Earlier this month, the nonprofit Earth Island Institute filed a lawsuit against Coca-Cola, alleging that the company falsely and deceptively represents itself as “a sustainable and environmentally friendly company, despite being one of the largest contributors of plastic pollution in the world.”

These types of lawsuits aren’t new. As more companies have started to develop Environmental, Social, and Governance (“ESG”) goals and to make claims about their progress towards achieving those goals, we’ve seen more suits challenging the accuracy of those claims. But this lawsuit is a little different.

While most lawsuits target claims about past or present results (which, in many cases, can be proven or disproven), the current lawsuit targets many aspirational and forward-looking statements (which are inherently harder to prove or disprove).

Here are a few examples of the claims Earth Island Institute cites in their complaint:

  • “Our planet matters. We act in ways to create a more sustainable and better shared future. To make a difference in people’s lives, communities and our planet by doing business the right way.”
  • Coca-Cola plans to “make 100% of our packaging recyclable globally by 2025.”
  • “Scaling sustainability solutions and partnering with others is a focus of ours.”
  • “Part of our sustainability plan is to help collect and recycle a bottle or can for every one we sell globally by 2030.”
  • “We’re using our leadership to achieve positive change in the world and build a more sustainable future for our communities and our planet.”

Earth Island Institute alleges that Coca-Cola’s campaign is misleading because “the company is far from what consumers would understand to be a sustainable business.” As evidence, the complaint cites the company’s current plastic production and casts doubts about how much of an impact the company’s sustainability plans will have in the future.

It’s too early to tell how this case will turn out, but companies that make claims based on future ESG goals will want to pay attention. If the court allows the case to go forward, it could suggest that companies will have to take greater care when talking about future goals.

Last year’s voter guide to California Proposition 24, the California Privacy Rights Act (CPRA), included a stark argument against enacting the privacy ballot initiative because it did not go far enough to protect employee privacy.  “Currently, employers can obtain all kinds of personal information about their workers and even job applicants,” the argument against Proposition 24 written by Californians for Privacy Now stated.  “Proposition 24 allows employers to continue secretly gathering this information for more years to come…”

The message did not stick.  Voters overwhelmingly enacted the CPRA, apparently judging that its provisions – including those that apply to employers – were worth an additional two-year waiting period.  The effective date of the new law is January 1, 2023.

As companies build their roadmap to CPRA compliance, that assessment should also take into account planning for employee and job applicant privacy changes.  The new law imposes first in the nation obligations that grant employees and job applicants new rights to access, correct, delete, and opt out of the sale or sharing of their personal information.  The law also prohibits discriminating against employees or job applicants who lodge privacy rights requests.

In this post, we provide an overview of topics that employers should know as the sunset of the employer exception to CCPA approaches.

Why Would CCPA Apply to Employers?

The California Consumer Privacy Act of 2018 (CCPA), which became effective on January 1, 2020, originally applied to employers.  The law defines a “consumer” as a natural person who is a California resident.  This includes employees, job applicants, contractors, or other staff of a business.

In 2019, the California legislature amended the CCPA with a stopgap measure – for one year, the CCPA would not apply to employers.  The measure, AB 25, said that personal information collected by a business in the course of the person acting as an employee, job applicant, or contractor in connection with the consumer’s employee, job applicant, or contractor role is exempt from the CCPA.  Also exempt is emergency contact information or information necessary to administer benefits.

Last year, California voters extended the employer exemption for another two years to January 1, 2023 in the CPRA ballot initiative.

What Employers are Covered by California Privacy Law?

If a business is covered by the CCPA for consumer data, it is covered for employee data.  Starting in January 2023, the CPRA thresholds for coverage are as follows:

  • Annual gross revenues in excess of $25 million in the preceding calendar year,
  • Buys, sells, or shares personal information of 100,000 or more California consumers or households, or
  • Derives 50 percent or more of its annual revenues from selling or sharing California consumers’ personal information.

Some employers may be eligible for certain exemptions that are applicable to already-regulated information that they hold about their employees.  For example, credit information that employers routinely collect to assess employment eligibility may be subject to an exception, because the information is already covered under federal fair credit reporting laws.

Also, employers that have existing obligations as business associates under the Health Insurance Portability and Accountability Act (HIPAA) may also be exempt with respect to any medical, protected health information (PHI), or covered benefits information that they maintain, use, or disclose.

In general, employers are also not required to comply with CPRA obligations that conflict with other federal, state, or local laws or legal obligations, or restrict an employer’s ability to exercise or defend legal claims.  For example, affirmative legal obligations to gather and maintain certain information, such as EEO-1 reports or compensation-related information may directly conflict with CPRA.

What Constitutes Employee Personal Information?

The definition of employee “personal information” includes information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular employee.

