California Attorney General Xavier Becerra announced this week that the Office of Administrative Law approved additional California Consumer Privacy Act (CCPA) regulations, which became effective March 15, 2021.
The additional changes to the regulations primarily affect businesses that sell the personal information of California residents. The changes include a uniform Opt-Out Icon for the purpose of promoting consumer awareness of the right to opt-out of the sale of personal information, guidance to businesses regarding opt-out requests, including what not to do, and changes regarding the proof that a business may require for authorized agents and consumer verifications.
New sections of the regulations include a requirement that a business that sells personal information it collects from consumers offline shall also inform consumers by an offline method of their right to opt-out and provide instructions on how to submit a request to opt-out. The new regulations state that the Opt-Out Icon may be used in addition to posting the notice of the right to opt-out, but not in lieu of any requirement to post the notice of right to opt-out or a “Do Not Sell My Personal Information” link. (A link to download the Opt-Out Icon can be found here.)
With respect to authorized agents, a business may require that the consumer authorized agent provide proof that the consumer gave the agent signed permission to submit the request. The business may also require the consumer to do either of the following: (1) verify their own identity directly with the business or (2) directly confirm with the business that it provided the authorized agent permission to submit the request.
Other new sections of the regulations state that a business’s methods for submitting requests to opt-out should be easy for consumers to execute and shall require minimal steps to allow the consumer to opt-out. Examples of methods that businesses should not use are specified in the regulations and include:
- The process for opting out shall not require more steps than the business process for opting in to the sale of personal information;
- The business should not use confusing language such as double negatives (Don’t Not Sell My Personal Information);
- The business shall not require consumers to click through or to listen to reasons they should not submit a request to opt-out before confirming their request;
- The business cannot require the process for submitting a request to opt-out to require the consumer to provide personal information that is not necessary to implement the request; and
- Upon clicking the “Do Not Sell My Personal Information” link, the business shall not require the consumer to search or scroll through the text of a privacy policy or similar document or webpage to locate the mechanism for submitting a request to opt-out.
The bottom line for these additional changes to the CCPA regulations is that the overriding principles remain the same: inform consumers of their right to opt-out of the sale of their personal information and present this information to consumers in a way that is easy to read and understand.
The proposed modifications also add language that states that submitting requests to opt-out shall be easy for consumers to execute and shall require minimal steps to allow the consumer to opt-out. Businesses are not to use confusing language for opt-out requests or to require consumers to click through or listen to reasons why they should not submit a request to opt out. Businesses may not require consumers to provide personal information that is not necessary to implement the request, nor can a business require the consumer to search or scroll through the text of a privacy policy to locate the mechanism to opt out. In short, the proposed modifications appear to strive for a simple process with minimal steps for consumers to opt out of the sale of their personal information.