Ad Law Access Podcast - Operationalizing CCPA

CCPA compliance is a cross-functional exercise that requires active participation and buy-in from business units across the organization to tackle data mapping, workflows and employee training. On the latest episode of the Ad Law Access Podcast, special counsel Tara Marciano and associates Carmen Hinebaugh and Alexander Schneider discuss the ongoing challenges of operationalizing CCPA compliance, focusing broadly on two areas: rights requests and vendor agreements.

Listen on Apple, Spotify, Google Podcasts, SoundCloud, or wherever you get your podcasts.

For more information on CCPA and other topics, visit:

Advertising and Privacy Law Resource Center - Operationalizing the California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act (CCPA) provides consumers with a right to non-discrimination when they exercise other privacy rights guaranteed by the law, such as the right to access, delete, or opt out of the sale of their personal information.  However, the meaning of “non-discrimination” and the exceptions to this prohibition provided in the CCPA and proposed regulations are among the more confusing aspects of California’s privacy law.

While other privacy laws contain non-discrimination provisions, the CCPA non-discrimination right is notably broader.  For example, the CCPA concept of discrimination is not limited to protected or sensitive categories, as is the case with Title VII.  Nor is it limited to a specific type of economic activity, as is the case with industry-specific laws such as the Equal Credit Opportunity Act.  Instead, CCPA’s non-discrimination right applies to all California consumers exercising any of their other rights under the Act.

This post looks at what the non-discrimination right prohibits (and allows), as well as some of the important questions that the statute and draft regulations leave open.  Critical practical issues include being able to (1) distinguish between lawful denials of CCPA rights and impermissible discrimination, and (2) justify the magnitude of financial incentives offered in connection with personal information collection, retention, and sale.  With about two months before the CCPA’s July 1 enforcement date, it’s important for businesses to confirm how they are addressing this often overlooked right and square away any final adjustments that may be prudent.


Recent putative consumer class action cases filed against Ring and Zoom raise allegations under the California Consumer Privacy Act (“CCPA”) and are likely to be the first battlegrounds over the CCPA’s potential hostility to consumer arbitration clauses.  The continued applicability of arbitration agreements is likely to be a significant (and hard-fought) issue with far-reaching implications for consumer litigation under, and involving, the CCPA.  This post reviews recent precedent concerning prior attempts by California to bar arbitration or otherwise ignore federal preemption in the context of privacy statutes in an effort to predict how the courts will navigate the CCPA’s attempted restriction on arbitration.

CCPA On Arbitration

The CCPA provides consumers with a private right of action when they are affected by a data breach of certain types of personal information.  Cal. Civ. Code § 1798.150.  The law permits recovery of statutory damages of between $100 and $750 per consumer, per incident, and explicitly envisions actions proceeding on an individual or class-wide basis.  Id. at (b).  In addition to monetary damages, private consumers may seek injunctive relief under the CCPA.  § 1798.150(a)(1)(B).  These statutory damages and the right to collective action make the CCPA a ripe target for consumer class actions.  That is further bolstered by the CCPA’s apparent limitation of parties’ ability to contract around public class actions.  Specifically, the CCPA directs that:

Any provision of a contract or agreement of any kind that purports to waive or limit in any way a consumer’s rights under this title, including, but not limited to, any right to a remedy or means of enforcement, shall be deemed contrary to public policy and shall be void and unenforceable.

Section 1798.192 (emphasis added).  Thus, the CCPA would not permit a company to force an individual arbitration based on a consumer contract where a class-wide CCPA claim is asserted.  But is that enforceable?

California’s History of Trying to Limit Arbitration

California’s history of seeking to limit parties’ rights to compel arbitration has, for years, been at the center of the dispute over the strength and reach of the Federal Arbitration Act, 9 U.S.C. § 1 et seq. (“FAA”).  The landmark case on this issue is AT&T Mobility LLC v. Concepcion, 563 U.S. 333 (2011).  In Concepcion, the United States Supreme Court addressed a clash between the FAA and California’s declaration that arbitration waivers were unconscionable and, thus, unenforceable.  The FAA won.  Based on the FAA, the Court found California could not reject arbitration agreements, even if such clauses required consumers to arbitrate individually.