This may include name, contact information, identifiers, protected classifications (like gender, race, or sexual orientation), financial or medical information, account login, religious or philosophical beliefs, union membership, commercial information, biometric information, internet or electronic network activity information, geolocation data, audio, electronic, visual, thermal, olfactory, or similar information, professional or employment-related information, education information, and inferences drawn from any of this information about the employee.

The contents of an employee’s mail, email, and text messages constitute sensitive personal information, a sub-category of personal information, unless the employer is the intended recipient of the communication.

What Obligations Apply Starting in January 2023?

All CPRA obligations apply.  These include:

  • Notice:  Employers will be required to provide a comprehensive notice of their collection of personal information from employees, job applicants, and contractors, including a description of the categories of personal information collected, the purposes of collection, details on disclosure of personal information, and information about retention of personal information.
  • Right to access:  Provide employees with a right to access categories of personal information and specific pieces of personal information.  This includes any inferences drawn from personal information to create a profile reflecting the employee’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
  • Right to correct:  Provide employees with the right to correct their personal information using commercially reasonable efforts.
  • Right to delete:  Provide employees the right to delete their personal information.  However, numerous statutory exemptions may apply, including allowing an employer to retain personal information reasonably anticipated by the employee within the context of an ongoing relationship with the employer, to perform a contract between the employee and employer, or to comply with a legal obligation.
  • Right to restrict uses of sensitive personal information:  Sensitive personal information includes a social security number, account login, financial information, geolocation, racial or ethnic origin, religious beliefs, sexual orientation, health information, biometrics, and the contents of employee communications unless the employer is the intended recipient of the communication.  Starting in January 2023, an employee may be able to direct an employer to limit certain uses of sensitive personal information for specific business purposes, as well as to direct an employer to limit disclosure of sensitive personal information, absent a qualifying exemption.
  • Right to opt out:  Provide employees the right to opt out of the sale of personal information to third parties. The term “sale” is a broad term, and includes disclosing employee information to business partners, vendors, and contractors absent a written agreement containing specific terms restricting the third party’s use of that data, or a qualifying exemption.

Certain obligations are subject to change depending on action expected in the coming year from the newly constituted California Privacy Protection Agency.

What Steps Should Employers Take to Prepare?

Given the complexity of HR data and systems, as well as the sensitivity of employee data generally, it is not too early for employers to prepare for CPRA.  Such efforts might include, for example:

  • Privacy Stakeholders:  Determine the legal, HR, and technology support (internal resources or external technology solutions) responsible for the efforts necessary to build a privacy compliance program and respond to privacy rights requests.
  • Data Mapping:  Understand the information that the business collects, the categorization of data (whether personal information or sensitive personal information), the location of the data, and the steps to access, correct, or delete the data.  A major part of this effort should also include determining which data practices identified are subject to applicable exemptions from CPRA.
  • Contract Review:  Review partner contracts to correctly distinguish service providers and contractors from third parties, and confirm that the contracts include the necessary restrictions for each classification. This effort might prioritize those partners that present more risk to the company, whether due to the nature of the processing or the type or volume of data in scope. Updating these contracts, however, might wait until there is more insight on the forthcoming CPRA regulations by the California Privacy Protection Agency (CalPPA) as to necessary terms, although the existing CCPA regulations are instructive.
  • Response Procedures:  Develop procedures for responding to employee requests, including managing sensitive requests while maintaining personal information as confidential and accessible to internal personnel only on a need-to-know basis.
  • Retention Policy:  Develop and document a retention policy that complies with applicable employer data retention obligations.
  • Notice:  Draft an employee privacy policy that complies with new statutory obligations under CPRA, as well as forthcoming regulations by the CalPPA.

Do Any of These Obligations Apply Now? 

Employers may have an obligation to provide a notice at or before collection of personal information that details the categories of personal information that they collect and the purposes for which personal information will be used.

However, due to an apparent drafting error in the CPRA ballot initiative, this privacy notice obligation is muddled by a textbook case of unclear statutory construction.

Here’s what happened.  Originally, AB 25 required employers to provide a privacy notice to employees.  However, the CPRA ballot initiative from last year changed a critical code section reference in an apparent drafting error.  In so doing, the CPRA ballot initiative left unclear whether the employer privacy notice is required.

AB 25 said that employers would be required to provide a privacy notice based on Cal. Civ. Code 1798.100(b).  The CPRA ballot initiative changed the reference to Cal. Civ. Code 1798.100(a).  It is possible that the drafters intended to point to subsection (a) because in the CPRA ballot initiative this code section also requires a privacy notice.  But the CPRA ballot initiative version of the code section is not actually the law until January 1, 2023.

That’s a problem because under current law (effective until December 31, 2022), Cal. Civ. Code 1798.100(a) talks about a different topic entirely – giving consumers the right to request that a business disclose the categories and specific pieces of personal information the business has collected about a consumer.

