On March 15, 2021, the California Office of Administrative Law (“OAL”) approved additional regulations to the CCPA. These regulations were originally proposed at the end of 2020 (which we covered here).  The changes are effective immediately. The modifications largely focus on (1) changes impacting those companies that “sell” information, and (2) the verification process for rights requests made by authorized agents.

Specifically, the regulations touch on the following areas:

  • “Offline” notices. Organizations that “sell” personal information collected in the course of interacting with consumers offline need to provide consumers with an offline notice of their right to opt-out. This should include instructions about how consumers can opt-out. For example, brick-and-mortar stores may post signage where the information is collected directing individuals where the information to opt-out can be found online.
  • “Opt-out” icon.  For companies selling information, the regulations provide an icon that may be used in addition to (and not in lieu of) having the link on the bottom of a website for consumers to opt-out. If businesses choose to use the button, it must be located to the left of the link and must be the same size as other buttons used by businesses on the website.
  • Requests to opt-out. Methods for submitting requests to opt-out should not be designed with the purpose of subverting a consumer’s choice to opt-out. The regulations provide a number of illustrative examples for avoiding these kind of “dark patterns.” For example, requiring consumers to click through or listen to unnecessary reasons why they should not submit a request to opt-out before confirming their request. Companies should also not require a consumer to provide personal information that is unnecessary to implement an opt-out request. Consumers should also not be required to search or scroll through the text of a privacy policy once they have clicked on the “Do Not Sell My Personal Information Link” in order to find the request to opt-out mechanism.

Putting it Into Practice. These updates to the regulations will likely have little to no impact to those organizations that are not “selling” information or receiving a high volume (or any) rights requests from authorized agents. However, organizations that are “selling” information may want to confirm that the userflow for their do-not-sell link, notice and mechanism are transparent and do not require any unnecessary steps. In the Final Statement of Reasons, the Attorney General noted that these changes stemmed in part from the office’s experience in enforcing the CCPA. Thus now given some of these itemized examples, particularly for opt-out requests, this is likely to be an area that the OAG’s office will continue to look to for potential non-compliance.