But businesses in California still have their backs up

An obligatory website icon aimed at providing consumers with a visual indication that they can opt out of their personal data being sold has been scrapped in the latest series of amendments to California’s upcoming state privacy law.

In the second set of modifications (PDF) proposed this month, lawmakers behind the California Consumer Privacy Act (CCPA) has removed the reported limitation put on businesses to shore up their data collection practices by implementing a ‘useable icon and tagline’ (PDF) for consumers.

The icon was meant to communicate to consumers their right to opt out of their personal data being sold to third parties – a measure that was put forward in the CCPA legislation and a source of substantial controversy between privacy advocates and enterprise alike.


BACKGROUND CCPA the ‘first of many’ state-level US privacy laws on the horizon


David Oberly, associate at US law firm Blank Rome, thinks that this criticism prompted the removal of the icon, or button, in the latest CCPA draft regulations. Critics were concerned that “the button would generate significant confusion”, Oberly said in an email to The Daily Swig.

“While the button looked like it would operate like a ‘switch’ to effect an opt out – the regulations required that the button actually operate as a link to the company’s Notice of Right to Opt-Out,” he said.

CCPA enforcement: Three months and counting

The CCPA was enacted on January 1, 2020. Many companies already complying with its measures, mainly in the form of data collection notices and overall operational changes.

For-profit businesses that collect the personal information of California residents, making at least 50% of their annual revenue from selling the information, are required to comply with the state legislation.

New modifications to the bill were published on March 11, and the CCPA will officially start to be enforced as of July 1 this year.

“The enforcement start date also may be leading some companies into a false sense of security, as it is reasonable to posit that the [attorney general] may pursue enforcement actions against companies that failed to comply with the law any time after the law went into effect on January 1,” Oberly explained.

Further changes to the CCPA have been called “substantial and sufficiently related” by California’s attorney general, Xavier Becerra, who has opened the comment period on its latest revisions to the law until March 27, 2020.

If major changes were made since the law’s last public consultation on February 10 (PDF), an extended comment period of 45 days would be permitted.

Consumer-focused legislation

Aside from the opt-out button, which Oberly said is still anticipated to feature in the finalized version of the law, the modifications put forward in March outline the sources a business uses to collect consumer data within the company’s privacy policy.

Reasons for the data collection, alongside a list of the types of information a business will collect, are also required, and have changed little from the first round of amendments that were put forward. Certain guidance on the definition of personal information has been deleted.

“Use plain, straightforward language and avoid technical or legal jargon,” the proposed regulation states.

An opt-out link within a business notice of data collection – initially mandated under the original CCPA rules – is no longer stipulated in the new draft law. A clarification has additionally been made that there is no need for a business to provide a notice of data collection if it is not selling consumer information.

“Businesses instead are now only required to ask the consumer if they would like to submit a request to opt out if the company denies the consumer’s request to delete, without having to automatically stop selling the consumer’s data,” Oberly added.

Rush towards compliance

Despite some of the appearing relaxation to privacy measures, businesses have still expressed concerns over the short three-month period they now have left to attain CCPA compliance ahead of the enforcement date.

Many, including five major advertising trade groups, have called for a delay, asking the attorney general for a six-month compliance period. There have already been several class action lawsuits filed against businesses, claiming CCPA violations.

A US federal privacy law also remains on the horizon, which means the possibility that the CCPA, and other state “copycat” bills, might be preempted by any national legislation that is to come to pass.

“As more and more states enact their own versions of the CCPA, each with their own varying requirements, companies that operate in multiple states will begin to face substantial compliance headaches in attempting to comply with a complex web of differing privacy obligations,” Oberly said.

“In turn, this will place sizeable pressure on Congress to enact a uniform consumer privacy law that will apply uniformly across all 50 states, which has already started to mount at this juncture.”


RELATED Will California’s AB5 labor law cause havoc for cybersecurity consultants?