On August 14, 2020, California Attorney General Xavier Becerra released final implementing regulations for the California Consumer Privacy Act (CCPA). The CCPA became enforceable on July 1, 2020, and Becerra’s office submitted a final proposed draft of the regulations to the California Office of Administrative Law (OAL) on June 1, 2020. The Proposed Regulations have gone through several revisions since the publication of the initial draft in October of 2019. The OAL approved the final version along with an updated Addendum to the Final Statement of Reasons. The final implementing regulations take effect immediately. All businesses subject to the CCPA must now comply with both the statute and the regulations.
The final implementing regulations are similar to the draft proposed in June. However, the AG’s office has made several changes it characterizes as “non-substantive” and withdrawn certain proposed provisions “for additional consideration.” The “non-substantive” changes are intended to improve consistency in language (e.g., ensuring “consumer” is used throughout the regulations, or reorganizing definitions in alphabetical order) and are described in detail in the Addendum to the Final Statement of Reasons.
Some of the withdrawn provisions may affect CCPA compliance. These changes are discussed below.
Section 999.305: Notice at Collection of Personal Information
Subsection (a)(5) has been withdrawn and the subsequent sections re-lettered accordingly.
- Subsection (a)(5) previously read: “A business shall not use a consumer’s personal information for a purpose materially different than those disclosed in the notice at collection. If the business seeks to use a consumer’s previously collected personal information for a purpose materially different than what was previously disclosed to the consumer in the notice at collection, the business shall directly notify the consumer of this new use and obtain explicit consent from the consumer to use it for this new purpose.”
With the removal of this section, businesses are no longer required to notify consumers directly and obtain explicit consent for new purposes of processing. The underlying statutory requirement imposed by Section 1798.100(b) that businesses “shall not … use personal information collected for additional purposes without providing the consumer with notice consistent with this section” remains in effect, but in practical terms the key requirement for altering use of personal information is now an accurate update to the description of purposes in the mandated notice.
Section 999.306: Notice of Right to Opt-Out of Sale of Personal Information
Subsection (b)(2) has been withdrawn and subsequent sections renumbered.
- Subsection (b)(2) previously read: “A business that substantially interacts with consumers offline shall also provide notice to the consumer by an offline method that facilitates consumer awareness of their right to opt-out. Such methods include, but are not limited to, printing the notice on paper forms that collect personal information, providing the consumer with a paper version of the notice, and posting signage directing consumers to where the notice can be found online.”
The removal of this section gives businesses that operate offline more flexibility in providing notice of the opt-out right to consumers – most notably, by arguably permitting businesses that primarily operate offline to direct consumers to an online opt-out form. However, the newly renumbered Section 999.306(b)(2) still requires any business that does not operate a website to “establish, document, and comply with another method by which it informs consumers of their right to opt-out.”
Section 999.315: Requests to Opt-Out
Subsection (c) has been withdrawn and subsequent sections renumbered.
- Subsection (c) previously read: “A business’s methods for submitting requests to opt-out shall be easy for consumers to execute and shall require minimal steps to allow the consumer to opt-out. A business shall not utilize a method that is designed with the purpose or has the substantial effect of subverting or impairing a consumer’s decision to opt-out.”
The removal of this section reduces the number of compliance standards previously present in the regulations by removing the only reference to an “easy for consumers to execute” standard attached to request mechanisms. The withdrawal of this section also drops the only reference in the regulations to a requirement that opt-out requests require “minimal steps” to execute.
The practical consequences of removing this section are less clear – the responsibility for businesses to consider the method by which they interact with consumers when choosing opt-out request mechanisms remains in place, as do the general obligations to provide two methods for submitting such requests. Despite this provision’s removal, the Attorney General may still look unfavorably on a request mechanism designed to have the “substantial effect of subverting or impairing a consumer’s decision to opt-out,” and such a form would arguably still qualify as an “unfair or deceptive trade practice,” which is prohibited under both state and federal law.
Section 999.326: Authorized Agent
Subsection (c) has been withdrawn and subsequent sections renumbered.
- Subsection (c) previously read: “A business may deny a request from an authorized agent that does not submit proof that they have been authorized by the consumer to act on their behalf.”
This subsection’s withdrawal does not appear to substantively alter the ability of businesses to refuse requests from authorized agents, as that process is also detailed in the sections of the regulations that cover each type of request.
Section 999.315(f) (formerly subsection (g)) has been updated to clarify that a business may deny a request to opt-out submitted by a consumer’s authorized agent “if the agent cannot provide to the business the consumer’s signed permission demonstrating that they have been authorized by the consumer to act on the consumer’s behalf.” This update clarifies what an authorized agent must provide.
Overall, the final regulations do not introduce major changes to the obligations imposed on businesses in the same way that each prior draft did. While the withdrawn sections give businesses more flexibility in complying with specific areas of the law, the major obligations imposed under the June 1 draft remain largely untouched.
The most important development is that the regulations are no longer theoretical, and complying with them is no longer a forward-looking exercise but rather an active obligation for businesses operating within the scope of the CCPA.