Only two months after finalizing the CCPA regulations, the California Attorney General’s office today released a new set of proposed changes, most significantly addressing “Do Not Sell My Personal Information” requests. The office has also recommended changes to the regulations related to providing notice when businesses collect personal information offline, proof required when an authorized agent submits a request on behalf of a consumer, and a grammatical change related to providing notice of how to opt in to the sale of children’s information.
- Do Not Sell Requests. The proposed addition specifies that a “Do Not Sell” request must “be easy for consumers to execute and shall require minimal steps to allow the consumer to opt-out.” The change would prohibit businesses from using any method that is designed to or would have the effect of preventing a consumer from opting out. The proposal enumerates specific examples, such as requiring a consumer to: (1) complete more steps to opt out than to re-opt in after a consumer had previously opted out; (2) provide personal information that is not necessary to implement the opt-out request; and (3) read through a list of reasons why he or she shouldn’t opt out before confirming the request.
- Notice for Offline Collection. The proposal requires businesses that collect personal information offline to provide an offline notice, such as providing consumers with paper forms or posting signs in a store, or giving an oral notice if collecting personal information over the phone.
- Authorized Agent Requests. The finalized regulations previously permitted businesses to require that a consumer provide the authorized agent with signed permission to submit the access or deletion request. The proposed change shifts the burden to the authorized agent to provide proof of signed permission, rather than imposing the requirement on the consumer to provide signed permission.
- Children’s Information. The proposed grammatical change in section 999.332, requires businesses who sell personal information of children under the age of 13 or between the ages of 13 and 15 (rather than both) to include a description of how to make a sale opt-in request in their privacy policies.
The deadline to submit written comments related to these proposals is 5:00 PM PST on October 28, 2020. We will continue to monitor and will report any changes made to the regulations once they are finalized.
For more updates and information on the CCPA and and other privacy topics, visit:
Futureproofing Privacy Programs
Building a successful privacy program requires much more than compliance with data protection laws. To thrive in today’s global, data-driven environment, companies also need to understand the political environment and public attitudes surrounding privacy in the countries in which they operate. Of course, companies must anticipate and adapt to changing privacy regulations as well. This webinar will present strategies to help meet these challenges, with a focus on setting up structures to join local awareness with global compliance approaches.