CCPA/CPRA

Round Three of Proposed Modifications to the CCPA

The California Consumer Privacy Act (CCPA) proposed updates continue to roll in as the third set of proposed modifications released by the California Department of Justice were submitted for comment through October 28, 2020. According to Michael Hellbusch of Rutan & Tucker, the latest modifications are a big deal for a lot of businesses and their websites. However, the biggest news is that the AG proposed these modifications at all especially being so close to the November 2020 election.

Modification to Section 999.306 – Offline Notice of Opt-Out

Hellbusch says, “the proposed modifications add an offline notice requirement when a business that collects personal information in the course of interacting with a consumer offline. The offline opt-out notice is required even if the business only sells the personal information it collects online via cookies or otherwise.” 

Businesses, especially those in brick-and-mortar settings, should not assume that they do not need to provide offline notices just because the only personal information they sell is collected or sold online.  In other words, if the business sells personal information, the opt-out notice must be provided at all points of collection of personal information, both online and offline. 

Modifications to Section 999.315 – Easier Methods to Opt-Out

“The modifications to this section are clearly intended to prevent dark patterns or convoluted opt-out processes,” said Hellbusch. As the proposed updates would require a business’s method for submitting requests to opt-out be easy for consumers to execute along with minimal steps to opt-out, such as the following:

  • The process for submitting a request to opt-out shall not require more steps than the business’s process for a consumer to opt-in to the sale of personal information, after previously opting out
  • A business must not use confusing language in the opt-out process
  • A business shall not require consumers to click through or listen to reasons why they should not submit a request to opt-out prior to confirming their request
  • The business’s process shall not require the consumer to provide personal information that is not necessary when submitting a request to opt-out
  • Lastly, upon clicking the “Do not sell my personal information” link, a business must not require the consumer to search or scroll through the text of a privacy policy or similar document, or webpage to locate the mechanism for submitting an opt-out request

Modifications to Section 999.626 – Authorized Agent

The modifications to the authorized agent section reinforce the need to deal with authorized agents. It also clarifies that all agents must have written proof of permission from the consumer to submit the request. In addition, businesses may require the consumer to directly verify their own identity with the business and/or directly confirm with the business that they provided the agent permission to submit the request.

Regardless of these new modifications, Truyo’s Privacy Rights platform already includes the ability to provide a link in signage or in paper form to accommodate offline opt-outs along with the workflow to process authorized agents.

Conflicting Timeline

The California Privacy Rights Act, also known as Proposition 24, is currently on the ballot in California on November 3, 2020, which will amend any CCPA regulations including these proposed modifications. The timeline associated with the proposed modifications conflicts with the CPRA and comes at an odd time, considering CPRA is likely to pass in less than a month’s time.

Although, businesses will have more considerations to keep in mind in devising a pass/no pass strategy when it comes to the CCPA vs. CPRA. We will keep you informed as new updates arise in the new set of modifications.


Author

Dan Clarke
Dan Clarke
President, Truyo
October 15, 2020

Let Truyo Be Your Guide Towards Safer AI Adoption

Connect with us today