What is a reasonable interpretation in light of this problem?  When it comes to statutory interpretation of ballot initiatives, courts generally say that the drafter’s intent does not matter.  In California, usually a court first looks at the language of the statute.  If the language is not ambiguous, the court presumes the voters intended the meaning apparent from the language.  If the language is ambiguous, then courts usually look at the ballot initiative voter materials for clues on how voters made their decision.

It is easy to see why a court might agree that the language is ambiguous.  The employer exception clearly does not provide a right of employees to access their personal information until January 1, 2023.  Giving full effect to 1798.100(a) would be hampered by the fact that the CCPA’s core instructions on how to provide access to personal information and what to provide are subject to the employer exemption.

This brings us back to the ballot initiative materials provided to voters.  The arguments against Proposition 24 from Californians for Privacy Now warn that employers will be able to secretly gather personal information “for more years to come.”  Clearly, there is no recognition in the ballot initiative materials of any interim employee rights.

Bottom line?  The law right now is unclear, and so, as a practical matter, it’s a best practice (and required in a few other states) to publish a privacy notice for employees and job applicants.

Final Question:  Do Employers Have Privacy Obligations in Other States?

There are no other states that have enacted CPRA-style comprehensive privacy laws that apply to employees; for example, Virginia and Colorado explicitly exempted the employment context without a sunset.  But there are some states, such as Connecticut, that do require some form of privacy notice to employees. There are also two-party consent requirements in a number of states that are applicable to recording calls, as well as laws that require disclosure about electronic monitoring.

Conclusion

The best way to address navigating these developments is to plan ahead with a compliance roadmap leading to 2023.  Figure out what resources you’ll need, including what types of internal and external support will be critical for success. Given the complexities involved, thoughtful (and realistic) preparation is a must.

*                      *                      *

CPRA Update: How to Prepare for Privacy Compliance as an Employer

Subscribe here to Kelley Drye’s Ad Law Access blog and here for our Ad Law News and Views newsletter. Visit the Advertising and Privacy Law Resource Center for update information on key legal topics relevant to advertising and marketing, privacy, data security, and consumer product safety and labeling.


The ripple effects continue from the Supreme Court’s holding in AMG Capital Management, LLC v. FTC, explaining that Section 13(b) of the FTC Act does not allow (and never did allow) monetary remedies.

In some cases, the FTC has stricken equitable monetary remedies entirely by removing those requests for relief in amended complaints. In others, the FTC is attempting to retain its request for monetary relief by newly tying it to another statutory provision. In still others, the Agency has requested that courts ignore AMG, because Congress may, at some unspecified future date, amend the statute.

Post-AMG Scorecard (Updated): Different Roads Forward for the FTC in Pending Cases

The FTC yesterday took two actions that on their face seemed part of the regular course, but that could signal notable changes for financial institutions and multi-level marketing companies.  First, the FTC filed an amended complaint against RCG Advances, a merchant cash advance provider, alleging that the company violated the Gramm-Leach-Bliley Act and seeking civil penalties under a novel theory of its statutory authority.  Second, the FTC announced that it plans to review the Business Opportunity Rule this year and Commissioner Chopra issued a statement signaling that he will push to expand coverage of the Rule to include MLMs and other direct sellers not currently covered.

Civil Penalties for GLBA Violations

The FTC first sued RCG Advances in June 2020, alleging that the company deceived small businesses by misrepresenting terms of cash advances and then using unfair collection practices to compel them to pay.  The initial complaint also alleged that the companies made unauthorized withdrawals from consumers’ accounts and sought a permanent injunction and consumer redress under Section 13(b) of the FTC Act.  As we’ve covered extensively in our 13(b) blog, the Supreme Court’s unanimous decision in AMG Capital Management foreclosed the capacity to seek consumer redress, and thus the amended complaint removes that reference while otherwise mirroring the substantive allegations of the initial complaint.

The new complaint also adds a count alleging violations of GLBA for use of fraudulent statements to customers in an attempt to obtain consumer information.  GLBA is generally intended to protect consumer financial privacy by limiting when financial institutions can disclose consumers’ nonpublic personal information.  In the amended complaint, the FTC cites a seldom-cited provision of GLBA that prohibits any person from “obtain[ing] or attempt[ing] to obtain . . . customer information of a financial institution relating to another person . . . by making a false, fictitious, or fraudulent statement or representation to a customer of a financial institution.”

The FTC then advances a novel theory to assert that it has the authority to obtain civil penalties under GLBA because GLBA empowers the FTC to enforce it “in the same manner and with the same power and authority as the [FTC] has under the Fair Debt Collection Practices Act [FDCPA].”   The Dodd-Frank Act amended the FDCPA in 2010 to provide that violations may be enforced “in the same manner as if the violation had been a violation of a Federal Trade Commission trade regulation rule.”  Notably, the GAO as recently as February 2019 issued a report noting that the “FTC does not have civil penalty authority for violations of requirements under the Gramm-Leach-Bliley Act (GLBA).”

