As the 45-day period for public comments on proposed regulations to implement the California Consumer Privacy Act (“CCPA”) draws to a close (comments must be submitted by 5:00 pm Pacific time on December 6), we share this report from the second of four public hearings that the Attorney General’s Office is holding this week.  Deputy Attorney General Nick Akers, joined by three colleagues from the AG’s Office, presided over the hearing, which was held on December 3 in Los Angeles.  Mr. Akers made it clear from the outset that the AG’s Office was in listening mode and would not engage in dialogue or answer substantive questions during the hearing.

Two dozen speakers took advantage of the AG Office’s attention to present a broad array of concerns about – and request changes to – the proposed regulations.  The overwhelming majority of speakers discussed operational and practical challenges that they would face if required to implement the regulations as proposed; there were few speakers representing consumer or advocacy groups.  Below are some of the main themes that emerged from the hearing.

  • Modify the Notice Requirements for Onward Sale of Data.  Speakers representing data brokers, online directories, people search services, and similar services urged the AG to rethink proposed subdivision 999.305(d).  This provision would excuse a business that “does not collect information directly from consumers” from the obligation to provide notice at the time of collection, but it would require such businesses to take one of two actions prior to selling personal information obtained indirectly: (1) provide direct notice to consumers of their right to opt out of sale; or (2) confirm that the source provided such notice, and obtain the source’s signed attestation to that effect.

Speakers asserted that these requirements are unworkable and potentially unconstitutional.  A better route, they argued, is to rely on general privacy policies, the right to opt out of sale, and the data broker registry mandated under AB 1202 to provide consumers with transparency and control.

  • Limit Do Not Sell Requirements.  Speakers presented three main objections to the AG’s proposed implementation of the right to opt out of sale.  First, these speakers objected to the “downstream notice” requirement (subdivision 999.315(f)) – which would require businesses to send opt-out requests to third parties to which they sold information within 90 days before receiving an opt-out request – arguing that the CCPA does not authorize such a requirement, and that it will require companies to breach lawful, existing contracts.  A second objection to the downstream notice requirement is that it will, in effect, impose the opt-out requirement on entities that are not subject to the CCPA and require all entities involved in a given request to respond on an unrealistically short timeline.  Finally, at least one speaker argued that the regulations should permit businesses to respond to opt-out requests received from the “Do Not Sell My Personal Information” link or browser-based opt-out signals but should not require the ability to respond to both.
  • Provide Additional Guidance About Verification and Data Security.  Speakers representing a broad array of interests argued that the proposed regulations create the potential for abuse by fraudsters, identity thieves, and other bad actors.  For instance, the direct notice requirement would likely create a flood of notices, providing perpetrators of imposter schemes with an opportunity to send fraud-related requests for consumers’ personal information alongside legitimate notices.  Others criticized the AG’s proposal (subdivision 999.313(d)(1)) to require businesses to treat unverifiable deletion requests as requests to opt out of sale, on the ground that it will invite bot attacks that have the effect of opting many consumers out of the sale of personal information.
  • Ease Burdens on Small Businesses.  Small business owners and representatives asked the AG to consider ways to reduce regulatory burdens on small businesses.  For instance, one suggestion was to exempt businesses from CCPA obligations if they meet the definition of a business only because they collect IP addresses – and no other personal information – from 50,000 or more consumers annually.
  • Clarify Exemptions for Nonprofits, Financial Institutions, and Employers.  Representatives of credit unions sought clarity about whether, and to what extent, the CCPA applies to them.  One speaker noted that many credit unions are organized as nonprofits but, as mutual benefit corporations, operate for the benefit of their members and therefore could qualify as “businesses” under the CCPA.  Others asked the AG to clarify the scope of the CCPA’s exemption for personal information collected under the Gramm-Leach-Bliley Act and California Financial Information Privacy Act, arguing that the AG should take a broad view of the exemption to prevent consumers from receiving additional – and potentially confusing – notices from financial institutions.  Finally, representatives of employee benefits administrators recommended that the AG provide guidance that broadly defines benefits that fall within AB 25’s exemption.

We will closely monitor subsequent stages of the AG’s CCPA rulemaking process.  Please contact any member of Kelley Drye’s Privacy team if you have any questions.

