On March 15, 2021, the California Attorney General (CA AG) announced the approval of additional CCPA regulations. According to the CA AG, the additional amendments are intended to clarify how businesses should implement the Do Not Sell requirements and the permissible methods for verifying CCPA requests submitted on behalf of consumers by an authorized agent.
Implementation of Do-Not-Sell Requirements. The new regulations focus on providing consumers with easy means to opt-out of the sale of their personal information and prohibiting businesses from using any deceptive or misleading methods when presenting consumers with the choice to opt out. In practice the amended regulations explicitly prohibit businesses from using any methods that could confuse, trick or burden consumers that try to exercise their right to opt-out of sales of their personal information, such as by:
- Using confusing language or patterns (e.g. double negatives, deceptive user interface);
- Requiring consumers to first read or listen to reasons why they should not opt-out prior to being able to submit a request (e.g., “are you sure?, don’t miss out by clicking…, if you click opt-out then…”);
- Using opt-out methods that require the consumer to provide additional personal information that is not required for implementing the opt out (e.g., require consumers to provide name and address before opting the consumer out of retargeting cookies);
- Using a Do Not Sell link that does not take the consumer directly to the opt-out function, tool, or icon; or
- Implementing a method that requires the consumer to take significantly more steps to opt-out than the number of steps necessary to opt-in to the sale of their personal information.
In addition, the CA AG approved the proposed ‘Privacy Option’ icon for purposes of communicating privacy choices to a consumer: .Use of the icon is voluntary but if a business chooses to use the icon, it should have about the same size as any other icons used on the business’s website.
However, using the icon does not relieve businesses from any notice obligations or providing a Do Not Sell My Personal Information link on the business’s website.
Further, where businesses collect personal information by interacting with consumers offline (e.g., in-person events, hotels, brick and mortar retail) or over the phone, businesses are required to inform consumers about their right to opt out of sales of their personal information through the respective offline channel, such as by posting clear and visible signage in the area where the consumer interaction takes place, by providing consumers with information how opt-out rights can be exercised online (e.g., hardcopy notices), or by informing consumers about the right to opt out over the phone.
Lastly, the amendments address the proof that a business may require an authorized agent to provide when an agent submits a rights request on a consumer’s behalf. Notably, as amended, the regulations would still permit a business to directly verify the consumer’s identity or directly confirm with the consumer the agent’s authority to submit the request on the consumer’s behalf.