California Consumer Protection Act: Regulatory Changes

by John DiGiacomo

Partner

Internet Law

The California Attorney General released another set of proposed amendments to the regulations for the California Consumer Privacy Act (“CCPA”). See information page here. These amendments are expected to go into effect in early 2021. These new regulations will take effect and apply to the CCPA as currently enacted and will also apply to Proposition 24 when it becomes effective on January 1, 2023. Proposition 24 was a ballot initiative approved by California voters on November 3, 2020. Proposition 24 substantially amends the CCPA, expands consumer privacy rights and, generally, makes requirements for businesses more stringent.

The focus of these particular amendments is the mechanics of how consumers are to exercise their right to “opt out” of having their personal information sold, shared or transferred to a business that did not collect the information. As a reminder, the CCPA requires businesses that collect personal information to provide consumers notice of what information is collected, what business purpose(s) the information is collected and will be used for and notice of to whom the information will be sold, shared or transferred. Further, the CCPA requires that most businesses obtain explicit consent for collecting and selling personal information and, as noted, businesses must provide an opportunity for consumers to “opt out.”

The “opt out” issue has been difficult for the competing business and advocacy interests to reconcile. Essentially, businesses do not like the “opt out” provision for several reasons. First, it is administratively cumbersome requiring businesses to segregate and separate their databases before sale or transfer or sharing. Second, having consumers opt out reduces the quantity of the data making it less valuable to buyers and/or business partners. Finally, the quality of the data may suffer if certain types of consumers turn out to be more likely than other types to opt out. As an analogy, consider targeted demographics for television ratings. Generally, advertisers “chase” younger viewers. Any technology that allows younger viewers to avoid the advertising reduces the value of the television audience. In a similar manner, if valued demographics like college-educated internet users tend to opt out of having their information collected more than other less-desired demographics, then the value of the whole data set degrades.

To avoid this, businesses were beginning to implement strategies to make it more difficult to opt out. The new set of proposed regulations issued for the CCPA is aimed at preventing that. Previous versions of the regulations also attempted to rectify the problem, but earlier versions of the regulations were withdrawn. Now the Attorney General is focusing on preventing businesses from interfering with the opt out provisions.

In summary, the amendments require the following:

  • The opt out option must be “easy” — this means that the opt out option must be prominent, easy to locate on a website, must NOT have more steps than necessary for execution and must NOT require consumers to provide more information than necessary to execute
  • Offline businesses that interact with consumers must provide the same sort of notice required for online businesses and must obtain the same types of consents — again, the opt out option must be “easy”
  • Makes all notice and consent requirements (including opt out information) applicable to online businesses chiefly dealing with children under the age of 15

For more information, contact the data privacy lawyers at Revision Legal at 231-714-0100.

Proposition 24 and the CPRA: What Changed After 2020

Proposition 24, approved by California voters in November 2020, enacted the California Privacy Rights Act (CPRA), which significantly expanded the CCPA. The CPRA took effect January 1, 2023. Key changes include: the creation of a new state privacy agency (the California Privacy Protection Agency, or CPPA) to enforce the law; expanded rights for consumers including the right to correct inaccurate personal information; a new category of “sensitive personal information” subject to heightened protections; and new restrictions on the use of automated decision-making technology. Under the CPRA, “sensitive personal information” includes Social Security numbers, precise geolocation data, racial or ethnic origin, religious beliefs, genetic data, biometric data for identification purposes, health information, and sexual orientation. Businesses that use sensitive personal information for any purpose beyond providing the requested service must provide a specific disclosure and opt-out mechanism.

The Do Not Sell or Share Link: Legal Requirements

The CPRA replaced the CCPA’s “Do Not Sell My Personal Information” link requirement with a broader obligation to provide a “Do Not Sell or Share My Personal Information” link, reflecting the CPRA’s addition of “sharing” personal information for cross-context behavioral advertising as a separately regulated activity. The Global Privacy Control (GPC) signal—a browser-level mechanism that communicates a consumer’s opt-out preference—must be honored by covered businesses as a valid opt-out request under California law. This means that a consumer who has enabled GPC in their browser is automatically opted out across every subject website they visit, without having to click an opt-out link on each individual site. Businesses must implement technical infrastructure to detect and honor GPC signals.

Employee and B2B Data: Full CCPA Coverage Since 2023

The original CCPA had temporary exemptions for personal information collected in employment and business-to-business contexts. Those exemptions expired on January 1, 2023. Personal information collected from California employees, job applicants, contractors, and owners is now fully subject to the CCPA/CPRA, including the obligations to provide privacy notices, respond to consumer rights requests, and maintain reasonable security measures. Businesses with California employees must update their employment privacy notices and establish internal processes for responding to employee data access, deletion, and correction requests.

Enforcement: CPPA Authority and Private Right of Action

The California Privacy Protection Agency has authority to impose administrative fines of up to $2,500 per unintentional violation and up to $7,500 per intentional violation or violation involving the personal information of a child under age 16. These fines are per-violation and can compound rapidly in a single enforcement action. Additionally, the CCPA/CPRA provides a private right of action for consumers whose non-encrypted or non-redacted personal information is exposed as a result of a business’s failure to implement reasonable security procedures. Statutory damages range from $100 to $750 per consumer per incident, or actual damages, whichever is greater.

Contact a Privacy Law Attorney

CCPA/CPRA compliance is an ongoing obligation, not a one-time project. The regulations are actively evolving, and the CPPA is expected to issue additional rulemaking on automated decision-making, cybersecurity audits, and risk assessments. The privacy attorneys at Revision Legal assist businesses in building compliant data practices and responding to regulatory inquiries. Contact us at 231-714-0100.
