California Formally Approves CCPA Regulations

In June, the California attorney general submitted “final” CCPA regulations to the Office of Administrative Law (OAL) for approval. Last Friday, the state released the text of the Approved Regulations and the Final Statement of Reasons. Most changes equate to “clean-up” of the AG’s draft; however, the approved regulations include the following substantive changes:

  • Removed all references to the “Do Not Sell My Info” link. This means businesses must revert to the “Do Not Sell My Personal Information” link contemplated by the statute.
  • Deleted the provision requiring businesses to obtain consumers’ explicit consent before using their personal information for purposes that are materially different than those disclosed when the business collected the information. Although this may provide additional flexibility, businesses must be mindful of other CCPA provisions and general consumer protection laws, which broadly prohibit deceptive acts and practices.
  • Deleted the provision requiring businesses to provide offline Do Not Sell notices in certain situations. Businesses must still provide point of collection notices; however, the regulations allow businesses to direct consumers to their online privacy policies to receive the disclosures.
  • Deleted the requirement for the Do Not Sell request mechanism to be “easy for consumers to execute and…require minimal steps.”
  • Deleted the provision allowing businesses to deny requests from authorized agents that do not submit proof that they have been authorized by the consumers to act on their behalf. This would be problematic if not for other CCPA provisions that limit authorized agent requests, including the ability to verify with the consumer that the agent has permission to act on his or her behalf.

The approved regulations are effective immediately.