Although many, including the author (who recently published a CCPA alert titled “It’s Finally Final”), believed that implementation of the California Consumer Privacy Act (CCPA) was largely complete, the California attorney general recently threw covered businesses a bit of a curveball, issuing a third set of proposed changes to the now-“final” CCPA implementing regulations. Fortunately for those overseeing CCPA compliance, the revisions are largely clarifications of the existing regulations rather than fundamental changes. Interested stakeholders have until 5:00 p.m. Pacific Time on Wednesday, October 28, to submit comments to PrivacyRegulations@doj.ca.gov.
There are four proposed revisions:
1. Clarification on “brick-and-mortar” notice of opt-out right. A predominantly “offline” covered business is still required to comply with the CCPA’s requirement to provide customers notice of their right to opt-out if it collects their personal information. The revision provides two examples:
- If the information is collected via paper forms, the notice may be provided on the forms themselves or on a sign in the same area of the store directing consumers to the company’s online notice.
- If the information is collected over the phone, the notice may be provided orally during the same call.
2. Clarification on ease of submitting opt-out requests. The second revision provides illustrative “dos and don’ts” for the opt-out process. The process must:
- be easy to execute
- require minimal steps
- not be designed to impair, or have the effect of impairing, the consumer’s choice to opt-out
- not use confusing language, such as double negatives
- not force the consumer to read or hear reasons not to opt-out
- not request more personal information than is necessary to implement the request
- not use more steps to opt-out than are required to opt-in after having previously opted out
3. Clarifications regarding authorized agents. The third revision clarifies what must be provided to the business if a request to know or a request to delete is submitted through an authorized agent. In such a scenario, the business may require the agent to provide proof that the consumer gave the agent signed authorization. In addition, the business may ask the consumer to either:
- verify their own identity directly with the business, or
- directly confirm to the business that they gave the agent permission to submit the request.
The author has learned his lesson and will no longer promise any finality with regard to the CCPA — particularly as the California Privacy Rights and Enforcement Act, which will build on and expand the CCPA, is set to be voted on by the California electorate in less than two weeks.