Updated January 21, 2021
2020 was a major year for the California Consumer Privacy Act (CCPA). After two years of anticipation, the CCPA went into effect on January 1, 2020 and then enforcement for the law began six months later on July 1, 2020. The Attorney General also submitted the final proposed regulations for the CCPA to the Office of Administrative Law (OAL) on June 1, which were approved and went into effect two months later on August 14, 2020.
However, two months after these final regulations were approved, and one month before the California Privacy Rights Act (CPRA) passed, the California Attorney General announced there would be a third set of proposed modifications to these recently approved CCPA regulations. In particular, this set of proposed changes focused on the notice of the right to opt out, the opt-out request process, the authentication of authorized agents for making requests, and the policies regarding the information of minors.
Then, on December 10, 2020, the California Attorney General issued a fourth (and supposedly final) set of proposed modifications to the regulations implementing the CCPA. These revisions were issued in response to the feedback received following the commentary period for the third set of modified draft regulations. While all four proposed modifications from the third draft are included in this fourth set of revisions, it also adds notice of the "Do Not Sell" right and focuses on the "Do Not Sell" button functionality.
Let’s take a closer look at these proposed modifications.
Four Proposed CCPA Modifications
Back on October 11, 2019, the California Attorney General first issued the long-awaited draft regulations for the CCPA, which were modified in February and March 2020 based on the input received during the relevant public comment periods. The “final” draft of the regulations was submitted by the California Attorney General to the OAL for its review and approval in June 2020. Largely unchanged from March’s draft version, the regulations were approved and took effect the same day on August 14, 2020.
In October 2020, the California Department of Justice (the Department) issued proposed modifications to four of the provisions from the recently approved amendments. For the most part, these proposed amendments restored various deletions made by the OAL in the approved August 2020 amendments. The December 2020 set of proposed modifications center around clarifying the ambiguities that were found in the third set of proposed changes regarding a consumer's right to opt out. It also introduces the use of a uniform opt-out button.
Although the Department did not provide a reason for proposing these provisions, if passed, the third and fourth set of modifications would include the following changes:
Notice of Right to Opt Out of Sale of Personal Information
The October 2020 proposed modification clarifies a business’s obligation to provide a notice of the right to opt out where the business collects personal information offline. Businesses that collect consumer personal information in a brick-and-mortar store must provide a printed paper notice or post signage in the area where the personal information is collected directing consumers to where the notice can be found online. For businesses that collect information over the phone, notice can be provided orally during the call in which the information is collected.
The modifications proposed on December 10, 2020, clear up any ambiguity by specifying that only businesses that sell the personal information collected from consumers offline or over the phone will be required to provide consumers with instructions for submitting an opt-out request.
Opt-Out Button
The newly proposed fourth set of modifications also restores the option to use a "Do Not Sell My Personal Information" button, which would be uniform across all businesses (i.e., a blue toggle icon). The opt-out button was originally introduced during the first set of CCPA regulations but was later removed based on the negative feedback received from privacy advocates. Businesses may only choose to use the button in addition to posting a notice of the right to opt-out of sales and a "Do Not Sell" link, but not in replace of them.
Should a business choose to use the new opt-out button, it must be located to the left of the "Do Not Sell" text and be the same size as the other buttons used on the website. The button must also direct consumers to the same webpage or online location as the "Do Not Sell" link.
Researchers from Carnegie Mellon University's CyLab and the University of Michigan's School of Information developed and tested dozens of icons to determine how to effectively promote consumer awareness for opting out of the sale of their personal information. Below is an illustration of what the button should look like:
Request to Opt Out
This proposed modification requires that businesses do not utilize opt-out methods that are designed to impair a consumer’s ability to opt out. More specifically, the modifications provide examples of methods businesses should not use that would disrupt a consumer’s choice to opt out, including:
- Businesses should not use confusing language
- Requests to opt out should be easy to execute and require minimal steps
- Consumers should not have to scroll through the “Do Not Sell My Personal Information” privacy policy to locate an opt-out link
- Consumers should not have to provide personal information that is not necessary in order to opt out
- Consumers should not have to click through or listen to reasons why they should not opt out before confirming their request
Authorized Agent
In the finalized August 2020 amendments, businesses could require that a consumer needs to provide an authorized agent with signed permission to submit an access or deletion request. The proposed modifications would allow the authorized agents to provide proof of their authority to act on behalf of the consumer. The authorized agent would provide proof of signed permission, rather than requiring the consumer to provide it. The business may also require that the consumer do the following:
- Verify their own identity directly with the business
- Directly confirm with the business that they provided the authorized agent permission to submit the request
Notice to Consumers Under 16 Years of Age
The fourth modification presented by the Department of Justice clarifies that businesses that have actual knowledge that they sell the personal information of minors (under the age of 16) must meet additional CCPA requirements. Currently, the CCPA specifies that these requirements only apply to the privacy policies directed at children that are under the age of 13 (Section 999.330) and between the ages of 13 and 15 (Section 999.331).