On the latest episode of the Ad Law Access Podcast, partner Kristi Wolff discusses FDA’s recent CBD warning letters, Commissioner nominee Dr. Stephen Hahn’s confirmation hearings, and a preview of this week’s Cannabis Law Update webinar.

On Thursday, December 5, from Noon – 1:00 Eastern we will be holding a webinar on the emerging cannabis regulatory and litigation landscape. This program will cover several areas, including the following:

  • Litigation trends
  • Prop 65 applicability
  • Trade and customs issues
  • What cannabis legalization means for government contractors

Register here: https://kelleydrye.zoom.us/webinar/register/WN_KnY4hTq-RVSpoLS7a7O4Xw

For additional information see the Cannabis Law Update blog.

The Ad Law Access podcast is available now through Apple Podcasts, Spotify, Google Play, SoundCloud, and wherever you get your podcasts.

On November 26, 2019, Senator Maria Cantwell (D-WA), along with other Democratic senators across four key Senate committees, introduced the Consumer Online Privacy Rights Act (“COPRA”).  Per Senator Klobuchar’s description, COPRA “establishes digital rules of the road for companies, ensures that consumers have the right to access and control how their personal data is being used, and gives the Federal Trade Commission and state attorneys general the tools they need to hold big tech companies accountable.”

The bill would empower consumers with control over their personal information, including access, deletion, correction, and portability rights. The bill also would provide the FTC with broader powers to combat privacy harms.  Notably, the bill would establish a private right of action for consumers and would not preempt more stringent state privacy laws.  The following chart highlights key aspects of the Scope, Rules, Exceptions, and Enforcement of the COPRA bill.

Scope & Jurisdiction

COPRA covers all businesses with an average annual revenue over $25 MM (among other requirements) that are subject to the FTC Act and process or transfer information that identifies, or is “reasonably linkable” to, an individual or consumer device.

COPRA excludes small businesses, non-profit organizations, political campaigns, banks, and other entities not already subject to the FTC’s jurisdiction.

Privacy & Data Security Rights

Duty of Loyalty & Right to Data Security: Codifies the FTC’s interpretation of reasonable privacy and data security standards. Requires businesses to designate privacy and data security officers in charge of ensuring compliance with COPRA.

Right to Access & Transparency: Incorporates provisions similar to the CCPA right to access data and privacy policy disclosure requirements.

Right to Delete: Broader than the CCPA in that there are no business purpose exceptions to retain consumer data.  If a consumer requests that a business delete covered data, the business must delete the data and inform service providers and third parties of the deletion request.

Right to Correct Inaccuracies: Businesses must provide a consumer a mechanism to correct inaccurate or incomplete data and must notify service providers and third parties of the correction.

Right to Controls: Incorporates provisions similar to the CCPA right to opt-out of the sale or transfer of consumer information.  The FTC would be responsible for promulgating rules for compliance with this right.

Right to Data Minimization: Businesses cannot process or transfer data unless it is “reasonably necessary, proportionate, and limited” to carry out the specific processing and transfer purposes described in the privacy policy; to carry out a specific processing purpose or transfer after a covered entity has obtained affirmative express consent; or for a purpose specifically permitted by the Act.

Civil Rights

Businesses cannot discriminate based on data that differentiates people based on their perceived race, color, ethnicity, religion, national origin, sex, gender, gender identity, sexual orientation, familial status, biometric information, lawful employment, or disability.

Businesses must offer the same housing, employment, credit, educational opportunity, and public accommodation to every person.  Businesses are also required to conduct impact assessments to ensure algorithmic decision-making is not discriminating based on data that may differentiate people using those traits.

Exceptions

Businesses do not need to comply with the Rights above if:

  • It is demonstrably impossible
  • It would prevent the business from carrying out internal audits, performing accounting functions, processing refunds, or fulfilling warranty claims
  • The request is made about publicly available information
  • It would interfere with First Amendment rights
  • It would impair the privacy rights of another consumer
  • The request would prevent the business from processing the data for a specific purpose that a consumer authorized or the authorization fell under an exemption

Third Parties & Service Providers

Service providers are exempt from several provisions in the Act.  However, they must delete, correct, or de-identify data subject to consumers’ requests under the Act.  Service providers must only use data in the way their contract provides and can’t sell data to a third party without affirmative express consent from the business.

