
Finalized CCPA Regulations Take Effect

Cyber Law and Data Protection Alert | August 24, 2020
By: Joshua A. Mooney and Gwenn Barney

On August 14, 2020, the California Office of Administrative Law (OAL) approved the final regulations to the California Consumer Privacy Act (CCPA), which had been submitted by California Attorney General Xavier Becerra to the OAL for expedited review on June 1. The regulations, which take effect immediately, provide additional requirements for CCPA compliance, including procedures for businesses to provide privacy notices and steps consumers may take to exercise their privacy rights under the act. The regulations also include some clarifications surrounding businesses’ transparency and accountability mechanisms. They do not, however, shed further light on the meaning of “sale” under CCPA, an issue that has caused consternation among many businesses.

Some key requirements under the regulations that companies should be aware of include:

1. Removal of “Do Not Sell My Info” Abbreviation

The CCPA requires businesses to include a link on their homepage titled “Do Not Sell My Personal Information,” which gives consumers the opportunity to opt out of the sale of their personal information. Previous drafts of the regulations included the option to abbreviate the title of the button to read “Do Not Sell My Info,” but the final regulations remove this short-form option and will require companies to write out the full title “Do Not Sell My Personal Information.”

2. Removal of Explicit Offline Notice Section

CCPA section 999.306(b)(2) required businesses that substantially interact with consumers offline to provide notice through an “offline method that facilitates consumer awareness of their right to opt out,” such as a paper notice or signage at the time of the data collection. The regulations abrogate this requirement to provide an offline notice. However, businesses still should note they have an obligation to inform consumers of their right to opt out offline. The regulations do not affect requirements under sections 999.308 and 999.305(a)(3)(c), which state that businesses without a website still must provide consumers with an offline, CCPA-compliant privacy notice and an opportunity to opt out of the sale of their personal information.

3. Deletion of “Materially Different” Purposes Language

The regulations also remove the requirement under section 999.305(a) of the CCPA that businesses provide consumers a direct notice, and receive explicit consent from such consumer, when the business intends to use personal information previously collected for a “materially different” purpose.

4. Refinement of Authorized Agent Requirements

The regulations clarify that a business can deny a request for information from an authorized agent making the request on behalf of a consumer, if the agent “cannot provide to the business the consumer’s signed permission” demonstrating such authorization (section 999.315(f)). The specificity of “signed permission” replaces previous vaguer language that the authorized agent “submit proof” of authorization to act.

Finally, the requirements included some additional changes, such as the change of the term “minor” or “child” to “consumer” in certain sections and an adjustment to the definition of “Financial Incentive” in the regulations to match the definition under CCPA. Businesses with customers who reside in California should review and update their privacy notices to ensure compliance with all requirements of CCPA and its final regulations.

If you have questions or would like further information, please contact Joshua Mooney (215.864.6345) or Gwenn Barney (215.864.7063).

This correspondence should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult a lawyer concerning your own situation and legal questions.