Since CCPA came into effect the California Attorney General, Xavier Becerra, has issued additional guidance to help explain and clarify certain parts of the law.
Since CCPA came into effect California’s Attorney General, Xavier Becerra, has issued additional guidance to help explain and clarify certain parts of the law.
In 2020, the AG’s office has issued two separate releases with modifications to the draft bill, each in response to a comment period for key stakeholders. The modifications shed new light on how elements of the law will be enforced, and cleared up some questions that had been raised by observers.
Becerra’s guidance in early 2020 came during the six-month period between the time when the CCPA was officially made law and the time when the AG began to enforce punishments for CCPA violators. Let’s take a look at where the AG’s additional guidance made an impact:
Following last August’s clarifications to the California Consumer Privacy Act (CCPA), the state’s Attorney General announced new regulations under this act on March 15, 2021. California’s Office of Administrative Law gave final approval to these amendments, which largely pertain to user experience (UX) when it comes to exercising privacy rights.
While much attention has focused on the CCPA’s impact on online data privacy, there is now a requirement for businesses that collect consumers’ information offline (as in a brick-and-mortar store or a phone-based transaction) to inform consumers of their opt-rights using an offline method.
The Attorney General offered websites an optional opt-out icon to include as a signpost for consumers to locate the opt-out right and “Do Not Sell My Personal Information” link on websites.
A new regulation explicitly bans dark patterns in UX, which are design components that make it more difficult for consumers to exercise their privacy rights. As an example of a dark pattern, a business might use obscure or confusing language in presenting the opt-out choice. Under the new set of regulations, the opt-out process shall be easy for consumers, needing minimal steps on the consumers’ part.
When a consumer uses a third party, known as an authorized agent, to carry out an access or deletion request, a company can require the authorized agent to indicate the consumer explicitly signed off on the request. Previously, it was up to the consumer to choose whether the authorized agent provided such proof to the company.
The ban on dark patterns in UX is an important step forward in demystifying privacy for everyday users. Companies should take stock of their process for users to opt-out; any unnecessary pages or unclear language should be simplified into an approachable presentation, free from any intimidating language. As some in-person business activity resumes in 2021, teams should make sure that the same approachable language in their online opt-out process carries over into the in-person or over-the-phone customer experience. The bottom-line of the new regulations is that companies should implement a straightforward, unintimidating process for users to exercise their CCPA rights.
The “Do Not Sell” requirement was amended such that “Do Not Sell My Info” is not listed as acceptable language for the homepage link requirement. This means only “Do Not Sell My Personal Information” is the only explicitly mentioned acceptable language to use when allowing consumers to exercise this right. If your business has implemented a “Do Not Sell My Info” link on your homepage, it must be modified to “Do Not Sell My Personal Information”.
Next, the California AG deleted the provision that allowed businesses to deny requests from authorized agents who can’t show proof that they’re authorized to act on consumers’ behalf. However, there are other CCPA provisions that allow businesses some ability to verify authority, including permission to verify with the consumer that the authorized agent has been cleared represent them.
The AG also removed the requirement that businesses offer an offline mechanism for filing Do Not Sell requests. Instead, businesses can direct users to their online service for managing those requests.
There were additional clarifications around the upfront consent needed to use consumer data for explicit purposes and the user experience requirements for Do Not Sell requests.
The final round of CCPA clarifications skews business-friendly. Some of the more onerous requirements around the Do Not Sell requirement were eased or alleviated. With that said, it’s notable that businesses may now need to do more legwork when scoping their dealings with authorized agents purporting to represent California consumers. Perhaps the highest-level takeaway is that the CCPA text is actually finalized – at least until California returns to the ballot box on November 4, 2020 to vote on “CCPA 2.0”, The California Privacy Rights Act.
Per Future of Privacy Forum policy counsel Pollyanna Sanderson:
This essentially leaves the CCPA as a notice and consent regulatory model, with extra room for potentially coercive consent mechanisms.
The March additional guidance from the AG’s office provided finer-grained updates to the law’s text, to the point where it appears the final shape of CCPA is close-to-complete. Whether there will be another set of additional guidance or simply a final proposed regulation in advance of the July 1 enforcement deadline remains to be seen.
The second round of AG guidance removed previous direction on how “personal information” should be interpreted for businesses collecting IP addresses. This leaves the proper approach to this issue ambiguous and could be a source of future confusion for CCPA observers.
Possibly in response to negative feedback on the proposed opt-out button (above), the updated guidance removed this illustrated example but did not remove the opt-out notice requirements for businesses on web properties.
A business cannot require consumers to pay a fee for the verification of their request to know or delete their data. Additionally, if an organization requires extra verification, that organization must compensate for all accrued notarization fees.
The February updates make it mandatory for organizations that profit from consumer data to reveal and define a value to the consumer’s value.
Consumers with disabilities are better protected with the updates as organizations that collect personal data must follow recognized industry standards regarding accessibility.
The guidelines recommended a toggle-like button with text adjacent to it, see the image below:
* Note, this opt-out button guidance was rescinded in the March update.
Ethyca’s VP of Engineering Neville Samuell recently spoke at the University of Texas at Austin’s Texas McCombs School of Business about privacy engineering and its role in today’s digital landscape. Read a summary of the discussion by Neville himself here.
Learn more about all of the updates in the Fides 2.24 release here.
Ethyca’s Senior Software Engineer Adam Sachs goes through the thought process of creating Fideslang, the privacy engineering taxonomy that standardizes privacy compliance in software development.
Learn more about all of the updates in the Fides 2.23 release here.
Our Senior Software Engineer Dawn Pattison walks you through implementing data minimization into your business.
Learn more about all of the updates in the Fides 2.22 release here.
Our team of data privacy devotees would love to show you how Ethyca helps engineers deploy CCPA, GDPR, and LGPD privacy compliance deep into business systems. Let’s chat!Request a Demo