On Friday, California Governor Gavin Newsom signed seven legislative proposals to amend the California Consumer Privacy Act (CCPA), marking the end of a nearly-yearlong process to make changes to the new privacy law before it goes into effect on January 1st.  The next opportunity to amend the CCPA will be in the 2020 legislative session.

The Governor’s decision to sign the amendments followed the release by the California Attorney General of draft regulations last Thursday.  The draft regulations are proposed rules that the California Attorney General seeks to use to direct businesses more specifically on how they can comply with the CCPA, whereas the amendments signed into law by the governor will replace or augment the statutory text of the CCPA.

Here’s the full list of the new laws that amend the CCPA:

  • CLARIFYING AMENDMENTS & EXEMPTIONS:  Assembly Bill 1355 exempts deidentified or aggregate consumer information from the personal information definition; creates a one-year exemption for certain B2B communications or transactions; and broadens the existing exemption for compliance with the federal Fair Credit Reporting Act (FCRA).
  • DATA BROKER REGISTRATION: Assembly Bill 1202 requires data brokers to register with the California Attorney General.
  • EMPLOYEE EXEMPTION: Assembly Bill 25 changes the CCPA so that the law does not cover collection of personal information from job applicants, employees, business owners, directors, officers, medical staff, or contractors for one year.
  • CONSUMER REQUEST FOR DISCLOSURE METHODS: Assembly Bill 1564 requires businesses to provide two methods for consumers to submit requests for information, including, at a minimum, a toll-free telephone number, but provides that a business that operates exclusively online and has a direct relationship with a consumer from whom it collects personal information is only required to provide an email address for submitting CCPA requests.
  • VEHICLE WARRANTIES & RECALLS: Assembly Bill 1146 exempts vehicle information retained or shared for purposes of a warranty or recall-related vehicle repair.
  • PUBLICLY AVAILABLE INFORMATION: Assembly Bill 874 streamlines the definition of “publicly available” to mean information that is lawfully made available from federal, state, or local government records. The amendment also clarifies that the definition of “personal information” excludes deidentified or aggregate consumer information.
  • DATA BREACH NOTIFICATION: In the context of data breaches, Assembly Bill 1130 revises the personal information definition to add specified unique biometric data, tax identification numbers, passport numbers, military identification numbers, and unique identification numbers issued on a government document, in addition to those for driver’s licenses and California identification cards. The amendment also authorizes a data breach notification involving biometric data to include instructions on how to notify other entities that used the same type of biometric data as an authenticator to no longer rely on that data for authentication purposes.

On Thursday, California Attorney General Xavier Becerra released draft regulations implementing the California Consumer Privacy Act (CCPA). The regulations provide the first glimpse into how the Attorney General interprets the sprawling law, which is slated to go into effect on January 1.

The new regulations cover seven topics:

