CCPA March 15 Regs

Uploaded by

Cristiana Maia

FINAL REGULATION TEXT

TITLE 11. LAW

DIVISION 1. ATTORNEY GENERAL

CHAPTER 20. CALIFORNIA CONSUMER PRIVACY ACT REGULATIONS

§ 999.306. Notice of Right to Opt-Out of Sale of Personal Information.

(a) Purpose and General Principles


(1) The purpose of the notice of right to opt-out is to inform consumers of their right to
direct a business that sells their personal information to stop selling their personal
information.
(2) The notice of right to opt-out shall be designed and presented in a way that is easy to
read and understandable to consumers. The notice shall:
a. Use plain, straightforward language and avoid technical or legal jargon.
b. Use a format that draws the consumer’s attention to the notice and makes the
notice readable, including on smaller screens, if applicable.
c. Be available in the languages in which the business in its ordinary course provides
contracts, disclaimers, sale announcements, and other information to consumers in
California.
d. Be reasonably accessible to consumers with disabilities. For notices provided
online, the business shall follow generally recognized industry standards, such as
the Web Content Accessibility Guidelines, version 2.1 of June 5, 2018, from the
World Wide Web Consortium, incorporated herein by reference. In other
contexts, the business shall provide information on how a consumer with a
disability may access the notice in an alternative format.
(b) A business that sells the personal information of consumers shall provide the notice of right
to opt-out to consumers as follows:

(1) A business shall post the notice of right to opt-out on the Internet webpage to which
the consumer is directed after clicking on the “Do Not Sell My Personal Information”
link on the website homepage or the download or landing page of a mobile
application. In addition, a business that collects personal information through a
mobile application may provide a link to the notice within the application, such as
through the application’s settings menu. The notice shall include the information
specified in subsection (c) or link to the section of the business’s privacy policy that
contains the same information.
(2) A business that does not operate a website shall establish, document, and comply with
another method by which it informs consumers of their right to opt-out. That method
shall comply with the requirements set forth in subsection (a)(2).
(3) A business that sells personal information that it collects in the course of interacting
with consumers offline shall also inform consumers by an offline method of their right
to opt-out and provide instructions on how to submit a request to opt-out. Illustrative
examples follow:
a. A business that sells personal information that it collects from consumers in a
brick-and-mortar store may inform consumers of their right to opt-out on the
paper forms that collect the personal information or by posting signage in the area
where the personal information is collected directing consumers to where the opt-
out information can be found online.
b. A business that sells personal information that it collects over the phone may
inform consumers of their right to opt-out orally during the call when the
information is collected.
(c) A business shall include the following in its notice of right to opt-out:
(1) A description of the consumer’s right to opt-out of the sale of their personal
information by the business;
(2) The interactive form by which the consumer can submit their request to opt-out online,
as required by section 999.315, subsection (a), or if the business does not operate a
website, the offline method by which the consumer can submit their request to opt-out;
and
(3) Instructions for any other method by which the consumer may submit their request to
opt-out.
(d) A business does not need to provide a notice of right to opt-out if:
(1) It does not sell personal information; and
(2) It states in its privacy policy that it does not sell personal information.
(e) A business shall not sell the personal information it collected during the time the business
did not have a notice of right to opt-out posted unless it obtains the affirmative authorization
of the consumer.
(f) Opt-Out Icon.
(1) The following opt-out icon may be used in addition to posting the notice of right to opt-
out, but not in lieu of any requirement to post the notice of right to opt-out or a “Do Not
Sell My Personal Information” link as required by Civil Code section 1798.135 and
these regulations.
(2) The icon shall be approximately the same size as any other icons used by the business
on its webpage.
Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.120, 1798.135
and 1798.185, Civil Code.

§ 999.315. Requests to Opt-Out.

(a) A business shall provide two or more designated methods for submitting requests to opt-out,
including an interactive form accessible via a clear and conspicuous link titled “Do Not Sell
My Personal Information,” on the business’s website or mobile application. Other
acceptable methods for submitting these requests include, but are not limited to, a toll-free
phone number, a designated email address, a form submitted in person, a form submitted
through the mail, and user-enabled global privacy controls, such as a browser plug-in or
privacy setting, device setting, or other mechanism, that communicate or signal the
consumer’s choice to opt-out of the sale of their personal information.

(b) A business shall consider the methods by which it interacts with consumers, the manner in
which the business sells personal information to third parties, available technology, and ease
of use by the consumer when determining which methods consumers may use to submit
requests to opt-out. At least one method offered shall reflect the manner in which the
business primarily interacts with the consumer.

(c) If a business collects personal information from consumers online, the business shall treat
user-enabled global privacy controls, such as a browser plug-in or privacy setting, device
setting, or other mechanism, that communicate or signal the consumer’s choice to opt-out of
the sale of their personal information as a valid request submitted pursuant to Civil Code
section 1798.120 for that browser or device, or, if known, for the consumer.

