Photo of Sheila MillarPhoto of Tracy Marshall

The long trudge towards final regulations implementing the California Consumer Privacy Act (CCPA) continues. In December of last year, the California Attorney General issued a fourth set of proposed regulations. These additions were approved by the California Office of Administrative Law (OAL) on March 15, 2021 and took effect immediately. Here are the key changes businesses should know about.

New “Do Not Sell” Icon

The new regulations offer a voluntary opt-out icon that may be used in addition to (but not in place of) posting the notice of a California consumer’s right to opt-out of the sale of personal information.

Businesses must post the notice of right to opt-out on the webpage that consumers are directed to after clicking on the “Do Not Sell My Personal Information” link on their homepage (or landing page/menu in the case of mobile apps).

Businesses Must Streamline the Opt-Out Request Process

Businesses must ensure that their notices of the right to opt-out use simple language, are easy for consumers to understand, and require minimal steps to complete. Businesses cannot require consumers to click through or listen to reasons why they should not submit a request to opt-out, provide personal information that is not necessary to implement the request, or search or scroll through a privacy policy, similar document, or webpage to submit a request to opt-out.

Offline Opt-Out Notices

Businesses that collect personal information from consumers offline must also inform consumers by an offline method of their right to opt-out, as follows:

  • Businesses that collect personal information from consumers in a physical location may inform consumers of their right to opt-out via paper forms or signage
  • Businesses may inform consumers of their right to opt-out during a phone call in which the business collects personal information

In both scenarios, businesses must tell consumers where to find the opt-out information online.

Authorized Agents

California residents are permitted to use authorized agents to submit requests to know or to delete their personal information. The new regulations clarify that businesses may require consumers to prove that an agent has permission to submit the request and to verify their own identity directly with the business.

California Privacy Protection Agency Board Appointments

While the state continues to fine-tune the CCPA regulations – and application of the CCPA to employee information remains deferred until 2022 – the clock is already ticking on the newest iteration of California’s privacy law, the California Privacy Rights Act (CPRA). Although CPRA does not take effect until 2023, the ballot initiative directed establishment of the California Privacy Protection Agency (CPPA) in advance of the effective date. Governor Gavin Newsom, in conjunction with state officials, has appointed the first slate of CPPA members.

With the enactment of the Virginia Consumer Data Protection Act, and with other states also considering privacy legislation, the U.S. landscape is quickly becoming more confusing for consumers and businesses alike.