CCPA regulations: Deadline approaching for comments to proposed modifications

The California Attorney General is accepting comments on its proposed modifications until October 28, 2020 at 5:00pm PST, and we provide below an overview of the four changes proposed in this third set of proposed modifications, which can be reviewed in this redline document.

• 999.306(b)(3) - Clarifies that a business that collects personal information (PI) in an offline context must provide notice of the right to opt-out by an offline method.
  • The revisions also include examples of offline notices (e.g., notice on paper forms used to collect PI; signage in the area where PI is collected).
• 999.315(h) - Clarifies that a business’s methods for submitting opt-out requests must be easy to use and require minimal steps. A business may not use a method that has the purpose or “substantial effect of subverting or impairing a consumer’s choice to opt-out.”
  • The revisions also include guidance for meeting this requirement (e.g., avoid confusing language; do not require consumers to click through/listen to reasons why they should not submit a request to opt out; do not require the consumer to provide PI that is not necessary to implement the request; after the consumer clicks the DNSMPI link, do not require the consumer to search or scroll through the text of a privacy policy to locate the opt-out mechanism).
• 999.326(a) - Clarifies the proof that a business may require an authorized agent to provide and the steps a business may require a consumer to take to verify an agent request.
  • This change is largely a reorganization of existing requirements in section 999.326. It clarifies that the agent (instead of the consumer) can be required to provide proof of signed permission form the consumer. A business can still require the consumer to directly verify their own identity with the business or directly confirm with the business that the agent has been authorized to submit the request.
• 999.332(a) - Clarifies that a business that either has actual knowledge that it sells the PI of consumers under 13 years of age (section 999.330), or has actual knowledge that it sells the PI of consumers over 13 years of age but under 16 years of age (section 999.331), must include a description of the relevant opt-in procedures in its privacy policy.
  • The existing description of this requirement uses the “and” connector between 999.330 and 999.331, which may give the impression that a written description of opt-in procedures is required only if a business is subject to both of those sections.

The notice and text of the third set of proposed modifications can be accessed here and here.

Authored by Ryan Woo and Julian Flamant.