California Approves Final California Consumer Privacy Act Regulations

Aug 19, 2020

Reading Time : 3 min

By: Natasha G. Kohne, Rebecca Kocsis (Legal Project Analyst)

The regulations accepted by the OAL contained revisions from the OAG, which are summarized in an addendum to the final statement of reasons (“Addendum”). The Addendum is available here.

Summary of Changes

The OAG classifies many of the changes to the regulations as non-substantive and meant to improve accuracy, consistency and clarity. For example, the word “minor” was changed to “consumer” in order to align the regulations with the statute. However, the provisions the OAG withdrew or modified reflect the key substantive changes.

The OAG withdrew certain provisions for additional consideration. As specified in the Addendum, the following provisions were withdrawn:

  • 999.305(a)(5): A business shall not use a consumer’s personal information for a purpose materially different than those disclosed in the notice at collection. If the business seeks to use a consumer’s previously collected personal information for a purpose materially different than what was previously disclosed to the consumer in the notice at collection, the business shall directly notify the consumer of this new use and obtain explicit consent from the consumer to use it for this new purpose.
  • 999.306(b)(2): A business that substantially interacts with consumers offline shall also provide notice to the consumer by an offline method that facilitates consumer awareness of their right to opt-out. Such methods include, but are not limited to, printing the notice on paper forms that collect personal information, providing the consumer with a paper version of the notice and posting signage directing consumers to where the notice can be found online.
  • 999.315(c): A business’s methods for submitting requests to opt-out shall be easy for consumers to execute and shall require minimal steps to allow the consumer to opt-out. A business shall not utilize a method that is designed with the purpose or has the substantial effect of subverting or impairing a consumer’s decision to opt-out.
  • 999.326(c): A business may deny a request from an authorized agent that does not submit proof that they have been authorized by the consumer to act on their behalf.

Other notable changes include:

  • Deletion of “Do Not Sell My Info” Option for Opt-Out Link. The regulations removed the option to use “Do Not Sell My Info” rather than the longer form “Do Not Sell My Personal Information” for a business’s opt-out link, which was present in several provisions. The Addendum notes that this was done “to align with the express language of the statute.”
  • Businesses Can Require Signed Permission for Authorized Agents for Consumer Opt-Outs. The OAG revised § 999.315(f) (previously §999.315(g)), which addresses the ability of a consumer to use an authorized agent to submit a request to opt-out, to specify that a business may deny a request from an authorized agent “if the agent cannot provide to the business the consumer’s signed permission demonstrating” that they have been authorized to act on the consumer’s behalf. Previously, the regulations included the broad statement that businesses can require that an authorized agent submit proof that they could act on the consumer’s behalf. The Addendum noted that this was changed for “clarity and to be consistent with other parts of the regulation.”

Looking Ahead

Now that the regulations are in effect, businesses should immediately review their outward facing privacy policies, opt-out links (where relevant) and internal procedures to ensure that they comply with the regulations requirements. As we noted in our analysis of the final draft regulations in a June 29 Bloomberg Law article, titled “Decoding CCPA’s Final Regulations Before Act Takes Effect,” the regulations provide additional detail on key CCPA obligations including proper notices, service provider provisions and how to comply with consumer requests.

The CCPA is one of the most comprehensive and far-reaching privacy laws in the United States, offering California consumers control over their personal information and strong privacy protections for consumers. Since the CCPA was signed into law on June 28, 2018, it has gone through two rounds of amendments before going into effect on January 1, 2020. The AGO’s office has been consistent in its commitment to enforce the CCPA. The regulations have taken effect on the heels of the July 1, 2020 effective date for the AG’s enforcement power. Although the regulations have just become effective, California residents have taken full advantage of the private right to action, which we discussed in Law360 in “Lessons From 6 Months Of Calif. Privacy Law Litigation.”

We will continue to monitor developments with the AG’s enforcement of the CCPA, as well as class action cases that cite the CCPA. If you have any questions about your company’s obligations, and compliance and risk mitigation efforts, please contact a member of the Akin Gump Cybersecurity, Privacy and Data Protection team.

