CCPA regulations: Deadline approaching for comments to proposed modifications

On October 12, the California Attorney General announced a new set of proposed modifications to the CCPA regulations. Although this third set of proposed modifications is relatively brief, it would reinstate some provisions that were removed at earlier phases of the rulemaking and could impact a number of CCPA compliance efforts. The announcement also signals that the California Attorney General intends to continue refining the CCPA regulations even though they would eventually be displaced if California voters approve the California Privacy Rights Act (Proposition 24)—“CCPA 2.0”—as part of the November 3 election.

The California Attorney General is accepting comments on its proposed modifications until October 28, 2020 at 5:00pm PST. We provide below an overview of the four changes proposed in this third set of proposed modifications, which can be reviewed in this redline document.

  • 999.306(b)(3) - Clarifies that a business that collects personal information (PI) in an offline context must provide notice of the right to opt-out by an offline method.
    • The revisions also include examples of offline notices (e.g., notice on paper forms used to collect PI; signage in the area where PI is collected).
  • 999.315(h) - Clarifies that a business’s methods for submitting opt-out requests must be easy to use and require minimal steps. A business may not use a method that has the purpose or “substantial effect of subverting or impairing a consumer’s choice to opt-out.”
    • The revisions also include guidance for meeting this requirement (e.g., avoid confusing language; do not require consumers to click through/listen to reasons why they should not submit a request to opt out; do not require the consumer to provide PI that is not necessary to implement the request; after the consumer clicks the DNSMPI link, do not require the consumer to search or scroll through the text of a privacy policy to locate the opt-out mechanism).
  • 999.326(a) - Clarifies the proof that a business may require an authorized agent to provide and the steps a business may require a consumer to take to verify an agent request.
    • This change is largely a reorganization of existing requirements in section 999.326. It clarifies that the agent (instead of the consumer) can be required to provide proof of signed permission from the consumer. A business can still require the consumer to directly verify their own identity with the business or directly confirm with the business that the agent has been authorized to submit the request.
  • 999.332(a) - Clarifies that a business that either has actual knowledge that it sells the PI of consumers under 13 years of age (section 999.330), or has actual knowledge that it sells the PI of consumers over 13 years of age but under 16 years of age (section 999.331), must include a description of the relevant opt-in procedures in its privacy policy.
    • The existing description of this requirement uses the “and” connector between 999.330 and 999.331, which may give the impression that a written description of opt-in procedures is required only if a business is subject to both of those sections.


The notice and text of the third set of proposed modifications can be accessed here and here.


Authored by Ryan Woo and Julian Flamant.


