On Friday, August 14, 2020, the California Office of Administrative Law (OAL) approved the California Office of the Attorney General’s (OAG) final California Consumer Privacy Act (CCPA) regulations and filed them with the California Secretary of State (SOS). The regulations were immediately effective.

Notably, the final text of the regulations submitted to the SOS was modified from the one filed with the OAL. The OAG published an Addendum to the Final Statement of Reasons setting forth the changes. Many of the changes are stylistic and grammatical. However, some of the changes are substantive and will impact compliance efforts. The most notable changes are discussed below.

Changes to notice of right to opt-out

Shorter “Do Not Sell My Info” Option Deleted

Section 999.306 previously allowed businesses to provide the notice of right to opt-out by providing a link stating either “Do Not Sell My Personal Information” or “Do Not Sell My Info.” The final regulations remove the “Do Not Sell My Info” option “to align with the express language of the statute.”

Offline Notice Section Deleted

The final regulations deleted section 999.306(b)(2), which required businesses that substantially interact with consumers offline to provide the notice of right to opt out in an “offline method that facilitates consumer awareness of their right to opt out.” The Addendum states that the “OAG may resubmit this section after further review and possible revision.” That said, businesses that do not operate a website must provide an offline method to submit opt-out requests (section 999.306(c)(2)). Further, businesses that collect personal information offline are still required to provide an offline notice at collection that must direct consumers to where they can find the “Do Not Sell My Personal Information” link online if the business sells personal information.

Requirement to obtain consent prior to using personal information for new purpose deleted

The final regulations also deleted section 999.305(a)(5), which required businesses to obtain a consumer’s consent prior to using a consumer’s personal information for a materially different purpose than was disclosed in the notice of collection. The entire section that was removed stated:

"A business shall not use a consumer’s personal information for a purpose materially different than those disclosed in the notice at collection. If the business seeks to use a consumer’s previously collected personal information for a purpose materially different than what was previously disclosed to the consumer in the notice at collection, the business shall directly notify the consumer of this new use and obtain explicit consent from the consumer to use it for this new purpose."

The Addendum states that the “OAG may resubmit this section after further review and possible revision.”

Requirement to make requests to opt-out “easy” deleted

The final regulations delete section 999.315(c), which stated:

"A business’s methods for submitting requests to opt-out shall be easy for consumers to execute and shall require minimal steps to allow the consumer to opt-out. A business shall not utilize a method that is designed with the purpose or has the substantial effect of subverting or impairing a consumer’s decision to opt-out."

The Addendum states that the “OAG may resubmit this section after further review and possible revision.”

Authorized agent requests

The final regulations delete section 999.326(c), which stated that “A business may deny a request from an authorized agent that does not submit proof that they have been authorized by the consumer to act on their behalf.” There was no explanation provided in the Addendum for why this provision was removed.

Under section 999.326(a), businesses still may require consumers to (1) provide the authorized agent signed permission to make the request; (2) verify the consumer’s identity directly with the business; and (3) directly confirm with the business that they provided the authorized agent permission to submit the request.

Notably, this change only applies to requests to know and delete. For requests to opt out, section 999.315(f) still provides, in part, that “A business may deny a request from an authorized agent if the agent cannot provide to the business the consumer’s signed permission demonstrating that they have been authorized by the consumer to act on the consumer’s behalf.”

As with other deletions, the Addendum states that the “OAG may resubmit this section after further review and possible revision.”