The limits of this theory are likely to be tested in litigation, but it’s clear that the FTC continues to make good on its promise to push for creative monetary solutions in the wake of the AMG decision.  Yesterday’s action follows last week’s new use of the Restore Online Shoppers’ Confidence Act (ROSCA) to obtain civil penalties for alleged misrepresentations unrelated to negative option offers themselves, as we covered here.

Expanding Coverage of the Business Opportunity Rule

Within an hour of announcing the amended complaint against RCG seeking civil penalties, the FTC also signaled that it would seek to expand another civil penalty authority by altering the coverage of the Business Opportunity Rule.  Published in 2011, the Business Opportunity Rule requires sellers of “business opportunities” to provide certain earnings disclosure documents in writing and prohibits specified misrepresentations related to earnings potential.

In the rulemaking record, the FTC considered and deliberately excluded MLMs from coverage on the grounds that “the varied and complex structure of MLMs makes it exceedingly difficult to make an accurate earnings disclosure and likely would require different disclosures for different levels of participation in the company.”   In yesterday’s announcement, Commissioner Chopra issued a statement signaling that he supports reversing that decision and revising the Rule to cover MLMs and potentially others in what he refers to as the “gig economy,” which would in turn open up the FTC’s civil penalty authority for income misrepresentations by those entities.

With Chopra likely to depart the Commission soon to head the CFPB, the question is whether other commissioners, including now confirmed Commissioner Lina Khan, will take up the cause.

The Senate recently passed the Country of Origin Labeling Online Act (COOL Online Act) with overwhelming bipartisan support. Currently, U.S. law requires that external packaging for many products state the product’s country of origin. The uptick in online shopping and the sale of imported products, however, has increased interest in requiring country of origin disclosures for online offers. The proposed legislation would require online sellers to disclose country of origin in online product descriptions and online advertisements. The designation would be in a manner consistent with the Customs and Border Protection origin marking regulations and section 304 of the Tariff Act of 1930. The legislation would also require conspicuous disclosure of the seller’s location and, if applicable, the country in which any parent corporation of such seller is located.

Critics of the legislation have concerns about potential inconsistency with other regulatory requirements and the burden associated with identifying and tracking the origin of a specific product, particularly for products that may be sourced from different countries or that may be purchased through an intermediary.

The FTC, not Customs, would enforce the act and certainly has experience with other statutes that require country of origin disclosures in advertising. We will continue to track the legislation.

*                           *                           *

Colorado Passes Privacy Bill: How Does it Stack Up Against California and Virginia?


There are some really smart lawyers at the FTC.  For over 40 years, they were able to convince the federal judiciary (and, let’s face it, most of us) that the FTC had an authority that a unanimous Supreme Court in AMG Capital Management concluded it did not have.  Following the decision, there has been a good deal of crowing by parties that are currently or regularly adverse to the FTC.  But as we wait and see whether Congress might act to provide new statutory language (you can’t restore what the Supreme Court concluded never existed), one thing is abundantly clear:  the FTC is not going to sit by idly.

If you thought otherwise, you have not been paying attention.  We have been told to expect more Section 19 cases, stepped-up rulemaking, collaboration with State Attorneys General, the dusting-off of the FTC’s Penalty Offense Authority, and reliance on other statutes enforced by the FTC that provide for civil penalties up to $43,280 per violation.

This week, with the announcement of the MoviePass settlement, the FTC made good on its word.  In its complaint, the FTC alleged that MoviePass “violated the Restore Online Shoppers’ Confidence Act (ROSCA) [which] requires that firms be truthful with consumers when marketing negative option services—such as subscriptions—over the Internet.”

Republican Commissioner Christine Wilson agreed with her Democratic counterparts.  In her concurring opinion, she conceded that post-AMG, “the temptation to test the limits of our remaining sources of authority is likely to be strong.”  Nevertheless, she supported the Commission’s action, while acknowledging that the settlement is the first time the Commission alleged a violation of ROSCA when the “undisclosed material terms do not relate specifically to the negative option feature but, instead, to the underlying good or service marketed through the feature.”  In her view, MoviePass’s conduct is consistent with congressional intent. She further noted:

Given the inaugural use of ROSCA for this purpose, it is appropriate that the Commission is foregoing civil penalties.  Businesses need predictability about the manner in which laws will be enforced and should be afforded the ability to contest new uses of authority. This case will serve as notice to the market, and future violations of this type may warrant civil penalties.

