November 3, 2022
CCPA regulations: A timeline of amendments
Just over a year after the California Consumer Privacy Act (CCPA) was signed into law on June 28, 2018, the California Attorney General (AG) released their proposed regulations for public consultation. What followed was a series of amendments, modifications, and additional rounds of regulations being released up until the present day.
The California Privacy Rights Act (CPRA) will enter into force on January 1, 2023. Looking back on the evolution of California’s first comprehensive privacy law can give us indications of trends in the fast-evolving privacy landscape in the US. It may even give us a clue as to where we may be heading in the future.
Let’s explore the timeline of CCPA amendments, starting with the bill’s passage in 2018 and bringing us up to the latest developments in privacy law in California.
June 28, 2018: CCPA signed into law
After passing the California State Legislature, the Governor of California signed the CCPA into law on June 28, 2018. The law established new rights for California residents:
- The right to know what personal information is being collected
- The right to know if their personal information is being sold or disclosed
- The right to opt out of the sale of their personal information
- The right to access their personal information
- The right to deletion upon request
- The right to non-discrimination when exercising these rights
The CCPA was the first comprehensive privacy legislation in the US to become law, setting a new standard and point of comparison for state legislatures and Congress.
October 10, 2019: First round of proposed regulations released
More than a year after its passage, the California Attorney General (AG) released proposed regulations to offer practical guidance to organizations preparing for CCPA compliance.
The proposed regulations clarified some terms to help prevent misinterpretation. They also introduced new specifics for operationalizing the law in day-to-day operations, addressing five key areas of the CCPA:
- Notice requirements: Entities must provide notice at or before data collection, including the opportunity to opt out of sale, using straightforward and clear language, and made accessible to people with disabilities. These notices must list what personal information is being collected and the purposes of collection and state that they will not use that information for any other purpose.
- Handling requests: Businesses have to offer two or more methods for consumer rights requests, including a toll-free telephone number and a web form available via their consumer-facing websites. Teams must acknowledge receipt of requests within 10 days and process them within 45 days, starting when the request is received.
- Verifying identity practices: Account holders can log in to satisfy verification requirements. Non-account holders can provide two data points to access data categories or three data points to access personal information.
- Minors: Entities must establish distinct procedures for opting into a sale for individuals above 16 years old versus those between 13 and 16 years old. Parents or guardians must be verified before opting into sales for minors under 13 years old.
- Financial incentives: The proposed regulations declared financial incentives discriminatory, including price or service differences to those who opt-in.
The public had until December 19, 2019 to submit comments regarding these proposed CCPA regulations.
February 10, 2020: Attorney General issues modified proposed regulations
Following the public comment period, the California AG issued modified proposed CCPA regulations.
The most significant change was the introduction of the opt-out button, which organizations could implement next to the posted notice of the right to opt out. The modified proposed regulations indicated that submission methods for opt-outs must be simple for consumers to execute. Notably, opt-out settings via a privacy controls page cannot pre-select consent for consumers.
Regarding consumer requests, businesses would not have to search for personal information if:
- It’s not maintained in a searchable or accessible format
- It’s not sold or used for commercial purposes
- It’s used for legal or compliance purposes only
- A description of the personal information categories that may apply to the inquiring consumer is provided
The modifications also clarified that a loyalty program would not be considered discriminatory.
The AG’s office accepted public comments through February 25, 2020.
March 11, 2020: Second set of modified draft regulations issued
Following a third comment period, the California Attorney General issued a second set of modified draft CCPA regulations to further clarify and define obligations.
Notably, businesses would no longer be prohibited from pre-selecting opt-in choices. Consumers have to select the option to opt out. Regulators also removed the option to include an opt-out button next to a “Do Not Sell” link.
Regulators barred entities from charging consumers or authorized agents for request verification.
The modified regulations took steps to protect sensitive types of personal information. When responding to requests to know, businesses can’t provide social security numbers, health insurance ID numbers, biometrics, or other sensitive types of personal information. However, they must inform the consumer that they have collected it.
June 1, 2020: Attorney General submits final CCPA regulations
On June 1, 2020, the California Attorney General submitted the final version of the CCPA regulations to the Office of Administrative Law (OAL) for a 30-working-day review period. The OAL’s role is to ensure the regulations are “clear, necessary, legally valid, and available to the public.”
The AG requested that the OAL expedite the process so enforcement could begin on July 1, 2020, as originally intended. If the OAL rejected the regulations, the AG’s office would have to revise, resubmit, and possibly host another public comment period.
August 14, 2020: Final CCPA regulations go into effect
The California AG announced on August 14 that the OAL had approved the final CCPA regulations, which would immediately go into effect.
The final regulations include a few substantive changes, such as:
- Children and minors now referred to as consumers under 13 and consumers under 16
- Explicit consent no longer required to use a consumer’s personal information for a materially different purpose than stated during the collection
- Requirements removed for ease of use and minimal steps to opt out of sale
- No longer required to provide an offline notice method for businesses that substantially interact with consumers offline
October 12, 2020: Attorney General announces third round of regulation revisions
The California Department of Justice (DOJ) notified the public on October 12, 2020 that it would be issuing a third round of revisions to CCPA regulations.
One modification offered an example of providing opt-out notices to consumers in brick-and-mortar stores and over the phone.
