By Rotem Perlman-Farhi and Sharon Gidalevich
October 29, 2020
Latest Changes in California Privacy Legislation
The state of California continues to be very active when it comes to privacy legislation and regulation. If your consumers are based in California, you should be aware of the California privacy legislation’s rapid changes. “
We are currently witnessing changes in three substantial aspects:
- On September 29, 2020, the California legislator has enacted AB No. 1281 and extended exemptions from certain provisions of the California Consumer Privacy Act (“CCPA”), including related to employees and companies’ personnel. Shortly before that, AB No. 713, which aims to harmonize the CCPA with the healthcare field federal legislation, was also enacted.
- On November 3, 2020, the California Privacy Rights Act (“CPRA”), which is an enhanced version of the CCPA, will go through a ballot. If approved, the CPRA will substitute the CCPA.
- On October 12, 2020, the California Attorney General (AG) has published a third set of proposed modifications to the AG Regulations, following the latest amendments to these Regulations which entered into effect on August 14, 2020.
The Proposed Changes to the AG Regulations
The CCPA has entered into effect on January 1, 2020. The purpose of the AG Regulations is to provide guidance to businesses on how to comply with the CCPA and to enhance consumers’ ability to exercise their rights over their personal information.
Although the proposed amendments to the AG Regulations were subject to the public comments, you should still get acquainted with them because you may be required to adjust your operations accordingly.
The scope of the previous set of modifications to the AG Regulations was broad and covered disclosure obligations, accessibility standards of privacy notices, use of personal information by service providers, procedural requirements to process access and deletion requests and record keeping obligations.
The current set is narrower in scope, and relates to an offline notice of the right to opt out, consumer-friendly methods for submitting requests to opt-out and authorized agent’s permission to act on behalf of the consumer.
Please note – our description below is not exhaustive and should not be read as a substitute to the full formal version of the modifications, which are available here.
Offline Notices of the Right to Opt-out of Sale of Personal Information
Every business should use notices for informing consumers of their right to require the business to cease the sale of their personal information. The proposed modifications clarify that a business that collects personal information of a consumer offline, will be required to provide to the consumer an offline notice of its right to opt-out. For example, by including such notice in a hard-copy registration form, or by providing a notice verbally through a phone call.
Consumer-friendly Methods for Submitting Requests to Opt-out
According to the CCPA, a business is required to provide two or more designated methods for submitting requests to opt-out. The proposed modifications to the AG regulations wish to clarify that submitting requests to opt-out should be easy for consumers to execute, and should require minimal steps to allow the consumer to opt-out.
If the proposed modifications are approved, among other things, businesses will not be allowed to require more steps than they require for a consumer to opt-in to the sale of personal information. Businesses will also be barred from using confusing language, such as double negatives.
Under the proposed modifications, a business may request from an authorized agent a proof that the consumer gave the agent a signed permission to submit a request to know or a request to delete, rather than obtaining such proof directly from the consumer.
Businesses that need to comply with the CCPA, will be required to conduct additional implementation work to adapt their procedures and policies to the forthcoming modified AG Regulations.