California AG Proposes “Modifications” to Consumer Privacy Act (CCPA)


As businesses work on compliance with the California Consumer Privacy Act (CCPA) a new proposal deals with the notice of the:

  • Right to opt-out of a business' "sale" of their personal information, and
  • Do Not Sell My Personal Information Opt In/Out Button (reinstates the requirement for a "button" on a website calling attention to the link to "Do Not Sell My Personal Information.")
  • Covers medical device companies, not "covered entities" under HIPAA
In new Section 999.306(f), the proposed regulations has published an icon to be used as the "opt-out button" to be used in addition to posting the notice of right to opt-out, but not in lieu of any requirement to post the notice of right to opt-out or a "Do Not Sell My Personal Information" link" as required in the CCPA.

(Proposed Regulations Section 999.306(f)(1))

It also requires that where a business posts the DNS link, "the opt-out button shall be added to the left of the text ... The opt-out button shall link to the same Internet webpage or online location to which the consumer is directed after clicking on the "Do Not Sell My Personal Information" link." (Proposed Regulations Section 999.306(f)(2))

The draft regulations are subject to a public comment period. The deadline to submit written comments is December 28, 2020 at 5:00 p.m. (PST).

Happy holidays!