
On March 15, the California Office of the Attorney General announced that additional regulations relating to the California Consumer Privacy Act (CCPA) had been approved, effective immediately.
The new regulations affect four sections of the regulations approved in August 2020.
Section 999.306. Notice of Right to Opt-Out of Sale of Personal Information.
- Section 999.306(a)(b)(3) is added to provide examples of how a business that sells consumers’ personal information (PI) and interacts with consumers offline can provide notice of the right to opt-out and instruction on how to do so. The examples describe the use of paper forms or signage, or providing the information by telephone.
- New section 999.306(f) provides an opt-out icon “designed by Carnegie Mellon University’s Cylab and the University of Michigan’s School of Information and tested against other icons to determine the best design for communicating the privacy choices available to consumers.” Use of the icon is optional and doesn’t replace other opt-out notice requirements.
Section 999.315. Requests to Opt-Out.
- Section 999.315(h) is added to reiterate that the methods provided for opt-out must be easy and not designed to discourage opt-out. For example, there cannot be more steps to opt-out than there are to opt-in, the process cannot include messages describing the reasons why opt-out should not be exercised, and consumers cannot be required to scroll through lengthy text, like a privacy policy, to locate the opt-out mechanism. And, my favorite, double negatives cannot be used, such as “Don’t Not Sell My Personal Information.” Hopefully, most businesses wouldn’t never not do that.
Section 999.326. Authorized Agent.
- Section 999.326(a) is modified so that a business may require that the authorized agent, rather than the consumer, provide proof of permission from the consumer. The consumer may still be required to verify their identity directly with the business or directly confirm that permission was granted to the authorized agent.
Section 999.332. Notices to Consumers Under 16 Years of Age.
- Section 999.332(a) previously stated that “a business subject to sections 999.330 [consumers 13 to 15 years of age] and 999.331 [consumers under 16 years of age] shall include a description of the [opt-in] processes set forth in those sections in its privacy policy.” The word “and” has been replaced with “and/or.”
For more information and insight from Maurice Wutscher on data privacy and security laws and legislation, visit https://mauricewutscher.com/data-privacy-and-security/.