California AG’s Additional Regulations to CCPA Take Effect

On March 15, 2021, the California Attorney General’s Office (“CAG”) announced approval by the Office of Administrative Law of the fourth set of modifications to the California Consumer Privacy Act regulations. The minor modifications accepted in the fourth proposal clarify the CCPA, although developments will continue until after implementation of the California Privacy Rights Act, which is effective on January 1, 2023.

Offline Notice

Businesses that sell personal information collected from consumers offline must inform consumers of the right to opt-out by an offline method. For a brick-and-mortar store, informing consumers of their opt-out right may be done on the paper forms used to collect the personal information or by posted signage where the personal information is collected. Businesses that sell personal information collected over the phone may inform the consumer of opt-out rights during the call. Importantly, the regulations require informing consumers specifically of their opt-out rights so a general disclosure of privacy rights may be insufficient.

Opt-out Button

Businesses may use a CAG-designed “opt-out” button in addition to providing notice of the right to opt-out. Businesses that choose to use the optional “opt-out” button must place the button directly to the left of the “Do Not Sell My Personal Information” link. Further, the button must be the same size as all other buttons on the page and must link to the same webpage or online location as the “Do Not Sell My Personal Information” link. Although the regulatory text is unclear, a response from the CAG to comments filed during the rulemaking process indicates that use of the button is, in fact, optional.

Authorized Agent

Businesses may deny a consumer rights request from an authorized agent acting on behalf of the consumer if the agent does not submit proof of authorization from the consumer. Businesses may contact the consumer to validate the authorization, but the regulations appear to preclude contacting the consumer to obtain the authorization in the first instance.

* Aaron Parry contributed to this post.