In the ensuing decade, the Court has re-confirmed the Concepcion decision against subsequent challenges, including from California.  Of particular relevance, in 2015, the Court confirmed that class action waiver clauses in consumer agreements are enforceable, even in the face of contrary California state law.  DirecTV, Inc. v. Imburgia, 577 U.S. __, 136 S.Ct. 463, 468, 193 L.Ed.2d 365 (2015).  The Court also confirmed that arbitration agreements with a class action waiver remain valid, even where consumers are presented with the practical hurdle that a plaintiff’s costs of individually arbitrating might far exceed the potential individual recovery available.  American Express Co. v. Italian Colors Restaurant, 570 U.S. 228 (2013).

In 2017, the California Supreme Court held that arbitration clauses that left individual consumers without the ability to obtain public injunctive relief were unenforceable.  McGill v. Citibank, N.A., 2 Cal. 5th 945 (2017).  Currently pending before the United States Supreme Court is a petition for a writ of certiorari on the question of “whether California’s public-policy rule conditioning the enforceability of arbitration agreements on acquiescence to public-injunction proceedings is preempted by the FAA.”  AT&T Mobility LLC v. McArdle, No. 19-1078.

Privacy Laws Cannot Overcome Federal Preemption

Given the unique nature of the privacy protections of the CCPA and lack of parallel federal privacy protections, it is instructive to see how courts have approached preemption of prior California privacy statutes.  In 2012, California’s Attorney General brought suit against Delta Airlines alleging that the lack of a clearly-disclosed privacy policy in the “Fly Delta” app violated the California Online Privacy Protection Act (CalOPPA), Cal. Bus. & Prof. Code §§ 22575-22579.  Delta challenged the state’s ability to bring consumer protection claims against commercial airlines given the federal Airline Deregulation Act of 1978, Pub. L. 95-504, 49 U.S.C. § 1371, et seq.  The court dismissed, finding that the federal statute preempted the statutory requirements of CalOPPA.  State of California v. Delta Air Lines, Inc., Case No. CGC-12-526741 (Cal. Sup. Ct. May 9, 2013).  The decision was affirmed by the California Court of Appeals.  Case No. A139238, 2016 WL 3001805 (Cal. Ct. App. May 25, 2016).

Conclusion

Recent precedent supports the continuing viability of arbitration clauses, including as part of consumer contracts that waive class actions.  It further confirms that California’s attempts to circumvent federal law, including in the privacy space, are likely to be struck down based on preemption.  Thus, all signs point towards the continued ability of companies to compel arbitration, including individual arbitration, over CCPA claims.

That said, it remains to be seen how far the California courts (federal or state) might permit or force litigants to proceed before that likely outcome is reached.  Thus, despite potential contract terms that include an otherwise valid arbitration clause and class action waiver, CCPA defendants such as Ring and Zoom may need to engage in multiple rounds of motion practice and appeals before getting clarity on the forum in which their cases will even be heard.

Another consideration:  until there is a decision that the CCPA is preempted by the FAA, the CCPA litigation occurring now may be the only cases to provide clarification as to some of the vague provisions of the CCPA (evident by the inconsistent interpretations and compliance applications in the marketplace).  Once CCPA claims are addressed mainly through arbitration, guidance will be left to the California Attorney General’s Office and the more limited number of cases initiated by that Office.

If you have privacy, cyber, or related litigation questions, our team of compliance and litigation specialists would be happy to speak with you.  More information about Kelley Drye’s Privacy and Information Security Litigation team can be found here.


