Businesses that sell personal information collected in the course of interacting with California residents should take note of the following proposed changes:
- Opt-Out Notifications for Consumers Whose Information is Collected Offline. Under the CCPA Regulations, businesses that sell consumer personal information are required to notify consumers of their rights to opt out of such sales. Businesses that collect information about consumers through offline interactions struggle with how to satisfy this requirement. The proposed revisions to Section 999.306(b)(3) of the CCPA Regulations attempt to resolve this confusion by specifying that businesses may provide such offline notices to consumers by the same offline means they use to collect consumer information, as illustrated in the Proposed Modifications by the following examples:
  - Businesses that sell personal information collected from California consumers in brick-and-mortar stores would have the option to provide notice of opt-out rights on the paperwork used to collect such information or on signage posted in the area where the information is collected.
  - Businesses that sell personal information collected from California consumers via telephone would have the option to inform consumers of their opt-out rights orally during the call in which the information is collected.
- Addition of Opt-Out Button for Online Notices. The CCPA Regulations require businesses that sell personal information collected from California consumers online to provide online opt-out notices to California residents. To facilitate online notices, the modifications propose adding Section 999.306(f) to the CCPA Regulations, which would give businesses the option to add an “opt-out button” on their websites for consumers to indicate that they do not wish to have their personal information sold. It is important to note, however, that the addition of an opt-out button would not, on its own, fulfill the online notice requirements. Instead, opt-out buttons would function as an additional tool to facilitate consumer awareness and exercise of the right to opt out. Under the Proposed Modifications, opt-out buttons must be the same size as the other buttons on the business’s website and must meet the following requirements:
- Guidance on Ease of Access Requirements for Opt-out Requests. While one of the recurring themes in the CCPA Regulations is ease of consumer access to data privacy options, a lack of clear guidance on what constitutes ease of access has led to differing interpretations of the rules. To address this issue with respect to opt-out requests, the modifications propose adding Section 999.315(h) to the CCPA Regulations, which would expand upon the “ease of use” requirement of Section 999.315(b) by specifying that access to opt-out requests should require “minimal steps,” and would explicitly ban specific methods designed to thwart access to opt-out requests. Under proposed Section 999.315(h), a business’s opt-out request process must NOT:
  - Require more steps to opt out than it would take a consumer to opt back in to the sale of the consumer’s information after having opted out.
  - Use confusing language or double negatives (e.g., “Don’t Not Sell My Personal Information”).
  - Require consumers to click through or listen to reasons why they should not opt out.
  - Require consumers to provide personal information beyond the information necessary to implement the request.
  - Require consumers to search or scroll through a privacy policy or webpage to locate the opt-out mechanism after clicking the “Do Not Sell My Personal Information” link.
The future of the CCPA Regulations remains uncertain and will depend in large part on the comments the OAG receives on the Proposed Modifications. Given the likelihood of future proposed changes, businesses should closely monitor the CCPA rulemaking activities page on the OAG’s website, which sets out the current status of the CCPA Regulations and provides up-to-date information about the latest developments.