Here we go again! On March 15th, 2021, the California Department of Justice (“Department”) announced approval of modifications to the California Consumer Privacy Act’s (CCPA) regulations, originally introduced in December of 2020. The new regulations mainly modify provisions related to a consumer’s right to opt out of sale of their personal information, with the aim of “protecting consumers from unlawful business practices that may be deceptive or misleading”. The changes to the regulations are effective immediately.
“California is at the cutting edge of online privacy protection, and this newest approval by OAL clears even more hurdles in empowering consumers to exercise their rights under the California Consumer Privacy Act,” said Attorney General Becerra in the press release announcing the latest modifications to the CCPA regulations. “These protections ensure that consumers will not be confused or misled when seeking to exercise their data privacy rights.”
Right to Opt-Out Modifications
- Ban on Dark Patterns that Delay or Obscure Opt-Outs. The newly approved regulations prohibit what AG Becerra references as “dark patterns” that cause ambiguity in the process of a consumer’s opting out of sale of their personal information. The regulations provide five examples of prohibitive measures related to opt-out methods including developing confusing language such as “double negatives” or unnecessary steps such as requiring consumers to click through multiple screens before opting out. A business’s methods for submitting requests to opt-out must be easy for consumers to execute and require minimal steps to allow the consumer to opt-out.
- Offline Opt-Out Methods. A business that sells personal information that it collects in the course of interacting with consumers offline shall also inform consumers by an offline method of their right to opt-out and provide instructions on how to submit a request to opt-out. For example, a brick-and-mortar store may inform consumers via paper forms or by posting signage in the area where personal information is collected and directing consumers to where opt-out information can be found online.
- Privacy Icon. In addition, the latest regulations also provide covered businesses with an optional privacy options icon, which can be used in addition to posting the notice of right to opt out, but not in lieu of any related requirements. The icon should be the approximately the same size as any other icon used by the business on its webpage. The icon was developed by Carnegie Mellon University’s Cylab jointly with the University of Michigan’s School of Information by testing the icon against other icons to determine the most effective design for communicating to the consumer its right to opt out. The icon is available for download here.
Authorized Agent.
The latest regulations also address the use of an authorized agent. When a consumer uses an authorized agent to submit a request to know or a request to delete, a business may require the authorized agent to provide proof that the consumer gave the agent signed permission to submit the request. Previously, this requirement was placed on the consumer.
That said, a business may still require a consumer to verify their own identity directly with the business or directly confirm with the business that they provided the authorized agent permission to submit the request.
Takeaway
AG Becerra’s press release reminds companies that enforcement of the law is alive and well, but that the Department has been pleased to see widespread compliance by companies doing business in California, particularly in response to “notice to cure”, which provides companies a 30-day window to remedy their noncompliance. Companies should continue to monitor CCPA developments and ensure their privacy programs and procedures remain aligned with current compliance requirements.