Potential modifications to the US CCPA would change “Do Not Sell My Personal Information” requests, & how companies provide notice when they collect information offline.
Regulations around the California Consumer Privacy Act have only been in effect for 2 months -The regulations were approved by the state’s Attorney General Xavier Becerra on Aug. 14 – but modifications to the law are already in preparation.
The California Department of Justice released the 3rd set of proposed modifications (.PDF) to the law this week; they’re open for comment until Oct. 28.
Changes are based on comments the California Department of Justice received in Feb. & March.
While the CCPA, one of the US’s landmark data privacy laws, went into effect on Jan. 1, 2020, enforcement did not begin until this Summer, on July 1. Regulations around the law were not approved by the California Office of Administrative Law (OAL) until 2 weeks later, on Aug. 14.
Do Not Sell
Among the proposed modifications is a requirement about whether consumers should be notified about their ability to exercise their “Do Not Sell” rights when data is collected offline.
“A business that collects personal information in the course of interacting with consumers offline shall also provide notice by an offline method that facilitates consumers’ awareness of their right to opt-out,” the proposed modification says.
2 examples of how to carry this out include printing out a notice on paper forms that collect personal information or by posting a notice, on a sign, where personal information is collected, guiding consumers to a site online for example.
Businesses that collect data over the phone could provide a notice orally during a call, the modification suggests.
Another potential change to the regulations would soften the opt-out request process; specifically, it would clarify how a business can submit requests to opt out for consumers.
Says the proposed modification, these requests should be “easy for consumers to execute & shall require minimal steps to allow the consumer to opt-out.”
Potential modifications suggest companies shouldn’t use confusing language, not use double-negatives, read through a long list of legalese, or surrender personal information – essentially, consumers shouldn’t be required to ‘jump through hoops’ to submit a request to opt out.
While those would be the biggest changes, 2 other changes including a tweak to how agent requests are handled, & how companies who sell children’s information were also proposed:
- Authorised Agent Requests: Proposed section 999.326(a) clarifies that businesses may require an authorised agent to provide proof & may require a consumer to verify their request.
- Children’s Information: Proposed section 999.332(a) includes a grammatical change, which clarifies that businesses subject to section 999.330 and/or 999.331 must include a description of the processes set forth in those sections in their privacy policies.
Governor Gavin Newsom
These proposed modifications come a few days after the state’s Governor Gavin Newsom signed off on 2 amendments to the CCPA.
The 1st, AB 1281, extended the 1 year exemption for employee information & business to business information for another year, until Jan. 1, 2022.
The 2nd, AB 713, provides an exemption from the CCPA to medical information that’s governed by the state’s California Confidentiality of Medical Information Act (CMIA), or to protected health information collected via a covered entity or business associate governed by the Health Insurance Portability & Accountability Act (HIPAA) & the Federal Health Information Technology for Economic & Clinical Health Act (HITECH).