The DOJ also provided guidance regarding the ease of using opt-out mechanisms. The number of steps to opt out cannot exceed the number to opt in. Confusing language is not allowed, such as double negatives, and consumers cannot be forced to go through reasons not to opt out before confirming their requests. When clicking a “Do Not Sell” link, consumers should not have to scroll or search through the page to make their request.
Additionally, if a business deals with the personal information of minors under 13 or between 13-15 years old, it must explain the related processes in its privacy notice.
The public comment period for this third round of revisions concluded on October 28, 2020.
December 10, 2020: Fourth round of CCPA modifications released
On December 10, 2020, the California AG released the fourth round of modifications to the CCPA regulations.
This round clarified opt-out notices in offline interactions, including who’s obligated to do so, and included illustrative examples.
The other major change was the re-inclusion of an optional opt-out button, which regulators had previously removed in March 2020. The button may accompany a “Do Not Sell” link but cannot replace it. The size and design also changed.
The public comment period was open through December 28, 2020.
March 15, 2021: Additional CCPA regulations announced
The California AG announced the approval of additional CCPA regulations on March 15, 2021. These updates officially banned “dark patterns” that obscure the opt-out process. The changes also prohibited confusing language, unnecessary steps, or delays in opting out of the sale of personal information.
The regulations also identified what an entity might require an authorized agent to furnish when acting on behalf of a consumer and what consumers may have to present for a rights request.
May 27, 2022: CPPA releases draft proposed regulations
The California Privacy Protection Agency (CPPA), responsible for CCPA enforcement, released draft proposed CCPA regulations on May 27, 2022.
The proposed regulations addressed enforcement, agency audit rights, dark patterns, and updated CCPA terminology and concepts.
A sworn complaint alleging a violation of CCPA can be filed online, in person, or via mail with the Enforcement Division of the CPPA. It must identify the entity violating the CCPA, state the facts supporting each violation, include documentation or evidence, authorize agency follow-up communication, and come signed under penalty of perjury.
The CPPA gained the authority to audit organizations and ensure CCPA compliance.
Regulators stated that any method used to obtain consent that doesn’t follow lawful requirements represents a dark pattern, which invalidates consent. For example, choices to opt in must be equal and symmetrical to choices to opt out from the consumer perspective.
The proposed regulations outlined methods to allow consumers to opt out of the sale or sharing of personal information and limit the use of sensitive personal information via web forms, mail, phone, or in-person interactions.
The enforcement agency planned to debate the regulations at the June 8 CPPA board meeting prior to opening a public comment period.
October 17, 2022: The CPPA releases revised Proposed CCPA Regulations
The CPPA released a revised version of its draft CCPA regulations ahead of a scheduled board meeting.
Key changes were made to the earlier issued regulations, including an update to no longer require businesses to identify the third parties that collect personal information on their websites in their privacy notices at the time of collection. There were also changes to the relevant language and to the accompanying explanatory document, which says that in some instances an analytics business can be a service provider and not a third party.
In regard to dark patterns and consumer preferences, the proposed modifications included multiple changes to the design requirements for submitting CCPA requests and obtaining consent. Notably, restrictions on using buttons in larger sizes or more “eye-catching colors” have been deleted in order to “simplify implementation at this time.” The modifications also stated that a business’s intent should be considered in determining whether a user interface is a dark pattern. Relatively minor changes to the provisions on opt-out preference signals included additional technical specifications that a signal in a format commonly used and recognized by a business may include a “JavaScript object.”
There were further updates on sensitive data and service provider data, which sought to clarify how these types of information can be used in relation to the CCPA.
October 28, 2022: CPPA discusses Modified Proposed CCPA Regulations at board meeting
The Board discussed its proposed modifications to the draft CCPA regulations in a meeting held on October 28, 2022. The Board instructed that additional changes be made to the draft regulations, and a new 15-day public comment period was launched.
November 3, 2022: CPPA requests public comment on revised proposed CCPA Regulations
On November 3, the Board released a further revised version and recommended several additional changes to clarify the use of opt-out preference signals. This included adding language to clarify:
- That opt-out preference signals should apply both to pseudonymous profiles and to consumer profiles associated with a particular browser or device.
- That when a consumer enrolled in a financial incentive uses an opt-out signal, they can be asked whether they want to opt out of the financial incentive program. If the consumer does not indicate that they want to opt out of the financial incentive program, the business may ignore that opt-out preference signal
- That if a business does not ask when the opt-out preference signal conflicts with a financial incentive program, the business should still apply the opt-out preference to the browser, device, and/or the consumer
The Board also recommended that the use and disclosure of sensitive personal information has to be reasonably necessary and proportionate to achieve the purposes listed and, in relation to enforcement, that it can consider the amount of time a business has had to come into compliance as well as good faith efforts to comply.
Public comments can be submitted until November 21.
It is expected that the regulations will be completed by early 2023; however, the CPPA appears to anticipate multiple additional rulemaking processes.
Accelerate time to compliance with OneTrust CPRA solutions
As evidenced by the CCPA timeline, the regulations are constantly evolving. And when it comes into effect on January 1, the CPRA will further increase your company’s privacy obligations to consumers.
OneTrust CPRA solutions monitor regulations issued by the CPPA and the California AG to ensure our platform aligns your privacy program with the latest requirements.