New CCPA Developments
The California Attorney General’s Office has finalized additional regulations implementing the California Consumer Privacy Act of 2018 (the CCPA). The new regulations, found here, are the most recent in a series of regulations that build on the rules last adopted in August 2020. The new regulations have a number of developments that companies doing business in California need to consider:
- Do Not Sell Button. The regulations introduce, but do not require, the use of a blue opt-out icon designed by Carnegie Mellon University’s Cylab and the University of Michigan’s School of Information. While earlier versions of the regulations discussed placement of the icon, the only mandates that remain are that the icon is the same size as others on the web page. Businesses can download the icon here. Importantly, the icon may be used in addition to, but not in place of, the existing do not sell procedures.
- Ongoing Enforcement. While the Attorney General has not been active in bringing enforcement actions for violations of the CCPA, the Attorney General’s office has actively issued notices to cure violations. The press release accompanying the new regulation notes that there has been “widespread compliance … especially in response to notices to cure.” Last year, Supervising Deputy AG Stacey Schesser told the IAPP, the International Association of Privacy Professionals, that enforcement targeted online businesses that were missing key privacy disclosures or “Do Not Sell” links, and came in response to consumer complaints, including on social media.
The future of enforcement will depend on a number of factors, including the impact of the newly formed California Privacy Protection Agency and the Governor’s nomination of Rob Bonta as Attorney General to succeed Xavier Becerra, who was recently confirmed as U.S. Secretary of Health and Human Services.