BLOG POST

Tech & Sourcing @ Morgan Lewis

TECHNOLOGY TRANSACTIONS, OUTSOURCING, AND COMMERCIAL CONTRACTS NEWS FOR LAWYERS AND SOURCING PROFESSIONALS

CCPA Regulations Updated and Finally Approved

The California state attorney general issued a press release on August 14 stating that the Office of Administrative Law (OAL) has approved the California Department of Justice’s regulations regarding the California Consumer Privacy Act (CCPA) and filed them with the California secretary of state, making the regulations effective immediately.

As previously discussed, the attorney general first released draft regulations in October 2019 and made subsequent modifications in February and March 2020. The draft final text of the proposed regulations were submitted to the OAL in June 2020. On July 29, 2020, the attorney general submitted an Addendum (July Addendum) to the regulations. The final regulations that were adopted on August 14 adopted the proposed changes from the July Addendum but otherwise are essentially the same as the June draft. Here are a few of substantive changes found in the final version:

  • “Do Not Sell My Info” Phrase Eliminated. The final regulations at Section 999.305(b) and (f) as well as Section 999.306(b)(1) do not allow companies to use the wording “Do Not Sell My Info” to link to an opt-out page. Businesses are required to use the phrase “Do Not Sell My Personal Information” on their website in giving consumers the notice of right to opt out of the sale of their personal information.
  • Offline Opt-Out Notice Requirement Removed. The final regulations removed the requirement for businesses that substantially interact with customers offline to provide in-store signage or other printed “hard copy” notices to customers of their right to opt out. Stores that primarily interact with customers offline are only required to post the notice on their website or use “any other method” by which the consumer can submit a request to opt out. See Section 999.306(c). Despite the removal of the opt-out notice requirement for offline businesses, it is important to note that the CCPA maintains the requirement for businesses to notify consumers "at or before the point of collection" of the "categories of personal information to be collected and the purposes" for which the information will be used. Therefore, the practical impact of the removal of the offline opt-out notice is minimal because the "notice at collection" still needs to be provided at or before the point of collection whenever a business collects personal information offline.
  • Prohibition Against Use of Personal Information for a “Materially Different” Purpose Removed. Prior drafts of the CCPA included the following language in Section 999.305(a) that would have required businesses to obtain explicit consent from a customer for any new use of information than what was previously disclosed:,

A business shall not use a consumer’s personal information for a purpose materially different than those disclosed in the notice at collection. If the business seeks to use a consumer’s previously collected personal information for a purpose materially different than what was previously disclosed to the consumer in the notice at collection, the business shall directly notify the consumer of this new use and obtain explicit consent from the consumer to use it for this new purpose.

This change also may be of little consequence because companies that use consumers’ personal information for a different purpose from what was originally disclosed without obtaining additional consent may be in jeopardy of violating California consumer protection laws. Furthermore, California Civil Code Section 1798.100(b) states that “[a] business shall not collect additional categories of personal information or use personal information collected for additional purposes without providing the consumer with notice consistent with this section."

  • Authorized Agents Must Have Signed Written Permission. The final regulations clarify that businesses may deny requests to opt out made by authorized agents on behalf of consumers if an authorized agent does not submit signed permission from the consumer giving the agent such authority to act on the consumer’s behalf. See Section 999.315(f).

We previously discussed additional details regarding the CCPA and summarized the practical steps that companies can take to maintain compliance with the CCPA in this recent blog post and Insight. For more information, visit our CCPA resource center.