CCPA Update: Comment Period Closes on Third Round of Proposed Modifications to CCPA Regulations; CCPA Litigation Gaining Steam; Consumer Groups and Major Newspapers Urge “No” Vote on California’s Privacy Initiative

New privacy developments continue to come from California, with a new proposed modifications to CCPA regulations, continuing CCPA litigation, and voting beginning on Proposition 24, an initiative to overhaul the CCPA.  We provide insight into each below.

Proposed Third Modified CCPA Regulations

In mid-October 2020, just a few months after the “finalization” of the regulations, the California Office of Attorney General proposed a handful of proposed modifications to regulations implementing the California Consumer Privacy Act.  The abbreviated comment period for the proposed modifications closed on October 28th, which means the Attorney General must now review the comments, draft a response, and either further modify the proposed regulations or submit them in their current form for approval by the California Office of Administrative Law (OAL).

However, the proposed modifications, if approved by OAL, are not likely to have a significant impact on CCPA compliance programs.  Rather, they comprise common sense clarifications of existing regulations or revive provisions and interpretations that were included in versions of proposed regulations (which many businesses used to guide their early CCPA compliance efforts), but removed from the August 2020 final regulations.  Other modifications simply streamline existing regulations or correct typographical errors.

Below we provide a brief summary and analysis of each of the four sections of proposed modifications to CCPA regulations:

  • Clarification that businesses that collect personal information offline that also sell personal information must provide notice of consumers’ opt-out rights by an offline method – Proposed section 999.306(b)(3) provides the following concrete examples of acceptable methods by which a business that collects information offline may provide notice of consumers’ rights to opt-out of the sale of their information:
  • Including the notice on the paper forms that collect the personal information;
  • Posting signage in the area where personal information is collected that direct consumers to the online opt-out notice (e.g., in privacy policy)
  • Providing notice orally where personal information is collected over the phone.

Existing regulations include identical examples of how businesses that collect personal information offline can provide notice at collection.  § 999.305(a)(3).  Notices at collection must already include links to opt-out notices (for those businesses that sell personal information) (§ 999.305(b)(3)).

  • Requirement that businesses offer methods for submitting opt-out requests that are “easy” and “require minimal steps” –  Proposed § 999.315(h) instructs that a business’s methods for submitting opt-out requests should be easy, require minimal steps, and not be designed in a manner that has the “substantial effect of subverting or impairing” a consumer’s choice to opt-out.  Examples of how not to design opt-out links are provided, including not requiring consumers to click-through or listen to reasons why they should not submit a request to opt-out before confirming their request, and not using confusing language such as “Don’t Not Sell My Personal Information.”  Additionally, businesses cannot require consumers to provide personal information that is unnecessary to implement the opt-out request, nor should consumers be required to scroll through a privacy policy to locate the opt-out mechanism.

This proposed regulation, without the examples, is identical to former section 999.315(c), which was included in regulations the Attorney General submitted in July 2020 for OAL approval, but removed (without explanation) in the final regulations. Many businesses already designed their CCPA compliance efforts based on draft regulations that included this identical language, so the impact of re-inserting the language now is not likely to be significant.  Moreover, the examples of how not to describe opt-out mechanisms are common sense applications of the law, some of which are already separately prohibited.  See, e.g., § 999.315(a) (requiring opt-out links state “Do Not Sell My Personal Information”).

  • Creating internal consistency with methods to verify agents submitting data subject requests.  When presented with a data subject request from an agent of a consumer, proposed section 999.326(a) instructs that the business may require the agent to provide proof that the consumer gave the agent permission to submit a request on their behalf.  It includes a corresponding edit to existing regulations that deletes a provision stating that the business may require that the consumer “provide the authorized agent with permission [to act on the consumer’s behalf],” as that concept is subsumed in the requirement that the agent provide proof of such permission.

This same concept was included in earlier versions of proposed regulations and removed only in the final August 14, 2020 version.  Additionally, the option to ask the agent for proof of the consumer’s permission already exists in that portion of the regulations pertaining to opt-out requests made by agents (999.315(g)).  Its inclusion here harmonizes agent verification methods for opt-out requests and verification methods advocated more generally for all agent-submitted CCPA data subject rights requests.

  • Corrects typographic error to clarify businesses that sell personal information of minors under 16 must include descriptions of how parents or minors 13 and over can opt-in to the sale of their personal information – Proposed section 999.332 adds the word “or” to the provision that currently states businesses that are subject to sections 999.330 (sellers of personal information to minors under 13) and331 (sellers of personal information to minors between 13 and 16) must include in their privacy policies descriptions of how parents or minors can opt-in to the sale of their personal information.

Looking ahead, with the close of the comment period, the Attorney General will next evaluate the comments and send the proposed regulations for approval by the OAL.

Absent the COVID-19 pandemic, these modifications would have been the last round of edits to CCPA regulations the Attorney General could have made during the year-long formal rulemaking process it initiated on October 11, 2019.  California administrative law provides that once an agency initiates formal rulemaking, it has one year to complete the process.  However, due to the pandemic, Governor Newsom has twice extended the deadline.  As it currently stands, modifications may be issued until February 8, 2021.

CCPA Litigation – Gaining Steam

Since the CCPA went into effect on January 1, 2020, there have been 66 cases filed around the country that include alleged violations of the CCPA.  The vast majority of those cases have been filed in federal courts in California, with the bulk filed in the Northern District, followed by the Central District.  The rate at which the cases were filed was initially slow, but began to pick up in early March and did not appear to slow down during COVID-related shut downs.

Rulings from many of these initial cases are expected in the weeks ahead and could provide important guidance about how courts will interpret the many ambiguities in the law.  Several of the early cases were voluntarily dismissed, either through settlements or for other reasons.

California Privacy Rights Act – Proposition 24 Remains Hotly Contested

We will soon know whether the initiative to substantially overhaul the CCPA, known now as Proposition 24, will become law.  Polls conducted by the Yes on 24 group, which maintains a significant funding advantage over the No on 24 campaign, have indicated the measure would pass by a solid majority.  However, several newspapers and consumer advocacy groups have come out against the initiative, blasting it for not going far enough to protect privacy rights by, for example, including a limited private right of action and not mandating that consumers affirmatively grant permission to share their personal information, rather than opting out after the fact.

Should the initiative pass, businesses will have until January 1, 2023 to comply, with enforcement first beginning on July 1, 2023.  The new California Privacy Protection Agency the initiative creates will be responsible for promulgating regulations to implement the initiative and must do so by July 1, 2022.

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.