the CCPA that businesses provide consumers a direct notice, and receive explicit consent from such consumer, when the business intends to use personal information previously collected for a “materially different” purpose.
4. Refinement of Authorized Agent Requirements
The regulations clarify that a business can deny a request for information from an authorized agent making the request on behalf of a consumer if the agent “cannot provide to the business the consumer’s signed permission” demonstrating such authorization (section 999.315(f)). The specificity of “signed permission” replaces the previous, vaguer language that the authorized agent “submit proof” of authorization to act.
Finally, the requirements included some additional changes, such as the change of the term “minor” or “child” to “consumer” in certain sections and an adjustment to the definition of “Financial Incentive” in the regulations to match the definition under CCPA. Businesses with customers who reside in California should review and update their privacy notices to ensure compliance with all requirements of CCPA and its final regulations.