Final Set of CCPA Regulations Approved
October 13, 2020
On August 14, 2020, the California Office of Administrative Law officially approved the final set of regulations issued by the California Attorney General (“AG”) under the nation’s most comprehensive state-based privacy law, the California Consumer Privacy Act (“CCPA”). The approval was accompanied by an “Addendum to Final Statement of Reasons” from the AG, which “withdrew” several of the proposed regulations. The following serves as a brief summary of the notable points of revision under the final regulations:
Businesses are no longer required to obtain explicit consent prior to using personal information for a “materially different purpose” than that disclosed in the “Notice at Collection.” Under the revised framework, the sole source of regulation over additional uses now lies in the obligation to provide an updated Notice at Collection.
Businesses are no longer permitted to abbreviate the online opt-out link as “Do Not Sell My Info.” Instead, companies must include the full text outlined in the statute: “Do Not Sell My Personal Information.”
Businesses that “substantially interact” with consumers offline and sell personal information are no longer required to provide an offline notice of consumers’ right to opt-out. Instead, these companies must include the URL for the interactive web-form used to opt out in their Notice at Collection.
Businesses are no longer required to use an opt-out method that is “easy” and avoids “impairing” the consumer’s decision to opt out. Under the final regulations, businesses are merely obligated to “consider” ease of use when choosing and implementing an opt-out method for consumers. However, the general requirement to offer an interactive web-form to facilitate a consumer’s decision to opt out remains unaffected.
Businesses are no longer permitted to deny a consumer request submitted by an agent if the agent fails to submit “proof” of its authorization. However, businesses may still (i) require that the consumer independently verify his or her identity with the company and confirm the authorization, and (ii) deny the request if the agent is unable to provide a signed “permission” demonstrating authorization.
The final regulations are effective immediately, with the AG reserving the right to revisit and re-issue the withdrawn provisions at a later time. Companies should confirm that their privacy policies and practices comply with the most recent version of the regulations, while being mindful of other existing CCPA obligations that were not impacted by the regulations. In addition, looking ahead to November 2020, companies should keep an eye on the evolving Consumer Privacy Rights Act.
This Data Security & Privacy Alert is intended to keep readers current on developments in the law. It is not intended to be legal advice. If you have any questions, please contact Sandy Garfinkel at 412.566.6868 or firstname.lastname@example.org, or Stephenie Scialabba at 412.566.1925 or email@example.com, or any other attorney at Eckert Seamans with whom you have been working.