Third Time’s the Charm: CCPA Regulations Finally Approved With Limited Substantive Changes from June 2020 Version

On August 14, 2020, California’s Office of Administrative Law approved and filed with the California Secretary of State final regulations implementing the California Consumer Privacy Act.  The regulations, drafted by California’s Office of the Attorney General (OAG), went through three rounds of changes during the rulemaking process and were finally enacted more than two years after the CCPA was signed into law.  The CCPA is a landmark state privacy law that grants consumers new privacy rights, and requires businesses to enhance disclosures about their data practices and facilitate consumer privacy rights.  As described below, the final regulations contain a handful of non-impactful changes from the proposed regulations the OAG submitted in early June to the Office of Administrative Law:

  • Removes express requirement to “directly notify the consumer” and “obtain explicit consent” if using personal information for a “materially different” purpose.  The OAG withdrew former subsection 999.305(a)(5), which allowed businesses to use previously collected personal information of California residents for purposes other than those disclosed at the time of collection if the businesses provided notice to consumers and obtained consumers’ opt-in consent to use the personal information for the new purpose.  While this change may appear significant, in practice, it may not be.  The regulations still maintain the requirement that a “business shall not collect categories of personal information other than those disclosed in the notice at collection,” such that businesses should still ensure that their disclosures and notices at collection are drafted broadly enough to cover a range of potential uses of personal information.
  • Removes requirement that businesses that “substantially interact[]” with consumers offline provide offline opt-out notices.  The OAG also withdrew former subsection 999.306(b)(2), which required businesses that “substantially interact[] with consumers offline” to “provide notice to the consumer by an offline method that facilitates consumer awareness of their right to opt-out,” and provided examples of “such methods” including, without limitation, “printing the notice on paper forms that collect personal information, providing the consumer with a paper version of the notice, and posting signage directing consumers to where the notice can be found online.”  This change means that the final regulations no longer require burdensome offline opt-out notices for businesses that operate online and offline (e.g., retail) or for those businesses that operate solely offline and also operate a website.  These businesses can now simply provide their opt-out notices through their websites.  See 11 Cal. Code Reg. §999.306(b)(1).

However, this change affects only how businesses may provide the notice of opt-out, not the method of opting out.  Businesses that “primarily interact” with consumers offline will still need to allow consumers to opt out offline.  See § 999.315(b) (requiring businesses to offer at least one method of opt-out that “reflect[s] the manner in which the business primarily interacts with the consumer”).

Even more importantly, this rule change is unlikely to change compliance plans because businesses that would have had to provide opt-out notices offline must nevertheless provide notices at collection offline.  See § 999.305(a)(3) (“notice at collection shall be made readily available where consumers will encounter it at or before the point of collection”); see also § 999.305(a)(3)(c) (describing methods of providing offline notice at collection).

  • Clarifies grounds on which businesses are expressly permitted to deny requests from authorized agents. The OAG also removed two subsections that had allowed businesses to deny authorized agent requests to know, delete, or opt-out based on the agent’s failure to “submit proof” of authorization.  Addendum to FSOR re: §§ 999.315(g); 999.326(c).  The changes to the final regulations clarify that the “proof” required in such circumstances is the submission of written authorization by the consumer, not undefined additional “proof” requirements that the business may independently develop.  See § 999.315(g), 999.326(a).
  • Opt-out link for “Do Not Sell My Personal Information”. The final regulations drop the reference to using the phrase “Do Not Sell My Info” for the link on websites and mobile apps.
  • Inconsequential changes to the final regulations pertaining to format of opt-out requests.  The OAG withdrew former subsection 999.315(c), which instructed that opt-out requests be “easy” to execute and “require minimal steps to allow the consumer to opt-out.”  However, this revision is not an invitation to complicate or overburden the opt-out process.  The regulations already prescribe the two steps that businesses must take to provide consumers with the opt-out request form.  See § 999.306(b)(1); 999.306(c) (after clicking on Do Not Sell link, notice must include webform to submit opt-out request or describe offline method to submit request).
  • Other changes. The OAG also incorporated other changes that mostly include formatting, numbering, and word choice changes for purposes of clarity and consistency.

In the instances noted above where the OAG withdrew portions of its proposed regulations, the OAG noted that it “may resubmit [such sections] after further review and possible revision.”  However, doing so will likely take some time, as additions to the regulations will likely require a new round of rulemaking (e.g., going through a process of providing notice and receiving comments in response).

The OAG may now begin enforcement of the final regulations, although all enforcement actions must be preceded by a 30-day notice to the targeted business to enable it to cure the alleged violation.