On October 12, the California Attorney General announced a new set of proposed modifications to the CCPA regulations. Although this third set of proposed modifications is relatively brief, it would reinstate some provisions that were removed at earlier phases of the rulemaking and could impact a number of CCPA compliance efforts. The announcement also signals that the California Attorney General intends to continue refining the CCPA regulations even though they would eventually be displaced if California voters approve the California Privacy Rights Act (Proposition 24)—“CCPA 2.0”—as part of the November 3 election.
The California Attorney General is accepting comments on its proposed modifications until October 28, 2020 at 5:00pm PST. We provide below an overview of the four changes proposed in this third set of proposed modifications, which can be reviewed in this redline document.
- 999.306(b)(3) - Clarifies that a business that collects personal information (PI) in an offline context must provide notice of the right to opt-out by an offline method.
  - The revisions also include examples of offline notices (e.g., notice on paper forms used to collect PI; signage in the area where PI is collected).
- 999.315(h) - Clarifies that a business’s methods for submitting opt-out requests must be easy to use and require minimal steps. A business may not use a method that has the purpose or “substantial effect of subverting or impairing a consumer’s choice to opt-out.”
- 999.326(a) - Clarifies the proof that a business may require an authorized agent to provide and the steps a business may require a consumer to take to verify an agent request.
  - This change is largely a reorganization of existing requirements in section 999.326. It clarifies that the agent (instead of the consumer) can be required to provide proof of signed permission from the consumer. A business can still require the consumer to directly verify their own identity with the business or directly confirm with the business that the agent has been authorized to submit the request.
- The existing description of this requirement uses the “and” connector between 999.330 and 999.331, which may give the impression that a written description of opt-in procedures is required only if a business is subject to both of those sections.