Her Republican counterpart was not convinced.  Commissioner Noah Phillips, in his dissenting opinion, stated his concerns.  First, he noted that one of the benefits of establishing liability for a rule violation is to obtain a penalty, and here, with MoviePass and its principals in bankruptcy making this a no-money order, “our announcement of sweeping new liability and introduction of a lack of clarity to the market about required disclosures . . . is ill advised.”  Second, “the statutory interpretation pushed by the Commission in this case is far from obvious.”  And third, the Commission failed to define standards for “material terms” and, without any guidance, companies may continually be at risk for a post hoc civil penalty.

In his conclusion, Commissioner Phillips recognized that the Commission’s decision to apply ROSCA broadly and expand its reach “comes just weeks after the Supreme Court’s decision in AMG” but he does not believe that the FTC’s “loss of authority under one statute somehow creates authority elsewhere.”

Back in January, during oral argument in AMG, Justice Kavanaugh touched on the temptation to interpret statutes broadly to achieve an end:

I worked in the Executive Branch for many years, so I understand how this happens.  When you are in the Executive Branch or an independent agency, you want to do good things and prevent or punish bad things, and sometimes your statutory authority is borderline.  And it could be war policy or immigration or environmental or what have you, but with good intentions the agency pushes the envelope and stretches the statutory language to do the good or prevent the bad.  The problem is this results in a transfer of power from Congress to the Executive Branch to decide whether to exercise this new authority.  That’s a particular concern, at least for me, with independent agencies.  So – and why isn’t the answer here for the agency to seek this new authority from Congress for us to maintain the principle [of] separation of powers . . . ?

Well, Mr. Justice, the Commission can do both.  With MoviePass, the envelope is being pushed.  And later today, the House Energy & Commerce Committee will mark up H.R. 2668, the Consumer Protection and Recovery Act, which would authorize the FTC to seek permanent injunctions and other equitable relief, including restitution and disgorgement, to redress perceived consumer injury. The legislation is likely to move through the House and to the Senate, where its fate will be decided.

*                           *                           *


The Colorado Legislature recently passed the Colorado Privacy Act (“ColoPA”), joining Virginia and California as states with comprehensive privacy legislation. Assuming Colorado Governor Jared Polis signs the bill (SB 21-190) into law, ColoPA will go into effect on July 1, 2023.

How does the measure stack up against the VCDPA and the CCPA (as amended by CPRA)? The good news is that, in broad terms, ColoPA generally does not impose significant new requirements that aren’t addressed under the CCPA or VCDPA. Below, we compare key provisions of ColoPA against California’s and Virginia’s laws and call attention to a few areas where Colorado has struck out on its own.

  • Establishing consumer rights. As with the VCDPA and the CCPA, ColoPA provides rights for access, deletion, correction, portability, and opt out for targeted advertising, sales, and certain profiling decisions that have legal or similar effects. Unlike CCPA, Colorado consumers can only use an authorized agent for sale opt-out requests.
  • Universal opt-out requests. ColoPA also requires the Attorney General to establish technical specifications for a universal targeted advertising and sale opt-out (e.g., global privacy control) by July 1, 2023, which controllers must honor starting July 1, 2024. Note there also will be CPRA regulations on this point with compliance likely due by January 1, 2023. Unlike CPRA, which makes the global privacy control optional, controllers must comply with the universal opt-out under ColoPA.
  • Appealing consumer rights decisions. Like Virginia, ColoPA requires controllers to set up mechanisms permitting consumers to appeal a controller’s decision not to comply with a consumer’s request. The controller must then inform the consumer of its reasons for rejecting the request and also inform the consumer of his or her ability to contact the Attorney General “if the consumer has concerns about the result of the appeal.”
  • Requiring data protection assessments. Similar to GDPR, and consistent with the VCDPA, ColoPA requires data protection assessments (“DPAs”) for certain processing activities, namely, targeted advertising, sales, certain profiling, and processing of sensitive personal data. As with Virginia, the Colorado Attorney General has the right to request copies of a controller’s DPAs.
  • Consent for certain processing. Again following Virginia’s lead, ColoPA requires opt-in consent for the processing of sensitive personal information, which covers categories such as racial or ethnic origin, religious beliefs, citizenship, or genetic or biometric data used for uniquely identifying an individual. ColoPA also requires consent for processing children’s data, with a “child” being any individual under the age of 13. Unlike the VCDPA, ColoPA does not require COPPA-compliant consent for such processing, but ColoPA does exempt from the law personal data that is processed consistent with COPPA requirements.
  • Right to cure. ColoPA allows controllers to cure violations and is unique by establishing the longest right to cure, at 60 days, and also because the statute repeals the provision on January 1, 2025. Thus, while the Attorney General initially must give a controller notice and an opportunity to cure any violation before taking enforcement action, the Attorney General will be able to act without such notice from January 1, 2025 onward.
  • Establishing controller duties. ColoPA establishes certain duties for controllers, including the duties of transparency, purpose specification, data minimization, avoiding secondary use, care, avoiding unlawful discrimination, and duties regarding sensitive data. These duties create related obligations, such as providing a privacy policy, establishing security practices to secure personal data, and obtaining consent prior to processing sensitive data or children’s data.
Comparison of ColoPA, VCDPA, and CCPA

