On August 14, the California Attorney General (AG) announced that the Office of Administrative Law (OAL) approved – after two and a half months – the final California Consumer Privacy Act (CCPA) regulations. The final approved CCPA regulations take effect immediately and are virtually unchanged from the regulations that the AG submitted to the OAL on June 1, 2020 (you can review our analysis of that version here). The AG also released an Addendum to the Final Statement of Reasons, which details the changes between the two versions. The changes are primarily non-substantive, but in four instances, the AG withdrew subsections for additional consideration:
- The prior § 999.305(a)(5), which required explicit consent to use a consumer’s personal information for a purpose that was materially different than those disclosed at the notice of collection, was withdrawn.
- The prior § 999.306(b)(2), which required that businesses that substantially interact with consumers offline also provide an offline method that facilitates consumer awareness of their right to opt out, was withdrawn.
- The prior § 999.315(c), which required a business’s methods for submitting opt-out requests be easy for the consumer to execute and “require minimal steps” and that the business not utilize a method that is designed or has the substantial effect of subverting a consumer’s decision to opt-out, was withdrawn.
- The prior § 999.326(c), which expressly allowed a business to deny a request from an authorized agent that does not submit proof that they have been authorized by the consumer to act on their behalf, was withdrawn. This was likely stricken because § 999.326(a) separately and more specifically authorizes businesses to require that consumer provide signed permission to the business that the agent is authorized to make CCPA requests on the consumer’s behalf.
For each withdrawal, the AG noted that it “may resubmit this section after further review and possible revision.” Additionally, the AG deleted the “Do Not Sell My Info” title option for the opt-out link, meaning that the link must read “Do Not Sell My Personal Information.”
With an immediate effective date, a critical issue is whether the AG will begin enforcing operationally complex parts of the CCPA regulations in the near term. When the AG submitted the final proposed CCPA regulations to the OAL on June 1, 2020, it asked for the OAL to complete an expedited review within 30 business days. Instead, it took the OAL two and a half months to finalize. With the CCPA enforceable since July 1, 2020, it is not clear whether the AG will view this additional time as a sufficient justification to begin holding businesses accountable for complying with the CCPA regulations in addition to the CCPA itself. In an IAPP presentation last month, the AG’s Office privacy lead, Stacey Schesser, stated that the AG’s Office enforcement at that time was focused on compliance with the CCPA notice and do not sell requirements. That will undoubtedly change – the question is when.
Please note that the CPRA Initiative will appear on the November 2020 ballot and, if approved by California voters, will add more California privacy requirements that would take effect on January 1, 2023. Even if CPRA is approved, the CCPA and its finalized regulations will be valid and enforceable by the AG until then.