Companies Must Soon Equalize Opt-In, Opt-Out Processes in California, Lawyer Warns
California privacy enforcers may soon be “counting clicks” to make sure it doesn’t take more steps for consumers to opt out than to opt in, warned privacy attorney Webb McArthur on a Hudson Cook webinar Tuesday.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
That’s because a forthcoming California Privacy Protection Agency requirement -- approved last month by the CPPA Board as part of a broader package that also covered automated decision-making technology (ADMT) -- will require opt-out processes to have the same or fewer steps than the process to opt in, said McArthur.
It’s one of a few new requirements getting “less press” than the ADMT rules, the Hudson Cook lawyer said. Another will require privacy policies to be placed not only on a company’s homepage, but on any page where the company collects personal information, he said. In addition, consumers will soon be able to request data from longer than 12 months ago, to the extent that data exists, he said.
The CPPA submitted board-approved regulations on ADMT, cyber audits, risk assessments, insurance and other California Consumer Privacy Act (CCPA) updates to the Office of Administrative Law on Aug. 8, which means OAL must finalize them by Sept. 22, or they are approved automatically (see 2508120025). Various privacy lawyers have said they expect OAL to approve them.
During another law firm’s webinar last week, a Troutman privacy lawyer advised organizations to immediately implement a new rule requiring websites to display to users that they are honoring universal opt-out preference signals.