Keypoint: The California Attorney General's office once again published proposed modifications to its CCPA regulations. The modifications primarily focus on making changes to the provisions dealing with the right to opt out and authorized agent requests.

On October 12, 2020, the California Department of Justice published a third set of proposed modifications to its California Consumer Privacy Act (CCPA) regulations. The deadline to submit written comments is October 28, 2020.

The proposed modifications were published less than two months after the CCPA regulations went into effect on August 14, 2020. In general, the proposed changes focus on the provisions concerning the notice of the right to opt-out, requests to opt-out, and the use of authorized agents for making requests.

The proposed modifications are as follows:

§ 999.306. Notice of Right to Opt-Out of Sale of Personal Information

The modifications would add section (b)(3) to this section, stating:

(3) A business that collects personal information in the course of interacting with consumers offline shall also provide notice by an offline method that facilitates consumers' awareness of their right to opt-out. Illustrative examples follow:

a. A business that collects personal information from consumers in a brick-and mortar store may provide notice by printing the notice on the paper forms that collect the personal information or by posting signage in the area where the personal information is collected directing consumers to where the notice can be found online.

b. A business that collects personal information over the phone may provide the notice orally during the call where the information is collected.

§ 999.315 Requests to Opt-Out

The modifications would add a new section (h) to this regulation, requiring that a "business's methods for submitting requests to opt-out shall be easy for consumers to execute and shall require minimal steps to allow the consumer to opt-out." Businesses also would be prohibited from using "a method that is designed with the purpose or has the substantial effect of subverting or impairing a consumer's choice to opt-out." The proposed regulation provides the following "illustrative examples":

(1) The business's process for submitting a request to opt-out shall not require more steps than that business's process for a consumer to opt-in to the sale of personal information after having previously opted out. The number of steps for submitting a request to opt-out is measured from when the consumer clicks on the "Do Not Sell My Personal Information" link to completion of the request. The number of steps for submitting a request to opt-in to the sale of personal information is measured from the first indication by the consumer to the business of their interest to opt-in to completion of the request.

(2) A business shall not use confusing language, such as double-negatives (e.g., "Don't Not Sell My Personal Information"), when providing consumers the choice to optout.

(3) Except as permitted by these regulations, a business shall not require consumers to click through or listen to reasons why they should not submit a request to optout before confirming their request.

(4) The business's process for submitting a request to opt-out shall not require the consumer to provide personal information that is not necessary to implement the request.

(5) Upon clicking the "Do Not Sell My Personal Information" link, the business shall not require the consumer to search or scroll through the text of a privacy policy or similar document or webpage to locate the mechanism for submitting a request to opt-out.

§ 999.326 Authorized Agent

The modifications would rework the authorized agent regulation to provide that businesses may require the authorized agent to provide proof that the consumer gave the agent signed permission to submit the request. The prior version allowed businesses to ask the consumer to provide such information.

§ 999.332. Notices to Consumers Under 16 Years of Age.

The modifications would make the following change to § 999.332(a):

A business subject to sections 999.330 and/or 999.331 shall include a description of the processes set forth in those sections in its privacy policy.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.