Thresholds to applicability
  • ColoPA: Conducts business in Colorado or produces products or services targeted to Colorado residents and (a) controls or processes personal data of at least 100,000 consumers; or (b) derives revenue or receives a discount on the price of goods or services from selling personal data and controls or processes personal data of at least 25,000 consumers.
  • VCDPA: Conducts business in Virginia or produces products or services targeted to Virginia residents and (a) controls or processes personal data of at least 100,000 consumers; or (b) derives over 50% of gross revenue from the sale of personal data and controls or processes personal data of at least 25,000 consumers.
  • CCPA: Conducts business in California and collects personal information of California residents and (a) has $25 million or more in annual gross revenue for the preceding calendar year (as of January 1 of the calendar year); (b) annually buys, sells, or shares personal information of more than 100,000 consumers or households; or (c) earns more than 50% of its annual revenue from selling or sharing consumers’ personal information.

Consent
  • ColoPA: Requires opt-in consent for processing sensitive personal data, including children’s data.
  • VCDPA: Requires opt-in consent for processing sensitive personal data, and COPPA-compliant consent for processing children’s data.
  • CCPA: Requires opt-in consent for selling or sharing personal information of consumers under 16, including parental consent for children under 13.

Opt-out
  • ColoPA: Required for targeted advertising, sales, and profiling in furtherance of decisions with legal or similarly significant effects.
  • VCDPA: Required for targeted advertising, sales, and profiling in furtherance of decisions with legal or similarly significant effects.
  • CCPA: Required for sale, sharing for cross-context behavioral advertising, and profiling; consumers also have a right to limit the use and disclosure of sensitive personal information.

Other consumer rights
  • ColoPA: Access, deletion, correction, portability.
  • VCDPA: Access, deletion, correction, portability.
  • CCPA: Access, deletion, correction, portability.

Authorized agents
  • ColoPA: Permitted for opt-out requests.
  • VCDPA: Not provided for.
  • CCPA: Permitted for all requests.

Appeals
  • ColoPA: Must create a process for consumers to appeal a refusal to act on a consumer rights request.
  • VCDPA: Must create a process for consumers to appeal a refusal to act on a consumer rights request.
  • CCPA: None.

Private cause of action
  • ColoPA: No.
  • VCDPA: No.
  • CCPA: Yes, limited to certain security breaches.

Cure period
  • ColoPA: 60 days, until the provision expires on January 1, 2025.
  • VCDPA: 30 days.
  • CCPA: None.

Data protection assessments
  • ColoPA: Required for targeted advertising, sales, processing of sensitive data, and certain profiling.
  • VCDPA: Required for targeted advertising, sales, processing of sensitive data, and certain profiling.
  • CCPA: Annual cybersecurity audit and risk assessment requirements to be determined through regulations.

Given the significant overlap among the three privacy laws, companies subject to ColoPA should be able to leverage their VCDPA and CCPA implementation efforts for ColoPA compliance. If ColoPA is any indication, other state privacy efforts may not veer too far from the paths VCDPA and CCPA have forged. The key will be to closely monitor how the CalPPA and the Colorado Attorney General address forthcoming regulations, and whether those regulations introduce new approaches distinct to each state. Check back on our blog for more privacy law updates.

*                           *                           *

Colorado Passes Privacy Bill: How Does it Stack Up Against California and Virginia?

Subscribe here to our Ad Law News and Views newsletter and visit the Advertising and Privacy Law Resource Center for update information on key legal topics relevant to advertising and marketing, privacy, data security, and consumer product safety and labeling.

Kelley Drye attorneys and industry experts provide timely insights on legal and regulatory issues that impact your business. Our thought leaders keep you updated through advisories and articles, blogs, newsletters, podcasts and resource centers. Sign up here to receive our email communications tailored to your interests.

Follow us on LinkedIn and Twitter for the latest updates.

Just a few months after California officials announced the nominations of the inaugural Board members of the California Privacy Protection Agency (“CalPPA”), the CalPPA released the agenda for its first board meeting on June 14, 2021. The meeting will be held remotely in accordance with California Executive Order N-29-20, but the public may still participate via videoconference or telephone.

Why June 14th Meeting is Significant: While much of the CalPPA’s June 14 agenda focuses on administrative tasks, such as open meeting requirements, the Administrative Procedures Act, conflicts of interest, and subcommittee assignments, this meeting is also expected to mark the CalPPA’s first public steps toward developing California Privacy Rights Act (“CPRA”) regulations. Notably, according to the agenda, the CalPPA plans to provide official notice to California Attorney General Rob Bonta that the Board will assume rulemaking authority as of July 1, 2021, pursuant to CPRA Section 1798.199.40(b).  The CalPPA may issue new CPRA regulations as well as “adopt, amend, and rescind regulations” under the CCPA.

