The CCPA brought big changes to the California data privacy landscape, including by giving California consumers the ability to learn more about how and why their data is collected, and some ability to limit business’s ability to keep and use that data.
Since it became effective on January 1, 2020, however, the CCPA landscape has shifted several times, including through initiation of enforcement in July 2020; the enactment of initial regulations in August 2020; and the California Privacy Rights Act (“CPRA”) amendments to the CCPA in November 2020. Just last week, there was yet another development: the March 15, 2021, announcement of additional CCPA regulations, which are effective immediately. These regulations concern:
- consumers’ rights to opt-out of the sale of their personal information by covered businesses offline;
- transparency in the processes allowing consumers to opt-out of the sale of their personal information;
- authorized agents’ ability to submit requests on behalf of consumers regarding their personal information; and
- privacy notices to consumers under age 16.
California government officials also this past week recently announced the appointments of Jennifer Urban, John Thompson, Angela Sierra, Lydia de la Torre and Vinhcent Le to the newly created California Privacy Protection Agency, which is tasked with enforcing the CCPA and its regulations. The Agency was created as mandated by the CPRA and is the first regulator in the U.S. solely focused on privacy matters.
So what changed?
Here’s what the new regulations have changed:
New opt-out regulations
The amendments ban so-called “dark patterns” that make it difficult for consumers to opt out of the sale of their personal information. The amendments prohibit companies from burdening consumers with confusing language or unnecessary steps (aka “dark patterns”) that might limit consumers’ ability to exercise their rights to opt-out. Businesses instead are required to create an opt-out process that is transparent and easy to follow:
- Businesses Selling Personal Information Offline (§ 999.306(b)(3)). Businesses that sell consumer personal information that the businesses collected offline are now required to inform consumers through an offline method of their right to opt-out. They also must give instructions on how to submit the opt-out request offline. For example, a business that collects personal information over the phone may choose to inform consumers during the call of their right to opt-out, as the personal information is being collected. ((§ 999.306(b)(3)(b)).
- New Optional Opt-Out Icon (§ 999.306(b)(3)(f)). The new regulations allow covered businesses to use an optional privacy opt-out icon. This icon, however, does not replace the CCPA’s requirement to provide notice of the right to opt-out or a “Do Not Sell My Personal Information” link. If a business decides to use the icon (image below), the icon should be similar in size to all icons on the business’ webpage.
- Consumer Opt-Out Process Transparency (§ 999.315(h)). Businesses need to ensure that opting out is easy, with minimal steps for consumers to follow. Businesses are not allowed to use methods that make it difficult or confusing. For example, the regulations prohibit the following in an opt-out process:
- using “confusing” and ambiguous language, or “double negatives”;
- requiring consumers to provide additional unnecessary information in order to submit the opt-out request; and
- requiring consumers to take more steps to opt-out of a covered business’ sale of their personal information than to opt-in to such sale.
Consumer Use of an Authorized Agent (§ 999.326(a))
Previously when a consumer used an authorized agent to request to know or delete personal information, a business may have required the consumer to provide the business with proof that the agent has the authority to submit the request. Although businesses may still require proof of agent authority, the burden of providing such proof is now on the authorized agent and no longer the consumer. The modifications also no longer allow businesses to require a consumer to provide an authorized agent with signed permission to submit a request on his or her behalf.
Privacy Notices to Consumers Under the Age of 16 (§ 999.332(a))
The new amendment clarifies that businesses that sell the personal information of children under the age of 13 “and/or” between the ages of 13 and 15 must include a description of how to opt-out of such sale in their privacy policy.
How do these new modifications affect you as a covered business?
These new regulations highlight the continued importance of ensuring your business is transparent in the collection and use of personal information, and that you implement policies and procedures that inform, notify, and clearly direct consumers both online and offline of their CCPA rights. You should ensure that the procedures in place to opt-out are clear, unambiguous, and not overly burdensome, and if you collect personal information of consumers under the age of 16 you should make sure that your privacy policies comply with CCPA regulations.
Nixon Peabody will continue to closely monitor and provide updates on developments and modifications to California privacy regulations.