  1. Notices to Consumers: The draft regulations clarify the format and content of notices that businesses must provide to consumers when they (a) seek to collect personal information, (b) inform the consumer of the right to opt-out of the sale of personal information, (c) provide details on financial incentive programs, and (d) publish a privacy policy. The draft regulations include the following specific requirements:
    • Notices must be designed and presented in an easy-to-read, understandable way, and be ADA accessible.
    • Notices must describe, for each category of personal information collected, the categories of sources and the business or commercial purpose(s) for which the information is collected, as well as the categories of third parties with whom the business shares that information.
    • Notably, for notices provided offline, the notice must be provided prior to data collection, such as via a hard copy of the notice or prominent, in-store signage with a link to the notice.
    • Opt-out notices must contain certain content, including a description of the proof required when a consumer is using an authorized agent to help them exercise their opt-out right. The draft regulations also propose the concept of an opt-out button or logo, but such button or logo would need to be provided in addition to, and not instead of, the notice.
    • Businesses must impose restrictions on the collection of personal information when they are unable to provide notice.
  2. Handling Consumer Requests: The draft regulations propose an extensive, standardized set of rules on operationalizing the handling of consumer requests. Many of the proposed requirements are not expressly described in the CCPA. Businesses that have been working to implement the CCPA should review this section carefully and likely will need to determine whether to update their implementation plans to align with the Attorney General’s proposed rules. Notable proposed requirements include the following:
    • Businesses will be required to confirm the receipt of consumer requests within 10 days, re-confirm requests to delete personal information, and maintain records on handling of consumer requests for at least two years. On deletion requests, the draft regulations state that compliance with a deletion request excludes archived or back-up systems.
    • After verification of identity, businesses should respond to household requests submitted via a non-password protected account with aggregate household information.
    • If a consumer submits a request through a non-designated method, or a deficient request (unrelated to verification), the business must either treat such request as submitted correctly or provide instructions to the consumer on how to remedy the deficiencies.
    • Businesses must provide an individualized response to the consumer, and not a template general response unless the response would be the same for all consumers, and are prohibited from, under any circumstance, disclosing certain sensitive personal information.
    • If a consumer has opted out of the sale of personal information, the business must obtain a double opt-in thereafter.
    • Businesses may re-name their do-not-sell links with the label “Do Not Sell My Info” rather than only “Do Not Sell My Personal Information.”
  3. Verification of Requests: The draft regulations establish rules and procedures for verifying the identity of consumers making requests.
    • For businesses with consumer accounts, the business would generally be able to use existing authentication procedures to verify consumers. For companies that must verify non-accountholders, the draft regulations propose a series of verification procedures tailored to the type of request. For example, requests for access to specific pieces of personal information will require a business to match at least three pieces of a consumer’s personal information, and the consumer to submit a signed declaration under penalty of perjury.
    • For a request made by an authorized agent, the proposed regulations provide that the business may require written permission from the consumer and that the consumer verify their own identity directly with the business, unless the consumer has provided the agent with power of attorney pursuant to probate laws.
  4. Service Providers: The proposed regulations clarify that a service provider shall not use personal information it collects from a business or consumer in connection with its provision of services to another person or entity. However, a service provider may combine personal information to the extent necessary to detect data security incidents or protect against fraud or illegal activity.
  5. Mini-Data Broker Requirements: The proposed regulations provide that if a business annually buys, shares, or receives for commercial purposes, or sells the personal information of, 4 million consumers, it must compile a number of metrics, disclose such metrics in its privacy policy, and establish and document training. Notably, an entity need not meet the definition of a data broker (as specified in AB 1202) to be subject to this requirement.
  6. Rules Regarding Minors: The draft regulations establish rules on obtaining consent to sell personal information obtained from/about minors. To obtain parental consent to sell the personal information of minors, a business must obtain consent that is additional to any verifiable parental consent obtained under the federal Children’s Online Privacy Protection Act (COPPA).
  7. Non-Discrimination: The draft regulations provide additional guidance on how to comply with the CCPA’s non-discrimination provisions. In particular, the regulations provide detail on calculating the value of consumer data for purposes of determining whether a price or service difference is “reasonably related” to the value of the consumer’s data.

Public comments on the draft regulations are due on December 6, 2019. During the comment period, the Attorney General will hold the following public hearings:

  • December 2, 2019 – Sacramento
  • December 3, 2019 – Los Angeles
  • December 4, 2019 – San Francisco
  • December 5, 2019 – Fresno

Our firm will continue to review the draft regulations as we work with clients to develop practical guidance on complying with the CCPA. If you have questions on how the regulations may impact your business, please contact Alysa Hutnik, Katie Townley, or Alex Schneider.

On a new episode of the Ad Law Access Podcast, Alex Schneider discusses the amendments to the California Consumer Privacy Act (CCPA) that the California legislature voted to send to the California governor’s desk.

The Ad Law Access podcast is available now through Apple Podcasts, Spotify, Google Play, SoundCloud, and other podcast services.

Partner John Villafranco, co-chair Samantha Knox, Associate General Counsel, Competition and Regulatory, Facebook, and the Honorable Christine S. Wilson, Commissioner, Federal Trade Commission, will be speaking at the ABA’s Section of Antitrust Law’s In-House Institute at Devil’s Thumb Ranch in Tabernash, Colorado on October 14-15, 2019.

The Institute is offered to in-house counsel and attendees will engage in an exchange of ideas concerning competition and consumer protection issues, as well as other issues confronting the evolving law department.

In addition to a number of key government regulators, expected attendees include in-house counsel from the following companies, among many others:  Clorox, Coca-Cola, Del Monte, Ericsson,  Facebook, Google, Herbalife, Intel, Microsoft, Pfizer, P&G, Qualcomm, Salesforce, Siemens, Turner, Unilever, Verizon, Wal-Mart, and Whirlpool.

Register for the In-House Institute here. Should you have any questions, please call John directly (202.342.8423) or email jvillafranco@kelleydrye.com.

