CCPA regulations. The fourth set of proposed modifications

Following previous modifications in October 2019, and in February and March 2020, the latest updates landed in December, delivered by the California Department of Justice.


CCPA regulations. The fourth set of proposed modifications


Each set of the previous modifications results from taking account of, and action on, the comments made to each of the developments in the earlier sets.


This latest, fourth set of modifications is primarily concerned with:

  • Ambiguities regarding a consumer’s right to opt-out
  • The use of a company opt-out button
  • Processing opt-out requests


1. The right to opt-out

The proposed modifications concerning the right to opt-out are concerned with businesses selling personal information gathered in offline situations.


The new regulation dictates that companies should provide an opt-out of selling personal data in that same situation.

  • A business that sells collects personal information that it collects in the course of interacting with consumers offline shall also provide notice inform consumers by an offline method of their right to opt-out and provide instructions on how to submit a request to opt-out by an offline method that facilitates consumers’ awareness of their right to opt-out. Illustrative examples follow.
  • A business that sells personal information that it collects from consumers in a brick-and-mortar store may inform consumers of their right to opt-out on the paper forms that collect the personal information or by posting signage in the area where the personal information is collected directing consumers to where the opt-out information can be found online.
  • A business that sells personal information that it collects over the phone may inform consumers of their right to opt-out orally during the call when the information is collected.

It delivers strong examples here—if the data is gathered during a phone call, the call must include dialogue that makes the subject aware that their data may be sold and an opportunity to opt-out from its selling. In this situation, the opt-out is verbal, as is the rest of the conversation and its arrangements and agreements.


The same must be provided then, in written arrangements, verbal methods in other situations (face-to-face, in-store, or video calling, for example), and during any other offline method.


2. The re-introduction of a company opt-out button

The use of an opt-out button looks to have been standardized by introducing a uniform logo that all companies should use when implementing the option. There are supporting instructions relevant to its use—once again, to keep the system standardized across the market.

An opt-out button was included in the first set of the CCPA regulation modifications, yet was removed due to negative feedback.


CCPA regulations. Opt-out button regulation updates

The following paragraphs were added to create a new section of the regulations, the first covers a smaller simple blue coloured tick/cross image, and the second the same image with the Do Not Sell My Personal Information wording to its right-hand side:


  1. May be used in addition to posting the notice of right to opt-out, but not in lieu of any requirement to post the notice of right to opt-out or a ‘Do Not Sell My Personal Information’ link as required by; and
  2. Where a business posts the ‘Do Not Sell My Personal Information’ link, the opt-out button shall be added to the left of the text demonstrated below. The opt-out button shall link to the same Internet webpage or online location to which the consumer is directed after clicking on the ‘Do Not Sell My Personal Information’ link.
  3. The button shall be approximately the same size as any other buttons used by the business on its webpage.

3. Processing consumers requests to opt-out

The final modification includes instruction into streamlining the opt-out process as much as possible.

  • “Requests to opt-out shall be easy for consumers to execute and shall require minimal steps to allow the consumer to opt-out.”

This subsection details that the method to opt-out should be just as simple as opting in, with no additional steps included in the process. Both options should contain the same number of steps in their process.

Comments to modifications closed on December 28th 2020.

For the full set of changes and modifications can be viewed here.

About us

What is PrivacyRun?

Here at PrivacyRun we built our solution with you in mind. Our data privacy platform supports your company’s compliance with local data privacy laws like GDPR and CCPA. We enable you to monitor where and how data is handled, track employee training and keep you up to date on privacy requests – helping you navigate the complex world of privacy compliance from one place.

Let’s talk about your project

    Makeitright is committed to protecting and respecting your privacy, and we’ll only use your personal information to administer your account and to provide the products and services you requested from us. If you consent to us contacting you and storing your personal data for this purpose, please tick the checkbox below:

    For more information about our privacy practices, and how we are committed to protecting and respecting your privacy, please review our Privacy Policy.