CCPA’s Third Amended Regulations

Consumer’s Right to Opt-Out Offline 

Currently, businesses that must comply with the CCPA and that “sell” personal information under the law are required to provide a right to opt-out notice in a way that “is easy to read and understandable to consumers.” For businesses with webpages, consumers should be directed to click the “Do Not Sell My Personal Information” link if the consumer wishes to opt-out.

Since enforcement of the CCPA began, there has been some confusion on what the proper procedures are for businesses that collect personal information offline. The new amendments now require businesses to provide consumers an offline method for submitting an opt-out request. For example, if the business is a brick and mortar store, the business “may inform consumers of their right to opt-out on the paper forms that collect the personal information or by posting signage in the area where the personal information is collected.”¹ The notice to consumers will inform the consumer where her/his personal information is collected and where the opt-out information can be found online. The regulations also state that the right to opt-out may be provided over the phone.

Opt-Out Icon

The new amendment also permits businesses to add an opt-out icon, in addition to the right to opt-out notice. The Attorney General has noted that the use of this “icon” is optional. The only requirement is that the icon must be approximately the same size as any other icons used by the business on its webpage. The icon may not be used as an alternative to the requirement to a 'Do Not Sell My Personal Information' opt-out notice. Thus, on balance, it is unlikely that many businesses will add the icon to their website. 

Businesses can download the icon here.

Obstruction of Opt-Out Notices

Businesses are now required to make the methods for submitting requests to opt-out easy for consumers to execute with minimal steps. When determining how to design a business’s opt-out method, “the number of steps for submitting a request to opt-out is measured from when the consumer clicks on the “Do Not Sell My Personal Information” link to completion of request.”² For example, the process for submitting a request to opt-out cannot require more steps than the steps required for a consumer to opt-in to the sale of personal information after having opted out.

The regulations also provide other examples of obstruction and require that a business: 1) not use confusing language, 2) not require a consumer to listen or click through the reasons not to submit a request to opt-out, 3) not require consumers to provide personal information not essential to implement the request, and 4) not require consumers to scroll through the text of a privacy policy to locate the mechanism for opting out.

Changes to Authorized Agent Request

The Authorized Agent regulation has also been amended to allow a business to require an authorized agent to provide proof that the consumer gave the agent signed permission to submit an access or deletion request. The prior language of the regulation suggested that the business could only direct such a request to the consumer.

Takeaways

These are not major amendments and will most likely not require an overhaul of a business’s privacy policy. However, businesses should review the amendments and consider any changes that must be made, especially concerning the process for opting-out from the “sale” of personal information and their current methods for submitting opt-out requests.

1. Cal. Civ. Code § 999.306 (b)(3)(a).

2. Cal. Civ. Code § 999.315(h)(1).