California Attorney General Issues Further Revisions to CCPA Opt-Out Requirements
On March 15, 2021, the California Attorney General (AG) issued further amendments to the implementing regulations of the California Consumer Privacy Act (CCPA), clarifying how a business must facilitate a consumer’s exercise of their right to opt-out of the sale of their personal information. These amendments take effect immediately.
The amendments come as the state prepares to conduct new rounds of rulemaking to implement the recently-passed California Privacy Rights Act (CPRA).
Below we summarize the latest amendments to the CCPA regulations.
The Latest Amendments
The March 15 amendments affirmatively prohibit a business from making the process to opt-out of the sale of a consumer’s information burdensome or confusing. Specifically, the revised regulation requires that the opt-out process require only minimal steps. The amendment prohibits:
- An opt-out process that includes more steps than required to opt-in to the sale of personal information (after having previously opted-out);
- The use of confusing language, such as a double negative “Don’t Not Sell My Personal Information;”
- Requiring a consumer to click through or listen to reasons why they should NOT opt-out, except as otherwise allowed by the CCPA;
- Requiring the consumer to scroll through the text of the privacy policy or other webpage or document to locate the opt-out link.
The amendments also offer an optional icon for use in addition to posting the notice of right to opt-out or the “Do Not Sell My Personal Information” link. The icon can be downloaded here.
Further, specific examples are provided to explain how a business that collects information from consumers offline (such as in a store or over the phone) can ensure the consumer knows how to exercise their opt-out right. These examples include by providing prominent notice at the point of collection, such as printing the notice on a paper form or including a sign in the area of the store where information is collected. Where information is collected over the phone, the regulations require that a business inform the consumer orally how they may opt-out from the sale of their information.
Finally, in addition to the revisions related to opt-out, this latest round of revisions amends the provisions detailing how a business may authenticate authorized agent requests to know or to delete information.
***
As states continue to move forward on privacy laws—including California’s new rulemaking efforts to implement the CPRA and the passage of an omnibus privacy law in Virginia just weeks ago—it is crucial that businesses keep their fingers on the pulse of emerging privacy laws in the United States. Our team has helped entities of all sizes from various sectors parse through complicated state law issues – from determining whether and how state law applies to developing compliance programs. If your organization has questions about California or Virginia laws – and the impacts of these development on your business – do not hesitate to reach out.