The CCPA brought big changes to the California data privacy landscape, including by giving California consumers the ability to learn more about how and why their data is collected, and some ability to limit businesses’ ability to keep and use that data.
Since it became effective on January 1, 2020, however, the CCPA landscape has shifted several times, including through initiation of enforcement in July 2020; the enactment of initial regulations in August 2020; and the California Privacy Rights Act (“CPRA”) amendments to the CCPA in November 2020. Just last week, there was yet another development: the March 15, 2021, announcement of additional CCPA regulations, which are effective immediately. These regulations concern:
California government officials also announced this past week the appointments of Jennifer Urban, John Thompson, Angela Sierra, Lydia de la Torre and Vinhcent Le to the newly created California Privacy Protection Agency, which is tasked with enforcing the CCPA and its regulations. The Agency was created as mandated by the CPRA and is the first regulator in the U.S. solely focused on privacy matters.
Here’s what the new regulations have changed:
New opt-out regulations
The amendments ban so-called “dark patterns” that make it difficult for consumers to opt out of the sale of their personal information. They prohibit companies from burdening consumers with confusing language or unnecessary steps that might limit consumers’ ability to exercise their rights to opt out. Businesses instead are required to create an opt-out process that is transparent and easy to follow:
Consumer Use of an Authorized Agent (§ 999.326(a))
Previously, when a consumer used an authorized agent to request to know or delete personal information, a business may have required the consumer to provide the business with proof that the agent has the authority to submit the request. Although businesses may still require proof of agent authority, the burden of providing such proof is now on the authorized agent and no longer the consumer. The modifications also no longer allow businesses to require a consumer to provide an authorized agent with signed permission to submit a request on his or her behalf.
Privacy Notices to Consumers Under the Age of 16 (§ 999.332(a))
These new regulations highlight the continued importance of ensuring your business is transparent in the collection and use of personal information, and that you implement policies and procedures that inform, notify, and clearly direct consumers both online and offline of their CCPA rights. You should ensure that the procedures in place to opt out are clear, unambiguous, and not overly burdensome, and if you collect personal information of consumers under the age of 16, you should make sure that your privacy policies comply with CCPA regulations.
Nixon Peabody will continue to closely monitor and provide updates on developments and modifications to California privacy regulations.
The foregoing has been prepared for the general information of clients and friends of the firm. It is not meant to provide legal advice with respect to any specific matter and should not be acted upon without professional counsel. If you have any questions or require any further information regarding these or other related matters, please contact your regular Nixon Peabody LLP representative. This material may be considered advertising under certain rules of professional conduct.