After months of public comment and sporadic guidance issued by the California Attorney General’s Office, at long last we have the final regulations under the California Consumer Privacy Act, which have been approved by the Office of Administrative Law and filed with the Secretary of State’s Office. The regulations go into effect immediately, and include changes and withdrawn proposals that range from typographical to impactful.
The California Attorney General’s office has characterized the changes to the CCPA text as “non-substantive,” and has withdrawn certain proposed provisions “for additional consideration.” The non-substantive changes are designed to improve consistency in language, and are described in detail in the Addendum to the Final Statement of Reasons. Some withdrawn provisions, however, could impact companies expected to comply with CCPA. We discuss some notable sections below.
Section 999.305. Notice at Collection, Subsection (a)(5).
With the removal of this section, businesses are no longer required to notify consumers directly and obtain explicit consent for new purposes of processing. The underlying statutory requirement imposed by Section 1798.100(b) that businesses “shall not … use personal information collected for additional purposes without providing the consumer with notice consistent with this section” remains in effect. However, when a business alters its use of personal information, what is now needed is an accurate update to the description of purposes in the required notice.
Section 999.306. Notice of Right to Opt-Out, Subsection (b)(2).
The removal of this provision provides businesses that operate offline greater flexibility in providing notice of the opt-out right to consumers by permitting businesses that primarily operate offline to direct consumers to an online opt-out form. It is important to note, however, that the newly renumbered Section 999.306(b)(2) still requires any business that does not operate a website to “establish, document, and comply with another method by which it informs consumers of their right to opt-out.”
Section 999.315. Requests to Opt-Out, Subsection (c).
The removal of this section reduces the number of compliance standards previously present by removing the only reference to an “easy for consumers to execute” standard attached to request mechanisms. The removal of this section also drops the only reference in the regulations to a requirement that opt-out requests require “minimal steps” to execute.
Section 999.326. Authorized Agent, Subsection (c).
This provision originally allowed a business to deny a request from an authorized agent when the agent does not submit proof that it is authorized to act on the consumer’s behalf. However, the withdrawal of this subsection does not appear to substantively alter this right, because the process is also detailed in the sections of the regulations that address each type of request.
Ultimately, the final regulations do not introduce major changes to the obligations imposed on companies. The withdrawn sections do provide more flexibility in complying with specific areas of the law, but companies that have already laid the groundwork for addressing CCPA requirements will find they are already ahead of the curve. To learn more about the CCPA and its requirements, please take a look at our prior Taft Privacy and Data Security Insights: