Press "Enter" to skip to content

California Attorney General Proposes Additional Modifications to CCPA Regulations

CCPAThe California Office of the Attorney General issued a Notice of Third Set of Proposed Modifications to its regulations relating to the California Consumer Privacy Act on Oct. 12. Written comments will be accepted until 5 pm on Oct. 28, 2020.

There are four modifications, which the AG summarizes in its notice.

First, “[p]roposed section 999.306, subd. (b)(3), provides examples of how businesses that collect personal information in the course of interacting with consumers offline can provide the notice of right to opt-out of the sale of personal information through an offline method.”

This proposed modification is not surprising since the examples are similar to how § 999.305(b) and (c) describe how a business that interacts with consumers offline can provide the notice at collection with printed forms, signage or orally by telephone.  The notice provided by an offline method must “facilitate[] consumers’ awareness of their right to opt-out.”  Section 999.306(d) still provides that the opt-out notice is not required if the business does not sell personal information and so states in its privacy policy.

Second, “[p]roposed section 999.315, subd. (h), provides guidance on how a business’s methods for submitting requests to opt-out should be easy and require minimal steps. It provides illustrative examples of methods designed with the purpose or substantial effect of subverting or impairing a consumer’s choice to opt-out.”

This proposed modification explains that it must be easy for consumers to opt-out of the sale of their personal information, and that it can take no more steps to opt-out than it takes to opt-in.  There can be no language intended to dissuade opt-out, the opt-out link cannot force consumers to search through text to find the mechanism for submitting a request, and only personal information necessary to complete the request may be collected. Additionally, no confusing language may be used, and the AG provides this example of a double-negative: “Don’t Not Sell My Personal Information.” 

Third, “[p]roposed section 999.326, subd. (a), clarifies the proof that a business may require an authorized agent to provide, as well as what the business may require a consumer to do to verify their request.”

The current regulations provide that when a consumer submits a request through an authorized agent, the business may require that the consumer “[p]rovide the authorized agent signed permission to do so.”  This proposed modification shifts the business’s focus to the agent, who may be required “to provide proof that the consumer gave the agent signed permission to submit the request.”

Fourth, “[p]roposed section 999.332, subd. (a), clarifies that businesses subject to either section 999.330, section 999.331, or both of these sections are required to include a description of the processes set forth in those sections in their privacy policies.”

Section 999.332 relates to notices that must be provided when consumers are under the age of 16.  This proposed modification is simply a clean-up that changes an “and” to “and/or.”  Section 999.330 pertains to the opt-in process when a business “has actual knowledge that it sells the personal information of a consumer under the age of 13 . . .”  Section 999.331 applies when consumers are 13 to 15 years of age.

Overall, these proposed modifications seem straightforward and likely won’t be the cause of much consternation, particularly in comparison to the looming ballot initiative vote on the California Privacy Rights Act of 2020.


Now is the time to fine-tune your CCPA compliance. Join me to learn how to get your business ready to comply with the CCPA during “CCPA Enforcement Is Almost Upon Us! Are You Ready?” Click here to register.

Print Friendly, PDF & Email

Eric Rosenkoetter is a principal at Maurice Wutscher LLP, where he provides counsel to businesses and consumer financial services firms nationwide. For many years, he has focused his practice on various aspects of financial services law. As a litigation attorney, he has conducted every aspect of the litigation process, including countless depositions, motion proceedings, bench and jury trials, and appeals in various courts. In addition, he has significant experience as a compliance and transactional attorney, providing strategic, business growth, legislative, compliance and regulatory advice to national corporations and trade associations. For example, he has drafted consumer contracts and disclosures designed to state-specific statutory requirements, and developed “Best Practices” guides and state-by-state compliance grids, for national financial services companies. He also conducted research and crafted a metrics report for a national trade association with analysis designed to counter the claims of advocacy groups. Eric’s experience also includes working for a national corporation as Executive Counsel, Chief Compliance and Ethics Officer, and Director of Legislative Affairs, and as a federal lobbyist and Director of Government and Public Affairs for a national financial services trade association. In the government sector, Eric presided over approximately 6,000 state administrative hearings, served as a staff attorney for the Missouri Senate, and handled litigation in 33 counties as a regional managing attorney. Eric frequently speaks to audiences on topics relevant to the financial services industry including regulatory compliance, data privacy law and related advocacy initiatives. For more information, see

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.