Just over a year after the California Consumer Privacy Act (CCPA) was signed into law on June 28, 2018, the California Attorney General (AG) released proposed regulations for public consultation. What followed was a series of amendments, modifications, and additional rounds of rulemaking that continues to the present day.
The California Privacy Rights Act (CPRA) will enter into force on January 1, 2023. Looking back on the evolution of California’s first comprehensive privacy law can give us indications of trends in the fast-evolving privacy landscape in the US. It may even give us a clue as to where we may be heading in the future.
Let’s explore the timeline of CCPA amendments, starting with the bill’s passage in 2018 and bringing us up to the latest developments in privacy law in California.
After passing the California State Legislature, the Governor of California signed the CCPA into law on June 28, 2018. The law established new rights for California residents:
The CCPA was the first comprehensive privacy legislation in the US to become law, setting a new standard and point of comparison for state legislatures and Congress.
More than a year after its passage, the California Attorney General (AG) released proposed regulations to offer practical guidance to organizations preparing for CCPA compliance.
The proposed regulations clarified some terms to help prevent misinterpretation. They also introduced specifics on operationalizing the law in day-to-day operations, addressing five key areas of the CCPA:
The public had until December 19, 2019 to submit comments regarding these proposed CCPA regulations.
Following the public comment period, the California AG issued modified proposed CCPA regulations.
The most significant change was the introduction of the opt-out button, which organizations could implement next to the posted notice of the right to opt out. The modified proposed regulations indicated that submission methods for opt-outs must be simple for consumers to execute. Notably, opt-out settings via a privacy controls page cannot pre-select consent for consumers.
Regarding consumer requests, businesses would not have to search for personal information if:
The modifications also clarified that a loyalty program would not be considered discriminatory.
The AG’s office accepted public comments through February 25, 2020.
Following a third comment period, the California Attorney General issued a second set of modified draft CCPA regulations to further clarify and define obligations.
Notably, businesses would no longer be prohibited from pre-selecting opt-in choices; consumers would have to actively select the option to opt out. Regulators also removed the option to include an opt-out button next to a “Do Not Sell” link.
Regulators barred entities from charging consumers or authorized agents for request verification.
The modified regulations took steps to protect sensitive types of personal information. When responding to requests to know, businesses must not disclose Social Security numbers, health insurance ID numbers, biometric data, or other sensitive types of personal information. They must, however, inform the consumer that such information has been collected.
On June 1, 2020, the California Attorney General submitted the final version of the CCPA regulations to the Office of Administrative Law (OAL) for a 30-working-day review period. The OAL’s role is to ensure the regulations are “clear, necessary, legally valid, and available to the public.”
The AG requested that the OAL expedite the process so enforcement could begin on July 1, 2020, as originally intended. If the OAL rejected the regulations, the AG’s office would have to revise, resubmit, and possibly host another public comment period.
The California AG announced on August 14, 2020 that the OAL had approved the final CCPA regulations, which went into effect immediately.
The final regulations include a few substantive changes, such as:
The California Department of Justice (DOJ) notified the public on October 12, 2020 that it would be issuing a third round of revisions to CCPA regulations.
One modification offered an example of providing opt-out notices to consumers in brick-and-mortar stores and over the phone.
The DOJ also provided guidance regarding the ease of using opt-out mechanisms. The number of steps to opt out cannot exceed the number to opt in. Confusing language is not allowed, such as double negatives, and consumers cannot be forced to go through reasons not to opt out before confirming their requests. When clicking a “Do Not Sell” link, consumers should not have to scroll or search through the page to make their request.
Additionally, if a business handles the personal information of minors under 13 or between 13 and 15 years old, it must explain the related processes in its privacy notice.
The public comment period for this third round of revisions concluded on October 28, 2020.
On December 10, 2020, the California AG released the fourth round of modifications to the CCPA regulations.
This round clarified opt-out notices in offline interactions, including which businesses are obligated to provide them, and included illustrative examples.
The other major change was the re-inclusion of an optional opt-out button, which regulators had previously removed in March 2020. The button may accompany a “Do Not Sell” link but cannot replace it. The size and design also changed.
The public comment period was open through December 28, 2020.
The California AG announced the approval of additional CCPA regulations on March 15, 2021. These updates officially banned “dark patterns” that obscure the opt-out process. The changes also prohibited confusing language, unnecessary steps, or delays in opting out of the sale of personal information.
The regulations also identified what an entity might require an authorized agent to furnish when acting on behalf of a consumer and what consumers may have to present for a rights request.
The California Privacy Protection Agency (CPPA), responsible for CCPA enforcement, released draft proposed CCPA regulations on May 27, 2022.
The proposed regulations addressed enforcement, agency audit rights, dark patterns, and updated CCPA terminology and concepts.
A sworn complaint alleging a violation of CCPA can be filed online, in person, or via mail with the Enforcement Division of the CPPA. It must identify the entity violating the CCPA, state the facts supporting each violation, include documentation or evidence, authorize agency follow-up communication, and come signed under penalty of perjury.
The CPPA gained the authority to audit organizations and ensure CCPA compliance.
Regulators stated that any method of obtaining consent that does not follow the regulatory requirements is a dark pattern, and that consent obtained through a dark pattern is invalid. For example, the opt-in and opt-out choices presented to a consumer must be symmetrical: opting out may not be harder than opting in.
The proposed regulations outlined methods to allow consumers to opt out of the sale or sharing of personal information and limit the use of sensitive personal information via web forms, mail, phone, or in-person interactions.
The enforcement agency planned to debate the regulations at the June 8 CPPA board meeting prior to opening a public comment period.
The CPPA released a revised version of its draft CCPA regulations ahead of a scheduled board meeting.
Key changes were made to the earlier regulations. Businesses would no longer be required to identify, in their privacy notices at the point of collection, the third parties that collect personal information on their websites. The relevant language and the accompanying explanatory document were also revised to state that, in some instances, an analytics business can be a service provider rather than a third party.
With regard to dark patterns and consumer preferences, the proposed modifications changed several design requirements for submitting CCPA requests and obtaining consent. Notably, restrictions on using buttons in larger sizes or more “eye-catching colors” were deleted in order to “simplify implementation at this time.” The modifications also stated that a business’s intent should be considered in determining whether a user interface is a dark pattern. Relatively minor changes to the provisions on opt-out preference signals added technical specifications, including that a signal in a format commonly used and recognized by a business may include a “Java Script object.”
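The opt-out preference signal provisions say little about how a business should actually consume such a signal. The following is an added example, not code from the article or from OneTrust, showing one way to detect an opt-out preference signal and suppress tags that sell or share personal information. It assumes the signal arrives as the `Sec-GPC: 1` request header and, in the browser, as the boolean `navigator.globalPrivacyControl`; both names are the Global Privacy Control convention and are assumptions here, not something the regulations or this page specify.

```javascript
// Added example (not from the original article): honouring an opt-out
// preference signal on the server side and in the browser.
//
// Assumptions (not stated on the page): the signal is carried as the
// "Sec-GPC: 1" request header and, client-side, as the boolean
// navigator.globalPrivacyControl. Both names follow the Global Privacy
// Control convention and are used here as assumptions.

// Returns true when an opt-out preference signal is present.
// `headers` is a plain object of request headers; `nav` stands in for
// the browser's navigator object so the logic can be exercised offline.
function optOutSignalled({ headers = {}, nav = {} } = {}) {
  // Header names are case-insensitive; normalise keys and trim values
  // before comparing, and accept only the literal value "1".
  const normalised = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v).trim()])
  );
  if (normalised["sec-gpc"] === "1") return true;

  // Accept only a strict boolean true; undefined, "true" or other
  // values are treated as "no signal" rather than guessed at.
  if (nav.globalPrivacyControl === true) return true;

  return false;
}

// Filters a tag manifest. Tags flagged as selling or sharing personal
// information are dropped when either the signal or a stored opt-out
// (e.g. from a "Do Not Sell or Share" link) is present. Design choice:
// an explicit stored opt-out is honoured even if no signal is sent.
function allowedTags(tags, { signal, storedOptOut = false }) {
  const optedOut = signal || storedOptOut;
  return tags.filter((t) => !(optedOut && t.sellsOrShares));
}

// Constructed sample tag manifest (not real vendors).
const SAMPLE_TAGS = [
  { name: "first-party-analytics", sellsOrShares: false },
  { name: "ad-network-pixel", sellsOrShares: true },
  { name: "cross-site-tracker", sellsOrShares: true },
];

// Runs both paths on constructed input and returns the decisions.
function demo() {
  const withSignal = optOutSignalled({ headers: { "Sec-GPC": "1" } });
  const noSignal = optOutSignalled({ headers: { "Sec-GPC": "0" }, nav: {} });
  return {
    withSignal,
    noSignal,
    loadedWhenSignalled: allowedTags(SAMPLE_TAGS, { signal: withSignal }).map((t) => t.name),
    loadedWhenNot: allowedTags(SAMPLE_TAGS, { signal: noSignal }).map((t) => t.name),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The strict comparisons are deliberate: a header value other than the exact string "1", or a navigator property that is merely truthy, is treated as no signal, so a misconfigured proxy or an extension that sets the wrong type cannot silently switch sale or sharing off for every visitor, and the explicit opt-out path is kept separate so an auditor can see which mechanism produced each decision.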
There were further updates on sensitive data and service provider data that sought to clarify how these types of information can be used under the CCPA.
The Board discussed its proposed modifications to the draft CCPA regulations at a meeting held on October 28, 2022. It directed staff to make additional changes to the draft regulations and opened a new 15-day public comment period.
On November 3, the Board released a further revised version and recommended several additional changes to clarify the use of opt-out preference signals. This included adding language to clarify:
The Board also recommended that the use and disclosure of sensitive personal information be reasonably necessary and proportionate to the purposes listed. On enforcement, it recommended that the agency may consider how much time a business has had to come into compliance, as well as its good-faith efforts to comply.
Public comments can be submitted until November 21, 2022.
The regulations are expected to be completed by early 2023, although the CPPA appears to anticipate multiple additional rulemaking processes.
As the CCPA timeline shows, the regulations are constantly evolving. And when it comes into effect on January 1, 2023, the CPRA will further increase your company’s privacy obligations to consumers.
OneTrust CPRA solutions monitor regulations issued by the CPPA and the California AG to ensure our platform aligns your privacy program with the latest requirements.