
California Attorney General’s Latest CCPA Regulations Approved

California Consumer Privacy Act (CCPA) Opt-Out Icon

On March 15, the California Office of the Attorney General announced that additional regulations relating to the California Consumer Privacy Act (CCPA) had been approved, effective immediately.

The new regulations affect four sections of the regulations approved in August 2020.

Section 999.306. Notice of Right to Opt-Out of Sale of Personal Information.

  • Section 999.306(a)(b)(3) is added to provide examples of how a business that sells consumers’ personal information (PI) and interacts with consumers offline can provide notice of the right to opt-out and instruction on how to do so. The examples describe the use of paper forms or signage, or providing the information by telephone.
  • New section 999.306(f) provides an opt-out icon “designed by Carnegie Mellon University’s Cylab and the University of Michigan’s School of Information and tested against other icons to determine the best design for communicating the privacy choices available to consumers.” Use of the icon is optional and doesn’t replace other opt-out notice requirements.

Section 999.315. Requests to Opt-Out.

  • Section 999.315(h) is added to reiterate that the methods provided for opt-out must be easy and not designed to discourage opt-out. For example, there cannot be more steps to opt out than there are to opt in, the process cannot include messages describing the reasons why opt-out should not be exercised, and consumers cannot be required to scroll through lengthy text, like a privacy policy, to locate the opt-out mechanism. And, my favorite, double negatives cannot be used, such as “Don’t Not Sell My Personal Information.” Hopefully, most businesses wouldn’t never not do that.

Section 999.326. Authorized Agent.

  • Section 999.326(a) is modified so that a business may require that the authorized agent, rather than the consumer, provide proof of permission from the consumer. The consumer may still be required to verify their identity directly with the business or directly confirm that permission was granted to the authorized agent.

Section 999.332. Notices to Consumers Under 16 Years of Age.

  • Section 999.332(a) previously stated that “a business subject to sections 999.330 [consumers 13 to 15 years of age] and 999.331 [consumers under 16 years of age] shall include a description of the [opt-in] processes set forth in those sections in its privacy policy.” The word “and” has been replaced with “and/or.”

For more information and insight from Maurice Wutscher on data privacy and security laws and legislation, visit


Eric Rosenkoetter is a principal at Maurice Wutscher LLP, where he provides counsel to businesses and consumer financial services firms nationwide. For many years, he has focused his practice on various aspects of financial services law. As a litigation attorney, he has conducted every aspect of the litigation process, including countless depositions, motion proceedings, bench and jury trials, and appeals in various courts. In addition, he has significant experience as a compliance and transactional attorney, providing strategic, business growth, legislative, compliance and regulatory advice to national corporations and trade associations. For example, he has drafted consumer contracts and disclosures designed to state-specific statutory requirements, and developed “Best Practices” guides and state-by-state compliance grids, for national financial services companies. He also conducted research and crafted a metrics report for a national trade association with analysis designed to counter the claims of advocacy groups. Eric’s experience also includes working for a national corporation as Executive Counsel, Chief Compliance and Ethics Officer, and Director of Legislative Affairs, and as a federal lobbyist and Director of Government and Public Affairs for a national financial services trade association. In the government sector, Eric presided over approximately 6,000 state administrative hearings, served as a staff attorney for the Missouri Senate, and handled litigation in 33 counties as a regional managing attorney. Eric frequently speaks to audiences on topics relevant to the financial services industry including regulatory compliance, data privacy law and related advocacy initiatives. For more information, see
