With More Changes Made at the Regulatory Review Process, the CCPA Regulations Finally Come into Effect
On August 14, 2020, the California Attorney General announced approval by the Office of Administrative Law (OAL) of final Regulations under the California Consumer Privacy Act (CCPA). Proposed final Regulations were submitted to the OAL by Attorney General Becerra on June 1, 2020. The approved Regulations go into effect immediately.
During OAL’s review process, additional revisions were made to the proposed regulations. Although most of these changes are grammatical and stylistic, there are several substantive deletions. Specifically, the Attorney General withdrew the following four provisions, ostensibly for additional consideration and possible revision:
- A provision in §999.305 (Notice at Collection of Personal Information) which expressly prohibited businesses from using personal information for a purpose materially different from that disclosed in the notice at collection. If the business sought to use previously collected personal information for a materially different purpose, it was required to directly notify the consumer of the new use and obtain explicit consent from the consumer to use the information for the new purpose. Although consistent with the Fair Information Practice Principle of use limitation embodied in some privacy regulations, this requirement arguably went beyond the explicit requirements of the CCPA.
- A provision in §999.306 (Notice of Right to Opt-Out of Sale of Personal Information) which required businesses that substantially interact with consumers offline to provide notice to consumers by offline methods that facilitate consumers’ awareness of their right to opt-out of the sale of their personal information, such as printing a notice on paper forms that collect information, providing consumers with a paper version of the notice, or posting signage directing consumers to where the notice can be found online.
- A provision in §999.315 (Requests to Opt-Out) which required that a business’s methods for submitting requests to opt-out be easy for consumers to execute and require minimal steps to allow consumers to opt-out. Under this provision, businesses were expressly prohibited from utilizing a method that is designed with the purpose or has the substantial effect of subverting or impacting a consumer’s decision to opt-out.
- A provision in §999.326 (Authorized Agent) which expressly provided that a business may deny a request from an authorized agent that does not submit proof that they have been authorized by the consumer to act on their behalf. Even though this provision has been deleted from the final Regulations, businesses will likely continue to abide by it to minimize the risk of unauthorized disclosures and deletions.
Another notable change appears in §999.313(c)(8), which clarifies that businesses may designate a time period covered by a consumer’s verifiable request to know that is longer than the statutorily prescribed minimum of 12 months.
The California Attorney General has been enforcing the CCPA since July 1, 2020, but so far his enforcement has been limited to the provisions in the Act itself. As the Regulations now have the force of law, all businesses subject to the CCPA must comply with their provisions, and the Attorney General will be enforcing them going forward.