Third Set of Proposed Modifications To CCPA Regulations Published
Regulations regarding the notice of the right to opt-out, requests to opt out and authorized agents are subject to changes in the third set of proposed modifications to the CCPA.
Although all provisions of the California Consumer Privacy Act (CCPA) became final on August 14, 2020, the California Attorney General has already released another set of modifications just two months later.
On October 12, 2020, the Department of Justice provided notice of a third set of proposed modifications to the CCPA. The modifications are subject to a public comment period and the deadline to submit written comments is on October 28, 2020 at 5 p.m. PST. Comments are limited to the changes proposed in this third set of modifications.
The modifications include four changes:
§ 999.306: Additional requirements have been proposed under § 999.306 (b)(3), which expand the requirement of businesses to provide the notice of right to opt-out to consumers. If a business collects information while interacting with consumers offline, then it must ensure that consumers are provided an offline notification of their right to opt-out. The proposed amendment provides two examples of what an offline notification may look like:
If information is collected at a physical location, then the notice can either be printed on the physical documents being signed or posted as signage within the area where the information is being collected. The signage should provide information on where the notice to opt-out can be found online.
If information is collected over the phone, then the business may provide notice orally during the phone call where the consumer’s information is collected.
§ 999.315: The duty of businesses has expanded to ensure that requests to opt-out require minimal steps and are easy for consumers to carry out. This modification is in effort to ensure that businesses are not making it especially burdensome for consumers to exercise their right to opt-out. The amendment offers five examples of what constitutes violative practices:
Requests to opt-out should not require more steps than the process for consumers to opt-in to the sale of information after previously opting out.
Confusing language, such as double-negatives (“Don’t Not Sell My Personal Information”), should not be used when notifying consumers of their right to opt-out.
Businesses cannot provide consumers with a list of reasons as to why they shouldn’t opt-out before they submit their requests.
No unnecessary personal information shall be collected from consumers during the process of opting out.
§ 999.326: Previously, consumers could be required to provide proof that they gave an agent permission to submit a request to know or a request to delete on their behalf. Under the proposed modification, the responsibility to provide proof that a consumer gave signed permission has been transferred to the agent.
§ 999.332: The final modification offers clarity and provides that businesses subject to either § 999.330, § 999.331 or both must include a description of the processes set forth in their privacy policies.
The Department will consider all relevant comments that are submitted on time and will provide a response within the compilation of the rulemaking file.
Datawallet is the world’s leading blockchain based data privacy compliance platform. Being the first company to champion the concept of Consumer First Compliance, we not only enable enterprises to comply with complex international data privacy regulations such as CCPA and SB-220 in the United States, GDPR in Europe, and POPI in South Africa. But we furthermore provide users of our clients the ability to fully understand their data and make informed decisions about its usage.
If you want to jump right in and become compliant, start your free trial of our easy-to-use compliance platform here (no credit card required).
Need something tailormade for your organization? Contact us at firstname.lastname@example.org.CCPARegulatory UpdatesDatawalletConsumer PrivacyNews