Karen L. Neuman
Washington, D.C. +1 202 261 3354
On March 15, 2021, the California Attorney General (AG) announced that the California Office of Administrative Law approved a set of proposed amendments2 (previously summarized here) to the final California Consumer Privacy Act (CCPA) regulations that went into effect on August 14, 2020 (Regulations). The AG’s press release3 explains that the modifications, among other things, ban “dark patterns” that obscure the process for opting out of the sale of personal information through confusing language or unnecessary steps. The release also offers some insight into the AG’s enforcement of the CCPA to date, disclosing that the office appears to have used notices to cure to promote compliance.
This Newsflash provides a summary of key changes4 made to the Regulations by the Amendments, as well as next steps for businesses that may be impacted by the Amendments.
Businesses that collect personal information from consumers offline and sell that personal information must now give consumers notice of the right to opt-out of such sale via an offline method and instructions on how to exercise that right. The Amendments include illustrative examples of acceptable offline notice methods for businesses that collect personal information offline:
The Amendments offer an optional opt-out “Privacy Options” icon that businesses can use in addition to providing a notice of the right to opt-out and the “Do Not Sell My Personal Information” link as required by the CCPA and Regulations. If the icon is used, it must be approximately the same size as any other icons on the business’s website.
The Amendments require businesses that sell personal information to implement opt-out methods that are “easy for consumers to execute” and “require minimal steps.” These methods cannot be “designed with the purpose” or have the “substantial effect” of subverting or impairing a consumer’s opt-out choice. The Amendments provide illustrative good practices of how businesses can meet these requirements:
The Regulations previously allowed businesses to require a consumer to provide the business with signed permission before an authorized agent could submit a request to know or request to delete on the consumer’s behalf. This approach was eliminated in favor of one where businesses can require authorized agents to provide “proof” that the consumer gave the agent signed permission to submit requests to know or delete on behalf of the consumer.
The Amendments permit a business to require the consumer to either verify their own identity directly with the business or directly confirm with the business that the consumer provided the authorized agent permission to submit the request to know or delete.
Businesses that sell consumers’ personal information will want to carefully review the mechanisms they have in place to facilitate consumer opt-out requests to ensure that the mechanisms are clear and easy for consumers to use. In particular, businesses should carefully consider the illustrative good practices in the Amendments that may impact their existing opt-out processes; for example, the requirement that consumers should not be required to take more clicks to make an opt-out request than required for an opt-in request may be particularly challenging for website or mobile app developers to implement.