California Attorney General adopts another round of CCPA regulations

The California Attorney General adopted new regulations in March that may require changes to how businesses communicate with consumers about their rights under the CCPA. These regulations are aimed at practices that the Attorney General’s office views as unfair to consumers and has pursued in enforcement letters to companies to date. Every company doing business in California that must comply with the CCPA should review its communications to customers about the CCPA.

Offline notice of sales of personal information

Businesses that collect personal information from consumers offline and also sell that information must now give consumers notice, via an offline method, of their right to opt out of such sale. The communication should provide direction on how to exercise that right. Example methods include providing the disclosure on paper forms used to collect personal information and posting signs in the area where personal information is collected.

Optional opt-out icon

The Amendments include an optional opt-out “Privacy Options” icon that businesses can use in addition to providing a notice of the right to opt out and the “Do Not Sell My Personal Information” link as required by the CCPA and Regulations. If the icon is used, it must be approximately the same size as any other icons on the business’s website.

Requirements for facilitating consumer opt-out requests

The Amendments require that opt-out methods be “easy for consumers to execute” and “require minimal steps.” They explicitly prohibit methods that are “designed with the purpose” or have the “substantial effect” of subverting or impairing a consumer’s opt-out choice.

Authorized agent requests

The Regulations previously allowed businesses to require a consumer to provide the business with signed permission before an authorized agent could submit a request to know or request to delete on the consumer’s behalf. This approach was eliminated in favor of one where businesses can require authorized agents to provide “proof” that the consumer gave the agent signed permission to submit requests to know or delete on behalf of the consumer.

The Amendments permit a business to require the consumer to either verify their own identity directly with the business or directly confirm with the business that the consumer provided the authorized agent permission to submit the request to know or delete.

Key takeaways

All businesses should review the Amendments and consider the need to make corresponding updates to their CCPA policies and procedures, such as updating the mechanisms available for authorized agents to submit requests.