A Third Set of Modifications to the CCPA Regulations

This week, the California Department of Justice again announced a third set of proposed modifications made to the CCPA regulations summarized below.

• Examples were given of how businesses collecting personal information from consumers offline can provide the notice of right to opt-out of the sale of personal information through an offline method.
• Guidance was provided on how submitting requests to opt-out should be easy and require minimal steps.
• Methods must be designed to avoid subverting or impairing a consumer’s choice to opt-out.
• A request to opt-out shall not require more steps than that business’s process for a consumer to opt-in to the sale of personal information after having previously opted out.
• Do not use confusing language, such as double negatives (e.g., “Don’t Not Sell My Personal Information”), when providing consumers, the choice to opt-out.
• Don’t require consumers to click through or listen to reasons why they should not submit a request to opt-out before confirming their request.
  Don’t require the consumer to provide personal information that is not necessary to implement the request.
• The “Do Not Sell My Personal Information” link should not require the consumer to search or scroll through the text of a privacy policy or similar document or webpage to locate the mechanism for submitting a request to opt-out.
• Clarification that a business may require an authorized agent to provide proof the consumer gave permission or may require a consumer to verify their request.
• Clarification that businesses that have actual knowledge that they sell the personal information of minors are required to include in their privacy policies a description of their method for verifying that the person authorizing the sale of a child’s data is actually that child’s parent or guardian.

In the meantime, the WireWheel Privacy Management Platform and DSAR Automation tools are here to help!