Only two months after finalizing the CCPA regulations, the California Attorney General’s office today released a new set of proposed changes, most significantly addressing “Do Not Sell My Personal Information” requests. The office has also recommended changes to the regulations related to providing notice when businesses collect personal information offline, proof required when an authorized agent submits a request on behalf of a consumer, and a grammatical change related to providing notice of how to opt in to the sale of children’s information.

  • Do Not Sell Requests. The proposed addition specifies that a “Do Not Sell” request must “be easy for consumers to execute and shall require minimal steps to allow the consumer to opt-out.” The change would prohibit businesses from using any method that is designed to or would have the effect of preventing a consumer from opting out. The proposal enumerates specific examples, such as requiring a consumer to: (1) complete more steps to opt out than to re-opt in after a consumer had previously opted out; (2) provide personal information that is not necessary to implement the opt-out request; and (3) read through a list of reasons why he or she shouldn’t opt out before confirming the request.
  • Notice for Offline Collection. The proposal requires businesses that collect personal information offline to provide an offline notice, such as providing consumers with paper forms or posting signs in a store, or giving an oral notice if collecting personal information over the phone.
  • Authorized Agent Requests. The finalized regulations previously permitted businesses to require that a consumer provide the authorized agent with signed permission to submit the access or deletion request. The proposed change shifts the burden to the authorized agent to provide proof of signed permission, rather than imposing the requirement on the consumer to provide signed permission.
  • Children’s Information. The proposed grammatical change in section 999.332, requires businesses who sell personal information of children under the age of 13 or between the ages of 13 and 15 (rather than both) to include a description of how to make a sale opt-in request in their privacy policies.

The deadline to submit written comments related to these proposals is 5:00 PM PST on October 28, 2020. We will continue to monitor and will report any changes made to the regulations once they are finalized.

***

For more updates and information on the CCPA and and other privacy topics, visit:

 

Futureproofing Privacy Programs
Building a successful privacy program requires much more than compliance with data protection laws. To thrive in today’s global, data-driven environment, companies also need to understand the political environment and public attitudes surrounding privacy in the countries in which they operate. Of course, companies must anticipate and adapt to changing privacy regulations as well. This webinar will present strategies to help meet these challenges, with a focus on setting up structures to join local awareness with global compliance approaches.

This webinar will feature Kelley Drye attorney Aaron Burstein, along with Constantine Karbaliotis, Abigail Dubiniecki and Kris Klein of nNovation LLP.

Register Here

Futureproofing Privacy Programs

Prior to the September 30 deadline to sign or veto legislation, California Governor Gavin Newsom recently took action on three bills related to data privacy. Bringing some potential certainty to the dynamic CCPA landscape, Governor Newsom signed into law AB 1281, which provides for the extension of the CCPA’s exemptions related to employee data until January 1, 2022. In 2019, the Legislature exempted from the CCPA collection of personal information from job applicants, employees, business owners, directors, officers, medical staff, and contractors until January 1, 2021. Notably, AB 1281 only goes into effect if California voters do not approve the California Privacy Rights Act (CPRA) ballot initiative on November 3rd.

However, Governor Newsom vetoed two other privacy bills that would have tightened data- and service-specific regulations beyond the CCPA’s standards. Citing the risk of unintended consequences during the COVID-19 pandemic, Governor Newsom nixed SB 980, which would have created heightened privacy and security requirements for genetic data handled by direct-to-consumer genetic testing and analysis companies. Instead, Governor Newsom directed the state’s Health and Human Services Agency and Department of Public Health to work with the Legislature to identify “a solution that achieves the privacy aims of the bill while preventing inadvertent impacts on COVID-19 testing efforts.”

The second vetoed bill, AB 1138, would have required companies that offer “social media” services to obtain parental consent before allowing a user who companies actually know to be under the age of 13 to create an account. In his veto message, Governor Newsom explained that AB 1138 “would not meaningfully expand protections for children,” but indicated that he is “open to exploring ways to build upon current law to expand safeguards for children online.”

Privacy developments in California this year are unlikely to end with the Legislature’s session. As we have discussed, the November 3rd vote on CPRA could have far-reaching implications for California privacy law. With the election only 33 days away, we will continue to monitor and post relevant updates.

On August 30th, the California legislature passed a bill to continue the employee and business-to-business (B2B) exemptions contained in the CCPA for another year. Currently, the CCPA provides two limited exemptions for employee and B2B information, whereby this information is excluded from most CCPA requirements. Both of these exemptions become ineffective January 1, 2021. Assembly Bill 1281 (“AB 1281”) would continue these exemptions until January 1, 2022.

