New CCPA Developments

The California Attorney General’s Office has finalized additional regulations implementing the California Consumer Privacy Act of 2018 (the CCPA). The new regulations, found here, are the most recent in a series of regulations that build on the rules last adopted in August 2020. The new regulations have a number of developments that companies doing business in California need to consider:

  • Do Not Sell Button. The regulations introduce, but do not require, the use of a blue opt-out icon designed by Carnegie Mellon University’s CyLab and the University of Michigan’s School of Information. While earlier versions of the regulations discussed placement of the icon, the only mandate that remains is that the icon be the same size as other icons on the web page. Businesses can download the icon here. Importantly, the icon may be used in addition to, but not in place of, the existing “Do Not Sell” procedures.
  • Ongoing Enforcement. While the Attorney General has not been active in bringing enforcement actions for violations of the CCPA, the Attorney General’s office has actively issued notices to cure violations. The press release accompanying the new regulation notes that there has been “widespread compliance … especially in response to notices to cure.” Last year, Supervising Deputy AG Stacey Schesser told the IAPP, the International Association of Privacy Professionals, that enforcement targeted online businesses that were missing key privacy disclosures or “Do Not Sell” links, and came in response to consumer complaints, including on social media.

    The future of enforcement will depend on a number of factors, including the impact of the newly formed California Privacy Protection Agency and the Governor’s nomination of Rob Bonta as Attorney General to succeed Xavier Becerra, who was recently confirmed as U.S. Secretary of Health and Human Services.

  • Offline Notices. The new regulations also address personal information that is collected offline. Businesses that sell information they collect offline now need to provide an offline method for submitting opt-out requests, inform consumers of that method, and provide instructions on how to use it. The regulations suggest doing so through paper forms where the initial information is captured, through signage, or by phone.
  • Clearly Identifying the Opt-Out Option. Under the new regulations, businesses must make opt-out requests “easy for consumers to execute,” with minimal steps – no more than necessary to provide the personal information. The regulations also prohibit “dark patterns” or other visual tricks to minimize or hide the method by which consumers can opt out of having their information sold or shared. The regulations list examples of subterfuge that businesses should avoid, including confusing language; requiring the consumer to read, listen to, or click through reasons they shouldn’t opt out; and requiring consumers to read or scroll through privacy policies or other notices after selecting the “Do Not Sell My Personal Information” option.
  • Authorized Agents. The regulations now state that a business may require an authorized agent to provide proof that a consumer gave the agent signed permission to submit the request. In prior regulations, that was optional.
  • CPRA Appointees. In related news, the Governor, Attorney General, Senate President pro tem and Assembly Speaker announced appointees to the five-person CPRA board. They are Berkeley Law Professor Jennifer Urban; former Southern California Edison executive John Christopher Thompson; former Chief Assistant Attorney General of the Public Rights Division Angela Sierra, who oversaw the Consumer Protection Section’s Privacy Unit; Santa Clara Law Professor Lydia de la Torre; and Vinhcent Le, Technology Equity attorney at the Greenlining Institute.

Jeffer Mangels Butler & Mitchell’s Cybersecurity and Privacy Group works with companies to create procedures and policies that comply with the CCPA and other state, federal and international privacy and security laws, as well as address data breach incidents.

Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at +1 310.785.5331.

JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.