On August 14, 2020, the California Office of Administrative Law (“OAL”) approved in part and withdrew in part the Regulations regarding the California Consumer Privacy Act (“CCPA”). While most of the changes are non-substantive, the OAL withdrew certain provisions of the Regulations and resubmitted them to the Attorney General’s Office for further review. Approved sections went into effect immediately.
Among the more notable provisions withdrawn was 999.305(a)(5), which would have required businesses to obtain express consent from consumers before using previously collected information for a materially different purpose. Rather than obtaining express consent, businesses must comply with Section 1798.100(b) of the CCPA, which prohibits businesses from using personal information “collected for additional purposes without providing the consumer with notice consistent with this section.” Because initial notice can generally be accomplished through an online privacy policy, it appears that updates to an online privacy policy may suffice if a business intends to start using previously collected personal information for an additional purpose.
The OAL also made three changes relating to consumers’ opt-out right: (1) withdrawing a provision that required businesses that substantially interacted with consumers offline to provide notice of the right to opt out via an offline method; (2) withdrawing a provision that required businesses’ opt-out process to be “easy” and to “require minimal steps”; and (3) requiring businesses to title their opt-out page “Do Not Sell My Personal Information” as opposed to “Do Not Sell My Info.” While the last change is non-substantive, it is a concrete change that many businesses may need to make.
Finally, while much has been made of the OAL’s withdrawal of a provision stating that businesses may deny a request from an authorized agent that does not submit proof that they have been authorized by the consumer (previously Section 999.326(c)), that may be a change without practical effect. Indeed, Section 999.326(a)(1) still allows businesses to require that a consumer provide the authorized agent with signed permission to submit requests to know or delete. And, similarly, Section 999.315(f) allows businesses to deny a request to opt out submitted by an authorized agent if the agent cannot provide to the business the consumer’s signed permission. Accordingly, it appears that businesses arguably may be able to deny requests if they are unable to verify that an authorized agent has a consumer’s written permission to submit requests on their behalf.
Under California law, the Attorney General’s Office has one year to resubmit withdrawn sections after further review and possible revision. Whether or not the Attorney General’s Office revises and/or resubmits those provisions will likely be influenced by whether the California Privacy Rights Act is passed on the upcoming ballot.