On Tuesday, September 24, 2019, the European Court of Justice issued two rulings that further defined the right to be forgotten under European laws. The right to be forgotten, also known as the right to erasure, is a fundamental tenet of the General Data Protection Regulation (GDPR). The right allows, among other things, consumers to object to the processing of their data and request erasure. Both cases decided on Tuesday involved Google, which has reportedly received requests to remove more than 3 million links pursuant to this right.

Geographic Limitations

The first case decided on Tuesday arose in 2016 after France’s privacy watchdog CNIL fined Google for refusing to de-list links globally upon request. As a policy, Google only deletes links within the European Union, stating that most searches occur on country-specific sites such as Google.fr. Google and its supporters argued that individuals should not be able to determine what information appears about them in other countries. The European Court of Justice agreed with Google, finding that the right to be forgotten cannot be enforced outside of the European Union.

Sensitive Information

In the second ruling of the day, the Court found that certain categories of data deserve special consideration from businesses when they receive a right to be forgotten request. The case was brought by individuals whose requests to remove links were denied by Google. The Court gave a mixed ruling, acknowledging that privacy considerations must be weighed against the public’s right to know, but stating that businesses should give careful consideration to requests to remove certain categories. These categories include, for example, religion, political belief, sex life and past criminal convictions. It is not yet clear how Google and other businesses will interpret and implement this decision.

***

These cases are a notable development in defining the broad rights given to European data subjects. In each case, the Court must balance individual privacy rights with the public’s right to information. While the privacy laws are different in the United States, some of these GDPR interpretations may well serve as examples for how practitioners will evaluate and apply analogous provisions under the California Consumer Privacy Act (CCPA) and other U.S. privacy laws.  We will continue to track these developments. For information on the GDPR and recent enforcement please see additional articles here and here, or contact Alysa Hutnik.

Last week, the California legislature voted to send five amendments to the CCPA to the California governor’s desk.  The amendments include a one-year exemption for access and deletion rights to employee data and B2B communications; a provision exempting online-only businesses from operating a toll-free number to accept consumer requests; and a new mandate for data brokers to register with the Attorney General’s office.

Governor Gavin Newsom has until October 13, 2019 to act on the legislation.  The California legislative session ended on Friday, and no additional CCPA amendments are expected before the law comes into effect on January 1, 2020.

Of the six CCPA amendments that had been pending in the California legislature, just one amendment failed to pass last week.  A.B. 846 would have provided clarity that the CCPA does not restrict financial incentive and loyalty programs.

Here’s the full list of amendments awaiting the governor’s signature:

  • CLARIFYING AMENDMENTS & EXEMPTIONS: Assembly Bill 1355 exempts deidentified or aggregate consumer information from the definition of personal information; creates a one-year exemption for certain B2B communications or transactions; and broadens the existing exemption for compliance with the federal Fair Credit Reporting Act (FCRA).
  • DATA BROKER REGISTRATION: Assembly Bill 1202 requires data brokers to register with the California Attorney General.
  • EMPLOYEE EXEMPTION: Assembly Bill 25 changes the CCPA so that the law would not cover collection of personal information from job applicants, employees, business owners, directors, officers, medical staff, or contractors for one year.
  • CONSUMER REQUEST FOR DISCLOSURE METHODS: Assembly Bill 1564 would require businesses to provide two methods for consumers to submit requests for information, including, at a minimum, a toll-free telephone number.  A business that operates exclusively online and has a direct relationship with a consumer from whom it collects personal information would only be required to provide an email address for submitting CCPA requests.
  • VEHICLE WARRANTIES & RECALLS: Assembly Bill 1146 would exempt vehicle information retained or shared for purposes of a warranty or recall-related vehicle repair.
  • PUBLICLY AVAILABLE INFORMATION: Assembly Bill 874 streamlines the definition of “publicly available” to mean information that is lawfully made available from federal, state, or local government records. The bill also would amend the definition of “personal information” to exclude deidentified or aggregate consumer information.

On Tuesday, the FTC issued warning letters to three companies selling CBD products.  The companies, which the FTC did not identify publicly, allegedly illegally advertised CBD products as being able to treat or cure serious diseases and health conditions without competent and reliable scientific evidence to support such claims. As we have written about previously, the FTC and the FDA issued similar joint warning letters to three other CBD sellers earlier this year.

