March 19, 2021
With the California Privacy Rights and Enforcement Act (“CPRA”) almost two years out from its effective date of January 1, 2023, the California Consumer Privacy Act (“CCPA”) remains in effect—but remains a moving target for businesses seeking to comply. On March 15, 2021, the California Office of Administrative Law (“OAL”) approved additional regulations relating to the right to opt out of sale of personal information; these changes are effective immediately. Even as these changes to the CCPA took effect, California has begun preparing for enforcement of the CPRA: on March 17, 2021, California announced the appointment of the inaugural five-member board for the California Privacy Protection Agency (“CPPA”), which is empowered to draft regulations supporting to CPRA, and to enforce the CPRA after it becomes effective.
Highlights of the New CCPA Regulations
Among the notable provisions in the new CCPA regulations are the following:
- New “Do Not Sell My Personal Information” Icon (§ 999.306(f)). This new regulation permits (but does not require) businesses that sell personal information (defined under the CCPA as the disclosure of personal information to a third party “for monetary or other valuable consideration”[1]) to provide consumers with the ability to opt-out of the sale of their personal information by clicking the icon below. The icon, however, cannot replace the requirement to post the notice of the right to opt-out and the “Do Not Sell My Personal Information” link at the bottom of the business’s homepage.[2] Earlier drafts of the CCPA regulations contained examples of similar icons that businesses could use, but they were omitted from the final version of the regulations issued in August 2020.
- Offline Opt-Out Notices Explained (§ 999.306(b)(3)). The new regulations explicitly require offline businesses to inform consumers in an offline context of their right to opt-out and offer an offline method to exercise such right, but the requirements are more flexible than that those that apply to online platforms.[3] The regulations include the following examples for accomplishing this offline notice requirement.
- Notify consumers of their right to opt-out on the paper forms that collect the personal information.[4]
- Post signage in the area where the personal information is collected directing consumers where to find opt-out information online.[5]
- Inform consumers from whom personal information is collected over the phone during the call of their opt-out right.[6]
-
Mechanisms to Submit Opt-Out Requests Clarified (§ 999.306(h)). This new regulation provides that methods to submit opt-out requests should be “easy to execute and shall require minimal steps.”[7] Businesses are explicitly prohibited from using a method “that is designed with the purpose or has the substantial effect of subverting or impairing a consumer’s choice to opt-out.” The regulations include the following examples:
- The opt-out process cannot require more steps than the process to opt-in to the sale of personal information after having previously opted out or use confusing language, including double negatives (i.e., “Don’t Not Sell My Personal Information”).[8]
- Businesses cannot require consumers to scroll through a privacy policy (or similar document) to locate the mechanism for submitting a request after clicking on the “Do Not Sell My Personal Information” link. Businesses also generally cannot require consumers to click through or listen to reasons why they should not opt-out before confirming their request.
- Consumers cannot be required to provide personal information that is not necessary to implement the request (which is in addition to the August 2020 regulations’ prohibition against requiring consumers to provide additional personal information not previously collected by the business).
- Verifying Authorized Agents to Exercise Consumer Requests (§ 999.326(a)). The CCPA creates a mechanism by which an authorized agent may submit personal information-related requests on behalf of a consumer, provided the agent is registered with the Secretary of State to conduct business in California. The March 2021 regulations amended Section 999.326 to provide that businesses may require the authorized agent to provide proof that the consumer gave the agent permission to submit a request to know or delete the personal information about the consumer collected by the business. However, the new regulations do not affect a business’s ability to require consumers to verify their own identity directly with the business or confirm that they provided the authorized agent permission to submit the request.[9]
California Privacy Protection Agency Members Announced
The CPRA established the CPPA, which is “vested with full administrative power, authority, and jurisdiction to implement and enforce [along with the Attorney General]” the CPRA (Section 1798.199.10(a)).[10] The Agency will consist of five members, appointed by the Governor (who appoints the Chair and one other member), the Attorney General, the Senate Rules Committee, and the Speaker of the Assembly (each of whom appoints one member).
This week, Governor Gavin Newsom, Attorney General Xavier Becerra, Senate President pro Tempore Toni Atkins, and Assembly Speaker Anthony Rendon announced their choices for the members of the California Privacy Protection Agency. Their choices span across academia, private practice, and nonprofits. Newsom appointed Jennifer M. Urban, Clinical Professor of Law and Director of Policy Initiatives for the Samuelson Law, Technology, and Public Policy Clinic at the University of California, Berkeley School of Law, as Chair of the state agency. Newsom designated John Christopher Thompson, Senior Vice President of Government Relations at LA 2028. Becerra appointed Angela Sierra, who recently served as Chief Assistant Attorney General of the Public Rights Division. Atkins appointed Lydia de la Torre, professor at Santa Clara University Law School, where she has taught privacy law and co-directed the Santa Clara Law Privacy Certificate Program. Rendon appointed Vinhcent Le, Technology Equity attorney at the Greenlining Institute, focusing on consumer privacy, closing the digital divide, and preventing algorithmic bias.