What’s Ahead: The CalPPA has until July 1, 2022 to adopt final regulations under the CPRA, and businesses will need to closely track these developments as they design their compliance strategy for CPRA (including how to leverage existing CCPA compliance and harmonize it with Virginia’s new privacy law). The CPRA calls for regulations on a vast array of issues, which could materially impact compliance strategies. Topics include:

  • Opt-Outs for Sale, Sharing, and Profiling, and Limiting Use of Personal Information:  CPRA grants the CalPPA the authority to adopt regulations that further define consumers’ opt-out rights, and to adopt regulations that define “intentional interactions,” which in turn define the scope of exceptions to “sale” and “sharing.” The CalPPA is also charged with issuing rules about “profiling” opt-out rights, and this area is worth watching closely because it is not aligned with Virginia’s new privacy law.  CPRA defines “profiling” as the “automated processing of personal information, . . . to evaluate certain personal aspects relating to a natural person and in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.”  A profiling opt-out under CPRA could apply to any first-party data use that meets this definition.  (The narrower profiling opt-out right under the Virginia Consumer Data Protection Act is limited to the “furtherance of decisions that produce legal or similarly significant effects concerning the consumer.”)
  • Other aspects of opt-out rights that could be initial rulemaking targets include (a) “technical specifications” for global privacy controls, potentially including a feature to indicate that the user is under the age of 13 or between 13 and 15 years old; (b) standards for consent to sell or share personal information, or to use or disclose sensitive personal information, for businesses that respond to opt-out signals; and (c) “harmonizing” CCPA rules governing privacy notices, opt-out mechanisms, and “other operational mechanisms” to “promote clarity and functionality . . . for consumers.”
  • Access Requests:  CPRA directs the CalPPA to define the scope of responses to consumer requests for specific pieces of personal information.  CPRA suggests that these regulations may exclude system log and other information that “would not be useful to the consumer,” as well as define authentication standards for access to sensitive personal information.
  • Business Purposes:  It also is possible that the CalPPA will focus initially on “further defining” business purposes for which contractors and service providers may combine personal information from multiple businesses, and whether there are some functions that may relate to interest-based advertising, for example, that can still be within a service provider scope.

While the CPRA’s substantive provisions will not be effective until January 2023, the earlier businesses have insight on how the CalPPA will potentially address these and other areas in the new regulations, the more time there will be to craft, build, and roll out compliance strategies.  Stay tuned for further updates. We will continue to keep a close watch on further developments with the Board and the CalPPA’s activities.

How to Join CalPPA’s Initial Meeting:

To join the meeting by Zoom videoconference: https://zoom.us/j/94536763262

To join the meeting by telephone: 1 (669)900-9128; Webinar ID: 945 36763262

*                           *                           *


CPRA Update: CalPPA Gets Started with Inaugural Meeting and Agenda


Food and Beverage Litigation Highlights

Welcome to our combined April and May report on food litigation, regulatory trends and events. We have a lot to report in the food world, with a number of litigation currents starting to form and some new waves building. Let’s see what happened….

New Filings

Cheesy Goodness?  General Mills was hit with five putative class actions challenging its Annie’s mac and cheese marketing representations that the product is “Made with Goodness” when, in fact, it contains potentially harmful chemicals known as ortho-phthalates which are linked to asthma, breast cancer and diabetes.  The cases are pending in the Southern and Eastern Districts of New York and the Northern District of California.  The Kraft Heinz Company was named in similar suits filed in the Northern District of California and the Northern District of Illinois.

Sparkling Water/Seltzer: A number of companies were named in putative class actions alleging that various sparkling water products misrepresented the nature of the flavoring agents used. For example, a complaint against Whole Foods (filed in the Southern District of New York) alleges that its Lemon Raspberry Italian Sparkling Mineral Water does not contain an appreciable amount of real lemons or real raspberries. Similarly, a complaint against Kroger (filed in the Northern District of California) challenges the non-disclosure of artificial flavoring chemicals. Finally, Molson Coors Beverage Company was named in a class action alleging that its “Vizzy” brand hard seltzers are marketed as containing a significant amount of healthful qualities and nutrients, such as vitamin C, which, according to the complaint, falsely implies that alcoholic beverages could provide health benefits.

More Vanilla:  April and May saw two new vanilla filings, including a case against Prairie Farms Dairy, Inc., alleging that the defendant’s “Premium Vanilla” ice cream was falsely labeled as containing “natural colors and flavors” (Northern District of Illinois) and a case against Hostess alleging that its vanilla wafer products were falsely advertised as containing real vanilla (Missouri state court).