According to the FTC’s press release, the companies claimed their products could cure serious diseases such as cancer, Alzheimer’s, fibromyalgia, and multiple sclerosis.  At least one company’s website, however, took it a step further by claiming “CBD ‘works like magic’ to relieve ‘even the most agonizing pain’ better than prescription opioid painkillers” and “the company . . . has participated in ‘thousands of hours of research’ with Harvard researchers.”

The letters directed the recipient companies to review all claims, including testimonials, to ensure they are supported by competent and reliable scientific evidence.  As readers of this blog likely know, advertisers are required to substantiate all objectively provable claims and cannot use testimonials as a means to make claims that they cannot otherwise substantiate. Given that cannabis, including hemp, was a controlled substance for decades, there has been limited research conducted to date.  Put another way, although users may have experienced favorable results, this does not excuse the advertiser from properly substantiating their claims.

Consumers increasingly want to feel good about their buying decisions and like-minded companies often look for ways to communicate how they align with consumers in the marketplace through “cause marketing.”

Advertising and Marketing and Consumer Product Safety practice groups chair Christie Grymes Thompson covers a specific type of cause marketing – the commercial coventure (CCV) – in the latest episode of the Ad Law Access Podcast, “Cause Marketing – Commercial Co-Ventures: What You Need to Know Before Getting Started.”

Commercial coventures typically arise when a company teams up with a charity to offer a product or service or to sponsor an event, and a consumer’s purchase or participation in the event triggers a donation to the charity. Christie discusses the statutes that apply to co-venturers and what you need to know to get started.

You can find the Ad Law Access podcast through your favorite streaming service (Apple Podcasts, Spotify, Google Play, Stitcher, SoundCloud, and others).

This week marks the final opportunity for California lawmakers to amend the CCPA before the legislative session closes on Friday, September 13th.  The legislative posture of the amendments changed last Friday, when the Senate made changes to all of the active amendments.  These bills still require an affirmative vote of both houses this week before they can head to the Governor’s desk for a signature.  The Governor then has until October 13th to sign the bills into law.

Substantive changes were made to three amendments, AB 846, AB 1355, and AB 1202, as follows:

  • AB 846 (loyalty programs) now only would permit the sale of personal information collected through loyalty programs in very limited circumstances, and limits the third party purchaser’s retention and use of such data other than for eligibility purposes.
  • AB 1355 (clarifying amendments & exemptions) now adds a one-year exemption under the CCPA for personal information obtained by a business through B2B communications or transactions, specifically in the context of (a) the business conducting due diligence regarding a company, nonprofit, or government agency, or (b) the provision or receipt of a product or service to or from a company, nonprofit, or government agency.
  • AB 1202 (data broker registration) removed a provision that would have satisfied the compliance obligations of registered data brokers through website notices.

Otherwise, the Senate made technical changes to the amendments, confirming that the amendments are compatible and that their order of enactment will not have an unintended legal impact.  Procedurally, these changes mean that the amendments must be approved not only by the California Senate but also by the California Assembly.

Here’s the full list of pending amendments, as of September 9th:

  • LOYALTY PROGRAMS: Assembly Bill 846 would remove loyalty/rewards programs from the discrimination provisions of the CCPA but under very limited circumstances that are likely to materially affect how and if such programs are offered to California residents.
    • What’s New?  The new language in the amendment would permit the limited sale of personal information to a third party that is collected as part of a loyalty, rewards, premium features, discounts, or club card program “in order for the third party to provide the consumer with a financial incentive, sale, or other discount” but only when:  (1) the business obtains the consumer’s express consent to sell the information to the specific third party (and where the consumer has the option to participate in the program on equal terms with other participants without providing consent); and (2) the third party can only use the personal information to identify the consumer’s discount eligibility, and does not otherwise retain, use, or disclose the personal information separate from such eligibility determination.
  • CLARIFYING AMENDMENTS & EXEMPTIONS: Assembly Bill 1355 exempts deidentified or aggregate consumer information from the definition of personal information; creates a new, one-year exemption for certain B2B communications or transactions; and broadens the existing exemption for compliance with the federal Fair Credit Reporting Act (FCRA).
    • What’s New?  AB 1355 adds a limited, one-year exemption from the notice and rights provisions of the CCPA for personal information obtained from representatives of a business who communicate or transact with another business.  The exemption applies when a consumer is a “natural person who is acting as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency.”

The amendment would enable a business to claim the exemption with regard to “personal information reflecting a written or verbal communication or a transaction between the business and the consumer.”  Importantly, such communications or transaction with the business must occur solely within the context of the business either (a) “conducting due diligence regarding” such company, partnership, sole proprietorship, nonprofit, or government agency, or (b) “providing or receiving a product or service to or from such company, partnership, sole proprietorship, nonprofit, or government agency.”