Third parties cannot process data inconsistent with the expectations of a reasonable consumer.  In receiving data, third parties can reasonably rely on the representations of the businesses and service providers.

Businesses must conduct reasonable oversight and due diligence on service providers and third party transfers of data.

Private Right of Action

COPRA provides a private right of action for individuals to assert violations.  Any violation of the Act, or of a regulation promulgated under it, will be considered an “injury in fact.”  Damages range from $100 to $1000 per violation per day.  Arbitration agreements and class action waivers are invalid in disputes arising under COPRA.

Federal & State Enforcement

Within two years, the FTC must create a new bureau to assist in exercising its authority under the Act and other Federal laws addressing privacy, data security, and related issues.  A violation of this Act is treated as a violation of the FTC Act.

One year after enactment, a CEO (or equivalent) and data privacy officers must review and certify to the FTC that they maintain adequate internal controls and reporting structures to ensure compliance with this Act.

Businesses will be required to have a privacy and data security officer, who ensures the business has a comprehensive written privacy and data security program, annually conducts risk assessments and facilitates ongoing compliance with this Act.

This Act does not preempt any state laws that afford “a greater level of protection to individuals protected under this Act.”  It only preempts directly conflicting state laws.  The Act does not preempt any other private rights of action but the FTC can intervene in individual enforcement actions under COPRA.

COPRA was introduced in anticipation of the Senate Committee on Commerce, Science, and Transportation December 4th hearings entitled “Examining Legislative Proposals to Protect Consumer Data Privacy.”  While it remains unclear if there will be enough momentum for this bill to advance, the scope and direction of the legislation underscore the change in the privacy law landscape in the US, and that California’s CCPA may only be the start.  If you have further questions about how these developments may apply to your business, please feel free to contact any of our Privacy team members at Kelley Drye.

The week after Thanksgiving is always a busy one and this year does not disappoint. We are pleased to be holding the following educational opportunities this week:

California Consumer Privacy Act Workshop Los Angeles Edition
In Los Angeles, on Wednesday, December 4, we will be holding the latest in our series of California Consumer Privacy Act (CCPA) Workshops. This edition will come a day after the California Attorney General’s public hearing on the draft regulations, which we will recap. Like the others, this will be an interactive discussion on CCPA interpretation questions and compliance strategies, and will include a deep dive into understanding and applying core CCPA provisions; industry benchmarking; preventing unintended “sales” of data; updating applicable privacy policy provisions and other disclosures; and considerations for business partner and vendor management. A reception to support networking with your privacy peers will follow the program. To find out more about this invitation-only in-person workshop, please contact workshop@kelleydrye.com.

Politics in the Workplace
Also on December 4, at 12 Eastern, Barbara Hoey, Chair of Kelley Drye’s Labor and Employment Practice; Christie Grymes Thompson, Chair of the firm’s Advertising Law Practice; and David Frulla, Chair of the firm’s Campaign Finance and Political Law Practice, will hold a discussion on best practices for handling all aspects of politics in the workplace. This one-hour webinar will review federal and state rules regarding employees’ political activity and speech in the workplace; how to protect your company’s brand and reputation in the context of political fundraising and advocacy; and how to comply with federal campaign finance laws when your company or its executives engage in political activity. To register for this webinar, please contact marketing@kelleydrye.com.

Cannabis Regulatory Update
On December 5 at 12 Eastern, special counsel Beth Johnson, Bez Stern, Joseph Green, and associate Melissa Brewer will present a comprehensive cannabis regulatory update.  Topics include the impact of cannabis legalization on government contractors, an update on developing cannabis litigation issues, a review of Prop 65 applicability, and a primer on cannabis customs issues.  To register, click here.

If you cannot attend any of these events, stay up to date with our Ad Law Access blog and podcast, the Cannabis Law Update blog and get a preview of the new Advertising and Privacy Law Resource Center.

Last Monday, Google released its answer to the CCPA: a new “service provider” contract.  Given Google’s widely used advertising and analytics technologies, Google’s new contract has the potential to influence how website publishers, advertisers, the Ad Tech industry, and software as a service (SaaS) providers approach compliance with California’s new privacy law.

