Thanks to statutory amendments and regulatory changes, compliance with the California Consumer Privacy Act (“CCPA”) continues to be a moving target. As Vedder Price previously reported, the CCPA, effective January 1, 2020, gave consumers new tools and rights for protecting their data privacy. In October 2020, the California Attorney General (“AG”) approved the “final” set of regulations interpreting the requirements of the CCPA, discussed here. Then in December 2020, the AG proposed some modifications to the regulations in response to comments about the previous set of proposed CCPA modifications.
Recently, on March 15, 2021, the AG announced that the Office of Administrative Law approved the AG’s proposed changes to the CCPA regulations. These newly approved regulations strengthen the language of the CCPA by making three changes relating to the right to opt out of sales and one change to authorized agent requests. Thus, companies that are focused on CCPA compliance should review these regulations with fresh eyes to make sure they are still compliant.
Changes to Right to Opt Out Provisions
Notice Requirement for Offline Collection
The regulations now require that a business that sells personal information it collects from consumers offline must inform consumers by an offline method of their right to opt out and must provide instructions on how to submit a request to opt out. The notice can be provided on paper forms that collect information, through signage in the area where personal information is collected, or over the phone.
Opt-Out Icon Requirements
The new regulations provide businesses with an optional Privacy Options icon. The blue icon was tested against other icons to determine the best design for communicating the privacy choices available to consumers. The use of the “do not sell” opt-out icon is optional, not mandatory. This opt-out icon “may be used in addition to posting the notice of right to opt-out, but not in lieu of any requirement to post the notice of right to opt-out or a ‘Do Not Sell My Personal Information’ link.”
The previous version of the proposed regulations indicated that “[w]here a business posts the ‘Do Not Sell My Personal Information’ link, the opt-out button shall be added to the left of the text. The opt-out button must link to the same Internet webpage or online location to which the consumer is directed after clicking on the ‘Do Not Sell My Personal Information’ link.” This was excluded from the final approved regulations. The only remaining requirement is that the icon “shall be approximately the same size as any other icons used by the business on its webpage.”
Ban on Dark Patterns and Methods That Obstruct Opt Outs
The new regulations ban so-called “dark patterns” that delay or obscure the process for opting out of the sale of personal information. Specifically, they prohibit companies from burdening consumers with confusing language or unnecessary steps, such as forcing them to click through multiple screens or listen to reasons why they should not opt out, or requiring them to scroll through privacy policies or similar documents after clicking the “Do Not Sell My Personal Information” link.
Use of an Authorized Agent
When a consumer uses an authorized agent to submit a request to know or a request to delete, a business may require the authorized agent to provide proof that the consumer gave the agent signed permission to submit the request. The previous regulations placed that optional requirement on the consumer.
The business may also still require the consumer either to verify their own identity with the business or to confirm directly with the business that the consumer provided the authorized agent permission to submit the request.
Takeaways
The additional changes to the CCPA regulations are intended to uphold the overriding principles of the CCPA: to inform consumers of their right to opt out of the sale of their personal information and to present this information to consumers in a way that is easy to read and understand.
The AG’s announcement regarding the approval of the additional regulations is a reminder to companies that the AG will continue with enforcement actions under the CCPA. Companies should closely review the new regulations and monitor CCPA developments to ensure their privacy programs and procedures remain compliant with current requirements.