On December 10, 2020, California’s Attorney General formally announced a fourth round of proposed modifications to the AG’s regulations regarding the California Consumer Privacy Act (“CCPA”).

These modifications include the long-awaited proposal for a universal form of “opt-out” button for businesses to use on their websites – shown below without further ado:

The proposal responds to a mandate, in the text of CCPA, that the AG’s regulations must address “the development and use of a recognizable and uniform opt-out logo or button by all businesses to promote consumer awareness of the opportunity to opt-out of the sale of personal information.”

In February 2020, the AG proposed a version of the opt-out button for comment.  This early version of the button was withdrawn, though, leaving no button proposal in place even though the AG was statutorily mandated to promulgate one.

Now, the AG is presenting a new version of the button that was successfully tested with consumers. A study showed that when consumers viewed the new version of the button and text, they were more likely to understand that they could choose whether to allow their personal information to be sold or not (as compared to other button designs or text alone).

Businesses would not be able to use the button alone in lieu of the text “Do Not Sell My Personal Information.” Both the text and the button would have to be hyperlinked to the webpage where the consumer can opt out. The opt-out text and button would have to be of a similar size to other buttons used by the business online.

Assuming this proposed button design is implemented in the final regulations, businesses would at long last have clarity on what to put on their websites to comply with the CCPA’s opt-out requirement.

Summary of Other Modifications to Regulations

The proposal would also make a number of changes to the existing CCPA regulations:

  • Businesses that collect personal information from consumers in an offline method (in a brick-and-mortar store or over the phone) would still have to provide the consumer the option to opt out of having their personal information sold to other parties. Businesses could notify consumers (1) by printing the notice on the paper forms that collect the personal information, (2) by posting signage directing consumers to where the notice can be found online or (3) orally over the phone when the information is collected.
  • Businesses must make it easy for consumers to opt out. The modifications provide five examples of what would not be allowed in an opt-out method: (1) making it harder for consumers to opt out than to opt in, (2) using confusing language, (3) requiring the consumer to provide a reason for opting out, (4) requiring additional, unnecessary consumer personal information and (5) requiring the consumer to scroll through a long privacy policy to locate the opt-out feature.
  • Businesses would be allowed to require an authorized agent who submits a request to know or a request to delete on behalf of a consumer to provide proof that the consumer gave the agent signed permission to submit the request. Anecdotally, we have seen an uptick in requests coming in to our clients from purportedly authorized agents such as Privacy Bee (a company that consumers can pay to conduct personal-data search-and-destroy missions on their behalf). This expected modification provides a new tool for businesses to manage these inquiries by requesting proof directly from the agent rather than the individual consumer.
  • Businesses that knowingly sell the personal information of consumers under 16 years old would have to include a description of the processes for opting into the sale of their personal data in the business’s consumer-facing policies. These processes must include methods to ensure that the person providing consent is the child’s parent or guardian.

The deadline to submit written comments on the proposed modification is December 28, 2020 at 5:00 PM.

To subscribe to the Data Blog, please click here.

The authors would like to thank Debevoise law clerk Tricia Reville for her contribution to this article.

Author

Jeremy Feigelson is a Debevoise litigation partner, Co-Chair of the firm’s Data Strategy & Security practice, and a member of the firm’s Intellectual Property and Media Group. He frequently represents clients in litigations and government investigations that involve the Internet and new technologies. His practice includes litigation and counseling on cybersecurity, data privacy, trademark, right of publicity, false advertising, copyright, and defamation matters. He can be reached at jfeigelson@debevoise.com.

Author

Jim Pastore is a Debevoise litigation partner and a member of the firm’s Data Strategy & Security practice and Intellectual Property Litigation Group. He can be reached at jjpastore@debevoise.com.

Author

Christopher S. Ford is an associate in Debevoise's Litigation Department who is a member of the firm’s Intellectual Property Litigation group and Data Strategy & Security practice. He can be reached at csford@debevoise.com.

Author

Anna R. Gressel is a senior commercial litigation associate at Debevoise and a member of the firm’s Technology, Media & Telecommunications and Data Strategy & Security groups. She actively advises clients on the legal and regulatory implications of artificial intelligence (“AI”) and other emerging technologies. Her practice includes not only representing companies in regulatory inquiries concerning AI, but also assisting companies in developing AI principles and governance mechanisms. She can be reached at argressel@debevoise.com.

Author

Alexandra P. Swain is a Debevoise litigation associate. Her practice focuses on intellectual property, data privacy, and cybersecurity issues. She can be reached at apswain@debevoise.com.

Author

Tigist Kassahun is a corporate associate and a member of Debevoise’s Intellectual Property and Mergers & Acquisitions Groups. She is also active in the firm’s Data Strategy & Security practice. She can be reached at tkassahu@debevoise.com.

Author

H Jacqueline Brehmer is a Debevoise litigation associate and a member of the Data Strategy & Security Practice Group. She can be reached at hjbrehmer@debevoise.com.

Author

Frank Colleluori is an associate in Debevoise's Litigation Department. He can be reached at facolleluori@debevoise.com.