No “Sales” if Sharing with a Service Provider

To explain Google’s move, it’s helpful to understand that the CCPA incentivizes a business-service provider relationship.  A business can provide a service provider personal information without calling the disclosure a “sale” or offering an opt-out option.  When a business provides personal information to a service provider, the business receives liability protections so long as the business does not have actual knowledge or reason to believe that the service provider is violating the CCPA.

In turn, the service provider is restricted from keeping, using, or disclosing personal information for purposes other than “business purposes” spelled out in the service provider contract.

How to Determine if an AdTech Partner is a Service Provider?

But many in the Ad Tech industry have not yet publicly addressed their practices within the context of the CCPA, which has left companies to scrutinize existing contracts, the partner’s publicly-posted terms, statements, privacy policies, and to evaluate the partner’s actual tracking activity, to help determine if there is support for a service provider classification.  Other Ad Tech players have asserted that CCPA does not change their practices, but that no “sales” are occurring, leaving many publishers and advertisers to determine if their business can withstand taking on the risk that this assertion will be rejected once the Attorney General evaluates the practice.

At bottom, there is not yet consensus in the AdTech industry on how to assess CCPA within the context of digital advertising.  Enter Google.  Google offers an array of advertising and analytics services.  But is Google an eligible service provider?

In favor of this classification is the definition of a “business purpose,” which includes “performing services on behalf of the business…, including … providing advertising or marketing services, [or] providing analytic services…”  Under this interpretation, Google obtains personal information to provide services to the business, but is using the personal information only as allowed under the CCPA.

But in the absence of a clear contract or terms of service, there is ambiguity on whether this explanation would be enough to support a CCPA service provider classification.  For example, it’s possible, absent clear restrictions, that Google or another Ad Tech service provider might use third party cookies for ad tracking or bid requests sent to third party programmatic buyers involving pooled personal information of customers. That practice would involve broader sharing and usage of personal information than what clearly fits within a service provider construct.  Further, it’s also possible that some Ad Tech partners might use that personal information for their own purposes, such as their own marketing efforts or other commercial purposes.

Google’s response to these compliance concerns is to offer businesses covered by the CCPA clarity as to which of its solutions, by default, use personal information only for purposes on behalf of the customer (such as Google Analytics and Google AdWords Customer Match, among others), and, for other solutions, a “restricted data processing” setting that customers must enable for Ad Manager, Ad Manager 360, AdMob, AdSense, and Google Ads services.  When companies enable restricted data processing, they essentially “turn off” any interest-based advertising and other broader usage of the data that is not on behalf of a customer.  Google explains, “When a publisher [using Ad Manager] enables restricted data processing, Google will limit how it uses data and begin serving non-personalized ads only.  Non-personalized ads are not based on a user’s past behavior.  They are targeted using contextual information, including coarse (such as city-level, but not ZIP/postal code) geo-targeting based on current location, and content on the current site or app or current query terms.”  To further support a “service provider” classification and remove any ambiguity, Google’s service provider contract expressly affirms that, “with respect to customer personal information processed while restricted data processing is enabled … Google will act as Customer’s service provider…”

For solutions that are not enabled to restrict data processing, Google will let individual consumers opt out in accordance with the rights offered in the CCPA.

This development will have ripple effects on the industry given that Google, as a major player, provides core turnkey Ad Tech solutions where it is the only provider linking the publisher, advertiser, and end consumer.  This gives Google latitude to implement contract language and new tools to restrict data processing, and to then apply those restrictions across Google’s services.  By comparison, a solution being discussed by the Interactive Advertising Bureau would require disparate Ad Tech players to all enter into a common contract that governs sharing of personal information and restricts “commercial purpose” uses of personal information.

But both concepts recognize that online programmatic interest-based advertising often involves a broader sharing and use of personal information, as defined by the CCPA, that includes a “sale,” and there’s a need to distinguish which relationships and practices involve a “service provider” (where there is not a “sale”), and which entities in that exchange facilitate a sale of personal information.

Google will not require customers complying with its online terms to opt in to the new contract.  The contract takes effect as of January 1, 2020 to the extent that the CCPA applies.

Next Steps

CCPA’s compressed timeline for compliance has resulted in late-breaking developments by major players in the industry on how they are interpreting and responding to CCPA requirements, whether in the role of a business, service provider, or third party.  This necessitates a responsive compliance framework that tracks these developments and makes appropriate modifications, as needed.  This is particularly the case with digital advertising.  If you have further questions about how these developments apply to your business, please feel free to contact any of our Privacy team members at Kelley Drye.

