The California Attorney General is accepting comments on its proposed modifications until October 28, 2020 at 5:00pm PST, and we provide below an overview of the four changes proposed in this third set of proposed modifications, which can be reviewed in this redline document.
- 999.306(b)(3) - Clarifies that a business that collects personal information (PI) in an offline context must provide notice of the right to opt-out by an offline method.
- The revisions also include examples of offline notices (e.g., notice on paper forms used to collect PI; signage in the area where PI is collected).
- 999.315(h) - Clarifies that a business’s methods for submitting opt-out requests must be easy to use and require minimal steps. A business may not use a method that has the purpose or “substantial effect of subverting or impairing a consumer’s choice to opt-out.”
- 999.326(a) - Clarifies the proof that a business may require an authorized agent to provide and the steps a business may require a consumer to take to verify an agent request.
- This change is largely a reorganization of existing requirements in section 999.326. It clarifies that the agent (instead of the consumer) can be required to provide proof of signed permission form the consumer. A business can still require the consumer to directly verify their own identity with the business or directly confirm with the business that the agent has been authorized to submit the request.
- The existing description of this requirement uses the “and” connector between 999.330 and 999.331, which may give the impression that a written description of opt-in procedures is required only if a business is subject to both of those sections.
The notice and text of the third set of proposed modifications can be accessed here and here.
Authored by Ryan Woo and Julian Flamant.