The California Consumer Privacy Act (CCPA) is a comprehensive privacy law that may apply to businesses located in and outside of California. It was signed into law on June 28, 2018, went into effect on January 1, 2020, and became enforceable on July 1, 2020. The CCPA required the California State Attorney General to craft regulations that, among other things, operationalized the CCPA for businesses and provided guidance to consumers regarding their rights under the CCPA.1 The first CCPA regulations were approved by California’s Office of Administrative Law (OAL) on August 14, 2020. After four versions of proposed modifications and the incorporation of related feedback, on March 15, 2021, California’s Attorney General announced that the California OAL had approved additional regulations.2 The OAL’s approval of the amendments made these regulations law. Violations of the regulations are deemed violations of the CCPA. The revisions to the regulations went into effect upon approval on March 15, 2021. Just as these changes took effect, on March 17, 2021, California continued preparing for enforcement of the California Privacy Rights Act (CPRA), as California Governor Gavin Newsom announced the establishment and appointment of the inaugural five-member board for the California Privacy Protection Agency (CPPA). The CPPA was established by the CPRA and is a new administrative agency tasked with “protecting the fundamental privacy rights of consumers over their personal information.”3 The CPPA will take over rulemaking duties from the California Attorney General’s office and may bring administrative enforcement actions related to the CCPA, as well as the CPRA when it becomes effective in 2023.
In addition to the regulations set forth on August 14, 2020, the new regulations provide practical guidance for businesses’ compliance with the CCPA. The California Attorney General emphasized that the “newly-approved regulations ban so-called ‘dark patterns’ that delay or obscure the process for opting out of the sale of personal information.”4 In addition to providing clarity on opt-out requests, the regulations also address notice requirements for personal information and how businesses must handle consumer requests made by agents. The following are some of the new regulations:
- Notice of sale of personal information collected offline: Businesses that collect personal information offline and sell such personal information must provide consumers with notice of their right to opt out via offline notice.
- Optional opt-out icon: Businesses may use an opt-out icon in addition to, but not as a replacement for, the required notice of a right to opt out or a “Do Not Sell My Personal Information” link.
- Opt-out/do-not-sell requests: The regulations make clear that an opt-out request shall be easy for consumers to execute and shall require minimal steps for the consumer. The regulations expressly disallow businesses from using any opt-out method that is designed for, or would have the effect of, preventing or impairing a consumer from opting out. The regulations also require compliance with a request to opt out as soon as possible, but no later than 15 business days from the date of receipt.
- Consumer requests from authorized agents: The regulations provide clarity on CCPA provisions specifying how a business may authenticate authorized agent requests to know or to delete consumer information.
- Global privacy settings: Global privacy settings, such as a browser plug-in or a device setting that communicates or signals a client’s choice to opt out of the sale of his or her personal information, should be treated as a request to opt out of such sale. The regulations further provide guidance on how to manage any conflicts between such settings/signals and the consumer’s existing business-specific settings.
Compliance With These Changes
These revisions went into effect on March 15, 2021. As with the original regulations, businesses found to be out of compliance with the CCPA will receive a ‘notice to cure’ that provides a 30-day window for such businesses to remedy their noncompliance. Violations of CCPA regulations are deemed violations of the CCPA and can result in regulatory penalties as articulated in the CCPA. Businesses can face a regulatory fine of up to $2,500 per violation or $7,500 for each “intentional” violation of the regulations, in addition to potential liability in civil actions. Since CCPA enforcement began on July 1, 2020, the California Department of Justice has noted widespread compliance by companies doing business in California, especially in response to notices to cure.
In light of these new regulations, businesses subject to the CCPA should review the mechanisms they have in place to facilitate consumer opt-out requests to ensure compliance. Additionally, where changes are required, businesses should recall the requirement under the CCPA that notice must be reasonably accessible to consumers with disabilities and ensure that any policy changes continue to provide such accommodations. Please note the CCPA regulation amendments consist of a very small portion of the overall CCPA regulations and do not address the CPRA, which will be effective in 2023.