2020 has been a major year for the California Consumer Privacy Act (CCPA). After two years of anticipation, the CCPA went into effect on January 1, 2020 and then enforcement for the law began six months later on July 1, 2020. The Attorney General also submitted the final proposed regulations for the CCPA to the Office of Administrative Law (OAL) on June 1, which were approved and went into effect two months later on August 14, 2020.
However, two months after these final regulations were approved, and one month before voting on the California Privacy Rights Act (CPRA) begins, the California Attorney General announced there would be a third set of proposed modifications to these recently approved CCPA regulations. In particular, the new set of proposed changes focuses on the notice of the right to opt out, the opt-out request process, the authentication of authorized agents for making requests, and the policies regarding the information of minors.
Let’s take a closer look at these proposed modifications.
Four Proposed CCPA Modifications
Back on October 11, 2019, the California Attorney General first issued the long-awaited draft regulations for the CCPA, which were modified in February and March 2020 based on the input received during the relevant public comment periods. The “final” draft of the regulations was submitted by the California Attorney General to the OAL for its review and approval in June 2020. Largely unchanged from March’s draft version, the regulations were approved and took effect the same day on August 14, 2020.
Now, the California Department of Justice (the Department) has issued proposed modifications to four of the provisions from the recently approved amendments. For the most part, these proposed amendments restore various deletions made by the OAL in the approved August 2020 amendments.
Although the Department did not provide a reason for proposing these provisions, if passed, the third set of modifications would include the following changes:
Notice of Right to Opt Out of Sale of Personal Information
This proposed modification clarifies a business’s obligation to provide a notice of the right to opt out where the business collects personal information offline. Businesses that collect consumer personal information in a brick-and-mortar store can provide a printed paper notice or post signage in the area where the personal information is collected directing consumers to where the notice can be found online. For businesses that collect information over the phone, notice can be provided orally during the call in which the information is collected.
Request to Opt Out
This proposed modification would require that businesses not use opt-out methods that are designed to impair a consumer’s ability to opt out. More specifically, the modifications provide examples of methods businesses should not use that would disrupt a consumer’s choice to opt out, including:
- Businesses should not use confusing language
- Requests to opt out should be easy to execute and require minimal steps
- Consumers should not have to provide personal information that is not necessary in order to opt out
- Consumers should not have to click through or listen to reasons why they should not opt out before confirming their request
Authorized Agents
Under the finalized August 2020 amendments, a business could require the consumer to provide an authorized agent with signed permission to submit an access or deletion request. The proposed modifications would allow authorized agents to provide proof of their authority to act on behalf of the consumer: the authorized agent, rather than the consumer, would provide proof of signed permission. The business may also require that the consumer do the following:
- Verify their own identity directly with the business
- Directly confirm with the business that they provided the authorized agent permission to submit the request
Notice to Consumers Under 16 Years of Age
The fourth modification presented by the Department of Justice clarifies that businesses that have actual knowledge that they sell the personal information of minors (under the age of 16) must meet additional CCPA requirements. Currently, the CCPA specifies that these requirements only apply to the privacy policies directed at children that are under the age of 13 (Section 999.330) and between the ages of 13 and 15 (Section 999.331).
CCPA Comparison Chart
(If Passed Nov. 3, 2020)
(Approved Sept. 29, 2020)
OAL Proposed Modifications (Announced Oct. 12, 2020)
Opt Out Requests
At least two methods of submitting an opt-out request for the sale of personal information must be provided (e.g., a “Do Not Sell My Personal Information” link on the website, phone number, etc.).
At least two methods of submitting an opt-out request for the sale of personal information must be provided (e.g., a “Do Not Sell or Share My Personal Information” link on the website, phone number, etc.).
A business’s methods for submitting requests to opt-out should be easy and require minimal steps.
Consumers Under the Age of 16
If a minor is less than 13 years old, a business must obtain authorization (opt in) from a parent or guardian. If a minor is between the ages of 13 and 16 years old, a business can obtain authorization (opt-in) from the minor.
Fine of $2,500 per violation.
Extends the opt-in right to explicitly include the sharing of PI for behavioral advertising purposes. A business must wait 12 months before asking a minor for consent to sell or share his or her PI after the minor has declined to provide it.
Fine of $7,500 per violation.
Employee and B2B Exemption
Exemption sunsets on January 1, 2021, but may be extended by the legislature
Exemption permanently sunsets January 1, 2023
Exemption extended until January 1, 2022
Authorized Agents
A California resident may use an authorized agent to submit a right to know request or a request to delete by providing the agent with written authorization.
Businesses should provide consumers or their authorized agents with easily accessible means to allow consumers to obtain their personal information, to delete it, or correct it, and to opt-out of its sale.
When a consumer uses an authorized agent to submit a request to know or a request to delete, a business may require that the consumer’s authorized agent provide proof that the consumer gave the agent signed permission to submit the request.
Currently, the third set of modified draft regulations is subject to a public comment period, with a deadline of October 28, 2020 at 5 PM PT. Regardless of the outcome of these modifications, organizations should start becoming familiar with the changes, especially since the last set of amendments went into effect immediately upon approval.
If you need further information on these newly proposed CCPA modifications, or want to stay current on all things CCPA, Focal Point is here to help.