
California Attorney General Proposes Fourth Set of CCPA Regulation Changes

MORGAN LEWIS PRACTICAL ADVICE ON PRIVACY: GUIDE TO THE CCPA

December 18, 2020

The California attorney general released a fourth set of proposed modifications to the California Consumer Privacy Act regulations; notable regulatory changes include a new opt-out button for websites and an offline notice of the right to opt out.

The California attorney general issued a fourth set of proposed modifications to the regulations implementing the California Consumer Privacy Act (CCPA) on December 10, 2020. The attorney general’s office issued these latest proposed modifications in response to comments received on the third set of draft modifications released on October 12, 2020. Because the third set of proposed modifications was never finalized by the California Office of Administrative Law (OAL), the California attorney general issued the fourth set of proposed modifications to address stakeholder comments and better conform the proposed regulations to the CCPA. The proposed modifications additionally update the publicly available “rulemaking package” with research papers and other materials relied upon by the California attorney general in drafting the proposed regulations.

The fourth set of proposed CCPA regulations, if approved by the OAL, builds on the third draft set of modifications to require the following:

  • A new opt-out button for websites (proposed Section 999.306(f)). The proposed modifications introduce a new opt-out button for use online to promote consumer awareness of the opportunity to opt out of the sale of personal information. Businesses may use the proposed button in addition to, but not in place of, the required notice of the right to opt out. If a business uses the proposed button to solicit opt-out requests, then the button shall be approximately the same size as other buttons used on the business’s website. The button must also link to the same webpage or online location to which a consumer is directed after clicking on the “Do Not Sell My Personal Information” link, and appear as follows:
    [Image: Do not sell my personal information button]

  • Offline notice of the right to opt out of the sale of personal information (proposed Section 999.306(b)(3)). For businesses that sell personal information collected from consumers in the course of interacting with them offline, the proposed modifications require that businesses inform consumers of their right to opt out of the sale of their personal information by an offline method. For example, if a business collects personal information in a brick-and-mortar establishment, then it may inform consumers of their opt-out right on the paper form used for collection of the information or by posting signage in the area of collection. If a business sells personal information that it collects over the phone, then the proposed modifications say that during the call consumers may be informed orally of their right to opt out.

The proposed modifications would also add provisions in a new Section 999.315(h) requiring that opt-out procedures be easy to use and providing five examples of methods or practices that should be avoided (such as use of confusing language, requiring multiple steps or requiring submission of additional personal information). Lastly, the proposed modifications revise the “Authorized Agent” provisions in Section 999.326(a), allowing a business to require that the authorized agent and the consumer provide proof that such agent is acting on the consumer’s behalf. These two proposals had been included in the third set of proposed modifications, but were not included in the final regulations approved by the OAL.

The California attorney general is accepting public comments on the proposed regulations through December 28, 2020. With the CCPA and its regulations continuing to change, including the recent passage of the California Privacy Rights Act of 2020, businesses should continue to stay abreast of legislative and regulatory developments to verify CCPA and, ultimately, CPRA compliance obligations in California’s ever-changing privacy landscape.

Additional Resources

Morgan Lewis has set up a CCPA resource center designed to guide companies and institutions of all sizes through the challenges of this new regulatory environment.

CONTACTS

The Morgan Lewis privacy team is providing practical privacy advice to more than 200 businesses on compliance with the CCPA and proposed regulations. If you have any questions or would like more information, please contact any of the following Morgan Lewis lawyers:

San Francisco
Reece Hirsch
Carla Oakley
Michelle Park Chiu
Kevin Benedicto

Los Angeles
Joseph Duffy

Philadelphia
Gregory Parks
Ezra Church
Kristin Hadgis
Julian Williams

New York
Martin Hirschprung

Washington, DC
Ronald Del Sesto
Dr. Axel Spies