This week, NAD issued a decision in a case involving a commercial for Air Wick Scented Oil that includes some valuable lessons about claim substantiation.

One version of the commercial starts with a family of four engaged in various activities while crowded into a small corner of an otherwise empty living room. A voiceover states: “You don’t live in one corner. Fragrance shouldn’t either. Air Wick’s new technology releases fragrance upwards and outwards. So now, you can fill every corner with fragrance.” Animated arrows and flowers flow from the top of the Air Wick product and reach into every corner of the room.

Air Wick Commercial

NAD determined that the commercial conveyed two key claims: (1) that the product enables fragrance to fill the four corners of a room; and (2) that the product does this better than others on the market. Although the advertiser presented a Computational Fluid Dynamics analysis with visual simulations of what the fragrance plumes emitted by the device should look like under certain pre-specified conditions, NAD found that the substantiation wasn’t sufficient to support the claims.

There are a few points in the decision that are worth highlighting because they tend to come up frequently.

  • The tests were conducted in a “steady state” that did not take into consideration variables, such as air flow throughout a room. Although NAD acknowledged that tests don’t need to account for every possible variable, “there is reasonable middle ground between a room awhirl with moving air and the steady state that the advertiser’s simulations were based upon.”
  • The analysis of the fragrance uniformity in the tests was conducted at 25 cm and 50 cm above the device. This did not fit well with the broader message about how consumers “don’t live in a corner” and the product can “fill every corner [of the room] with fragrance.”
  • Although the testing instruments showed a 25% improvement in fragrance distribution over the previous model, there was nothing in the report to indicate whether that difference would be perceptible to consumers.

Test protocols and results are often debated before the NAD. When designing your protocol, it’s important to try to mirror actual use conditions as closely as possible. Make sure your claims are tailored to the test results. And keep in mind that although higher test scores are a necessary prerequisite to any superiority claim, they may not be enough – consumers must also be able to perceive the differences themselves.

On the latest episode of the Ad Law Access Podcast, associates Carmen Hinebaugh and Lauren Myers make their podcast debut with a discussion on materiality and clear and conspicuous disclosures.

For additional information see our new Advertising and Privacy Law Resource Center (https://www.kelleydrye.com/Advertising-and-Privacy-Law-Resource-Center), an online hub for advertising, privacy, and consumer protection legal information.

Also see the following Ad Law Access blog posts:

The Ad Law Access podcast is available now through Apple Podcasts, Spotify, Google Play, SoundCloud, and wherever you get your podcasts.

California is not the only state focused on privacy.  The New Jersey Attorney General’s Office recently emphasized how the Office is prioritizing its enforcement of such issues. Over its first year, the newly-created Data Privacy & Cybersecurity Section within the New Jersey Division of Law has initiated its own actions and joined several multi-state investigations.  Privacy also plays a prominent role in private actions and draft legislation in the Garden State.  Companies marketing or selling to New Jersey consumers or otherwise operating in the state should take steps to confirm their privacy compliance.

Reported Data Breaches

According to statistics released by the New Jersey Attorney General and Division of Consumer Affairs on October 31, 2019, there were 906 separate data breaches reported to the New Jersey State Police in 2018, compared to 958 breaches in 2017.  The number of individual residents impacted declined significantly from 2017 to 2018.  While over 4 million residents were impacted by 2017 breaches, that number fell to approximately 358,000 in 2018.  The 2018 total, however, is still nearly three times the 116,000 residents impacted in 2016.

State Enforcement Actions

In response to these breach figures, New Jersey actively enforced against lax privacy practices.  Through the first three quarters of 2019, the Attorney General reported $6.4 million in recoveries.  Additionally, New Jersey served a leading role in several large-scale, multi-state recoveries for consumers over the last 9 months.  For example:

  • New Jersey was part of the Leadership Committee pushing the investigation and resolution of claims arising from a 2017 data breach at credit reporting agency Equifax that will result in payment of $575 to $700 million ($6.36 to NJ) as part of a global resolution of claims by the FTC, 50 U.S. states and territories, and individual consumers.
  • New Jersey was also one of 30 states to resolve data breach and consumer privacy claims against health insurer Premera Blue Cross Blue Shield.  Premera’s network had exposed the Social Security and sensitive health information of 10.4 million consumers, including approximately 40,000 NJ residents.  That settlement includes $10 million to the states (including $72,168 to NJ) as well as a $32 million fund for consumers and $42 million in required cybersecurity upgrades at Premera.
  • New Jersey was also part of the multi-state resolution of claims against retailer Neiman Marcus in response to a breach involving shoppers’ credit card numbers and other personal information.  NJ received $57,465 as part of a $1.5 million settlement over a breach that impacted approximately 17,000 individuals with NJ addresses.

