California Approves CCPA Final Regulations

September 3, 2020

By: Linda A. Malek, Khaled Mowad, Kiyong Song, and Blaze D. Waleski

On June 1, 2020, California Attorney General Xavier Becerra submitted proposed final regulations implementing the California Consumer Privacy Act (“CCPA”) to the California Office of Administrative Law (“OAL”).  The OAL made revisions to the proposed final regulations (“Final Regulations”),1 and ultimately approved them along with an updated Addendum to the Final Statement of Reasons.2  The Final Regulations take effect immediately as of August 14, 2020.3  As a reminder, the statutory provisions of the CCPA became enforceable on July 1, 2020.  All businesses subject to the CCPA must comply with not only the statute, but also the regulations.

Changes in the Final Regulations
 

The AG’s office made several edits to the initial draft of the proposed regulations in June, which include what the AG’s office characterizes as “non-substantive” changes intended to provide greater consistency and clarity on the CCPA (e.g., improving consistency in language, making grammatical edits, renumbering of subsections).4  The rest of such changes are detailed in the Addendum to the Final Statement of Reasons.

In addition, the AG’s office made several notable substantive changes to the proposed regulations.  Four key provisions have been removed in the final version.  Although other modifications to the regulations were also made, these four removals are worth noting and are outlined in detail below.

1. Notice at Collection of Personal Information [§ 999.305]

  • Removed Subsection:  § 999.305(a)(5) – “A business shall not use a consumer’s personal information for a purpose materially different than those disclosed in the notice at collection.  If the business seeks to use a consumer’s previously collected personal information for a purpose materially different than what was previously disclosed to the consumer in the notice at collection, the business shall directly notify the consumer of this new use and obtain explicit consent from the consumer to use it for this new purpose.”
     
  • Underlying Statutory Provision(s):  § 1798.100(b) is the underlying statutory requirement that businesses shall not use personal information for additional purposes without providing the consumer with notice.  The statutory requirement is still in effect and enforceable.
     
  • Consequence:  Businesses must still notify consumers directly, pursuant to the statute, and obtain explicit consent from the consumer about any new purposes of processing personal information. 

2. Notice of Right to Opt-Out of Sale of Personal Information [§ 999.306]

  • Removed Subsection:  § 999.603(b)(2) – “A business that substantially interacts with consumers offline shall also provide notice to the consumer by an offline method that facilitates consumer awareness of their right to opt-out. Such methods include, but are not limited to, printing the notice on paper forms that collect personal information, providing the consumer with a paper version of the notice, and posting signage directing consumers to where the notice can be found online.”
     
  • Consequence:  By removing this subsection, businesses that are subject to CCPA but operate offline arguably have more flexibility regarding their notice requirements.  Now, these offline businesses are not required to provide opt-out rights by an offline method; instead, they may presumably provide such opt-out rights via an online opt-out form.
     
  • New § 999.306(a)(2):  With the removal of the above, the subsequent subsections are appropriately renumbered.  The “new” subsection (b)(2) requires that any business that does not operate a website must, nonetheless, still “establish, document, and comply with another method by which it informs consumers of their right to opt-out.”

3. Opt-Out Requests [§ 999.315]

  • Removed Subsection:  § 999.315(c) was removed (and subsequent sections renumbered) -  “A business’s methods for submitting requests to opt-out shall be easy for consumers to execute and shall require minimal steps to allow the consumer to opt-out.  A business shall not utilize a method that is designed with the purpose or has the substantial effect of subverting or impairing a consumer’s decision to opt-out.” (emphasis added)
     
  • Consequence:  The removed subsection (c) provided an “easy for consumers to execute” standard that applied to businesses’ request mechanisms.  It also included a “minimal steps” requirement for the request mechanisms.  Now, neither of these standards is expressly articulated, and businesses may have more flexibility regarding methods for providing consumer opt-out while still providing for ease of use, as discussed more fully below.
     
