California is continuing to make news with respect to its privacy laws. California's Attorney General recently announced the approval of new amendments to regulations of the California Consumer Privacy Act (CCPA). The new amendments create additional regulations governing consumer opt-out rights under the CCPA, including the creation of a new "Opt-Out Icon," which are effective immediately. Meanwhile, as businesses begin preparations for the California Privacy Rights Act (CPRA), which becomes effective on January 1, 2023, the inaugural board members of the California Privacy Protection Agency (CPPA) have now been appointed by designated state officials.
These latest developments continue to highlight that privacy laws remain a moving target and businesses must create privacy management programs that are flexible to fluid regulations and evolving business models. This is especially true as numerous states consider their own privacy legislation. This alert summarizes the latest changes to the CCPA and how the CPPA appointments could impact the CPRA.
CCPA Amendments
The notable provisions in the CCPA Amendments include the following and are effective immediately:
- Offline Opt-Out Notices. Businesses that collect personal information offline and sell such information are now required to implement specific methods to offer opt-out rights to such consumers. This includes the following options:
- notify the consumer on paper forms that are collecting the information;
- post signage in the area where the personal information is collected; or
- if collecting information over the phone, inform the consumer of the opt-out right orally when the information is collected.
- New Opt-Out Icon. After years of debate, the new amendments include an "Opt-Out Icon" that businesses can use on their websites in addition to posting the notice of right to opt-out. A business cannot post the icon in lieu of posting the opt-out notice or the "Do Not Sell My Personal Information" link already required by the regulations. The new icon is not a required to be included on a business's website. The new privacy icon can be found here.
- Methods for Submitting Opt-Out Requests. The new amendments also require that the steps for submitting an opt-out request "require minimal steps" to allow consumers to opt-out. Specifically, the process for submitting a request to opt-out cannot require more steps than the process for a consumer to opt-in to the sale of personal information after previously opting-out. A business is also prohibited from using confusing language in its process to allow consumers to opt-out, cannot require consumers to click through or listen to reasons why they should not submit a request to opt-out, and shall not require consumers to provide personal information that is not necessary to implement the opt-out request.
- Requests from Authorized Agents. With respect to consumer requests made by authorized agents, the amendments now allow businesses the option of requiring the authorized agent to provide proof that the consumer gave the agent permission to submit the request. Businesses may also require authorized agents to verify their own identity with the business or directly confirm with the consumer that they provided permission to the authorized agent to submit the request.
CPPA Inaugural Board Members Appointed
California Governor Gavin Newsom, in conjunction with other state officials, announced the inaugural board members of the CPPA. The CPPA was established by the CPRA and is the first privacy-specific regulator in the United States. The CPPA will be chaired by Jennifer M. Urban, a Professor and Director of Policy Initiatives for the Samuelson Law, Technology, and Public Policy Clinic at the University of California Berkeley School of Law. The other four members include the Chief Assistant Attorney General of the Public Rights Division in California, a professor from the Santa Clara University Law School, an attorney from the Greenlining Institute, and a Senior Vice President of Government Relations at LA 2028, which is focused on organizing the city's upcoming Olympic Games.
The CPPA will oversee rulemaking for the CPRA, which includes establishing regulations by July 2022. It is also charged with enforcing the CPRA after it becomes effective on January 1, 2023. The emphasis on legal and educational backgrounds of the inaugural board members appears to reflect the desired intent of the CPPA to both educate consumers on their privacy rights and enforce non-compliance through administrative actions. We will continue to monitor the CPPA and any developments regarding the CPRA regulations.
If you have any questions regarding the CCPA amendments, the upcoming CPRA, or other state privacy legislation, please contact the authors, Matthew G. White, CIPP/US, CIPP/E, CIPM, PCIP, or Alexander F. Koskey, CIPP/US, CIPP/E, or any member of Baker Donelson's Data Protection, Privacy, and Cybersecurity Team.