Skip to main content

Kick the CCPA Compliance Program Back Into Gear

2020 “back to school” has a whole new meaning in the age of COVID-19.   Now, it is finally time for companies to take compliance with the California Consumer Privacy Act (“CCPA”) off the back burner and implement policies and procedures and processes.  The California Attorney General’s final regulations are in place and approved (“Final Regulations”), and ready for enforcement.  The Final Regulations include additional revisions, which are important for businesses to consider as they move forward with the CCPA compliance.

These changes appear in the Attorney General’s Addendum to Final Statement of Reasons, which can be found here.  They include corrections, clarifications, and the withdrawal of four provisions “for additional consideration.”  The Attorney General’s office withdrew a total of four provisions from the Final Regulations.  This means that, for the time being, the Attorney General will not enforce these four requirements, but some companies had already made certain changes to implement the “not quite final” regulations.  These will need to be updated to match the Final Regulations.  The Addendum makes it clear, however, that the Attorney General may still resubmit the deleted sections “after further review and possible revision.”  We will continue to monitor the CCPA legal developments and any subsequent revisions to the regulations.     

Deleted Provisions:

  • Section 999.305(a)(5).  This controversial provision arguably exceeded the scope of the CCPA in that it required a business to obtain explicit consent from the consumer before using their personal information for any new business purpose, as opposed to simply requiring a notice.  With it withdrawn, mere notice of a new use should now suffice.  
  • Section 999.306(b)(2).  This provision previously required a business that substantially interacts with consumers offline to provide an offline notice to consumers of their right to opt out.  This notice could be in a form of a signage or paper form, which was said to be difficult for some businesses to implement.  Now companies may rely solely on their website as the basis to provide the notice of the right to opt out to their consumers.  
  • Section 999.315(c).  This provision previously contained a requirement that a business’s method for consumers’ submitting requests to opt out be easy and involve only minimal steps, so as to minimize the burden on the consumers.  It also prohibited a business from using “a method that is designed with the purpose or has the substantial effect of subverting or impairing a consumer’s decision to opt-out.”  With this provision deleted, businesses can now utilize any reasonable and appropriate method for accepting opt-out requests, although they should still strive to make the process simple, if possible.
  • Section 999.326(c).  This provision previously allowed a business to deny a request from a consumer’s authorized agent if the agent did not submit proof that they have been authorized to act on the consumer’s behalf.  The final regulations, however, still require the agent to be registered with the Secretary of State to conduct business in California.  As a practical matter, businesses cannot immediately deny a consumer’s request for insufficient proof of authorization but can still deny it if the request is ultimately unverifiable.

Additional Changes:

Several other changes were made and were dubbed “non-substantial.”  The following of these changes are worth noting, however:

  • Previously, the regulations allowed companies to use the shorthand phrase ““Do Not Sell My Info.”  However, this phrase has now been removed from sections 999.305(b)(3), 999.305(f)(1), 999.306(b)(1) and 999.315(a) of the regulations.  Businesses, therefore, can no longer use this shorter phrase on a hyperlink directing consumers to their privacy choices.  They must now revert to the statute’s original language:  “Do Not Sell My Personal Information.”
  • Previously, the regulations stated in Section 999.308(c)(1)(e) that the privacy policy must describe the sources from which personal information is collected “in a manner that provides consumers a meaningful understanding of the information being collected.”  This provision has now been deleted.  Business must still identify “categories of sources from which the personal information is collected,” however.

The Final Regulations are now final and fully effective, which means that any companies that were previously awaiting additional guidance from the AG’s office now have all the tools and requirements at their disposal.  We expect the Attorney General’s office to turn its full attention to enforcing the CCPA.  It is, therefore, important, to ensure full compliance with the CCPA, especially for those businesses that have not been actively considering how these Final Regulations affect their compliance programs.   

Subscribe To Viewpoints


Cynthia J. Larose

Member / Co-Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.