Twists in the Plot: California AG Releases Final CCPA Regulations
With a little time to consider the finalized California Consumer Privacy Act regulations released by the California Attorney General on August 14, 2020, it is clear that some last-minute negotiations (or perhaps just some thoughtful additional analysis) took place that led to some unexpected changes. The lion’s share of the regulation requirements have been discussed in depth, so let’s just focus on the following noteworthy changes:
- Language for Do Not Sell Link. Prior versions enabled companies selling personal information to include a link reading “Do Not Sell My Info,” but that language is no longer acceptable and must instead read “Do Not Sell My Personal Information” as called for in the statute. (Section 999.305(b)(3))
- Agent Verification. While requests to know and delete from an authorized agent of the data subject continue to require significant validation, where the authorized agent is merely making an opt-out request, a signed permission is sufficient verification. (Section 999.315(f))
- Financial Incentive. The definition for “financial incentive” no longer includes payments/etc. in connection with the “retention” of personal information. Thus, in line with the statute, the requirements concerning financial incentives will not be broadened beyond those offered in connection with the “collection, deletion, or sale” of personal information. (Section 999.301(j))
- Offline Notice. The final regulations removed the requirement that a privacy notice be provided where the business interacts with consumers offline to collect information (e.g., through an in-store, handwritten e-mail sign-up list). Businesses will instead be able to provide the notice solely on the website. If the business does not have a website, though, it would of course need to provide the notice in connection with the collection of personal data. (Section 999.306(b))
- Opt-Out Method. The AG had provided that the method of opt-out be “easy for consumers to execute” and “require minimal steps.” While an overly-complicated opt-out procedure will likely still be found to be noncompliant, the removal of this vague language will avoid some additional uncertainty. (Section 999.315)
These changes together signal the Attorney General’s acceptance that some of the steps it had previously taken to broaden the reach of the CCPA went too far, or that clarification was necessary. The enforcement of the regulations, which has begun, will need to play out before we can understand them fully. But one thing we do know is that the regulations will be short-lived and will require significant overhaul if the California Privacy Rights Act of 2020 ballot initiative passes in November and becomes law in 2023. Stay tuned.