Holiday Gift from California AG: FOURTH Set of Proposed “Modifications” to CCPA Regs Already in Effect

As businesses continue to work on compliance with the California Consumer Privacy Act (CCPA) and the multiple versions of regulations issued by the Attorney General’s Office, Attorney General Becerra has issued yet another set of proposed modifications to the regulations implementing the CCPA. This fourth set of proposed modifications comes on the heels of (and builds on) the third draft set of modifications issued in October. That October revision had not been finalized after comments had been received.

This new set of modifications deals with more revisions to the regulations relating to the notice of the right to opt-out of a business’ “sale” of their personal information, specifically reinstating the requirement for a “button” on a website calling attention to the link to “Do Not Sell My Personal Information.” In new Section 999.306(f), the proposed regulations once again publish an icon for the “opt-out button,” to be used “in addition to posting the notice of right to opt-out, but not in lieu of any requirement to post the notice of right to opt-out or a “Do Not Sell My Personal Information” link” as required in the CCPA and the regulations. (Proposed Regulations Section 999.306(f)(1))

[Image: Opt In/Out Button]

But wait – there’s more. If you are a business that provides California residents with the “Do Not Sell” link on your website, you have a new button as well:

[Image: Do Not Sell My Personal Information Opt In/Out Button]

The proposed regulations require that where a business posts the DNS link, “the opt-out button shall be added to the left of the text … The opt-out button shall link to the same Internet webpage or online location to which the consumer is directed after clicking on the “Do Not Sell My Personal Information” link.” (Proposed Regulations Section 999.306(f)(2))

According to the AG’s website, the fourth set of modified draft regulations is subject to another public comment period. The deadline to submit written comments is December 28, 2020 at 5:00 p.m. (PST).

Happy holidays!

Cynthia J. Larose

Member / Co-Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.