  • Ambiguity Arising From Existing Subsections:  § 999.315(a) still requires businesses to “provide two or more designated methods for submitting requests for opt-out.”  These businesses also still have the responsibility, under § 999.315(b), to “consider the methods by which it interacts with consumers . . . and ease of use by the consumer when determining which methods consumers may use to submit requests to opt-out.”  Thus, even though subsection (c) has been removed in the final implementation regulations, in practice, the policy of expecting a business to provide an opt-out method that is easy for consumers to execute appears to remain in place.  These changes provide no specific standard by which the Attorney General would enforce the businesses’ obligations with respect to consumers’ opt-out rights and the exercise thereof, but may provide some flexibility in permissible methods used to comply with the intent of the regulations.

4. Authorized Agent [§ 999.326]

  • Removed Subsection:  § 999.326(c) was removed (and subsequent subsections renumbered) – “A business may deny a request from an authorized agent that does not submit proof that they have been authorized by the consumer to act on their behalf.”  The Addendum to the Final Statement of Reasons provides that the Office of Attorney General “may resubmit this section after further review and possible revision.”
     
  • Consequences:  The removal of this section does not materially affect the business’s right to deny an opt-out request from an authorized agent, if the consumer does not satisfy the verification requirements of the business that the consumer has in fact given such agent permission to act on his/her behalf, as set forth in Section 999.315(f) (described below), which has remained unchanged.  The business’s general obligations to respond to consumer requests to delete their information or to know how their personal information is collected, used or shared and the ability to deny these requests also remain intact as set forth in § 999.313.

    Furthermore, the authorized agent is not deprived of his/her rights to make requests on behalf of the consumer, as the final implementation regulations at § 999.308(c)(5) still require businesses to provide clear instructions on how the authorized agent can make a request under CCPA.
     
  • Related Section § 999.315(f):  Under § 999.315(f), a consumer may designate an authorized agent to submit requests to opt-out as long as the consumer provides the agent with a signed written permission.  Under the same subsection (f), the business may deny this request “if the agent cannot provide to the business the consumer’s signed permission demonstrating that they have been authorized by the consumer to act on the consumer’s behalf.”

Other Noteworthy Changes
 

In addition to granting consumers substantial rights with respect to their personal information collected by businesses, the CCPA also provides specific protection for children.  The CCPA, from its inception, set forth regulations to impose additional requirements on data from children under 13 years of age, on top of those imposed by the Children’s Online Privacy Protection Rule (“COPPA”).  The final regulations provide for these additional requirements essentially as they were proposed:  specifically, a business “that has actual knowledge that it sells the personal information of consumers at least 13 years of age and less than 16 years of age[.]” must collect opt-in consent from the consumer to the sale of the consumer’s personal information.5  Additionally, businesses collecting personal information of minor consumers must also provide a description of the processes regarding the consumers’ right to opt-out at a later time.  However, the final regulations also include a provision that permits businesses that exclusively target minor consumers but do not sell their personal information to exercise discretion as to whether to provide the notice of a right to opt-out.6

Conclusion
 

The penalties for non-compliance with the CCPA are substantial, between $2,500 and $7,500 per CCPA violation.  With CCPA enforcement commencing as of July 1, 2020, and the Final Regulations taking effect immediately, entities should carefully review their current CCPA practices and policies to ensure that they are compliant with not only the statute but also the Final Regulations.


1 Final Text of Proposed Regulations, Office of the Attorney General, State of California, https://www.oag.ca.gov/sites/all/files/agweb/pdfs/privacy/oal-sub-final-text-of-regs.pdf? [hereinafter Final Regulations].  Please refer to this document for all pin cites to the final implementation regulations.

2 Addendum to Final Statement of Reasons, Office of Attorney General, State of California, https://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/addendum-fsor.pdf (July 29, 2020).

3 For any CCPA Regulations or related legislative and regulatory documents, please see State of Cal. Dep’t of Justice, Office of Atty. Gen. Xavier Becerra, CCPA Regulations, https://oag.ca.gov/privacy/ccpa/regs (last visited Aug. 24, 2020).

4 See Addendum to Final Statement of Reasons.

5 See Final Regulations § 999.331(a).

6 See Final Regulations § 999.332(b).