The proposed modification – a grammatical change adding the word “or” - would require that businesses targeting individuals under the age of 16 (regardless of if they are under 13 or between 13-15) must include in their privacy policy a description of how to request to opt in.
CCPA Comparison Chart
| Domain |
CCPA (Effective Jan. 1, 2020) |
CPRA (Passed Nov. 3, 2020) |
OAL Proposed Modifications (Announced Dec. 10, 2020) |
AB 1281 (Approved Sept. 29, 2020) |
|
Notice of the Right to Opt-Out |
When a business collects consumers' personal information offline, it may include the notice in printed forms that collect personal information, provide the consumer with a paper version of the notice, or post signage directing consumers t where the notice can be found online.
When a business collects personal information over the phone or in person, it may provide the notice orally.
|
N/A |
When a business sells the personal information collected from consumers offline, it must provide a printed paper notice or post signage where he notice can be found online. When a business sells the personal information collected from consumers over the phone or in person, itt may provide the notice orally. |
N/A |
|
Opt-Out Button |
For the development and use of a recognizable and uniform opt-out logo or button by all businesses to promote consumer awareness of the opportunity to opt-out of the sale of personal information. |
For the development and use of a recognizable and uniform opt-out logo or button by all businesses to promote consumer awareness of the opportunity to opt-out of the sale of personal information. |
In addition to posting a notice of the right to opt-out of the sale and a "Do Not Sell My Personal Information" link, businesses can also employ the use of a uniform button. It must be located to the left of the "Do Not Sell" text and be he same size as he other buttons used on he website. |
N/A |
|
Opt-Out Requests |
At least two methods of submitting an opt-out request for the sale of personal information must be provided (e.g., a "Do Not Sell My Personal Information" link on the website, phone number, etc.). |
At least two methods of submitting an opt-out request for the sale of personal information must be provided (e.g., a "Do Not Sell or Share My Personal Information" link on the website, phone number, etc.). |
A business's methods for submitting requests to opt-out should be east and require minimal steps. |
N/A |
| Consumers Under the Age of 16 |
If a minor is less than 13 years old, a business must obtain authorization (opt in) from a parent or guardian. If a minor is between the ages of 13 and 16 years old, a business can obtain authorization (opt-in) from the minor.
Fine of $2,500 per violation. |
Extends the opt-in right to explicitly include the sharing of PI for behavioral advertising purposes. A business must wait 12 months before asking a minor for consent to sell or share his or her PI after the minor has declined to provide it. Fine of $7,500 per violation. |
Businesses that have actual knowledge that they sell the personal information of consumers under the age of 13 or between the ages of 13 and 16 (or both) must ensure that their privacy policy articulates the requirements listed in sections 999.330 and/or 999.331. |
N/A |
| Authorized Agents |
A California resident may use an authorized agent to submit a right to know request or a request to delete by provide the agent with written authorization. |
Businesses should provide consumers or their authorized agents with easily accessible means to allow consumers to obtain their personal information, to delete it, or correct it, and to opt-out of its sale. |
When a consumer uses an authorized agent to submit a request to know or a request to delete, a business may require that the consumer authorized agent provide proof that the consumer gave the agent signed permission to submit the request. |
N/A |
|
Employee and B2B Exemption |
Exemption sunsets on January 1, 2021, but may be extended by the legislature |
Exemption permanently sunsets January 1, 2023 |
N/A |
Exemption extended until January 1, 2022 |
The third set of modified draft regulations were subject to a public comment period, with a deadline of October 28, 2020 at 5 PM PT. Roughly 20 comments were received in response to these revisions, leading to the release of the fourth set of proposed changes. The Attorney General's Office was accepting public comments to the latest modifications up until December 28, 2020. Regardless of the outcome of these modifications, organizations should start becoming familiar with the changes, especially since the first set of amendments went into effect immediately upon approval.
If you need further information on these newly proposed CCPA modifications, or want to stay current on all things CCPA, Focal Point is here to help.
Get more insights into the latest privacy news.
Subscribe to Focal Point's Privacy Pulse below - a once-a-month newsletter with guides, webinars, interesting white papers, and news all focused on data privacy. You can unsubscribe at any time.
