New CCPA Developments
To print this article, all you need is to be registered or login on Mondaq.com.
The California Attorney General’s Office has finalized additional regulations implementing
the California Consumer Privacy Act of 2018 (the CCPA). The new
regulations, found here, are the most recent in a series of
regulations that build on the rules last adopted in August 2020.
The new regulations have a number of developments that companies
doing business in California need to consider:
- Do Not Sell Button.
The regulations introduce, but do not require, the use of a blue
opt-out icon designed by Carnegie Mellon University’s Cylab and
the University of Michigan’s School of Information. While
earlier versions of the regulations discussed placement of the
icon, the only mandates that remain are that the icon is the same
size as others on the web page. Businesses can download the icon here. Importantly, the icon may be used in
addition to, but not in place of, the existing do not sell
- Ongoing Enforcement.
While the Attorney General has not been active in bringing
enforcement actions for violations of the CCPA, the Attorney
General’s office has actively issued notices to cure
violations. The press release accompanying the new regulation
notes that there has been “widespread compliance . especially
in response to notices to cure.” Last year, Supervising Deputy
AG Stacey Schesser told the IAPP, the International Association of
Privacy Professionals, that enforcement targeted online businesses
that were missing key privacy disclosures or “Do Not
Sell” links, and came in response to consumer complaints,
including on social media.
The future of enforcement will depend on a number of factors,
including the impact of the newly formed California Privacy
Protection Agency and the Governor’s nomination of Rob Bonta as
Attorney General to succeed Xavier Becerra, who was recently
confirmed as U.S. Secretary of Health and Human Services.
- Offline Notices. The
new regulations also address personal information that is collected
offline. Businesses that sell information they collect offline now
need to provide and inform consumers of an offline method to submit
opt-out requests, and provide instructions on how to do so. The
regulations suggest paper forms where the initial information is
captured, signage, or via phone.
- Clearly Identifying the
Opt-Out Option. Under the new regulations, businesses must
make opt out requests “easy for consumers to execute” and
with minimal steps – no more than necessary to provide the personal
information. The regulations also prohibit “dark
patterns” or other visual tricks to minimize or hide the
method by which consumers can opt-out of having their information
sold or shared. The regulations list examples of subterfuge that
businesses should avoid, including confusing language; requiring
the consumer to read, listen to, or click through reasons they
shouldn’t opt out; and requiring consumers to read or scroll
through privacy policies or other notices after selecting the
“Do Not Sell My Personal Information” option.
- Authorized Agents.
The regulations now state that a business may require an authorized
agent to provide proof that a consumer gave the agent signed
permission to submit the request. In prior regulations, that was
- CPRA Appointees. In
related news, the Governor, Attorney General, Senate
President pro tem and Assembly Speaker announced appointees to the
five-person CPRA board. They are Berkeley Law Professor Jennifer
Urban; former Southern California Edison executive John Christopher
Thompson; former Chief Assistant Attorney General of the Public
Rights Division Angela Sierra, who oversaw the Consumer Protection
Section’s Privacy Unit; Santa Clara Law Professor Lydia de la
Torre; and Vinhcent Le, Technology Equity attorney at the
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
POPULAR ARTICLES ON: Technology from United States