On August 14, 2020, the California Office of Administrative Law approved the California Attorney General’s final regulations (the “Regulations”) under the California Consumer Privacy Act (the “CCPA”) and filed the Regulations with the Secretary of State’s office. The CCPA Regulations take effect immediately, and all businesses that are subject to the CCPA must now comply with both the statute and the Regulations.
The approved final Regulations contain several changes from the previous version of the Regulations, which include “non-substantive changes for accuracy, consistency, and clarity,” as well as the removal of certain provisions “for additional consideration”. These changes are detailed in an Addendum to Final Statement of Reasons by the Office of the Attorney General. The Attorney General expressly reserved the right to resubmit the withdrawn provisions after further review and possible revision. Moreover, other provisions of the CCPA, the Regulations and/or other applicable laws may require measures that are similar to those required by the withdrawn provisions. As such, these changes likely do not materially alter businesses’ compliance obligations. However, businesses will need to review the final Regulations carefully to determine whether the revisions impact their compliance measures. The provisions that have been removed from the Regulations are as follows:
Offline Notice Section Deleted. For businesses that primarily operate through in-person store locations, one of the most significant changes is the removal of the requirement for businesses that substantially interact with consumers offline to provide an offline notice regarding the opt-out of sales of personal information. This arguably permits businesses that primarily operate offline to direct consumers to an online opt-out form. This change may provide some relief for businesses that would otherwise need CCPA-related disclosures on their stores’ checkout counters or paper receipts. However, the removal of this requirement may be less relevant in the current environment, given that COVID-19 and California’s stay-home orders are keeping many consumers away from stores and requiring certain businesses to close altogether during the pandemic.
Removal of Requirement to Obtain Consumer’s Consent Before Using Personal Information for New Purpose. The final Regulations delete the prohibition on using Personal Information for a purpose that is materially different than that disclosed in the privacy notice. With this change, businesses are no longer required to notify consumers directly and obtain explicit consent for new purposes of data processing. The underlying statutory requirement imposed by Section 1798.100(b) that businesses “shall not … use personal information collected for additional purposes without providing the Consumer with notice consistent with this section” remains in effect, but in practical terms, the key requirement for altering the use of Personal Information is that businesses must accurately update the description of purposes for which Personal Information may be used in the mandatory privacy notice.
Deletion of Requirement to Make Opt-Out Requests “Easy”. The final Regulations remove the requirement that businesses provide Consumers with a means to opt out of the sale of Personal Information that is “easy for consumers to execute”, “require[s] minimal steps to allow the Consumer to opt-out” and not “designed with the purpose or [having] the substantial effect of subverting or impairing a Consumer’s decision to opt-out.”
It is unclear whether this change will actually make compliance any easier for businesses. The responsibility for businesses to consider the method by which they interact with consumers when choosing opt-out request mechanisms remains in place, as does the obligation to provide two (2) methods for submitting such requests, including a toll-free telephone number. Moreover, despite this provision’s removal, the Attorney General may still look unfavorably on a request mechanism designed to have the “substantial effect of subverting or impairing a consumer’s decision to opt-out”.
Verifying Requests to Know and Delete From an Authorized Agent. With respect to requests to know and requests to delete, the final Regulations remove the language stating that a “business may deny a request from an Authorized Agent that does not submit proof that they have been authorized by the consumer to act on their behalf.” However, businesses still may require Consumers to (1) provide the Authorized Agent with signed permission to make the request; (2) verify the Consumer’s identity directly with the business and (3) directly confirm with the business that they provided the Authorized Agent permission to submit the request. Therefore, a business that receives an information or deletion request from an Authorized Agent may still verify the Consumer’s identity directly. In fact, verifying the requesting Consumer directly may be the best option for verification, in order to minimize the risk of disclosing information in response to a fraudulent request.
Shorter “Do Not Sell My Info” Option Removed. The final Regulations also eliminate the phrase “Do Not Sell My Info” as one of the options for businesses to make consumers aware of their right to opt out of the sale of their Personal Information. According to the Addendum to the Final Statement of Reasons, this phrase was deleted throughout the Regulations in order “to align with the express language of the statute.” Accordingly, businesses that posted the “Do Not Sell My Info” language on their websites will be required to replace it with “Do Not Sell My Personal Information.” However, the procedural components of opting Consumers out of the sale of their Personal Information remain unchanged.
One provision that we would hope to see removed in future amendments to the Regulations is the obligation for businesses to offer a toll-free telephone number as one of the methods for submitting Consumer requests. During the short period of time in which the Regulations have been in effect, it has already become clear that it is impracticable from an operational standpoint to respond adequately to Consumer requests via telephone, and that it is very difficult to document communications with the requesting Consumer via telephone. Telephone requests are especially prohibitive with respect to “Requests to Know”, which require the business to provide to the requesting Consumer a copy of the Consumer’s data in written form, whether by mail, email or through an online portal.
Conclusion. Overall, the final Regulations are relatively insignificant in comparison with the major changes that were introduced in previous drafts of the Regulations, and the key obligations imposed on businesses remain largely unaltered. The most important aspect of the final Regulations is that there is no longer any doubt that the Regulations are a real and active obligation for businesses operating within the scope of the CCPA.