A Guide to Recent CCPA Updates

Since the California Consumer Privacy Act (CCPA) was established, California’s privacy legislation has seen its fair share of evolutions, from the CCPA’s initial amendments to the creation of a completely new supplemental law (the California Privacy Rights Act).

Now, the California Attorney General has released additional CCPA regulations, with updates to four sections of the original law. Here’s what you need to know in order to comply:

More Guidance About Opt-Out Requests

One of the pillars of CCPA is the right to opt out of the sale of personal data. Initially, this right was to be primarily accessed online through a clear and conspicuous “Do Not Sell My Personal Information” link on organizations’ websites. This requirement still stands, but the new regulations provide an additional opt-out icon that businesses can use.

There is also more guidance around the ways businesses can tell consumers about their right to opt out of having their data sold, including signs in brick-and-mortar stores and oral scripts for over-the-phone data collection. In order to comply, organizations should coordinate with their call/support teams on updated scripting and training, and work with their brand teams to create signage that meets regulations.

There are more explicit regulations surrounding the clarity of these opt-out notices: they are not allowed to be designed with the intention of “subverting or impairing a consumer’s choice to opt-out.” This essentially bans “dark patterns” (design choices intended to trick consumers into forgoing their rights or giving away their data), such as double negatives (“Don’t Not Sell My Personal Data”) or burying the opt-out mechanism deep in a privacy policy. Likewise, organizations can’t force a subject to read through a list of reasons why they shouldn’t opt out before confirming their request.

Requiring Proof from Authorized Agents

Under CCPA, certain privacy rights requests could be processed by a third party, if the subject authorized them to make the request. As a result, many data subject request companies have started processing mass requests on customers’ behalf, presenting a headache for companies aiming to comply with CCPA’s data rights and verification requirements.

Now, organizations may require an authorized agent submitting a request to know or delete on behalf of a consumer to provide proof that the consumer authorized the request. Usually, this will involve a written statement or a signed contract.

Previously, the section said that businesses could require customers to provide proof that the authorized agent’s request was permissible. The language has changed now, putting the onus on the agent to provide proof.

This is in line with the existing verification requirements, which allow businesses to require consumers to directly verify their identity or to confirm that they authorized the agent to act on their behalf. This means that any mass requests from privacy advocates don’t need to be executed without identity verification, but it also means that consumers don’t necessarily need to be directly involved in the verification process.
