On December 10, 2020, California’s Attorney General formally announced a fourth round of proposed modifications to the AG’s regulations regarding the California Consumer Privacy Act (“CCPA”).
These modifications include the long-awaited proposal for a universal form of “opt-out” button for businesses to use on their websites – shown below without further ado:
The proposal responds to a mandate, in the text of CCPA, that the AG’s regulations must address “the development and use of a recognizable and uniform opt-out logo or button by all businesses to promote consumer awareness of the opportunity to opt-out of the sale of personal information.”
In February 2020, the AG proposed a version of the opt-out button for comment. This early version of the button was withdrawn, though, leaving no button proposal in place even though the AG was statutorily mandated to promulgate one.
Now, the AG is presenting a new version of the button that was successfully tested with consumers. A study showed that when consumers viewed the new version of the button and text, they were more likely to understand that they could choose whether to allow their personal information to be sold or not (as compared to other button designs or text alone).
Businesses would not be able to use the button alone in lieu of the text “Do Not Sell My Personal Information.” Both the text and the button would have to be hyperlinked to the webpage where the consumer can opt out. The opt-out text and button would have to be of a similar size to other buttons used by the business online.
Assuming this proposed button design is implemented in the final regulations, businesses would at long last have clarity on what to put on their websites to comply with the CCPA’s opt-out requirement.
Summary of Other Modifications to Regulations
The proposal would also make a number of changes to the existing CCPA regulations:
- Businesses that collect personal information from consumers in an offline method (in a brick-and-mortar store or over the phone) would still have to provide the consumer the option to opt out of having their personal information sold to other parties. Businesses could notify consumers (1) by printing the notice on the paper forms that collect the personal information, (2) by posting signage directing consumers to where the notice can be found online or (3) orally over the phone when the information is collected.
- Businesses would be allowed to require an authorized agent who submits a request to know or a request to delete on behalf of a consumer to provide proof that the consumer gave the agent signed permission to submit the request. Anecdotally, we have seen an uptick in requests coming in to our clients from purportedly authorized agents such as Privacy Bee (a company that consumers can pay to conduct personal-data search-and-destroy missions on their behalf). This expected modification provides a new tool for businesses to manage these inquiries by requesting proof directly from the agent rather than the individual consumer.
- Businesses that knowingly sell the personal information of consumers under 16 years old would have to include a description of the processes for opting into the sale of their personal data in the business’s consumer-facing policies. These processes must include methods to ensure that the person providing consent is the child’s parent or guardian.
The deadline to submit written comments on the proposed modification is December 28, 2020 at 5:00 PM.
To subscribe to the Data Blog, please click here.
The authors would like to thank Debevoise law clerk Tricia Reville for her contribution to this article.