AB 1281 was crafted as a backstop in case the California Consumer Privacy Act (“CPRA”) does not pass during the state’s November 3rd general election.  AB 1281 only takes effect if the legislation is enacted and voters do not approve of CPRA. If CPRA receives enough votes (which most anticipate is likely), the ballot initiative would extend the exemptions until January 1, 2023. To learn more about CPRA and to view a comparison between CPRA and CCPA, visit our past blog post here and our podcast here.

Governor Newsom has until September 30th to sign AB 1281 into law. If neither AB 1281, nor CPRA becomes law, the CCPA employee and B2B exemptions will expire on January 1, 2021. Please contact any of the attorneys in Kelley Drye’s Privacy Group if you would like assistance with California privacy compliance.

The California Office of Administrative Law today approved the CCPA Regulations that the California Attorney General submitted in June, and the regulations are effective immediately. As we discussed here, the now-final regulations, for the most part, substantively match those that the AG released in March, with a few notable changes.

Significantly, the AG has removed the shortened “Do Not Sell My Info” language throughout the final regulations to align with the statutory language. While the final regulations do not explicitly prohibit abbreviations, this removal indicates that businesses must include the full “Do Not Sell My Personal Information” language in their website link to an opt-out request. This is consistent with the statute, which requires businesses to include “a clear and conspicuous link on the business’s Internet homepage, titled ‘Do Not Sell My Personal Information’” that links to an opt-out request. Apparently, there is no room for flexibility on this display.

The Addendum to the Final Statement of Reasons also identifies four other provisions that the AG has “withdrawn”:

  • Former § 999.305(a)(5) requiring a business to provide notice and obtain explicit consent prior to using a consumer’s personal information for a “materially different purpose” than disclosed in the notice at collection.
  • Former § 999.306(b)(2) requiring businesses that substantially interact with consumers offline to provide consumers with an offline notice informing them of their right to opt-out.  In other words, there is no longer an express requirement to provide an offline Do Not Sell My Personal Information notice, such as a paper form or store signage. Notably, the obligation to provide an offline Notice at Collection still applies.
  • Former § 999.315(c) indicating that a business must implement an easy opt-out method for consumers, and must not use a method that would impair a consumer’s decision to opt-out (though a business is still required to consider ease of use when implementing an opt-out method).
  • Former § 999.326(c) permitting a business to deny a request from an authorized agent who does not submit proof of consumer authorization (though a business may still require a consumer to verify his or her identity directly with the business when using an authorized agent, and the business may deny opt-out requests from an authorized agent if the agent cannot provide signed permission that demonstrates authorization from the consumer).

While the Addendum does not provide any rationale for these withdrawals, it notes that the AG “may resubmit [the withdrawn] section[s] after further review and possible revision.” The Addendum also identifies other “non-substantive changes” the AG has made, including grammatical and syntax modifications.

While July 1 marked the CCPA’s enforcement date, the finalized regulations solidify an entity’s requirements under the CCPA to comply with the CCPA as clarified through the now-finalized regulations. With each violation subject to a penalty of between $2,500 and $7,500, entities should carefully review their current CCPA practices to ensure compliance with both the statute and the final regulations.

If you have questions on how the finalized regulations may affect your business, please contact Alysa Hutnik and Lauren Myers.  If you have other CCPA questions, please see our other CCPA blog posts and our Advertising and Privacy Law Resource Center.

The replay for our July 30, 2020 California Consumer Privacy Act (CCPA) for Procrastinators: What You Need To Do Now If You Haven’t Done Anything Yet webinar is available here.

The coronavirus pandemic has put many things on hold, but CCPA enforcement is not one of them. The California Attorney General’s enforcement authority kicked in on July 1, 2020, and companies reportedly have begun to receive notices of alleged violation. In addition, several class actions have brought CCPA claims. Although final regulations to implement the CCPA have yet to be approved, compliance cannot wait.

If you’re not yet on the road to CCPA compliance (or would like a refresher), this webinar is for you. We covered:

  • Latest CCPA developments
  • Compliance strategies
  • Potential changes to the CCPA if the California Privacy Rights Act (CPRA) ballot initiative passes

Anyone who has not begun their CCPA compliance efforts or thinks they need a refresher should watch this webinar.

To view the presentation slides, click here.

To view the webinar recording, click here.

Subscribe to our Ad Law News and Views newsletter to receive information on our next round of webinars and to stay current on advertising and privacy matters.

Visit the Advertising and Privacy Law Resource Center for additional information for additional information, past webinars, and educational materials.

Ad Law Access Podcast

January 1, 2020 was the effective date for the California Consumer Privacy Act (CCPA).  As we reported and summarized in our Q1 2020 CCPA Litigation Round-Up, private litigants wasted no time in filing consumer-related causes of action under the new law.

