A Third Set of Modifications to the CCPA Regulations
• read
It seems like we’ve been talking about the CCPA for a very long time. The first proposed CCPA language came out in October 2019. The California DOJ received feedback during public commentary periods and went through several rounds of modifications to the proposed regulations, based on those comments. After all of the contemplation the final version of the CCPA regulations became effective in August reading very much like the previous versions.
This week, the California Department of Justice again announced a third set of proposed modifications made to the CCPA regulations summarized below.
- Examples were given of how businesses collecting personal information from consumers offline can provide the notice of right to opt-out of the sale of personal information through an offline method.
- Guidance was provided on how submitting requests to opt-out should be easy and require minimal steps.
- Methods must be designed to avoid subverting or impairing a consumer’s choice to opt-out.
- A request to opt-out shall not require more steps than that business’s process for a consumer to opt-in to the sale of personal information after having previously opted out.
- Do not use confusing language, such as double negatives (e.g., “Don’t Not Sell My Personal Information”), when providing consumers, the choice to opt-out.
- Don’t require consumers to click through or listen to reasons why they should not submit a request to opt-out before confirming their request.
- Don’t require the consumer to provide personal information that is not necessary to implement the request.
- The “Do Not Sell My Personal Information” link should not require the consumer to search or scroll through the text of a privacy policy or similar document or webpage to locate the mechanism for submitting a request to opt-out.
- Clarification that a business may require an authorized agent to provide proof the consumer gave permission or may require a consumer to verify their request.
- Clarification that businesses that have actual knowledge that they sell the personal information of minors are required to include in their privacy policies a description of their method for verifying that the person authorizing the sale of a child’s data is actually that child’s parent or guardian.
If the history of CCPA is any indication there are likely to be additional clarifications on key compliance issues facing covered businesses and their service providers. We will continue to update on CCPA and other related developments as they unfold.
In the meantime, the WireWheel Privacy Management Platform and DSAR Automation tools are here to help!