By Jeewon Kim Serrato
Final regulations to implement the California Consumer Privacy Act were released on August 14, 2020, and are now enforceable.
The regulations cleared their final regulatory hurdle – review and approval by the California Office of Administrative Law (OAL) – more than two years after the law originally passed and after several rounds of changes to proposed regulations. The latest round of changes were made on July 29th, during the midst of the OAL review, but were made public only after the regulations were finalized.
The final regulations leave in tact the vast majority of regulations the Office of the Attorney General (OAG) originally submitted for administrative review in early June. We provide below a summary of the changes and what to expect in future rulemaking and amendments to the CCPA.
The provisions that have been changed from the June 2020 version of the proposed regulations include:
- Removal of the “Do Not Sell My Info” Option. One of the most notable changes in the final regulations is the removal of the option for businesses to use the words “Do Not Sell My Info” in the link for the notice of right to opt out of “sale.” In the Addendum to Final Statement of Reasons, the OAG explains that the words “or ‘Do Not Sell My Info’” were deleted throughout the regulations to align with the express language of the statute. This option was originally included in the October 11, 2019 version of the proposed regulations by the OAG to give businesses a shorthand for the opt-out right notice. This, however, was not approved by the OAL as it was found not to be consistent with the statutory requirement
- Withdrawal of the Explicit Consent Option. The OAG withdrew former section 999.305(a)(5) which would have allowed businesses to use previously collected personal information of California residents for purposes other than those disclosed at the time of collection if they provided notice to consumers and obtained consumers’ opt-in consent to use the personal information for the new purpose. The statute nowhere prevents businesses from using data with opt-in consent. Businesses can always provide new notice and recollect the personal information, but for practical reasons, this is not optimal. Since the OAG signaled in the Addendum that this provision may be reconsidered and submitted again for OAL consideration, it is worth monitoring future rulemaking to see if the regulations can provide further flexibility on the usage of data for secondary purposes. .
- Withdrawal of Offline Opt-out Method. The OAG withdrew the requirement that businesses which “substantially interact” with consumers offline make their notice of opt-out available offline (former § 999.306(b) (2)). Without further guidance, businesses should continue to comply with the notice of right to opt out requirements found in Section 999.306 and the pre-collection notice requirements of Section 999.305(a)(3)(c), which includes the requirement to provide notice where consumers will encounter it at or before the point of collection of any personal information. Businesses that do not directly collect personal information from consumers should look at the advantages Section 999.305(e) of the Final Regs provides to registered data brokers.
- Withdrawal of the Minimal Steps Requirement. The OAG withdrew the high-level instructions in former section 999.315(c) to design opt-out requests so they “require minimal steps to allow the consumer to opt-out.” Without any further modifications to the regs, businesses should continue to comply with other portions of the regulations which direct businesses with greater specificity how to streamline access to opt-out notices (e.g., §§ 999.306(b)(1) and 999.306(c)).
- Withdrawal of the Authorized Agent Proof Requirement. The OAG also withdrew the subsection that would have allowed businesses to deny data subject requests from authorized agents if the agent fails to “submit proof” of authorization. Without further rulemaking, businesses may rely on the final regulations Section 999.326(a)(1-3) which includes three hurdles that a business may require before a consumer is able to use an authorized agent to submit a request and Section 999.326(b), which refers to the Probate Code for the requirements of establishing a valid power of attorney form of authorization.
As stated in the Addendum, the OAG may seek to issue before October 11, 2020 (the one-year anniversary of the first set of proposed CCPA regulations) another set of proposed regulations under its existing rulemaking authority to revise and resubmit the four (4) subsections that were withdrawn. It is also possible that the Governor may extend the one-year deadline by 60 calendar days, which may give until December 10 for the OAG to issue revisions to the four withdrawn sections (see Executive Order N-40-20).
For CCPA watchers, on August 30th, the California legislature voted to amend the CCPA (AB-1281) to extend the partial exemptions for employee data and business-to-business data through January 1, 2022 if the CPRA (see below) does not pass. The bill is now on the Governor’s desk for approval, which most believe will occur. The exemptions are currently set to expire on January 1, 2021. If CPRA passes, it would extend the exemptions for two years, through January 1, 2023.
Another possible change to the CCPA could come in the form of Prop. 24, the highly-publicized California Privacy Rights Act (CPRA) that would significantly amend the CCPA. The initiative, sponsored by Alistair Mactaggart, one of the co-authors of the original CCPA, eventually made it on the ballot, after proponents went to court to ensure they would not be penalized by COVID-19-related challenges they encountered in the qualification process. In an unusual twist, privacy and consumer advocacy groups have banded together to oppose Prop. 24, citing flaws in the measure and calling into question the use of the initiative process to pass complex privacy legislation, especially when the law has only recently gone into effect.