CCPA Final Regulations Overview
Generally speaking, the final changes are fairly minor. They removed some inconsistencies and clarified some ambiguous language. Most of the changes give businesses some additional degree of flexibility. One exception is the change to the shorthand “Do Not Sell My Personal Information” language.
Summary of Important Changes to the Final Regulations
- The option to use the shorthand phrase “Do Not Sell My Info” has been removed.
  - The correct language is “Do Not Sell My Personal Information”.
  - This change impacts businesses that relied on the shorthand for opt-out links and privacy notice descriptions.
- The requirement to obtain explicit consent for new processing purposes has been withdrawn.
  - CCPA previously required businesses to obtain explicit consent to use personal information for a “materially different” purpose than disclosed at the point of collection or in the privacy notice.
  - The underlying requirement is that businesses cannot use personal information for additional purposes without providing the consumer with the appropriate notice. Simply put, appropriate notice rather than explicit consent is now acceptable.
- The requirement for offline businesses to provide an offline privacy notice has been withdrawn.
  - Previously, businesses interacting offline with consumers had to provide notice to consumers by an offline method about their right to opt out.
  - There is now more flexibility in how they present notices to consumers at the time of collection.
- The service provider provision regarding collection done on behalf of the business has been revised to apply to any entity that would otherwise meet the definition of a “service provider.”
  - CCPA previously stated that if a business uses a second business to collect personal information directly from consumers on its behalf, the second business too will be deemed a service provider of the first business.
  - The final regulations have replaced all references to a “second business” with “second entity,” in recognition that “business” is a defined term under the CCPA.
  - The practical implication is that this provision applies broadly to businesses now considered a “service provider.”
- The requirement that submitting opt-out requests should be “easy for consumers to execute” and “require minimal steps to opt-out” has been withdrawn.
  - CCPA previously required businesses to offer easy-to-use methods for submitting requests to allow consumers to opt out. It also prohibited businesses from subverting or impairing a consumer’s decision to opt out.
  - In the absence of this requirement, it is unclear how the AG will view multi-step opt-out processes.
- Requirements around authorized agents and “written permission” have been slightly modified.
  - Clarification has been given that a business may deny a request from an authorized agent if the agent cannot provide the consumer’s signed permission showing that the agent has been authorized to act on the consumer’s behalf.
- The severability provision has been withdrawn.
  - CCPA previously stated that, if any particular language or section of the CCPA was held to be unconstitutional or exceeding the authority of the Attorney General, that would not affect the validity of the remaining portion of these regulations.
  - This section has been withdrawn entirely.