(1) Any privacy control developed in accordance with these regulations shall clearly
communicate or signal that a consumer intends to opt-out of the sale of personal
information.

(2) If a global privacy control conflicts with a consumer’s existing business-specific
privacy setting or their participation in a business’s financial incentive program, the
business shall respect the global privacy control but may notify the consumer of the
conflict and give the consumer the choice to confirm the business-specific privacy
setting or participation in the financial incentive program.

(d) In responding to a request to opt-out, a business may present the consumer with the choice
to opt-out of sale for certain uses of personal information as long as a global option to opt-
out of the sale of all personal information is more prominently presented than the other
choices.

(e) A business shall comply with a request to opt-out as soon as feasibly possible, but no later
than 15 business days from the date the business receives the request. If a business sells a
consumer’s personal information to any third parties after the consumer submits their
request but before the business complies with that request, it shall notify those third parties
that the consumer has exercised their right to opt-out and shall direct those third parties not
to sell that consumer’s information.

(f) A consumer may use an authorized agent to submit a request to opt-out on the consumer’s
behalf if the consumer provides the authorized agent written permission signed by the
consumer. A business may deny a request from an authorized agent if the agent cannot
provide to the business the consumer’s signed permission demonstrating that they have been
authorized by the consumer to act on the consumer’s behalf. User-enabled global privacy
controls, such as a browser plugin or privacy setting, device setting, or other mechanism,
that communicate or signal the consumer’s choice to opt-out of the sale of their personal
information shall be considered a request directly from the consumer, not through an
authorized agent.

(g) A request to opt-out need not be a verifiable consumer request. If a business, however, has a
good-faith, reasonable, and documented belief that a request to opt-out is fraudulent, the
business may deny the request. The business shall inform the requestor that it will not
comply with the request and shall provide an explanation why it believes the request is
fraudulent.

(h) A business’s methods for submitting requests to opt-out shall be easy for consumers to
execute and shall require minimal steps to allow the consumer to opt-out. A business shall
not use a method that is designed with the purpose or has the substantial effect of subverting
or impairing a consumer’s choice to opt-out. Illustrative examples follow:

(1) The business’s process for submitting a request to opt-out shall not require more steps
than that business’s process for a consumer to opt-in to the sale of personal information
after having previously opted out. The number of steps for submitting a request to opt-
out is measured from when the consumer clicks on the “Do Not Sell My Personal
Information” link to completion of the request. The number of steps for submitting a
request to opt-in to the sale of personal information is measured from the first
indication by the consumer to the business of their interest to opt-in to completion of
the request.

(2) A business shall not use confusing language, such as double-negatives (e.g., “Don’t Not
Sell My Personal Information”), when providing consumers the choice to opt-out.

(3) Except as permitted by these regulations, a business shall not require consumers to
click through or listen to reasons why they should not submit a request to opt-out before
confirming their request.

(4) The business’s process for submitting a request to opt-out shall not require the
consumer to provide personal information that is not necessary to implement the
request.

(5) Upon clicking the “Do Not Sell My Personal Information” link, the business shall not
require the consumer to search or scroll through the text of a privacy policy or similar
document or webpage to locate the mechanism for submitting a request to opt-out.

Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.120, 1798.135,
1798.140 and 1798.185, Civil Code.

§ 999.326. Authorized Agent.

(a) When a consumer uses an authorized agent to submit a request to know or a request to
delete, a business may require the authorized agent to provide proof that the
consumer gave the agent signed permission to submit the request. The business may also
require the consumer to do either of the following:

(1) Verify their own identity directly with the business.

(2) Directly confirm with the business that they provided the authorized agent
permission to submit the request.

(b) Subsection (a) does not apply when a consumer has provided the authorized agent with
power of attorney pursuant to Probate Code sections 4121 to 4130.

(c) An authorized agent shall implement and maintain reasonable security procedures and
practices to protect the consumer’s information.

(d) An authorized agent shall not use a consumer’s personal information, or any information
collected from or about the consumer, for any purposes other than to fulfill the consumer’s
requests, verification, or fraud prevention.

Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.100, 1798.110,
1798.115, 1798.130, and 1798.185, Civil Code.

§ 999.332. Notices to Consumers Under 16 Years of Age.

(a) A business subject to sections 999.330 and/or 999.331 shall include a description of the
processes set forth in those sections in its privacy policy.

(b) A business that exclusively targets offers of goods or services directly to consumers under
16 years of age and does not sell the personal information without the affirmative
authorization of consumers at least 13 years of age and less than 16 years of age, or the
affirmative authorization of their parent or guardian for consumers under 13 years of age, is
not required to provide the notice of right to opt-out.

Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.120, 1798.135
and 1798.185, Civil Code.
