CCPA Final Regulations Overview

On August 14, 2020, California Attorney General Xavier Becerra announced the approval of final regulations under the California Consumer Privacy Act (CCPA). The approved regulations go into effect immediately. Given that the final regulations are already in effect as of August 14, 2020, businesses should finalize their CCPA compliance processes and procedures in accordance with the final requirements.

Generally speaking, the final changes are fairly minor. They removed some inconsistencies and clarified some ambiguous language. Most of the changes give businesses some additional degree of flexibility. One exception is the change to the shorthand “Do Not Sell My Personal Information” language.

Summary of Important Changes to the Final Regulations

1. The option to use the shorthand phrase “Do Not Sell My Info” has been removed.
   • The correct language is “Do Not Sell My Personal Information”.
   • This change impact businesses that relied on this for opt-out links and privacy notice descriptions.
2. The requirement to obtain explicit consent for new processing purposes has been withdrawn.
   • CCPA previously required businesses to obtain explicit consent to use personal information for a “materially different” purpose than disclosed at the point of collection or in the privacy notice.
   • The underlying requirement is that businesses cannot use personal information for additional purposes without providing the consumer with the appropriate notice. Simply put, appropriate notice rather than explicit consent is now acceptable.
3. The requirement for offline businesses to provide an offline privacy notice has been withdrawn.
   • Previously businesses interacting offline with consumers had to provide notice to consumers by an offline method about their right to opt-out.
   • There is now more flexibility in how they present notices to consumers at the time of collection.
4. The service provider provision regarding collection done on behalf of the business has been revised to apply to any entity that would otherwise meet the definition of a “service provider.”
   • CCPA previously stated, if a business uses a second business to collect personal information directly from consumers on their behalf, they too will be deemed a service provider of the first business.
   • The final regulations have replaced all references to a “second business” with “second entity,” in recognition that “business” is a defined term under the CCPA.
   • The practical implication is that this now applies broadly to businesses now considered a “service provider.”
5. The requirement that submitting opt-out requests should be “easy for consumers to execute” and “require minimal steps to opt-out” has been withdrawn.
   • CCPA previously required businesses to offer easy to use methods for submitting requests to allow consumers to opt out. It also prohibited businesses from subverting or impairing a consumer’s decision to opt-out.
   • In the absence of this requirement, it is unclear how the AG will view multi-step opt-out processes.
6. Requirements around authorized agents and “written permission” have been slightly modified.
   • Clarification has been given that a business may deny a request from an authorized agent if the agent cannot provide the consumer’s signed permission they have been authorized to act on the consumer’s behalf.
7. The severability provision has been withdrawn.
   • CCPA previously stated that, if any particular language or section of the CCPA was held to be unconstitutional or exceeding the authority of the Attorney General, it won’t affect the validity of the remaining portion of these regulations.
   • This section has been withdrawn entirely.

Are you ready to comply with CCPA? Take our short quiz to find out.