On December 10, the California Attorney General’s (AG) office issued its fourth set of proposed modifications to the regulations implementing the California Consumer Privacy Act of 2018 (CCPA). The proposed modifications come despite the final regulations technically going into effect on August 14, 2020. This fourth set of proposed modifications would slightly alter the regulations pertaining to required opt-out notices. The AG’s office is accepting written public comment on the proposed changes until December 28, 2020 at 5:00 p.m. PST.
In the new Section 999.306(f), the proposed regulations would reinstate a requirement that businesses include a button icon on their websites to draw attention to the requisite “Do Not Sell My Personal Information” link (DNS link). The proposed regulations would require that the opt-out button be added to the left of the DNS link text and the button link to the same webpage that the consumer is directed to if they click directly on the DNS link.
The requirement for the opt-out button was included in the first set of proposed modifications but omitted in the second and third sets and the final rule.
The newly proposed modifications would also clarify that a business that operates offline but sells consumers’ personal information must still provide a notice of opt-out. Examples of offline notice include posting signage and giving notice over the phone.
The California Privacy Rights Act’s (CPRA) recent passage has taken some attention away from the CCPA, but the CCPA remains in effect, with its implanting regulations continuing to evolve. Adams and Reese’s Privacy, Cybersecurity and Data Management Team will continue to monitor the AG’s action on modifying the CCPA regulations.