The implementation of the final CCPA regulations closes the door on a process of more than nine months since the first draft was published for comment on October 10, 2019. Since then, the AG released two sets of modified regulations, each subject to public comment. This sequence meant that California businesses were required to adopt CCPA compliance procedures by January 1, the statute’s implementation date, while lacking clarity in some key areas that the statute had assigned to the AG regulations. California businesses have also been subject to the AG’s enforcement authority since July 1, even though the regulations were not yet in effect.
The final regulations are substantially similar to the most recent draft regulations issued in June, with a few notable changes discussed below. For a full list of changes along with brief explanations, please refer to the AG’s newly issued Addendum to Final Statement of Reasons.
Key changes to the final regulations
- The option to use the shorthand phrase “Do Not Sell My Info” has been removed. According to the AG’s statement of reasons, this option—which the AG added to § 999.305 as a shorthand alternative to the “Do Not Sell My Personal Information” button—was deleted throughout the regulations “to align with the express language of the statute.” This change may impact businesses that previously relied on this option for sale opt-out links and privacy notice descriptions of the sale opt-out right.
- The requirement to obtain explicit consent for new processing purposes has been withdrawn. Section 999.305(a)(5) previously required businesses to obtain explicit consent before using personal information for a purpose “materially different” from the purposes disclosed in the privacy notice. That section has been withdrawn, removing the explicit consent requirement. The underlying requirement in § 1798.100(b) of the CCPA still applies: businesses “shall not . . . use personal information collected for additional purposes without providing the consumer with notice consistent with this section.” Businesses should also keep in mind that federal considerations for material changes to privacy policies still apply, notably the FTC’s position that applying materially changed practices to previously collected data without consent can be an unfair or deceptive practice.
- The requirement for certain businesses to provide an offline privacy notice has been withdrawn. Section 999.306(b)(2) previously required businesses that substantially interact with consumers offline to “provide notice to the consumer by an offline method that facilitates consumer awareness of their right to opt-out.” Listed examples included printed notices on paper forms that collect personal information and signage directing consumers to an online notice. With this requirement withdrawn, businesses that operate substantially offline may have more flexibility in how they present notices to consumers at the time of collection.
- The service provider provision regarding collection done on behalf of a business has been revised to apply to any entity that would otherwise meet the definition of a “service provider.” Section 999.314(b) previously stated, “To the extent that a business directs a second business to collect personal information directly from a consumer, or about a consumer, on the first business’s behalf, and the second business would otherwise meet the requirements and obligations of a “service provider”…, the second business shall be deemed a service provider of the first business.” The final regulations replace every reference to a “second business” with “second entity,” in recognition that “business” is a defined term under the CCPA with its own thresholds. The practical implication is that the provision now reaches any entity directed to collect personal information on a business’s behalf, whether or not that entity itself qualifies as a “business” under the CCPA, provided it otherwise meets the service provider requirements and obligations.
- The requirement that methods for submitting opt-out requests be “easy for consumers to execute” and “require minimal steps to allow the consumer to opt-out” has been withdrawn. Section 999.315(c) previously required businesses to employ easy-to-use methods for submitting requests that required only minimal steps for a consumer to opt out. It also prohibited methods “designed with a purpose or [having] the substantial effect of subverting or impairing a consumer’s decision to opt-out.” With this requirement gone, it is unclear how the AG will view multi-step opt-out processes. In practice, privacy regulators tend to look skeptically at processes that have the effect of subverting a consumer’s choice, but the regulations’ express prohibition of such practices has been removed.
- Requirements around authorized agents and “written permission” have been slightly modified. The final regulations include two changes to provisions involving authorized agents. The first relates to the newly lettered § 999.315(f) (previously § 999.315(g)) and clarifies that a business may deny a request from an authorized agent “if the agent cannot provide to the business the consumer’s signed permission demonstrating that they have been authorized by the consumer to act on the consumer’s behalf.” This replaces a vague statement that businesses could deny requests where the agent “does not submit proof,” and it provides some clarity on what type of proof is required. The second provision, § 999.326(c), previously reiterated that a business “may deny a request from an authorized agent that does not submit proof”; it has been withdrawn, presumably as duplicative. This withdrawal seems unlikely to have a substantial practical effect, since the amended § 999.315(f) still allows businesses to deny requests, as described above.
- The severability provision has been withdrawn. Section 999.341 previously stated: “If any article, section, subsection, sentence, clause or phrase of these regulations contained in this Chapter is for any reason held to be unconstitutional, contrary to statute, exceeding the authority of the Attorney General, or otherwise inoperative, such decision shall not affect the validity of the remaining portion of these regulations.” This section has been withdrawn entirely, with the AG’s statement of reasons stating that it “has been deleted as unnecessary.”
Taken as a whole, and setting aside the numerous revisions for grammar and formatting, the final changes are fairly minor: they focus on clarifying the existing text and removing a few provisions that are inconsistent with, or exceed the bounds of, the underlying statute. Most of the changes described above give businesses some additional flexibility, with the notable exception of the removal of the “Do Not Sell My Info” shorthand, which may require businesses to update opt-out links and privacy notices to use the statute’s full “Do Not Sell My Personal Information” wording. Given that the final regulations, including each of these changes, have been in effect since August 14, 2020, businesses should promptly take whatever steps are needed to finalize their compliance processes and procedures in line with the final requirements.
Authored by Bret Cohen, Tim Tobin, Aaron Lariviere, and Julian Flamant.