CCPA Regs Update Covers Opt Outs, Authorized Agents, Children’s Privacy Notice

October 12, 2020

The California Office of the Attorney General has issued proposed modifications to the state's California Consumer Privacy Act (CCPA) Regulations. The changes, released on October 12, 2020, have been submitted for comment through October 28, 2020.

Key Changes

The proposed amendments restore the deletions made by the Office of Administrative Law (OAL) in August in connection with:

  • Notice of opt out offline
  • Ease of the opt-out request process
  • Authentication of the authorized agent, with some detail/examples added.

The modifications also make an important clarification involving the content of privacy policies regarding children's information. The changes do not propose the restoration of the section on the need to obtain consent to use an individual's data for a materially different purpose (which was deleted by the OAL in August). 

Offline Opt-Out Notice

Businesses that collect information offline are required to provide a notice of the right to opt out offline. For bricks-and-mortar settings, the Regs suggest providing a printed paper notice, and for collection over the phone, providing the notice orally during the call in which the information is collected.

Easy Methods to Opt Out

A business’s methods for submitting requests to opt out shall be easy for consumers to execute and shall require minimal steps to allow the consumer to opt out.

A business shall not use a method that is designed with the purpose or that has the substantial effect of subverting or impairing a consumer’s choice to opt out. (This brings back language similar to the former 999.306(c), which the AG stated in the Final Statement of Reasons was a prohibition against dark patterns.) Specifically:

  • The business’s process for submitting a request to opt out shall not require more steps than that business’s process for a consumer to opt into the sale of personal information after having previously opted out.
  • A business shall not use confusing language such as double negatives.
  • A business shall not require consumers to click through or listen to reasons why they should not submit a request to opt-out before confirming their request.
  • The business’s process for submitting a request to opt out shall not require the consumer to provide personal information that is not necessary to implement the request.
  • The business shall not require the consumer, upon clicking the “Do Not Sell My Personal Information” link, to search or scroll through the text of a privacy policy or similar document or web page to locate the mechanism for submitting a request to opt out.

Authenticating the Authorized Agent

The amendments would allow a business to require an authorized agent filing a request on behalf of a consumer to provide proof that the consumer gave the agent signed permission to submit the request. The business may also require the consumer to do either of the following:

  • Verify their own identity directly with the business
  • Directly confirm with the business that they provided the authorized agent permission to submit the request

Addition to Privacy Policy Regarding Children

The Regs clarify that a business that is subject to either Section 999.330 (Collection of Information from Consumers Under 13 Years of Age) or Section 999.331 (Collection of Information from Consumers 13 to 15 Years of Age), or to both of them, needs to include the information set forth in these sections in its privacy policy.

Odia Kagan is a partner in the firm's Privacy & Data Security Practice and Chair of the firm's GDPR Compliance & International Privacy Practice. For questions about CCPA compliance, she can be reached at 215.444.7313 or [email protected].