New Round of CCPA Regulations Released For Comment

New CCPA regulations seem tailored to address problems turned up by Consumer Reports on how difficult it can be to block businesses  from using a person’s personal information.

The California Attorney General’s Office (OAG) has released yet another revision of the regulations necessary to implement the “California Consumer Privacy Act” (CCPA) (AB 375) and comments are due by 28 October. Of course, if Proposition 24 passes next month, the “California Privacy Rights Act” will largely replace the CCPA, requiring the drafting of even more regulations. Nonetheless, what everyone thought was the final set of CCPA regulations took effect on 14 August, but in the notice from the Office of Administrative Law was notice that the AG had withdrawn four portions of the proposed regulations. In the new draft regulations, the AG explained:

The new Section 999.306, pertaining to a business’s obligations to notify people of their right to opt out of the sale of their personal information, is expanded to encompass offline data collection. Specifically, it would require any non-online businesses that are collecting information to provide notification that people may opt out of any selling of their information. Of course, under the CCPA, people may not merely opt out of having their information collected. The privacy-minded must, instead, request that their personal information be deleted. And, it also bears note that the CCPA defines sell to include virtually any transmission of personal information:

“Sell,” “selling,” “sale,” or “sold,” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.

And so, people may exercise their right to stop businesses from selling or sharing their personal information even though the business itself could still collect and use it. In any event, if a recent report is accurate and foretells the future, this may become a meaningless right. Consumer Reports released a study it did on specifically on the this right. For those people (like me) who expected a significant number of businesses to make it hard for people to exercise their rights, this study confirms this suspicion. Consumer Reports noted more than 40% of data brokers had hard to find links or extra, complicated steps for people to tell them not to sell their personal information.

Interestingly, the next revised Section of CCPA regulations is designed to address the findings of the Consumer Reports findings, suggesting the OAG was well aware of this problem. Section 999.326 requires:

A business’s methods for submitting requests to opt-out shall be easy for consumers to execute and shall require minimal steps to allow the consumer to opt-out.  A business shall not use a method that is designed with the purpose or has the substantial effect of subverting or impairing a consumer’s choice to opt-out.

The OAG provided a number of illustrative examples of how businesses should effectuate this requirement, most of which are plainly aiming at tricks and tactics to fool or frustrate people.

The revised Section 999.326 provides more detail on how businesses may respond to a person’s use of an authorized agent in submitting requests to know or delete. A business may demand proof of representation. I suspect the use of a service or product to communicate a person’s privacy preferences with businesses may fall into the category of authorized agents. It seems quite likely that some businesses will always require such verification as a means of adding friction to the process. But still, I’m guessing the OAG may have had concerns about unauthorized agents trying to access people’s personal information.

Finally, revised Section 999.332 makes clear that any businesses collecting the personal information of children under the age of 13 or teenagers between the ages of 13 and 15 must include in its privacy policies the provisions of the regulations effectuating the heightened privacy rights afforded these two groups under the CCPA.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by My pictures are CC0. When doing composings: from Pixabay