California again modifies CCPA regs; appoints privacy agency’s board
On March 15, the California attorney general announced approval of additional regulations implementing the California Consumer Privacy Act (CCPA). The CCPA—enacted in June 2018 (covered by a Buckley Special Alert) and amended several times—became effective January 1, 2020. According to the announcement, the newly-approved amendments strengthen the language of CCPA regulations approved by OAL last August (covered by InfoBytes here). Specifically, the new amendments:
- Require businesses selling personal information collected in the course of interacting with consumers offline to provide consumers about their right to opt out via offline communications. Consumers must also be provided instructions on how to submit opt-out requests.
- Provide an opt-out icon for businesses to use in addition to posting a notice of right to opt-out. The amendments note that the opt-out icon may not be used in lieu of requirements to post opt-out notices or “do not sell my personal information” links.
The AG’s press release also notes that the California Privacy Rights Act (CPRA), which was approved by voters last November and sought to amend the CCPA, will transfer some of the AG’s responsibilities to the California Privacy Protection Agency (CPPA), covered by InfoBytes here; however, the AG will retain the authority to go to court to enforce the law. Enforcement of the CPRA will begin in 2023.
Additionally, on March 17, the California governor announced appointments to the five-member inaugural board for the CPPA, consisting of experts in privacy, technology, and consumer rights. The CPPA is tasked with protecting the privacy rights of consumers over their personal information, and “will have full administrative power, authority, and jurisdiction to implement and enforce” the CCPA and the CPRA, including bringing enforcement actions before an administrative law judge.