Press "Enter" to skip to content

California Attorney General’s Latest CCPA Regulations Approved

California Consumer Privacy Act (CCPA) Opt-Out Icon

On March 15, the California Office of the Attorney General announced that additional regulations relating to the California Consumer Privacy Act (CCPA) had been approved, effective immediately.

The new regulations affect four sections of the regulations approved in August 2020.

Section 999.306. Notice of Right to Opt-Out of Sale of Personal Information.

  • Section 999.306(a)(b)(3) is added to provide examples of how a business that sells consumers’ personal information (PI) and interacts with consumers offline can provide notice of the right to opt-out and instruction on how to do so. The examples describe the use of paper forms or signage, or providing the information by telephone.
  • New section 999.306(f) provides an opt-out icon “designed by Carnegie Mellon University’s Cylab and the University of Michigan’s School of Information and tested against other icons to determine the best design for communicating the privacy choices available to consumers.” Use of the icon is optional and doesn’t replace other opt-out notice requirements.

Section 999.315. Requests to Opt-Out.

  • Section 999.315(h) is added to reiterate that the methods provided for opt-out must be easy and not designed to discourage opt-out. For example, there cannot be more steps to opt-out than there are to opt-in, the process cannot include messages describing the reasons why opt-out should not be exercised, and consumers cannot be required to scroll through lengthy text, like a privacy policy, to locate the opt-out mechanism.  And, my favorite, double negatives cannot be used, such as “Don’t Not Sell My Personal Information.” Hopefully, most businesses wouldn’t never not do that.

Section 999.326. Authorized Agent.

  • Section 999.326(a) is modified so that a business may require that the authorized agent, rather than the consumer, provide proof of permission from the consumer. The consumer may still be required to verify their identity directly with the business or directly confirm that permission was granted to the authorized agent.

Section 999.332. Notices to Consumers Under 16 Years of Age.

  • Section 999.332(a) previously stated that “a business subject to sections 999.330 [consumers 13 to 15 years of age] and 999.331 [consumers under 16 years of age] shall include a description of the [opt-in] processes set forth in those sections in its privacy policy.” The word “and” has been replaced with “and/or.”

For more information and insight from Maurice Wutscher on data privacy and security laws and legislation, visit https://mauricewutscher.com/data-privacy-and-security/.

Eric Rosenkoetter is a principal at Maurice Wutscher LLP, and is focused on advising clients with respect to federal and state consumer financial protection laws and data privacy and security, and he is a Certified Information Privacy Professional though the International Association of Privacy Professionals. He also brings to the table experience as a litigator, chief compliance and ethics officer, director of legislative affairs, federal lobbyist, and administrative hearings officer. Eric earned his Juris Doctor from Washington University School of Law, and his Bachelor of Business Administration from Southern Methodist University. He is a member of the International Association of Privacy Professionals, the Receivables Management Association International (RMAI), and ACA International. He is admitted to practice law in Texas and Missouri and in the U.S. District Courts for the Northern, Southern, Eastern, and Western Districts of Texas. For more information, see https://mauricewutscher.com/attorneys/eric-rosenkoetter/

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.