The regulations accepted by the OAL contained revisions from the OAG, which are summarized in an addendum to the final statement of reasons (“Addendum”). The Addendum is available here.
Summary of Changes
The OAG classifies many of the changes to the regulations as non-substantive and meant to improve accuracy, consistency and clarity. For example, the word “minor” was changed to “consumer” in order to align the regulations with the statute. However, the provisions the OAG withdrew or modified reflect the key substantive changes.
The OAG withdrew certain provisions for additional consideration. As specified in the Addendum, the following provisions were withdrawn:
- 999.305(a)(5): A business shall not use a consumer’s personal information for a purpose materially different than those disclosed in the notice at collection. If the business seeks to use a consumer’s previously collected personal information for a purpose materially different than what was previously disclosed to the consumer in the notice at collection, the business shall directly notify the consumer of this new use and obtain explicit consent from the consumer to use it for this new purpose.
- 999.306(b)(2): A business that substantially interacts with consumers offline shall also provide notice to the consumer by an offline method that facilitates consumer awareness of their right to opt-out. Such methods include, but are not limited to, printing the notice on paper forms that collect personal information, providing the consumer with a paper version of the notice and posting signage directing consumers to where the notice can be found online.
- 999.315(c): A business’s methods for submitting requests to opt-out shall be easy for consumers to execute and shall require minimal steps to allow the consumer to opt-out. A business shall not utilize a method that is designed with the purpose or has the substantial effect of subverting or impairing a consumer’s decision to opt-out.
- 999.326(c): A business may deny a request from an authorized agent that does not submit proof that they have been authorized by the consumer to act on their behalf.
Other notable changes include:
- Deletion of “Do Not Sell My Info” Option for Opt-Out Link. The regulations removed the option to use “Do Not Sell My Info” rather than the longer form “Do Not Sell My Personal Information” for a business’s opt-out link, which was present in several provisions. The Addendum notes that this was done “to align with the express language of the statute.”
- Businesses Can Require Signed Permission for Authorized Agents for Consumer Opt-Outs. The OAG revised § 999.315(f) (previously §999.315(g)), which addresses the ability of a consumer to use an authorized agent to submit a request to opt-out, to specify that a business may deny a request from an authorized agent “if the agent cannot provide to the business the consumer’s signed permission demonstrating” that they have been authorized to act on the consumer’s behalf. Previously, the regulations included the broad statement that businesses can require that an authorized agent submit proof that they could act on the consumer’s behalf. The Addendum noted that this was changed for “clarity and to be consistent with other parts of the regulation.”
Looking Ahead
Now that the regulations are in effect, businesses should immediately review their outward facing privacy policies, opt-out links (where relevant) and internal procedures to ensure that they comply with the regulations requirements. As we noted in our analysis of the final draft regulations in a June 29 Bloomberg Law article, titled “Decoding CCPA’s Final Regulations Before Act Takes Effect,” the regulations provide additional detail on key CCPA obligations including proper notices, service provider provisions and how to comply with consumer requests.
The CCPA is one of the most comprehensive and far-reaching privacy laws in the United States, offering California consumers control over their personal information and strong privacy protections for consumers. Since the CCPA was signed into law on June 28, 2018, it has gone through two rounds of amendments before going into effect on January 1, 2020. The AGO’s office has been consistent in its commitment to enforce the CCPA. The regulations have taken effect on the heels of the July 1, 2020 effective date for the AG’s enforcement power. Although the regulations have just become effective, California residents have taken full advantage of the private right to action, which we discussed in Law360 in “Lessons From 6 Months Of Calif. Privacy Law Litigation.”
We will continue to monitor developments with the AG’s enforcement of the CCPA, as well as class action cases that cite the CCPA. If you have any questions about your company’s obligations, and compliance and risk mitigation efforts, please contact a member of the Akin Gump Cybersecurity, Privacy and Data Protection team.