More Natural: The past two months have seen a slew of new “natural” filings in the food industry. These filings challenge the use of synthetic preservatives and other ingredients, including citric acid (3 cases), ascorbic acid (1 case), artificial coloring (1 case), and monk fruit extract, which is alleged to be marketed as natural but processed with artificial solvents and additives (1 case). The filings were made across the country, including in Missouri state court (4 cases), the Central District of California (1 case), and the Southern District of Illinois (1 case). In addition to the natural allegations relating to monk fruit extract, a case against Chobani also challenges claims relating to “complete nutrition,” “advanced nutrition” and the use of a “+” symbol in connection with prebiotics and probiotics, which, according to the complaint, falsely suggests that the product has more pre- and probiotics than comparable foods.

Coffee, Please:  We have also seen an uptick in coffee-related class actions, with two actions alleging that ground coffee products artificially inflate the number of cups that can be made from their contents given the directions for use.

Delivery Fees:  April and May saw a continued trend of challenges relating to food delivery charges during the pandemic, with cases filed against GrubHub, alleged to have charged an undisclosed $2.50/delivery fee on top of its $9.99/month “Unlimited Free Delivery” for GrubHub+ users, and against Panera, alleged to have falsely promised a flat delivery charge on food deliveries ordered through Panera’s app and website.  Both cases are pending in California state court.

Food Settlements

Continue reading: Food Industry Regulatory and Litigation Highlights – April and May 2021

The California Privacy Rights Act (CPRA), effective January 1, 2023, adds “contractors” to the list of entities that a business may entrust with customer data.  So what is a “contractor?”  And how are “contractors” different from other entities described by California privacy law, such as “service providers” or “third parties?”

As it turns out, the answer is surprising. Contractors are nearly identical to service providers, with just two differences: contractors do not process personal information on behalf of the business (they are not processors), and contractors must make an additional contractual certification in their CCPA contracts. Moreover, contractors are not even new entities; they were already described in existing California privacy law.

Origins of “Contractors” in CCPA

To help explain the origins of the new contractor classification, we start with the California Consumer Privacy Act (CCPA).  Under the CCPA, now in effect, each disclosure of personal information from a covered business to another entity is regulated, either via consumer opt out preferences or via contractual restrictions.  Altogether, there are three potential data flows described in the CCPA:  business to third party, business to service provider, and business to a person who is not a third party.  We describe each in turn:

  • Business to Third Party: First, when a business discloses personal information to a third party for monetary or other valuable consideration, this constitutes a “sale” of personal information (unless an exception applies, such as when the consumer intentionally directs the business to disclose the information). The CCPA grants consumers the right to opt out of such sales of their personal information to prevent these data flows.

As an example, selling a marketing list to a third party or sharing profile information with an adtech partner in most cases would be considered a sale of personal information to a third party.

  • Business to Service Provider:  Second, when a business discloses personal information to a service provider, no “sale” occurs and there is no right of consumers to opt out.  The requirements for the recipient to be a service provider are that (1) the service provider processes personal information on behalf of the business, and (2) the service provider agrees to retain, use, or disclose the personal information only for business purposes specified in a written contract.

Service providers provide technical, professional, and other business support to the business.  For example, a service provider might offer various services such as cloud-based servers or software, consulting, or e-commerce fulfillment services.

  • Business to a Person Who Is Not a Third Party:  Finally, there is a rarely discussed third option in the CCPA.  The CCPA states that any recipient of personal information that agrees to certain enhanced contractual terms is not a third party.  This third category requires that the recipient agree to contractual terms that mirror service provider contractual terms, along with three additional terms:  (1) to refrain from selling the personal information, (2) to refrain from retaining, using, or disclosing the information outside the direct business relationship between the recipient and the business, and (3) to certify that the recipient understands the above contractual restrictions.

This third option is significant to avoid the “sale” of personal information.  If the recipient is not a third party, then a sale can only occur if the recipient is a “business” under CCPA.  In many cases, the recipient will not be a business either, typically because the recipient does not determine the purposes and means of processing the personal information.

As an example, if an authorized reseller furnishes a manufacturer with a list of new orders for fulfillment, and the manufacturer agrees to use the list only to fulfill orders, the manufacturer is not a third party.   Because the manufacturer does not determine the purposes and means of processing the personal information it receives, the manufacturer is not acting as a “business.”  No sale occurs.

Similarly, if an identity verification service sends personal information to a company to assist that company with confirming the identity of an applicant for service, and the company agrees contractually to limit its use and disclosure of the information for business purposes, the recipient is not a third party or business and no sale occurs from the identity verification service to the business.

Here’s a summary of the entities that may receive personal data under the CCPA:

Continue reading: CPRA Update: What is a “Contractor?”