On October 12, 2020, the California Attorney General issued its notice and third set of proposed modifications to the regulations implementing the California Consumer Protection Act (“CCPA”). These proposed modifications would change the regulations that were approved by the California Office of Administrative Law on August 14, 2020. The California Department of Justice is accepting written comments from the public on these proposed revisions to the regulations until October 28, 2020 at 5:00 p.m. PST.
Notable changes in these regulations include:
- A requirement for businesses that collect personal information in the course of interacting with consumers offline to provide notice of the consumer’s right to opt out through an offline method;
- A requirement that the methods for consumers to opt out be easy to execute and involve minimal steps;
- Clarification of how businesses may require authorized agents and consumers to submit proof to verify their data subject requests; and
- A specific requirement that businesses subject to either Rules Regarding Consumers Under 13 Years of Age or Rules Regarding Consumers 13 to 15 Years of Age (or both) must include a description of the processes set forth in those Rules in their privacy policies.
Earlier this year, on August 31, 2020, the California Legislature passed AB 1281 to extend the partial exclusion of employee information and business-to-business (B2B) information from the coverage of the CCPA until the end of 2021, citing primarily the COVID-19 economic disruption in the state. This bill modified the Cal. Civ. Code § 1798.145(h) moratoria on the applicability of covered information related to job applicants, employees, contractors, and agents until the start of 2021. Previously, these exemptions were set to expire January 1, 2020.
Please see Epstein Becker Green’s earlier posts discussing CCPA for more information.
Proposed Amendment to California Consumer Privacy Act (CCPA) Reaffirms Employer Notice Requirement and Employee Private Right of Action for Failure to Implement Cybersecurity Safeguards to Take Effect January 1, 2020