The California Attorney General has announced that the state’s Office of Administrative Law (OAL) granted its approval of final regulations under the California Consumer Privacy Act (CCPA). They are effective immediately.

The AG stated: “With these rules finalized, California breaks ground and leads the nation to protect and advance data privacy. These rules guide consumers and businesses alike on how to implement the California Consumer Privacy Act. As we face a pandemic of historic proportions, it is particularly critical to be mindful of personal data security.”

Besides some grammar/syntax changes, the Attorney General withdrew the following four requirements/provisions (and noted that they may be re-submitted later):

  • Provide direct notice and obtain explicit consent from an individual when wanting to use a consumer’s personal information for a purpose materially different than previously disclosed (former 999.305(a)(5)). It remains to be seen what this means in practice when we already have (a) a requirement in CCPA itself to disclose all purposes and (b) the FTC requires notice and consent for a material change in rights.
  • Provide an offline method for opt out of sale for businesses that substantially interact with consumers offline. This seems to signal that a notice of opt out on the website is sufficient.
  • Methods for submitting requests to opt out must be easy and require minimal steps. This section meant to address the issue of “dark patterns.”
  • Denying a request from an authorized agent that doesn’t submit proof of authorization. Query what this changes as a business is still allowed to require the verification of authority at the outset (999.326.(a)).

Details in this addendum to the final regulations.

Read the Attorney General’s press announcement.