Skip to main content

CCPA: When “Final” Doesn’t Mean What You Think It Means (with apologies to The Princess Bride)

Earlier this week, the California Department of Justice unexpectedly released a third set of proposed modifications to the CCPA regulations. This move took place only two months after the California Attorney General’s Office “finalized” the long-awaited CCPA regulations. The latest changes relate to offline notices, “Do Not Sell My Personal Information” opt-out requests, authorized agent requests, and children’s information, as discussed below.

As a reminder, the Department initially published its proposed regulations almost exactly a year ago, on October 12, 2019. It then devoted a large part of 2020 to collecting public comments, carefully considering them, and releasing several sets of modifications to its proposed regulations in February and March of 2020.

The Office of Administrative Law (OAL) then approved the modified regulations, and the regulations became final on August 14, 2020, as discussed in our August blog post. And, as we reported in greater detail last month, those Final Regulations included key deleted and new additional provisions, which had an immediate impact on businesses and their CCPA compliance obligations for the duration of 2020 and beyond.

Here are the latest key changes the AG’s office is now considering:

  1. Offline Collection Notice:  Proposed section 999.306(b)(3) now offers examples of how businesses that collect personal information while interacting with their consumers offline can provide the notice of their right to opt-out of the sale of personal information through an offline method. 
  2. Opt-Out Requests:  Proposed section 999.315(h) now offers examples and further guidance on how a business’s methods for consumers submitting requests to opt-out should require only minimal steps. It also instructs businesses not to use confusing language, such as double negatives; not to collect more PI than necessary; and not to require consumers to click through or listen to reasons why they should not opt out (with some exceptions).
  3. Authorized Agent Requests:  Proposed section 999.326(a) clarifies that businesses may require an authorized agent to provide proof and may require a consumer to verify their request.
  4. Children’s Information:  Proposed section 999.332(a) includes a grammatical change, which clarifies that businesses subject to section 999.330 and/or 999.331 must include a description of the processes set forth in those sections in their privacy policies.

The AG’s deadline to submit written comments is October 28, 2020. A full text of the proposed changes can be found here. Businesses should carefully consider the latest set of modifications in deciding whether to comment and how these latest proposed changes impact their CCPA obligations moving forward. Meanwhile, we will continue to monitor and share with our readers any additional changes to the regulations and other CCPA-related developments.

Subscribe To Viewpoints


Cynthia J. Larose

Member / Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.