New CCPA Regulations Look to Simplify Requirements for Businesses

The week of March 15, 2021 was a busy week for California Attorney General Xavier Becerra’s office. First, additional California Consumer Privacy Act (CCPA) regulations were released (see them here). The AG’s office was also involved in choosing and announcing the establishment of the five-member board for the California Privacy Protection Agency (CPPA) (read the announcement here). This board is charged with enforcing the California Privacy Rights Act (CPRA). On top of all of this, the AG was confirmed as the Secretary of the U.S. Department of Health and Human Services and has stepped down. Matthew “Matt” Rodriquez will serve as Chief Deputy and acting Attorney General. 

Not a bad list of “to-do” items to check off. We will focus on the CCPA regulations in this article and have a separate one for the board appointees.

The updates are to four sections of the CCPA regulations:

• Section 999.306
  • Modified to provide examples to businesses surrounding how to provide notice of the right to opt-out of the sale to consumers offline.              
    • This includes signage posted in a brick-and-mortar store as well as scripting if a business sells information that it collects over the phone.
  • Also provides a uniform icon (below) to promote consumer awareness surrounding the right to opt-out of the sale of personal information. This icon can be used in addition to, but not in lieu of, the “Do Not Sell My Personal Information” link.

• Section 999.315
  • Additional details surrounding the opt-out including that businesses must ensure submitting opt-out requests are easy for consumers.
    • Specifically calls out that opt-outs cannot be designed with the purpose of “subverting or impairing a consumer’s choice to opt-out” as well as some operational requirements.
      • While not spelled out in the regulations, this, in essence, bans “dark patterns,” which is defined under the CPRA.
  • Double-negatives and confusing language are also prohibited.
  • Further, the business cannot require the consumer to scroll through a privacy policy or similar document or webpage looking for how to submit the opt-out after clicking on the “Do Not Sell My Personal Information” link.

• Section 999.326
  • Changes to this section will allow businesses to require the authorized agent to provide proof that the consumer gave the agent signed permission to submit the request.
    • This used to read as the business could require the consumer to provide proof that the authorized agent request was permissible.
  • Businesses can still verify the identity of the consumer directly with the consumer and confirm directly with the business that they did provide permission.

• Section 999.332
  • A minor addition that could have significant impact to businesses if applicable. Businesses subject to 999.330 and/or 999.331 in the regulation are required to include a description of the processes set forth in those sections in the privacy policy.
  • These sections pertain to processing the opt-out of sale for consumers under the age of 13 in 999.330 and consumers aged 13-15 years of age in 999.331.

Next Steps:

If operating a brick-and-mortar store and collecting and selling information there or selling personal information collected over the phone, businesses will likely need to modify the way in which they notify consumers of the ability to opt-out of the sale of their information, including working with the brand team on signage surrounding these notices. In the call/support center space, if this is applicable, scripting and training will need to be updated to account for this updated notice.

Further, businesses will need to review the icon and determine if they wish to add it to their website. Important to note here that the icon cannot be used in lieu of the “Do Not Sell My Personal Information” link but can be used in addition to it. There are many sizes available for download. You can find those here.

There are numerous services that act as an authorized agent to request that a business delete or provide personal information on behalf of a consumer. Businesses would traditionally work with the consumer to provide proof that they provided the authorized agent signed permission to make the request. However, now businesses will need to work with the authorized agent. Businesses can still work with the consumer to verify the identity of the consumer.

Finally, businesses collecting and selling personal information of consumers aged 15 and below will need to update specific disclosures per 999.330 and 999.331, which are in the CCPA regulations.

If you have any questions about this update or about data privacy in general, please reach out to connect@compliancepont.com