Regulations implementing the California Consumer Privacy Act (CCPA) became final last week, following approval by the California Office of Administrative Law (OAL). While four provisions from the final regulations were removed by OAL during the review process, with the exception of one change, the deletions are expected to have little substantive impact.
The final regulations also include several alterations to align terminology for consistency, as well as make grammatical clarifications. There is one substantive change—businesses can no longer use the shortened phrase "Do Not Sell My Info" on a website homepage to link to the opt-out page: rather, they can only use "Do Not Sell My Personal Information."1
The California Attorney General (CA AG) announced on Friday, August 14, 2020, that the regulations would be effective immediately. We previously summarized some of the key compliance tasks that the regulations impose on businesses.
Impact of Withdrawn Provisions
Opt-In Consent for New Use (§ 999.305(a)(5))
This provision would have required a business seeking to use collected personal information for a materially different purpose than previously disclosed to notify the consumer and obtain "explicit consent" for the new use. Withdrawal of this provision may have little substantive impact, however.
The CCPA itself prohibits businesses from "us[ing] personal information collected for additional purposes without providing the consumer with notice."2 While the CCPA does not expressly require consent in this circumstance, such may be required by federal law if the new purpose is materially different.
Notice of Opt-Out Rights When Personal Information Is Collected Offline (§ 999.306(b)(2))
This provision would have required businesses that "substantially interact" with consumers offline to provide notice of consumers' right to opt out. Again, this will not have a substantive impact on a business' obligations because businesses are still obligated to provide a "notice at collection," including when the business collects personal information offline.
The notice at collection must include information about the categories of personal information collected and the purposes of collection, as well as a link to, or URL for the "do not sell my personal information" webform, if the business "sells" personal information.
Easy Process for Opting Out (§ 999.315(c))
This provision would have mandated that the opt-out process be "easy," with minimal steps required, and prohibited a business from using methods that impair the consumer's ability to make a decision to opt out.
This deletion is unlikely to have a substantive impact, as businesses are still required to offer "a global option to opt-out of the sale of all personal information" under § 999.315(d). Moreover, federal and state consumer protection laws generally protect against any practices deemed to be unfair or deceptive.
Documentation Required for Requests Submitted by Authorized Agent (§ 999.326(c))
This provision allowed businesses to deny requests submitted by authorized agents on behalf of consumers if the authorized agents did not submit "proof" of authorization by the consumer. A similar requirement exists elsewhere in the regulations.
However, § 999.315(e) permits businesses to deny a request from an authorized agent if the agent does not provide the consumer's "signed permission." That provision was changed slightly—it previously required "proof" and now requires "signed permission," which may essentially be the same thing.
Businesses may not have much time to digest the regulations before California privacy law changes again. Californians will vote in November on the California Privacy Rights Act ballot initiative (CPRA), which, if passed, would significantly change businesses' obligations and trigger another rulemaking process. Further, two amendments to the CCPA continue to percolate in the California legislature.
The first, AB 713, would modify the law to exempt from the CCPA all de-identified personal health information collected by an entity covered by the Health Insurance Portability and Accountability Act (HIPAA), or a business associate of that entity, if that information has been de-identified according to procedures set forth in HIPAA. Previously, de-identifying data would take it out of the scope of HIPAA but potentially leave it subject to the CCPA based on the CCPA's definition of personal information.
The other bill, AB 1281, would extend to January 1, 2022 the exceptions for employees and business-to-business communications—currently set to sunset on January 1, 2021.
Importantly, the CA AG has not enforced the CCPA yet. Businesses should follow the CA AG's enforcement activity as it unfolds and adapt their approach to compliance accordingly.