New CCPA Regulations Issued by California Attorney General
On March 15, 2021, new regulations published under the California Consumer Privacy Act (CCPA) further define how businesses may communicate privacy options on the internet.
The new regulations ban “dark patterns” that delay the process for opting out of the sale of personal information and specifically prohibit companies from using confusing language or forcing consumers to click through multiple screens that list reasons why they should not opt-out.
In addition, the regulations formalize businesses’ ability to use an optional Privacy Options blue icon to communicate privacy choices to consumers:
The opt-out icon may be used in addition to posting the notice of right to opt-out, but not in lieu of any requirement to post the notice of right to opt-out or a “Do Not Sell My Personal Information” link.
The California Privacy Rights Act (CPRA), passed in November 2020, will transition some of the Attorney General’s responsibilities under the CCPA to the California Privacy Protection Agency, however the Attorney General will retain the authority to go to court to enforce the CPPA. Enforcement of CPRA will begin in 2023. Since July 1, 2020, the Attorney General’s office has sent out “Notices to Cure” to thousands of companies doing business in California that it asserted were not in compliance with the CCPA. Should your business receive a “Notice to Cure”, take it seriously and remember that it provides a 30-day window to cure the issue. Be sure to check with your counsel to determine whether you need to update any of your CCPA privacy notices due to the new regulations or should you receive a “Notice to Cure”.