In addition, new language in AB 1355 revises the exemption for compliance with the FCRA, clarifying that activity involving the disclosure or use of personal information by a consumer reporting agency, furnisher of information, or user of a consumer report is exempt from the CCPA as long as that activity is regulated by the FCRA.  The exemption does not apply in the case of a data breach actionable under the CCPA’s private right of action.

  • DATA BROKER REGISTRATION: Assembly Bill 1202 requires data brokers to register with the California Attorney General.
    • What’s New?  Earlier versions of the amendment included a provision that would have enabled data brokers to satisfy their obligation under California law to inform consumers about personal information collected and the purposes of collecting such information by posting that information on the data broker’s website.  The latest version of the amendment removes this language.

The following amendments moved forward without substantive changes.

  • EMPLOYEE EXEMPTION: Assembly Bill 25 changes the CCPA so that the law would not cover collection of personal information from job applicants, employees, business owners, directors, officers, medical staff, or contractors for one year.
  • CONSUMER REQUEST FOR DISCLOSURE METHODS: Assembly Bill 1564 would require businesses to provide two methods for consumers to submit requests for information, including, at a minimum, a toll-free telephone number.  A business that operates exclusively online and has a direct relationship with a consumer from whom it collects personal information would only be required to provide an email address for submitting CCPA requests.
  • VEHICLE WARRANTIES & RECALLS: Assembly Bill 1146 would exempt vehicle information retained or shared for purposes of a warranty or recall-related vehicle repair.
  • PUBLICLY AVAILABLE INFORMATION: Assembly Bill 874 streamlines the definition of “publicly available” to mean information that is lawfully made available from federal, state, or local government records. The bill also would amend the definition of “personal information” to exclude deidentified or aggregate consumer information.

The FTC and the New York Attorney General recently announced a record-setting $170 million ($136 million to the FTC and $34 million to the NY AG) joint settlement with Google. The settlement resolves allegations that YouTube violated the Children’s Online Privacy Protection Act (“COPPA”) and is the largest penalty the FTC has ever received in a COPPA case, easily dwarfing the agency’s next-highest $5.7 million settlement with TikTok.

In the complaint, the agencies alleged that YouTube violated the COPPA Rule because the site did not provide direct notice to parents of, or attempt to obtain verifiable parental consent prior to, collecting children’s personal information. Although the site markets itself as general audience and prevents users under age 13 from creating an account, the complaint alleged that YouTube had actual knowledge that it collected children’s personal information, including persistent identifiers, through the child-directed channels commercial entities operate on the site. This “actual knowledge” made YouTube an “operator” subject to the COPPA Rule.

The complaint also noted that, while identifying itself as a general audience platform not subject to COPPA, YouTube promoted its site as the “favorite website for kids 2-12” in pitches to toy companies and manually rated its content based on age group. Still, the company treated any content self-identified as child-directed similarly to any other content in terms of monetization and behavioral advertising practices.

The settlement’s injunctive provisions include:

  1. Developing and implementing a system for channel owners to designate whether their content is child-directed;
  2. Providing annual COPPA training for employees who manage child-directed channel owners;
  3. Making reasonable efforts to ensure that parents receive direct notice of the collection, use, or disclosure of children’s personal information;
  4. Posting prominently a link to that COPPA notice on any area of the site that collects children’s personal information;
  5. Obtaining verifiable parental consent prior to collecting, using, or disclosing children’s personal information; and
  6. Ceasing disclosing, benefiting from, or using any children’s personal information collected prior to the settlement within 90 days of the compliance date in January of 2020.

Although not specifically required by the settlement, YouTube also recently announced that it will be creating a site specifically for children’s content. Parents will be able to filter videos based on a child’s age, and track their children’s viewing history, and the site will not use behavioral advertising. Previously, the kids’ site was only available via mobile app.

Children’s privacy has been a hot topic recently, with the FTC announcing a request for comment on the COPPA Rule and legislators proposing updated COPPA legislation. Initial reports indicate that Congress sees this settlement as a slap on the wrist for the tech giant, as the total monetary penalty is allegedly less than two days’ worth of profits for Google. Similar complaints were made after the FTC’s Facebook settlement, but it remains to be seen whether disappointment with either settlement will be enough to push Congress to identify a new privacy enforcer via federal legislation.