Here, we provide an update on material developments in that first wave of claims and report on additional private lawsuits commenced in the first half of the year.  We have further categorized the recently-filed cases based on those stemming from a data breach versus not.  In the latter category, the cases are further split based on the underlying alleged violations – last quarter, non-breach based claims related to the disclosures and opt-out mechanisms required by the CCPA as well as the scope of “personal information” covered by the CCPA.

1. Update on Cases Reported in Q1 2020

Continue Reading CCPA Litigation Round-Up: Q2 2020

The California Consumer Privacy Act (CCPA) right to non-discrimination explainedOn June 24, 2020, the Secretary of State of California announced that the California Privacy Rights Act (CPRA), had enough votes to be eligible for the November 2020 general election ballot. CPRA is a ballot initiative, which, if adopted, would amend and augment the California Consumer Privacy Act (CCPA) to increase and clarify the privacy rights of California residents.  The result is a law that is closer in scope to robust international privacy laws, such as the GDPR. For more information on the CCPA, please see our posts here.

To be eligible for the November 2020 ballot, CPRA needed to obtain over 623,212 verified signatures. If passed by a simple majority of California voters in November, as is looking likely, the CPRA will become effective on January 1, 2021, with most compliance obligations required by January 1, 2023. With the exception of the access right, the CPRA would apply only to personal information collected after January 1, 2022. Additionally, the CPRA would extend the CCPA’s temporary business to business exemption and employee data exemptions (which are scheduled to sunset on January 1, 2021) until January 1, 2023.

Until January 1, 2023, businesses would need to comply with the CCPA and any finalized regulations in force (which could mean both CCPA and CPRA regulations). The Attorney General would preserve its authority to issue CCPA regulations and enforcement during this period, and a new privacy agency would be formed with its own rulemaking and enforcement authority.

For more information on the comparison between CCPA and CPRA, please see our chart below. While there are no immediate action items, companies may benefit from reviewing the CPRA requirements to assess what changes may be necessary should the ballot pass. And a reminder — the CCPA enforcement date is set for July 1, 2020, although it is not yet clear whether the CCPA regulations will be effective by then; the Office of Administrative Law’s review remains pending. Please contact any of the attorneys in Kelley Drye’s Privacy Group if you would like assistance in California privacy compliance.

  CCPA CPRA
“Business” Threshold $25 million annual revenue; or 50,000+ consumers; or 50% of annual revenue derived from selling consumers personal data $25 million annual revenue; or buys, sells or shares 100,000+ consumers or households; or 50% of annual revenue derived from selling or sharing consumers’ personal data
Operative date January 1, 2020 January 1, 2023, and applies only to personal information collected on or after January 1, 2022, except with regard to access requests.
Employee and B2B exemptions Sunsets January 1, 2021 Sunsets January 1, 2023
“Sold” and “Shared” Definitions “Sell,” “selling,” “sale,” or “sold,” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating … for monetary or other valuable consideration. The term “sold” is broadened to “sold or shared.” This change is accompanied by a change in the definition of what it means to sell, which removes the carve-out for sharing personal information with a service provider (although this point is addressed in a more narrow definition of “third party”).
Service Providers and Contractors

A Service Provider is an entity “that processes information on behalf of a business … provided that the contract prohibits the entity receiving the information from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business…”

 

Introduces new requirements to qualify as a “service provider” and adds a new definition of a “contractor” that mirrors the definition of a service provider.

Clarifies and provides additional requirements regarding service providers’ use of the data, such as a requirement that service providers silo the data they learn about a consumer from other sources.  (This is more restrictive than the AG CCPA regulations).

Requires contractual terms, similar to the GDPR.

Consent Consent is not required in the CCPA. However, the definition of sale contains guidance regarding “intentional interactions.”

Consent is defined as any freely given, specific, informed and unambiguous indication of the consumer’s wishes by which he or she… signifies agreement to the processing of personal information relating to him or her for a narrowly defined particular purpose.

Introduces the concept of “dark patterns” defined as a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making or choice, as further defined by regulation.  Agreement obtained through use of dark patterns does not constitute consent.

Sensitive information Does not contain separate provisions for sensitive information (other than increased verification requirements.) Contains disclosure, opt-out, and purpose limitation requirements for sensitive information.
Automated Decision-Making N/A

Introduces concept of “profiling.”

Calls for regulations requiring businesses’ response to access requests to include meaningful information about the logic involved in such profiling, as well as a description of the likely outcome of the process with respect to the consumer.

