The Office of Administrative Law’s (OAL) approval of the California Attorney General’s proposed regulations to the CCPA on August 14, 2020 was just the news we needed in 2020. Even better, because the OAL graciously approved the finalized regulations on a Friday afternoon, the weekend was spent thinking about best legal practices moving forward. One thing for sure, the finalized regulations are effective immediately.

In case you forgot how we got here, let’s rewind and tell the story of how the finalized regulations came to be. A long time ago, back in October of 2019, the AG published the proposed regulations and the public was given a legally required comment period. Based on the comments received, the AG’s office then published the first set of modified regulations on February 10, 2020. Another legally required comment period followed. On March 27, 2020, the AG published the second set of modified regulations. After another legally required comment period, the AG announced it submitted regulations to OAL for final approval on June 1, 2020. On August 14, 2020, OAL gave its approval and here we are.

For businesses who have been mindful of compliance with the proposed regulations, the finalized version of the regulations remains largely the same. However, the finalized version of the regulations disposes of a few provisions, makes corrections in others, and in true fashion, corrects something or another to do with the notice of right to opt-out and opt-out requests. With that, let’s dig into what the finalized regulations have to offer.

REMOVED FROM REGULATIONS

The following sections were withdrawn for further consideration and are not part of the finalized regulations:

  • Particularly noteworthy for Notice at Collection and additional uses, the following was withdrawn: “A business shall not use a consumer’s personal information for a purpose materially different than those disclosed in the notice at collection…[if] materially different…directly notify the consumer of this new use and obtain explicit consent…for this new purpose” (formerly known as Section 999.305(a)(5)).
  • Particularly noteworthy for Notice of Right to Opt-Out and businesses that collect PI from consumers offline, the following was withdrawn: “A business that substantially interacts with consumers offline shall also provide notice to the consumer by an offline method that facilitates consumer awareness of their right to opt-out. Such methods include, but are not limited to, printing the notice on paper forms that collect personal information, providing the consumer with a paper version of the notice, and posting signage directing consumers to a website where the notice can be found online” (formerly known as Section 999.306(b)(2)).
  • Particularly noteworthy for methods for submitting requests to opt-out, the following was withdrawn: “A business’s methods for submitting requests to opt-out shall be easy for consumers to execute and shall require minimal steps to allow the consumer to opt-out. A business shall not utilize a method that is designed with the purpose or has the substantial effect of subverting or impairing a consumer’s decision to opt-out” (formerly known as Section 999.315(c)).
  • Particularly noteworthy for denying all requests from authorized agents, the following was withdrawn: “A business may deny a request from an authorized agent that does not submit proof that they have been authorized by the consumer to act on their behalf” (formerly known as Section 999.326(c)). However, businesses can still deny requests from an authorized agent if certain conditions are not met. For example, if an authorized agent cannot submit proof of the signed permission demonstrating the agency, a business may deny the request to opt-out. See Section 999.315(f). Originally, any proof that the agency existed was enough. Now, it is clear they need to provide a signed permission, otherwise, the opt-out request can be denied. For requests to know and delete, verification of the agency is still governed by Section 999.326(a) where the business can ask (i) the authorized agent to submit signed proof; (ii) the consumer to verify their identity directly with the business; and/or (iii) the consumer to directly confirm that the agency exists.

As noted by the AG in the Addendum, the above removed sections may be further reviewed, revised, and resubmitted by the AG.

CORRECTIONS WORTH NOTING:

  • If responding to a request to know, a business can provide information that extends back further than 12 months if it so specifies. See 999.313(c)(8).
  • Surprisingly, the finalized version the of the regulations does not included the abbreviate language for the “do not sell” link. The AG removed “DO NOT SELL MY PERSONAL INFO” from the finalized version of the regulations such that “DO NOT SELL MY PERSONAL INFORMATION,” is all that remains. According to the AG’s Addendum to the Final Statement of Reasons (“Addendum”), it was removed to more closely align with the express language of the statute. This may be true, but it begs the question why the AG put the abbreviated phrase in the regulations in the first place. We note that even if the “do not sell” link is phrased incorrectly; the violating business would have 30 days to cure once notified of the violation.
  • The Severability provision in Section 999.341 was also removed. According to the Addendum, it was removed because it was unnecessary.

DO NOT TRACK AND GLOBAL PRIVACY CONTROLS

Let’s be honest, we’re all wondering what finalized regulations means for “do not track” signals and the “global privacy controls” explicitly referenced in the regulations. There has been widespread speculation as to whether the regulations, if ever made final, would require businesses to treat “do not track” signals as verifiable requests to opt out of the sale of personal information. Interestingly, in Appendix E of the Final Statement of Reasons, submitted on June 1, 2020, the AG provided responses to comments received during the final comment period. In those responses back in June, the AG said two things: (i) businesses have the “discretion to treat a ‘do not track’ signal as a useful proxy for communicating a consumer’s privacy choices to businesses and third parties;” and (ii) global privacy controls are meant to be forward-looking as the regulations “state the privacy control be “developed’ in accordance with these regulations.” See Appendix E Responses 68 and 71. This may not fully answer the question about what to do with “do not track” signals and global privacy controls, but it is nevertheless intriguing that the AG chose to make these statements in the responses.

CONCLUSION

The fact we have finalized regulations means we can all take a breath, but just one. We know there is a strong possibility that the finalized regulations will only be effective for the next two years and four months. In what seems to be on par for 2020, all eyes are on November and the ballot initiative called the “California Privacy Rights Act of 2020.” It just might change things up for 2023.