The California Department of Justice (DOJ) just announced a third set of proposed changes to the current regulations for enforcing the California Consumer Privacy Act (CCPA). The proposed changes are available at www.oag.ca.gov/privacy/ccpa/current, along with the originally proposed regulations and “all documents relating to the rule making package, including previous modifications to the proposed regulations.
The marked-up revisions are available here. Proposed deletions are in red strike out and proposed modifications are in bold blue and underlined.
Here are the proposed changes:
- Section 999.306(b)(3)—Gives examples of how businesses that collect personal information when interacting with consumers off-line and over the phone can provide the notice of right to opt-out of the sale of personal information.
- Section 999.315, (h)—Provides guidance and illustrative examples on how a business’ methods for submitting requests to opt-out should be easy and require minimal steps. Basically, it prohibits using confusing or complicated processes that subvert or impair a consumer’s choice to opt-out such as requiring:
- More steps to opt-out than to opt-in
- Consumers to click-through or ‘listen to’ reasons for not opting out before allowing them to opt-out
- Consumers to search through a website or privacy notice in order to opt-out
- Consumers to provide more personal information than absolutely necessary to opt-out
- Confusing language like “Don’t Not Sell My Personal Information” is prohibited
- Proposed section 999.326 (a)—clarifies the proof that a business may require an authorized agent to provide, as well as what the business may require a consumer to do to verify their request.
- Proposed section 999.332(a)—clarifies that businesses subject to either section 999.330 (Consumers under 13 years old), section 999.331 (Consumers between 13 and 16), or both of these sections are required to include a description of the processes set forth in those sections in their privacy policies.
The DOJ will accept written comments regarding the proposed changes between Tuesday, October 13, 2020 and Wednesday, October 28, 2020. Please limit comments to the additions indicated in bold blue underline and the deletions indicated in red strike out. All written comments on the underlined changes must be submitted to the Department no later than 5:00 p.m. on October 28, 2020 by email to PrivacyRegulations@doj.ca.gov, or by mail to the address listed below.
Lisa B. Kim, Privacy Regulations Coordinator
California Office of the Attorney General
300 South Spring Street, First Floor
Los Angeles, CA 90013
All timely comments received that are relevant to the third set of proposed modifications indicated in blue bold underline and red strike out format will be reviewed and responded to by the Department’s staff as part of the compilation of the rule making file.
Compliant with CCPA? Awesome! Time to start thinking about CPRA!
California Consumer Privacy Act (CCPA): What’s Required and How to Comply