On March 15, California Attorney General (AG) Xavier Becerra announced additional regulations relating to the “sale” of consumers’ personal information as defined under the California Consumer Privacy Act (CCPA). Namely, these new regulations:
- Address how businesses that sell personal information collected offline must inform consumers of their opt-out rights in an offline setting. Cal. Code Regs. tit. 11, ยง 999.306(b)(3).
- Create an opt-out icon that businesses may use in addition to existing requirements for giving notice of consumers’ opt-out rights. Cal. Code Regs. tit. 11, ยง 999.306(f).
- Restrict how businesses can present opt-out methods, so as not to subvert or impair a consumer’s choice to opt out. For example:
- Businesses may not require more steps to opt out than the amount of steps needed to re-opt-in to the sale of personal information;
- Businesses should not use confusing language, such as double negatives, when referencing consumers’ opt-out rights;
- Businesses should generally not present consumers with reasons why they should not opt out while processing an opt-out request;
- Businesses should not require that consumers provide personal information while opting out except as necessary to implement the opt-out request; and
- The online opt-out mechanism should not require consumers to search or scroll through a privacy policy or similar document in order to learn how to submit an opt-out request. Cal. Code Regs. tit. 11, ยง 999.315(h).
- Amend what a business may require from an authorized agent that submits a request on behalf of a consumer and what the business may require from the consumers to verify requests made by agents. Cal. Code Regs. tit. 11, ยง 999.326(a).
- Clarify that businesses who sell the personal information of consumers younger than 13 years old or between 13 and 16 years old must describe opt-in requirements in the businesses’ online privacy policy (the former regulation used “and” instead of “or”). Cal. Code Regs. tit. 11, ยง 999.332(a).
A few days later, on March 17. California Governor Gavin Newsom, AG Becerra and others announced the five-member inaugural board for the California Privacy Protection Agency (CPPA), the new administrative agency charged with protecting the fundamental privacy rights of consumers over their personal information. The Announcement and link to the members’ bios is available here.
If you have any questions about these new regulations or the CCPA in general, please contact Jenn Coughlin (; 267.930.4774), Jim Monagle (; 267.930.1529), Melissa J. Sachs (; 267.930.4747) or another Mullen Coughlin representative.