The California Office of the Attorney General issued a Notice of Third Set of Proposed Modifications to its regulations relating to the California Consumer Privacy Act on Oct. 12. Written comments will be accepted until 5 pm on Oct. 28, 2020.
There are four modifications, which the AG summarizes in its notice.
First, “[p]roposed section 999.306, subd. (b)(3), provides examples of how businesses that collect personal information in the course of interacting with consumers offline can provide the notice of right to opt-out of the sale of personal information through an offline method.”
This proposed modification is not surprising since the examples are similar to how § 999.305(b) and (c) describe how a business that interacts with consumers offline can provide the notice at collection with printed forms, signage or orally by telephone. The notice provided by an offline method must “facilitate[] consumers’ awareness of their right to opt-out.” Section 999.306(d) still provides that the opt-out notice is not required if the business does not sell personal information and so states in its privacy policy.
Second, “[p]roposed section 999.315, subd. (h), provides guidance on how a business’s methods for submitting requests to opt-out should be easy and require minimal steps. It provides illustrative examples of methods designed with the purpose or substantial effect of subverting or impairing a consumer’s choice to opt-out.”
This proposed modification explains that it must be easy for consumers to opt-out of the sale of their personal information, and that it can take no more steps to opt-out than it takes to opt-in. There can be no language intended to dissuade opt-out, the opt-out link cannot force consumers to search through text to find the mechanism for submitting a request, and only personal information necessary to complete the request may be collected. Additionally, no confusing language may be used, and the AG provides this example of a double-negative: “Don’t Not Sell My Personal Information.”
Third, “[p]roposed section 999.326, subd. (a), clarifies the proof that a business may require an authorized agent to provide, as well as what the business may require a consumer to do to verify their request.”
The current regulations provide that when a consumer submits a request through an authorized agent, the business may require that the consumer “[p]rovide the authorized agent signed permission to do so.” This proposed modification shifts the business’s focus to the agent, who may be required “to provide proof that the consumer gave the agent signed permission to submit the request.”
Fourth, “[p]roposed section 999.332, subd. (a), clarifies that businesses subject to either section 999.330, section 999.331, or both of these sections are required to include a description of the processes set forth in those sections in their privacy policies.”
Section 999.332 relates to notices that must be provided when consumers are under the age of 16. This proposed modification is simply a clean-up that changes an “and” to “and/or.” Section 999.330 pertains to the opt-in process when a business “has actual knowledge that it sells the personal information of a consumer under the age of 13 . . .” Section 999.331 applies when consumers are 13 to 15 years of age.
Overall, these proposed modifications seem straightforward and likely won’t be the cause of much consternation, particularly in comparison to the looming ballot initiative vote on the California Privacy Rights Act of 2020.
WEBINAR
Now is the time to fine-tune your CCPA compliance. Join me to learn how to get your business ready to comply with the CCPA during “CCPA Enforcement Is Almost Upon Us! Are You Ready?” Click here to register.