CCPA Regulations are Finalized and Approved with a Few Notable Changes
The California Attorney General announced on August 14, 2020 that the final regulations (Final Regulations) under the California Consumer Privacy Act (CCPA) had been approved by the California Office of Administrative Law (CA OAL) and have become effective. The proposed final regulations (Proposed Regulations) were submitted to the CA OAL for approval on June 1, 2020.1 During the CA OAL’s review process, revisions were made to the Proposed Regulations. While most of these changes were non-substantive edits and grammatical corrections, several substantive changes were made following the CA OAL’s review. This Newsflash provides a summary of the substantive changes to the Proposed Regulations, as well next steps for businesses in light of the amendments.
Substantive Changes in the Final Regulations
The Proposed Regulations included a provision that would have prohibited businesses from using a consumer’s personal information for a materially different purpose than the purposes disclosed in the consumer notice required by the CCPA. The Proposed Regulations also would have required that businesses notify consumers of a new use of the consumer’s personal information, and obtain explicit consent from the consumer if the business uses previously collected personal information for a purpose materially different from the purposes disclosed in the notice. The Final Regulations do not include these requirements.2
The Final Regulations no longer include “Do Not Sell My Info” as an optional title for the “Do Not Sell” button. This means for businesses that sell personal information, the link posted on the business’s website must be titled “Do Not Sell My Personal Information.”
The Final Regulations no longer include a requirement that businesses which substantially interact with consumers offline must provide the CCPA-mandated notice of right to opt-out to such consumer by an offline method. This means that businesses may satisfy the requirement to notify consumers of their right to opt-out by posting the necessary disclosure on the business’s website, even if the business primarily interacts with its consumers offline. However, if a business does not operate a website at all, the Final Regulations still require that the business must establish, document and comply with another method to inform consumers of their right to opt-out.
The Final Regulations no longer include a provision requiring that the methods for submitting requests to opt-out must be “easy for consumers to execute” and require “minimal steps” for consumers to request opt-out.
The Final Regulations clarify that a business may deny a CCPA consumer request from an authorized agent submitted on behalf of a consumer, if the authorized agent is unable to provide the business with signed permission from the consumer demonstrating that the authorized agent has been authorized by the consumer to act on the consumer’s behalf. Under the Proposed Regulations, the authorized agent needed only to submit “proof” to the business that the agent was authorized to act on behalf of the consumer.
Next Steps for Businesses
Since the Final Regulations are now effective, to the extent a business has not already implemented the requirements of the Final Regulations into its CCPA compliance plan, the business should review its current CCPA compliance practices against the requirements under the Final Regulations, and update its CCPA compliance practices as needed.
1) For further information regarding the regulations as proposed to the CA OAL in June, please refer to Dechert OnPoint, State Attorney General Proposes Final Regulations in Connection with California Consumer Protection Act.
2) The Federal Trade Commission has a long-standing position requiring businesses to obtain express consent from consumers before the business uses previously collected data in a manner that is materially different from the representations the company made at the time of data collection. See, e.g., FTC Staff Report: Self-Regulatory Principles For Online Behavioral Advertising (Feb. 2009). Businesses will no longer need to be concerned about an additional California-related requirement as a result of this change.