These members are tasked with—among other things—drafting CPRA regulations by July 2022, and enforcing the CPRA when it takes effect in January 2023.
We will continue to monitor the development of the CCPA, the CPRA, and other notable state privacy laws and regulations.
_______________________
[1] Cal Civ. Code § 1798.140(t)(1).
[3] Cal. Code Regs. Tit. 11, Div. 1, Chap. 20 § 999.306(b)(3).
[4] Cal. Code Regs. Tit. 11, Div. 1, Chap. 20 § 999.306(b)(3)(a).
[6] Cal. Code Regs. Tit. 11, Div. 1, Chap. 20 § 999.306(b)(3)(b).
[7] Cal. Code Regs. Tit. 11, Div. 1, Chap. 20 § 999.306(h).
[8] Cal. Code Regs. Tit. 11, Div. 1, Chap. 20 § 999.306(h)(a).
[9] Cal. Code Regs. Tit. 11, Div. 1, Chap. 20 § 999.326(a)(1)-(2).
[10] For more information on the CPPA, please refer to our previous alert: https://www.gibsondunn.com/potential-impact-of-the-upcoming-voter-initiative-the-california-privacy-rights-act/.
This alert was prepared by Alexander Southwell, Ashlie Beringer, Ryan Bergsieker, Cassandra Gaedt-Sheckter, Jeremy Smith, and Lisa Zivkovic
Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any of the following members of the firm’s Privacy, Cybersecurity and Data Innovation practice group:
United States
Alexander H. Southwell – Co-Chair, PCDI Practice, New York (+1 212-351-3981, [email protected])
S. Ashlie Beringer – Co-Chair, PCDI Practice, Palo Alto (+1 650-849-5327, [email protected])
Debra Wong Yang – Los Angeles (+1 213-229-7472, [email protected])
Matthew Benjamin – New York (+1 212-351-4079, [email protected])
Ryan T. Bergsieker – Denver (+1 303-298-5774, [email protected])
Howard S. Hogan – Washington, D.C. (+1 202-887-3640, [email protected])
Joshua A. Jessen – Orange County/Palo Alto (+1 949-451-4114/+1 650-849-5375, [email protected])
Kristin A. Linsley – San Francisco (+1 415-393-8395, [email protected])
H. Mark Lyon – Palo Alto (+1 650-849-5307, [email protected])
Karl G. Nelson – Dallas (+1 214-698-3203, [email protected])
Ashley Rogers – Dallas (+1 214-698-3316, [email protected])
Deborah L. Stein – Los Angeles (+1 213-229-7164, [email protected])
Eric D. Vandevelde – Los Angeles (+1 213-229-7186, [email protected])
Benjamin B. Wagner – Palo Alto (+1 650-849-5395, [email protected])
Michael Li-Ming Wong – San Francisco/Palo Alto (+1 415-393-8333/+1 650-849-5393, [email protected])
Cassandra L. Gaedt-Sheckter – Palo Alto (+1 650-849-5203, [email protected])
Europe
Ahmed Baladi – Co-Chair, PCDI Practice, Paris (+33 (0)1 56 43 13 00, [email protected])
James A. Cox – London (+44 (0) 20 7071 4250, [email protected])
Patrick Doris – London (+44 (0) 20 7071 4276, [email protected])
Kai Gesing – Munich (+49 89 189 33-180, [email protected])
Bernard Grinspan – Paris (+33 (0)1 56 43 13 00, [email protected])
Penny Madden – London (+44 (0) 20 7071 4226, [email protected])
Michael Walther – Munich (+49 89 189 33-180, [email protected])
Alejandro Guerrero – Brussels (+32 2 554 7218, [email protected])
Vera Lukic – Paris (+33 (0)1 56 43 13 00, [email protected])
Sarah Wazen – London (+44 (0) 20 7071 4203, [email protected])
Asia
Kelly Austin – Hong Kong (+852 2214 3788, [email protected])
Connell O’Neill – Hong Kong (+852 2214 3812, [email protected])
Jai S. Pathak – Singapore (+65 6507 3683, [email protected])
© 2021 Gibson, Dunn & Crutcher LLP
Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.