The Industry’s Only SaaS-Delivered Enterprise DLP

Our unique approach to DLP allows for quick deployment and on-demand scalability, while providing full data visibility and no-compromise protection.

No-Compromise Data Protection is:

  • Cloud-Delivered
  • Cross Platform
  • Flexible Controls
DATAINSIDER

Digital Guardian's Blog

Proposed Modifications to the CCPA Issued

by Chris Brook on Thursday October 15, 2020

Contact Us
Free Demo
Chat

Potential modifications to the CCPA would change “Do Not Sell My Personal Information” requests and how companies provide notice when they collect information offline.

Regulations around the California Consumer Privacy Act have only been in effect for two months - technically the two-month anniversary was yesterday, the regulations were approved by the state's Attorney General Xavier Becerra on August 14 - but modifications to the law are already in the works.

The California Department of Justice released the third set of proposed modifications (.PDF) to the law this week; they're open for comment until October 28.

The changes are based on comments the California Department of Justice received in February and March.

While the CCPA, one of the nation's landmark data privacy laws, went into effect on January 1, 2020, enforcement around the law didn't begin until this summer, on July 1. Regulations around the law weren’t approved by the California Office of Administrative Law (OAL) until two weeks later, on August 14.

Among the proposed modifications is a requirement around whether consumers should be notified about their ability to exercise their "Do Not Sell" rights when data is collected offline.

"A business that collects personal information in the course of interacting with consumers offline shall also provide notice by an offline method that facilitates consumers’ awareness of their right to opt-out," the proposed modification reads.

Two examples of how to carry this out include printing out a notice on paper forms that collect personal information or by posting a notice, on a sign somewhere, where personal information is collected, guiding consumers to a site online for example. Businesses that collect data over the phone could provide a notice orally during a call, the modification suggests.

Another potential change to the regulations would ease the opt-out request process; specifically it would clarify how a business can submit requests to opt out for consumers. According to the proposed modification, these requests should be "easy for consumers to execute and shall require minimal steps to allow the consumer to opt-out."

The potential modifications suggest companies shouldn't use confusing language, not use double-negatives, read through a long list of legalese, or surrender personal information - essentially, consumers shouldn't be required to jump through hoops to submit a request to opt out.

While those would be the biggest changes, two other changes including a tweak to how agent requests are handled and how companies who sell children's information were also proposed:

  • Authorized Agent Requests:  Proposed section 999.326(a) clarifies that businesses may require an authorized agent to provide proof and may require a consumer to verify their request.
  • Children’s Information:  Proposed section 999.332(a) includes a grammatical change, which clarifies that businesses subject to section 999.330 and/or 999.331 must include a description of the processes set forth in those sections in their privacy policies.

The proposed modifications come a few days after the state's Governor Gavin Newsom signed off on two amendments to the CCPA. The first, AB 1281, extended the one year exemption for employee information and business to business information for another year, until January 1, 2022. The second, AB 713, provides an exemption from the CCPA to medical information that's governed by the state's California Confidentiality of Medical Information Act (CMIA) or to protected health information collected via a covered entity or business associate governed by the Health Insurance Portability and Accountability Act (HIPAA) and the federal Health Information Technology for Economic and Clinical Health Act (HITECH).

Tags: Government, Data Privacy

Recommended Resources


  • The seven trends that have made DLP hot again
  • How to determine the right approach for your organization
  • Making the business case to executives
  • Why Data Classification is Foundational
  • How to Classify Your Data
  • Selling Data Classification to the Business

Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.