Final CCPA Regulations Approved with Changes

On August 14, 2020, the California Office of Administrative Law (OAL) approved the final California Consumer Privacy Act (CCPA) regulations that were submitted by the California Attorney General (AG) on June 1, 2020. The regulations took effect immediately upon approval. As we discussed previously, the CCPA, which took effect on January 1, 2020, grants California residents certain rights including the right to access, delete, and opt-out of the sale of their personal information. For the most part, the OAL made minimal changes to the March 2020 version of the regulations submitted by the AG.

According to the OAL’s Addendum to the Final Statement of Reasons, (i) the OAL made non-substantive technical changes for accuracy, consistency, and clarity purposes, and (ii) the AG withdrew certain provisions for additional consideration, including:

• 999.305(a)(5) requiring a business to notify a consumer before using the consumer’s personal information for a purpose “materially different” than the purpose disclosed in the notice at collection. Notably, § 999.305(b)(2) still requires a business to include in its notice at collection “the business or commercial purpose(s) for which the categories of personal information [collected] will be used.”

• 999.306(b)(2) requiring a business that substantially interacts with consumers offline to provide an offline notice to consumers of their right to opt-out of the sale of their personal information. Notably, § 999.305(b)(3) still requires a business that maintains an offline notice at collection to direct consumers to its online opt-out mechanism.

• 999.315(c) prohibiting a business from providing a method for submitting requests to opt-out that is designed to or has the substantial effect of “subverting or impairing” a consumer’s decision to opt-out. Notably, § 999.315(b) still requires that a business consider the “ease of use” of the opt-out method it provides.

• 999.326(c) permitting a business to deny a request from an authorized agent if the agent does not submit proof that the agent has been authorized by the consumer to act on the consumer’s behalf. Notably, § 999.326(a) still permits a business to require a consumer to confirm with the business that they provided an authorized agent permission to submit a request to know or delete; and § 999.315(f) separately permits a business to deny an opt-out request from an authorized agent if the agent cannot provide to the business the consumer’s signed permission.

A change of note for businesses that sell personal information, is the removal of the phrase “Do Not Sell My Personal Info” throughout the regulations, including in a provision allowing its use as the title of the link businesses must display on their website homepage. The OAL noted the change was made to align the regulations with the statute. The statute uses the phrase “Do Not Sell My Personal Information” rather than “Do Not Sell My Personal Info.”

The OAL’s approval gives long-awaited finality to the CCPA regulations which were first made available for public comment in October 2019. The California Attorney General has been able to enforce the CCPA since July 1, 2020, and the AG’s office has indicated it will not delay enforcement in light of the coronavirus pandemic. Given that non-compliance can result in civil penalties of $2,500 to $7,500 per violation, businesses that have yet to address their CCPA obligations, should do so now. If you have questions about whether CCPA applies to your organization or how to comply, please contact Kevin Coy, Montserrat C. Miller, or Erin E. Doyle.