Since CCPA came into effect the California Attorney General, Xavier Becerra, has issued additional guidance to help explain and clarify certain parts of the law.
Since CCPA came into effect California’s Attorney General, Xavier Becerra, has issued additional guidance to help explain and clarify certain parts of the law.
In 2020, the AG’s office has issued two separate releases with modifications to the draft bill, each in response to a comment period for key stakeholders. The modifications shed new light on how elements of the law will be enforced, and cleared up some questions that had been raised by observers.
Becerra’s guidance in early 2020 came during the six-month period between the time when the CCPA was officially made law and the time when the AG began to enforce punishments for CCPA violators. Let’s take a look at where the AG’s additional guidance made an impact:
Following last August’s clarifications to the California Consumer Privacy Act (CCPA), the state’s Attorney General announced new regulations under this act on March 15, 2021. California’s Office of Administrative Law gave final approval to these amendments, which largely pertain to user experience (UX) when it comes to exercising privacy rights.
While much attention has focused on the CCPA’s impact on online data privacy, there is now a requirement for businesses that collect consumers’ information offline (as in a brick-and-mortar store or a phone-based transaction) to inform consumers of their opt-rights using an offline method.
The Attorney General offered websites an optional opt-out icon to include as a signpost for consumers to locate the opt-out right and “Do Not Sell My Personal Information” link on websites.
A new regulation explicitly bans dark patterns in UX, which are design components that make it more difficult for consumers to exercise their privacy rights. As an example of a dark pattern, a business might use obscure or confusing language in presenting the opt-out choice. Under the new set of regulations, the opt-out process shall be easy for consumers, needing minimal steps on the consumers’ part.
When a consumer uses a third party, known as an authorized agent, to carry out an access or deletion request, a company can require the authorized agent to indicate the consumer explicitly signed off on the request. Previously, it was up to the consumer to choose whether the authorized agent provided such proof to the company.
The ban on dark patterns in UX is an important step forward in demystifying privacy for everyday users. Companies should take stock of their process for users to opt-out; any unnecessary pages or unclear language should be simplified into an approachable presentation, free from any intimidating language. As some in-person business activity resumes in 2021, teams should make sure that the same approachable language in their online opt-out process carries over into the in-person or over-the-phone customer experience. The bottom-line of the new regulations is that companies should implement a straightforward, unintimidating process for users to exercise their CCPA rights.
The “Do Not Sell” requirement was amended such that “Do Not Sell My Info” is not listed as acceptable language for the homepage link requirement. This means only “Do Not Sell My Personal Information” is the only explicitly mentioned acceptable language to use when allowing consumers to exercise this right. If your business has implemented a “Do Not Sell My Info” link on your homepage, it must be modified to “Do Not Sell My Personal Information”.
Next, the California AG deleted the provision that allowed businesses to deny requests from authorized agents who can’t show proof that they’re authorized to act on consumers’ behalf. However, there are other CCPA provisions that allow businesses some ability to verify authority, including permission to verify with the consumer that the authorized agent has been cleared represent them.
The AG also removed the requirement that businesses offer an offline mechanism for filing Do Not Sell requests. Instead, businesses can direct users to their online service for managing those requests.
There were additional clarifications around the upfront consent needed to use consumer data for explicit purposes and the user experience requirements for Do Not Sell requests.
The final round of CCPA clarifications skews business-friendly. Some of the more onerous requirements around the Do Not Sell requirement were eased or alleviated. With that said, it’s notable that businesses may now need to do more legwork when scoping their dealings with authorized agents purporting to represent California consumers. Perhaps the highest-level takeaway is that the CCPA text is actually finalized – at least until California returns to the ballot box on November 4, 2020 to vote on “CCPA 2.0”, The California Privacy Rights Act.
Per Future of Privacy Forum policy counsel Pollyanna Sanderson:
This essentially leaves the CCPA as a notice and consent regulatory model, with extra room for potentially coercive consent mechanisms.
The March additional guidance from the AG’s office provided finer-grained updates to the law’s text, to the point where it appears the final shape of CCPA is close-to-complete. Whether there will be another set of additional guidance or simply a final proposed regulation in advance of the July 1 enforcement deadline remains to be seen.
The second round of AG guidance removed previous direction on how “personal information” should be interpreted for businesses collecting IP addresses. This leaves the proper approach to this issue ambiguous and could be a source of future confusion for CCPA observers.
Possibly in response to negative feedback on the proposed opt-out button (above), the updated guidance removed this illustrated example but did not remove the opt-out notice requirements for businesses on web properties.
A business cannot require consumers to pay a fee for the verification of their request to know or delete their data. Additionally, if an organization requires extra verification, that organization must compensate for all accrued notarization fees.
The February updates make it mandatory for organizations that profit from consumer data to reveal and define a value to the consumer’s value.
Consumers with disabilities are better protected with the updates as organizations that collect personal data must follow recognized industry standards regarding accessibility.
The guidelines recommended a toggle-like button with text adjacent to it, see the image below:
* Note, this opt-out button guidance was rescinded in the March update.
We enjoyed two great days of security and privacy talks at this year’s Symposium on Usable Privacy and Security, aka SOUPS Conference! Presenters from all over the world spoke both in-person and virtually on the latest findings in privacy and security research.
At Ethyca, we believe that software engineers are becoming major privacy stakeholders, but do they feel the same way? To answer this question, we went out and asked 337 software engineers what they think about the state of contemporary privacy… and how they would improve it.
The UK’s new Data Reform Bill is set to ease data privacy compliance burdens on businesses to enable convenience and spark innovation in the country. We explain why convenience should not be the end result of a country’s privacy legislation.
Our team at Ethyca attended the PEPR 2022 Conference in Santa Monica live and virtually between June 23rd and 24th. We compiled three main takeaways after listening to so many great presentations about the current state of privacy engineering, and how the field will change in the future.
For privacy engineers to build privacy directly into the codebase, they need agreed-upon definitions for translating policy into code. Ethyca CEO Cillian unveils an open source system to standardize definitions for personal data living in the tech stack.
Masking data is an essential part of modern privacy engineering. We highlight a handful of masking strategies made possible with the Fides open-source platform, and we explain the difference between key terms: pseudonymization and anonymization.
Our team of data privacy devotees would love to show you how Ethyca helps engineers deploy CCPA, GDPR, and LGPD privacy compliance deep into business systems. Let’s chat!Book a Demo