On March 15, 2021, the California Attorney General approved additional regulations for the California Consumer Privacy Act (CCPA), which focuses on the right to the right to opt-out of sale, authorized agents, and notices to consumers under 16 years of age.  Specifically, sections 999.306, 999.315, 999.326 and 999.332 were revised and/or added to the CCPA regulations in this final review.  This privacy quick tip highlights the changes that were made.

  • 999.306 Notice of Right to Opt-Out of Sale of Personal Information.

In § 999.306(b)(3), the Attorney General added a requirement for businesses that sell personal information they collect offline to also inform consumers through an offline method of their right to opt-out and provide instructions on how to do so.  This provision lists examples of such notices, such as informing consumers via the paper form that the business used to collect personal information or through signage in the area where the information is collected, which directs the consumer to where the opt-out information can be found online.  Lastly, the regulations added the option for businesses that sell information they collect over the phone to inform the consumer of the right to opt-out orally.

In § 999.306(f), the Attorney General added an opt-out icon that may be used in addition to posting the notice of the right to opt-out.  This provision noted that the icon should not be used in lieu of the Do Not Sell My Personal Information link (“DNS link”) and should be the same size as other icons the business uses.

Takeaway:  Because this provision is optional, it does not obligate businesses to make any changes to its approach to sale of personal information, but instead provides them with stylistic alternative.

  • 999.315 Requests to Opt-Out

The California Attorney General added guidance on requests to opt-out.  The new regulations explain that methods for submitting a request to opt-out, which is measured from the time the consumer clicks the DNS link to completion of the request, shall not require more steps than the process for opting in, which is also measured from the time a consumer indicates a desire to opt-in to completion of the request.

Additionally, businesses should not do the following:  (1) use confusing language in the DNS link, such as a double negative; (2) require the consumer to read reasons why they should not opt-out unless permitted under the regulations; (3) require the consumer to provide personal information that is not necessary to implement the request; (4) after clicking the DNS link, require the consumer to search through a document or privacy policy to locate the mechanism for opting out.

Takeaway:  Businesses should reevaluate their opt-out of sale mechanisms to ensure they comply with these additional obligations.

  • 999.326 Authorized Agent

Initially, this section permitted businesses that received requests via an authorized agent to either require consumers to provide proof that they provided an authorized agent signed permission to submit requests on their behalf, require consumers to verify their identity directly with the business, or require consumers to directly confirm with the business that they provided the authorized agent permission to submit the request.  This section was revised to remove the option for businesses to require consumers to provide signed permission.  Instead, businesses may now only ask the agent to provide proof that the consumer gave signed permission.  Businesses, however, may still require consumers to verify their identity directly with the business, or require consumers to directly confirm with the business that they provided the authorized agent permission to submit the request.

Takeaway:  If businesses routinely ask consumers to provide proof of signed permission when authorized agents make CCPA requests, they should revise their procedures to instead ask the agent to show proof of this permission or rely on the other two available alternatives.

  • 999.332 Notices to Consumers Under 16 Years of Age.

Initially, businesses subject to § 999.330 (Consumers Under 13 Years of Age) and § 999.331 (Consumers 13 to 15 Years of Age) were required to include a description of their process for obtaining opt-in consent from minors (or their parents or guardian if under 13) in their privacy policy.  This was revised to require businesses subject to either § 999.330 or § 999.331 to include a description of their opt-in processes for minors in their privacy policies.

Takeaway:  Businesses that sell the personal information of consumers under the age of 16 should make sure their privacy policies include a description of how they obtain consent to do so.