Share This Insight

Previous Entries

Data Dive

September 17, 2024

Following the publication of the European Union’s Artificial Intelligence Act (AI Act or Act) on 12 July 2024, there are now a series of steps that various EU bodies need to take towards implementation. One of the first key steps is in relation to the establishment of codes of practice to “contribute to the proper application” of the AI Act.

...

Read More

Data Dive

August 6, 2024

On July 30, 2024, the Senate passed the Kids Online Safety and Privacy Act (S. 2073) via an overwhelmingly bipartisan vote of 91-3 shortly before departing for the August recess.

...

Read More

Data Dive

July 18, 2024

On 12 July 2024, the European Union Artificial Intelligence Act (AI Act or Act) was published in the Official Journal of the European Union (EU), marking the final step in the AI Act’s legislative journey. Its publication triggers the timeline for the entry into force of the myriad obligations under the AI Act, along with the deadlines we set out below. The requirement to ensure a sufficient level of AI literacy of staff dealing with the operation and use of AI systems will, for example, apply to all providers and deployers on 2 February 2025.

...

Read More

Data Dive

July 18, 2024

On June 18, 2024, the United States Securities and Exchange Commission (SEC) announced a settlement with R.R. Donnelley & Sons Company (RRD) for alleged internal control and disclosure failures following a ransomware attack in 2021. Without admitting or denying the SEC’s findings, the business communications and marketing services provider agreed to pay a civil penalty of over $2.1 million to settle charges alleging violations of Section 13(b)(2)(B) of the Securities Exchange Act of 1934 (Exchange Act) and Exchange Act Rule 13a-15(a).1

...

Read More

Data Dive

June 11, 2024

In May, the National Institute of Standards and Technology (NIST) issued updated recommendations for security controls for controlled unclassified information (CUI) that is processed, stored or transmitted by nonfederal organizations using nonfederal systems, (NIST Special Publication 800-171 (SP 800-171), Revision 3). These security requirements are “intended for use by federal agencies in contractual vehicles or other agreements that are established between those agencies and nonfederal organizations.”1 While these new controls are only applicable to nonfederal entities that agree to comply with the new issuance, Revision 3 signals the next phase of expected security for government contractors.

...

Read More

Data Dive

May 31, 2024

On May 21, 2024, the European Union finalized the adoption of the groundbreaking EU Artificial Intelligence Act, a comprehensive and sector-agnostic legislation that extends globally. This 420-page Act aims to regulate the deployment and development of AI systems, categorizing them into high-risk and low-risk, and even banning certain types of AI. The Act emphasizes trust, transparency, and accountability in AI usage, promoting the safe integration of AI technologies. This legislation sets a potential global benchmark for AI regulation, although its complexity may pose interpretative and implementation challenges for stakeholders. We set out the key provisions below.

...

Read More

Data Dive

May 30, 2024

On May 17, 2024, Colorado Governor Jared Polis signed into law S.B. 205, a pioneering piece of legislation aimed at regulating high-risk AI systems. This new law, set to take effect on February 1, 2026, introduces stringent requirements for AI developers and deployers, focusing on risk management and the prevention of algorithmic discrimination. This legislation marks a significant step in state-level AI regulation, potentially setting a precedent similar to the impact of GDPR on privacy laws.

...

Read More

Data Dive

May 30, 2024

On April 4, 2024, Kentucky became the fifteenth state to enact a comprehensive data privacy law, with Governor Andy Beshear signing the Kentucky Consumer Data Protection Act (KCDPA) into law. The Kentucky law will go into effect on January 1, 2026. This makes Kentucky the third state in 2024 to enact such a law, following New Jersey and New Hampshire.

...

Read More

© 2024 Akin Gump Strauss Hauer & Feld LLP. All rights reserved. Attorney advertising. This document is distributed for informational use only; it does not constitute legal advice and should not be used as such. Prior results do not guarantee a similar outcome. Akin is the practicing name of Akin Gump LLP, a New York limited liability partnership authorized and regulated by the Solicitors Regulation Authority under number 267321. A list of the partners is available for inspection at Eighth Floor, Ten Bishops Square, London E1 6EG. For more information about Akin Gump LLP, Akin Gump Strauss Hauer & Feld LLP and other associated entities under which the Akin Gump network operates worldwide, please see our Legal Notices page.