Additional Modifications to the CCPA

Since CCPA came into effect California’s Attorney General, Xavier Becerra, has issued additional guidance to help explain and clarify certain parts of the law.

In 2020, the AG’s office has issued two separate releases with modifications to the draft bill, each in response to a comment period for key stakeholders. The modifications shed new light on how elements of the law will be enforced, and cleared up some questions that had been raised by observers.

Becerra’s guidance in early 2020 came during the six-month period between the time when the CCPA was officially made law and the time when the AG began to enforce punishments for CCPA violators. Let’s take a look at where the AG’s additional guidance made an impact:

March 15, 2021

Following last August’s clarifications to the California Consumer Privacy Act (CCPA), the state’s Attorney General announced new regulations under this act on March 15, 2021. California’s Office of Administrative Law gave final approval to these amendments, which largely pertain to user experience (UX) when it comes to exercising privacy rights.

Offline Opt-Outs

While much attention has focused on the CCPA’s impact on online data privacy, there is now a requirement for businesses that collect consumers’ information offline (as in a brick-and-mortar store or a phone-based transaction) to inform consumers of their opt-rights using an offline method.

Optional Opt-Out Icon

The Attorney General offered websites an optional opt-out icon to include as a signpost for consumers to locate the opt-out right and “Do Not Sell My Personal Information” link on websites.

Ban on Dark Patterns

A new regulation explicitly bans dark patterns in UX, which are design components that make it more difficult for consumers to exercise their privacy rights. As an example of a dark pattern, a business might use obscure or confusing language in presenting the opt-out choice. Under the new set of regulations, the opt-out process shall be easy for consumers, needing minimal steps on the consumers’ part.

Consent Process for Authorized Agents

When a consumer uses a third party, known as an authorized agent, to carry out an access or deletion request, a company can require the authorized agent to indicate the consumer explicitly signed off on the request. Previously, it was up to the consumer to choose whether the authorized agent provided such proof to the company.

Key Takeaways: March 15, 2021

The ban on dark patterns in UX is an important step forward in demystifying privacy for everyday users. Companies should take stock of their process for users to opt-out; any unnecessary pages or unclear language should be simplified into an approachable presentation, free from any intimidating language. As some in-person business activity resumes in 2021, teams should make sure that the same approachable language in their online opt-out process carries over into the in-person or over-the-phone customer experience. The bottom-line of the new regulations is that companies should implement a straightforward, unintimidating process for users to exercise their CCPA rights.

August 17, 2020

Acceptable Language for “Do Not Sell”

The “Do Not Sell” requirement was amended such that “Do Not Sell My Info” is not listed as acceptable language for the homepage link requirement. This means only “Do Not Sell My Personal Information” is the only explicitly mentioned acceptable language to use when allowing consumers to exercise this right. If your business has implemented a “Do Not Sell My Info” link on your homepage, it must be modified to “Do Not Sell My Personal Information”.

Denying Requests from Certain Authorized Agents

Next, the California AG deleted the provision that allowed businesses to deny requests from authorized agents who can’t show proof that they’re authorized to act on consumers’ behalf. However, there are other CCPA provisions that allow businesses some ability to verify authority, including permission to verify with the consumer that the authorized agent has been cleared represent them.

Offline “Do Not Sell” Mechanism Not Required

The AG also removed the requirement that businesses offer an offline mechanism for filing Do Not Sell requests. Instead, businesses can direct users to their online service for managing those requests.

Additional Clarifications

There were additional clarifications around the upfront consent needed to use consumer data for explicit purposes and the user experience requirements for Do Not Sell requests.

Key Takeaways: August 17, 2020

The final round of CCPA clarifications skews business-friendly. Some of the more onerous requirements around the Do Not Sell requirement were eased or alleviated. With that said, it’s notable that businesses may now need to do more legwork when scoping their dealings with authorized agents purporting to represent California consumers. Perhaps the highest-level takeaway is that the CCPA text is actually finalized – at least until California returns to the ballot box on November 4, 2020 to vote on “CCPA 2.0”, The California Privacy Rights Act.

Per Future of Privacy Forum policy counsel Pollyanna Sanderson:

This essentially leaves the CCPA as a notice and consent regulatory model, with extra room for potentially coercive consent mechanisms.

March 11, 2020

The March additional guidance from the AG’s office provided finer-grained updates to the law’s text, to the point where it appears the final shape of CCPA is close-to-complete. Whether there will be another set of additional guidance or simply a final proposed regulation in advance of the July 1 enforcement deadline remains to be seen.

Removal of “Personal Information” Interpretation

The second round of AG guidance removed previous direction on how “personal information” should be interpreted for businesses collecting IP addresses. This leaves the proper approach to this issue ambiguous and could be a source of future confusion for CCPA observers.

Removal of Opt-Out Guidance

Possibly in response to negative feedback on the proposed opt-out button (above), the updated guidance removed this illustrated example but did not remove the opt-out notice requirements for businesses on web properties.

Privacy Policies

Privacy policies must now identify the categories of sources from which personal information is collected, and identify the business or commercial purposes for collecting or selling the information. This brings the Privacy Policy requirements for California businesses marginally closer in-line with GDPRs “legal basis” principle.

February 10, 2020

Abolishing personal data-request related fees

A business cannot require consumers to pay a fee for the verification of their request to know or delete their data. Additionally, if an organization requires extra verification, that organization must compensate for all accrued notarization fees.

Confirming a disclosure of financial incentives

The February updates make it mandatory for organizations that profit from consumer data to reveal and define a value to the consumer’s value.

Strengthened consumer access for individuals with disabilities

Consumers with disabilities are better protected with the updates as organizations that collect personal data must follow recognized industry standards regarding accessibility.

Provided visual guidelines for use of an opt-out button on a webpage

The guidelines recommended a toggle-like button with text adjacent to it, see the image below:

* Note, this opt-out button guidance was rescinded in the March update.