California AG Proposes Edits to CCPA Regulations

In August, just before the California Office of Administrative Law (OAL) approved CCPA regulations, the Office of the Attorney General (OAG) withdrew several provisions from its draft regulations. The OAG noted at the time that it might resubmit these provisions after further review and possible revision. Yesterday, the OAG solicited comments on newly proposed regulations that would reinstate some of the withdrawn provisions. Below is a summary of the original (withdrawn) provisions and the new proposal:

Offline Do Not Sell Notices
  • Original Proposal: businesses that substantially interact with consumers offline must provide offline notice of consumers’ Do Not Sell (DNS) rights. Illustrative examples include printed disclosures and signs posted in retail locations to direct consumers to an online notice.
  • New Proposal: largely tracks the original proposal except it: (1) applies to any business that collects personal information offline (no substantial interaction prerequisite); and (2) includes another illustrative example (providing oral notice during phone calls).
DNS Opt-Out Process
  • Original Proposal: requires the opt-out method to be easy to use and require minimal steps to opt-out. Prohibits the use of methods that impair consumers’ ability to opt-out.
  • New Proposal: mirrors the original proposal and adds five illustrative examples of impermissible practices including confusing opt-out instructions, requiring consumers to scroll through a privacy policy to receive DNS disclosures, and requiring consumers to provide unnecessary information to submit a DNS request.
Authorized Agent
  • Original Proposal: allows businesses to deny a CCPA request from an authorized agent that does not submit proof that they have been authorized by the consumer to act on their behalf.
  • New Proposal: mirrors the original proposal (in substance).

For most businesses, the most significant change would be the requirement to provide offline DNS notices. One option may be to combine this with offline point of collection disclosures; however, the draft regulations do not specify whether the DNS notice is required each time the business collects PI offline or only the first time it collects PI from each consumer.

The AG will accept comments on the proposed edits until 5:00 pm PST on October 28, 2020.