Right to Correct N/A Gives consumers the right to correct inaccurate information.
Opt Out of Targeted Advertising The CCPA does not restrict targeted advertising if it can be conducted without “selling” data.

Providing advertising or marketing services is a business purpose but this does not include “Cross-Context Behavioral Advertising,” a newly defined term to describe ads targeted to consumers based on a profile or predictions about the consumer related to the consumer’s activity over time and across multiple businesses or distinctly-branded services, websites or applications.

Contains a broader opt-out provision (for both “sale” and “sharing”) and specifically limits service providers from engaging in any “cross-context behavioral advertising.”

Retention The CCPA does not contain any requirements that businesses disclose their retention practices to consumers.

Businesses must disclose, at the time of collection: the length of time the business intends to retain each category of personal information, including sensitive personal information, or if that is not possible, the criteria used to determine such period.

A business cannot retain personal information for longer than is reasonably necessary for that disclosed purpose.

GDPR Concepts

·        

N/A

 

Contains language to promote the following GDPR principles:

  • Data Minimization
  • Purpose Limitation
  • Duty to Avoid Secondary Use
Enforcement

Enforced by the Attorney General

 

 

Allows a 30 day period to cure violations

Establishes the California Privacy Protection Agency that would have a broad scope of responsibilities and enforcement powers.

Security breaches include email/password/challenge questions.

Modifies the 30-day cure period to apply to a private right of action for security breach violations, rather than for general privacy violations of the law.

Fines for violations involving children’s personal data are tripled.

 

 

Advertising and Privacy Law Resource Center

On June 2, California Attorney General Xavier Becerra announced that he had submitted final CCPA regulations to the Office of Administrative Law (OAL) for review. The final regulations are substantively identical to the second set of modified proposed regulations, which the AG released in March. In addition, the AG issued a Final Statement of Reasons that (1) explains the changes between the first draft and final regulations, and (2) is accompanied by Appendices that respond to each public comment received throughout the rulemaking process – including written comments submitted in response to each draft of proposed regulations and those provided at the four public hearings held in December 2019.

We have described below some of the key provisions of the final regulations, which will impose additional requirements on businesses, service providers, and third parties and data brokers, and likely require the design and implementation of new processes. Whatever hardship the regulations may cause, it is clear that the AG is prioritizing consumer privacy, explaining that the office “has made every effort to limit the burden of the regulations while implementing the CCPA” and does not believe the regulations are “overly onerous or impractical to implement, or that compliance would be overly burdensome or would stifle businesses or innovation.” Continue Reading CCPA Update: Final Regulations Submitted but No Changes from Prior Draft

Ad Law Access Podcast - Operationalizing CCPACCPA compliance is a cross-functional exercise that requires active participation and buy-in from business units across the organization to tackle data mapping, work flows and employee training. On the latest episode of the Ad Law Access Podcast, special counsel Tara Marciano and associates Carmen Hinebaugh and Alexander Schneider discuss the ongoing challenges of operationalizing CCPA compliance focusing broadly on two areas: rights requests and vendor agreements.

Listen on Apple,  SpotifyGoogle Podcasts,  Soundcloud or wherever you get your podcasts.

For more information on CCPA and other topics, visit:

Advertising and Privacy Law Resource Center - Operationalizing the California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act (CCPA) provides consumers with a right to non-discrimination when they exercise other privacy rights guaranteed by the law, such as the right to access, delete, or opt out of the sale of their personal informationThe California Consumer Privacy Act (CCPA) provides consumers with a right to non-discrimination when they exercise other privacy rights guaranteed by the law, such as the right to access, delete, or opt out of the sale of their personal information.  However, the meaning of “non-discrimination” and the exceptions to this prohibition provided in the CCPA and proposed regulations are among the more confusing aspects of California’s privacy law.

While other privacy laws contain non-discrimination provisions, the CCPA non-discrimination right is notably broader.  For example, the CCPA concept of discrimination is not limited to protected or sensitive categories, as is the case with Title VII.  Nor is it limited to a specific type of economic activity, as is the case with industry-specific laws such as the Equal Credit Opportunity Act.  Instead, CCPA’s non-discrimination right applies to all California consumers exercising any of their other rights under the Act.

This post looks at what the non-discrimination right prohibits (and allows), as well as some of the important questions that the statute and draft regulations leave open.  Critical practical issues include being able to (1) distinguish between lawful denials of CCPA rights and impermissible discrimination, and (2) justify the magnitude of financial incentives offered in connection with personal information collection, retention, and sale.  With about two months before the CCPA’s July 1 enforcement date, it’s important for businesses to confirm how they are addressing this often overlooked right and square away any final adjustments that may be prudent.

Continue Reading The CCPA Non-Discrimination Right, Explained