The fine print: California finalizes, enacts data privacy rules
The final version of California’s sweeping new data security regulations arrived earlier this month with two surprises: an effective-immediately order and several missing provisions.
California Attorney General Xavier Becerra revealed that on July 29 his office withdrew four sections from the regulations that were sent in June to the Office of Administrative Law for final approval.
The rescissions don’t make wholesale amendments to the landmark consumer privacy law, although they do raise questions about why Becerra quietly made any last-minute changes. Becerra’s office did not immediately respond to questions about the revisions from The Recorder.
The July 29 addendum said Becerra’s office “may resubmit” the deleted sections “after further review and possible revision.”
“The changes are substantive,” said Duane Morris partner Michelle Hon Donovan, a privacy and data protection specialist in California who has been tracking the rules.
The approved regulations took effect Aug. 14. Based on when the attorney general’s office submitted the rules to the Office of Administrative Law, they were not originally expected to take effect until Oct. 1.
“That, to me, is the biggest takeaway here,” Donovan said. Business owners who assumed they would have time to reach compliance with the new rules need to get moving, she said.
The provisions deleted by the attorney general’s office include:
- Language requiring businesses to obtain consumers’ explicit consent before using their personal information for any new business purpose. Businesses had complained about this provision, characterizing it as an overreach of the original statute, which only requires that companies provide a new notice of their intent to use the data for a new purpose.
- A requirement that businesses that substantially communicate with their customers offline, including brick-and-mortars, tell those customers about their rights to opt out of data collection through paper notices or signs directing them to a website policy. Businesses can now use just a website to provide notice to customers.
- Mandates that a business’s methods for handling requests to opt out “shall be easy for consumers to execute” and “require minimal steps.” The deleted section also prohibited businesses from using a method “designed with the purpose or [that] has the substantial effect of subverting or impairing a consumer’s decision to opt-out.”
- Language allowing a business to deny a request from a customer’s agent who does not offer proof they’ve been authorized by that customer to act on their behalf. The approved regulations also delete the option for businesses to use the phrase “Do Not Sell My Info” on a hyperlink directing consumers to privacy choices instead of “Do Not Sell My Personal Information.”
Businesses and customers will have fewer than three months to adapt to the new rules before Californians consider new privacy laws at the ballot box.
Proposition 24, the California Privacy Rights Act, was written by many of the same proponents of the Consumer Privacy Act. The measure would add information-protection requirements for businesses and create a new agency outside of the attorney general’s office to enforce consumer privacy laws.