On August 14th, the Office of the Attorney General (OAG) announced the final regulations for the California Consumer Privacy Act (CCPA) had been approved by the Office of Administrative Law (OAL). According to an official press release from Attorney General Xavier Becarra, these final regulations are now in full effect.
The OAL also provided an Addendum as part of the final rulemaking package. According to the OAG, the Addendum includes “non-substantive changes for accuracy, consistency, and clarity,” as well as the withdrawal of certain provisions of the proposed regulations that were submitted for approval. It is prudent that businesses carefully review the final regulations to ensure full compliance with the final regulations and the CCPA.
Below is a brief synopsis of some changes included within the final regulations.
Aside from non-substantive modifications (e.g., formatting and grammatical corrections) the final regulations change the usage of the term “minor” to “consumer” and remove the words “Do Not Sell My Info.” The Addendum states these changes are meant to align the final regulations with the statute.
While the following provisions have been withdrawn from the final regulations, the OAL has indicated that each provision may be resubmitted for approval “after further review” by the OAG and “possible revision.” As indicated below, some of the withdrawn provisions may draw scrutiny as the OAG had previously stated these subsections were necessary to protect consumers.
Section 999.305. Notice at Collection of Personal Information – The final regulations withdrew the following subsection from the proposed regulations:
(a)(5) A business shall not use a consumer’s personal information for purpose materially different than those disclosed in the notice at collection. If the business seeks to use a consumer’s previously collected personal information for a purpose materially different than what was previously disclosed to the consumer in the notice at collection, the business shall directly notify the consumer of this new use and obtain explicit consent from the consumer to use it for this new purpose.
It is odd that this provision has been withdrawn since the OAG has previously stated this subsection was necessary “so that the consumer may affirmatively decide whether to agree” to a new use by a business of a consumer’s personal information. The OAG had reasoned this subsection allows consumers to determine whether they agree to a new or modified use of their personal information when “businesses change practices midstream.”
Section 999.306. Notice of Right to Opt-Out of Sale of Personal Information - The final regulations withdrew the following subsection from the proposed regulations:
(b)(2) A business that substantially interacts with consumers offline shall also provide notice to the consumer by an offline method that facilitates consumer awareness of their right to opt-out. Such methods include, but are not limited to, printing the notice on paper forms that collect personal information, providing the consumer with a paper version of the notice, and posting signage directing consumers to where the notice can be found online.
The OAG had previously stated this subsection clarified that when a business substantially interacts with consumers offline, the business will use an offline method to provide notice to consumers by posting signage directing consumers to where the notice “can be found online.”
Section 999.315. Requests to Opt-Out - The final regulations withdrew the following subsection from the proposed regulations:
(c) A business’s methods for submitting requests to opt-out shall be easy for consumers to execute and shall require minimal steps to allow the consumer to opt-out. A business shall not utilize a method that is designed with the purpose or has the substantial effect of subverting or impairing a consumer’s decision to opt-out.
Like 999.305, it is odd this provision was withdrawn since the OAG had stated this provision was necessary to avoid the possibility that a business creates “confusing or complex mechanisms for consumers to exercise their rights under the CCPA.” Indeed, the OAG had stated that absent this provision a business may introduce opt-out choices that are “unclear or, worse, employed deceptive dark patterns to undermine a consumer’s intended direction.”
Section 999.326. Authorized Agent - The final regulations withdrew the following subsection from the proposed regulations:
(c) A business may deny a request from an authorized agent that does not submit proof that they have been authorized by the consumer to act on their behalf.
Approval of the CCPA regulations was the final step in what was a multi-year rulemaking process. While there may be further changes on the horizon, the enacted final regulations now require businesses to review their practices and processes to ensure full compliance with the CCPA.
For assistance in understanding the immediate impact of CCPA, the potential impact of the now enacted final regulations, and/or the establishment of a comprehensive data privacy program, please contact John Rondini, co-chair of Brook Kushman’s Cybersecurity and Data Privacy group, at 248.226.2913 or firstname.lastname@example.org.