California Attorney General Xavier Becerra announced this week that the Office of Administrative Law approved additional California Consumer Privacy Act (CCPA) regulations, which became effective March 15, 2021.

The additional changes to the regulations primarily affect businesses that sell the personal information of California residents. The changes include a uniform Opt-Out Icon for the purpose of promoting consumer awareness of the right to opt-out of the sale of personal information, guidance to businesses regarding opt-out requests, including what not to do, and changes regarding the proof that a business may require for authorized agents and consumer verifications.

New sections of the regulations include a requirement that a business that sells personal information it collects from consumers offline shall also inform consumers by an offline method of their right to opt-out and provide instructions on how to submit a request to opt-out. The new regulations state that the Opt-Out Icon may be used in addition to posting the notice of the right to opt-out, but not in lieu of any requirement to post the notice of right to opt-out or a “Do Not Sell My Personal Information” link. (A link to download the Opt-Out Icon can be found here.)

With respect to authorized agents, a business may require that the consumer authorized agent provide proof that the consumer gave the agent signed permission to submit the request. The business may also require the consumer to do either of the following: (1) verify their own identity directly with the business or (2) directly confirm with the business that it provided the authorized agent permission to submit the request.

Other new sections of the regulations state that a business’s methods for submitting requests to opt-out should be easy for consumers to execute and shall require minimal steps to allow the consumer to opt-out. Examples of methods that businesses should not use are specified in the regulations and include:

  • The process for opting out shall not require more steps than the business process for opting in to the sale of personal information;
  • The business should not use confusing language such as double negatives (Don’t Not Sell My Personal Information);
  • The business shall not require consumers to click through or to listen to reasons they should not submit a request to opt-out before confirming their request;
  • The business cannot require the process for submitting a request to opt-out to require the consumer to provide personal information that is not necessary to implement the request; and
  • Upon clicking the “Do Not Sell My Personal Information” link, the business shall not require the consumer to search or scroll through the text of a privacy policy or similar document or webpage to locate the mechanism for submitting a request to opt-out.

The bottom line for these additional changes to the CCPA regulations is that the overriding principles remain the same: inform consumers of their right to opt-out of the sale of their personal information and present this information to consumers in a way that is easy to read and understand.

California Governor Gavin Newsom, along with Attorney General Xavier Becerra, Senate President pro Tempore Toni G. Atkins (D-San Diego), and Assembly Speaker Anthony Rendon (D-Lakewood), announced the appointment of the five-member inaugural board for the California Privacy Protection Agency (CPPA) this week.

The Board was established by the California Consumer Privacy Rights Act (CPRA) and will oversee the rulemaking process for various topics relating to the CPRA, including privacy audits, consumer opt-out rights, and compliance relating to the protection of the privacy rights of consumers with regard to their personal information.

According to Attorney General Xavier Becerra, “The California Privacy Protection Agency marks a historic new chapter in data privacy by establishing the first agency in the country dedicated to protecting forty million Californians’ fundamental privacy rights. The CPPA Board will help California residents understand and control their data privacy while holding online businesses accountable.”

The Board members will select an Executive Director and may serve for no more than eight years.

On December 11, 2020, California Attorney General Xavier Becerra released the fourth set of proposed modifications to the regulations of the California Consumer Privacy Act of 2018 (CCPA). This fourth set of proposed modifications is in response to comments received to the third set of modifications that were released on October 12, 2020. According to the update released with the proposed text, the changes include:

Revisions to section 999.306, subd. (b)(3), to clarify that a business selling personal information collected from consumers in the course of interacting with them offline shall inform consumers of their right to opt-out of the sale of their personal information by an offline method; and

Proposed section 999.315, subd. (f), regarding a uniform button to promote consumer awareness of the opportunity to opt-out of the sale of personal information.

The text of the proposed modifications can be found here. Probably the biggest news for the opt-out option is the proposal to include an opt-out button, which may be used in addition to posting the right to opt-out, but not in lieu of any requirement to post a “Do Not Sell My Personal Information” link. The proposed regulations state that if a business posts the “Do Not Sell My Personal Information” link, then the opt-out button shall be added to the left of the text as follows:    The proposed modifications also add language that states that submitting requests to opt-out shall be easy for consumers to execute and shall require minimal steps to allow the consumer to opt-out. Businesses are not to use confusing language for opt-out requests or to require consumers to click through or listen to reasons why they should not submit a request to opt out. Businesses may not require consumers to provide personal information that is not necessary to implement the request, nor can a business require the consumer to search or scroll through the text of a privacy policy to locate the mechanism to opt out. In short, the proposed modifications appear to  strive for a simple process with minimal steps for consumers to opt out of the sale of their personal information.

The Attorney General’s Office will accept written comments on the proposed changes to the regulations until 5:00 p.m. on December 28, 2020. Comments may be sent by email to [email protected] or by mail at the address contained in the notice of the fourth set of proposed modifications.