New Changes to CCPA Intending to “Empower Data Privacy” Approved

On Monday, March 15, 2021, the Attorney General of California, Xavier Becerra announced new regulations that will be implemented into the California Consumer Privacy Act of 2018 (“CCPA”), effective immediately. The new changes to the law have been integrated into the section of CCPA that addresses the requirements for providing notice of a consumer’s right to opt-out of the sale of personal information.

The purpose of this provision is to assist consumers with the ability to request that businesses do not sell their personal information. There are many nuances to this section of the CCPA, however, in general, it requires businesses to be clear about a consumer’s right to opt-out. This may be accomplished by using plain language and by placing the notice in an accessible location where consumers will be informed of their rights before the collection of information occurs. For example, the required “Do Not Sell My Personal Information” link should be placed on the homepage of the website or the landing page of a mobile application.

With that said, the new modifications to the regulation include changes to requirements for (1) offline collection of personal information, (2) an optional icon that may be used to assist in notifying consumers of their rights, and (3) a requirement for minimizing the steps required for opting-out of the sale of personal information.

Offline Collection of Personal Information

The new changes to the law include provisions relating to the notice required for collection of information via offline methods. Specifically, the regulations require businesses that sell personal information, which they have collected offline, to inform consumers of their right to opt-out and provide instructions on how to submit a request to opt-out of the sale of their information.

This new provision provides illustrative examples, where, for example, if a brick-and-mortar store were to collect personal information that it intends to sell, it would need to inform customers of their opt-out rights. Examples of how such a business may comply with CCPA are listed, including informing customers of their right to opt-out on papers being signed, or, for example, by posting signage in the area where the information is collected, which directs the consumer where they may opt-out online. Further, if the information is being collected over the phone, the business may inform the consumer of its right to opt-out orally during the call when the information is collected.

Optional Icon to Provide Consumer Notice

The next change to the regulation provides an optional icon that may be used online to indicate to consumers that there is an op-out right for the collection of information. However, this icon does not replace the existing requirement to provide a “Do Not Sell My Personal Information” link or the requirement to provide notice of the right to opt-out.

Further, if the below icon is used by a business, the regulation stipulates that it shall be implemented in a size that is approximately the same size as any other icons used by the business on its webpage.

According to the announcement by the Attorney General, the above icon was designed by Carnegie Mellon University’s Cylab and the University of Michigan’s School of Information in an effort to determine the best design for communicating privacy choices to consumers.

Minimizing the Steps Required for Opting-Out

Finally, and likely the most significant new requirement, is a clarification as to the technical process for opting-out of the sale of information. Under the new language of CCPA, the method for submitting requests to opt-out shall “be easy” to execute, which means that the process must have “minimal steps to allow the consumer to opt-out” and a business is not allowed to try and subvert or impair a consumer’s choice to opt-out.

The regulation also provided illustrative examples of this provision such as the following:

  • A business should not use a process that requires more steps to opt-out of the sale of personal information than it would take for the consumer to actually opt-into the sale of such information.
  • A business is not allowed to use “confusing language, such as double-negatives” when providing a choice to opt-out.
  • A business should not require consumers to click through or listen to reasons why they should not opt-out.
  • The business should not require the consumer to provide additional personal information not necessary to implement the request; and
  • The business should not require the consumer to scroll through a privacy policy or webpage to locate where they may request to opt-out after clicking the “Do Not Sell My Personal Information” link.

The right to opt-out of the sale of personal information is a key aspect of the CCPA and has been a requirement throughout the life of the regulation. Although there have been several changes to CCPA over time, some appear to help clarify how businesses may comply with the regulation, such as the illustrative examples from above.