Private Consumer Actions

The millions of New Jersey residents impacted by data breaches and cybersecurity threats over the last several years have served as a large pool of potential private litigants.  The New Jersey courts remain an active destination for putative consumer class actions arising from data security and privacy issues.  In addition to recovery for losses, New Jersey’s Consumer Fraud Act includes provisions that can allow for treble damages as well as awards for all costs and attorney fees.  Such provisions make privacy and data breach issues a ripe target for private consumer claims.

Similarly, the District of New Jersey has handled a number of complex privacy matters, including the recently-formed Multi-District Litigation arising from a data breach at American Medical Collection Agency Inc. that implicates patient data from approximately 20 million people related to Quest Diagnostics and LabCorp.

Legislative Focus on Privacy

Following the national trend, New Jersey’s lawmakers have shown a consistent interest in increased regulation of data privacy and cybersecurity.  There are at least 18 separate bills currently pending in the Legislature that address privacy and cybersecurity.  That includes both Senate and Assembly legislation that would require development and implementation of a “comprehensive information security program” by businesses that handle personal information.  In May, Governor Murphy signed a bill expanding the definition of personal information to include online account information as part of the State’s data breach notification law.

With the increased public awareness of comprehensive privacy and cyber legislation garnered by the EU’s GDPR and California’s CCPA, businesses should be prepared for other states to follow suit.  Given its prior history as a leader on consumer-focused legislation, companies can expect New Jersey legislators to seriously consider additional privacy legislation.

New Jersey is only one example of how consumer privacy issues are being addressed at the state level.  Harmonizing business practices across state lines may prove challenging as these new laws regulating data practices are enacted.  For now, as a best practice, it’s helpful to:

  • Take steps to keep privacy and cybersecurity practices, policies, and procedures in line with each state where your customers reside;
  • Determine if your compliance program takes into account and reasonably addresses foreseeable risks to the personal information in your control, and whether this risk analysis is documented so you can point to it if needed in a future lawsuit or government investigation;
  • Evaluate whether the business has sufficiently invested in adequate privacy and cybersecurity and insurance coverage that takes into account how the business, laws, and potential exposure are evolving; and
  • Consult with experienced practitioners in this area who can help guide and counsel your business on options for making practical updates to your compliance program, mindful of the changing legal landscape.

Last week, the FTC announced that AT&T had agreed to pay $60 million to settle litigation over allegations that the company misled customers by advertising “unlimited” data plans that were subject to significant limitations. If you work in the mobile or broadband spaces, you should check out this analysis by our friends at CommLaw Monitor. But the settlement includes some valuable lessons, even if you don’t work in those spaces.

Andrew Smith, Director of the FTC’s Bureau of Consumer Protection, summed up one of the key issues in the case as follows: “AT&T promised unlimited data – without qualification – and failed to deliver on that promise. While it seems obvious, it bears repeating that Internet providers must tell people about any restrictions on the speed or amount of data promised.” Other companies have similar requirements with respect to any material restrictions on their offers.

The settlement prohibits AT&T from making claims about the speed or amount of its mobile data – including describing it as “unlimited” – unless it clearly discloses any material restrictions in close proximity to those claims. The order goes into detail about how the disclosures must be made. For example, if the company makes the claim on a web page, the material restrictions must appear on that page itself, near the triggering representation. Using links or pop-ups isn’t sufficient.

We’ve posted about the benefits and limits of disclosures before. (Click here, for example). Disclosures can help to clarify a claim, but if the disclosure is necessary to prevent the claim from being misleading, putting the clarifying language in the fine print is probably not going to help you.

For additional information see the Ad Law Access blog posts:

The Ad Law Access podcast is available now through Apple Podcasts, Spotify, Google Play, SoundCloud, and other podcast services.