The CCPA grants the California Attorney General (AG) the authority to enforce the CCPA starting on July 1, 2020.  Last month, the AG confirmed no intention to delay that enforcement date due to the COVID-19 pandemic, despite mounting industry pressure.

Even if enforcement begins July 1st, companies must contend with another glaring obstacle: the AG has not yet issued final regulations.  The AG has a narrow window to complete its final regulations, leaving companies with less than three months advance notice to implement highly technical final regulations.  If the AG fails to meet its statutory deadlines, the AG’s enforcement of the CCPA would begin before final regulations are issued.

In March, the AG released a third draft of CCPA regulations, with comments due on March 27th.  Now, the AG can either issue another round of proposed regulations or finalize the regulations.  The third draft had far fewer changes than previous drafts, indicating the AG may be ready to finalize the regulations, although the AG has remained largely silent in explaining the reasoning behind any changes to its various drafts.

Once the AG is ready to issue final regulations, the AG will send the regulations to the Office of Administrative Law, which generally has up to 30 working days to review regulations, although an executive order linked to the COVID-19 crisis extends the Office’s deadline by 60 calendar days.

Once reviewed, the Office transmits the final rule to the Secretary of State for adoption.  The effective date of the final CCPA regulations depends on the date that the Office files the regulations with the Secretary of State.  For example:

  • If filed March 1 – May 31: the effective date is July 1.
  • If filed June 1 – August 31: the effective date is October 1.
  • Another effective date may be possible if the AG demonstrates good cause.

As a result of this timeline, the AG is likely aiming to complete the final regulations in April, to provide the Office with sufficient time to complete the rulemaking process by May 31st and implement the regulations by July 1st.  Any delay could push the effective date of new rules to October 1st, well past the statutory enforcement date of July 1.

Given this timeframe, companies seeking to comply with the new CCPA regulations should not wait for final regulations to stand up compliance processes.  With enforcement slated to arrive either at the same time as or before the effective date of new regulations, covered businesses should work with privacy counsel to prepare for CCPA as soon as possible.

We will continue to follow new developments that may impact the timeframes for implementation of the CCPA regulations.  If you have questions on how the regulations may impact your business, please contact Alysa Hutnik or Alex Schneider at Kelley Drye.



The California Consumer Privacy Act (CCPA) took effect January 1, 2020.  While the California Attorney General’s enforcement authority is delayed until July 1, private litigants have already started to file direct claims under the CCPA as well as other consumer-related causes of action predicated on alleged CCPA violations.  Notably, the California Attorney General takes the position that enforcement actions can cover violations that predate July 1, 2020.

As detailed in our prior posts (see, e.g., here and here), the CCPA expressly provides for only a limited private right of action related to data security breaches.  Cal. Civ. Code 1798.150.  Private plaintiffs can recover actual damages or statutory damages of $100 to $750 per statutory violation.  While a broader potential private right of action was considered, which would have permitted individuals to sue for additional CCPA violations, that amendment (SB 561) failed.

Nevertheless, private litigants have thus far filed CCPA-related claims in cases where breaches have occurred, but also in cases where no breach is alleged.  A quarter of the year in, we consider here how the CCPA has already impacted consumer class action claims.

Barnes v. Hanna Andersson LLC and Salesforce.com Inc., Case No. 4:20-cv-00812 (N.D. Cal.)

On February 3, 2020, California consumer Bernadette Barnes filed a putative class action Complaint against retailer Hanna Andersson arising from a data breach.  The breach (which occurred in September-November 2019), allegedly resulted in the loss of personally identifiable information (“PII”), including unencrypted credit card and consumer information.  Plaintiff also sued the cloud vendor Salesforce.com that allegedly stored the PII at issue.

Plaintiff seeks to represent a nationwide class including: “All individuals whose PII was compromised in the data breach announced by Hanna Andersson on January 15, 2020,” as well as a California sub-class.  Plaintiff does not include a cause of action under the CCPA, but relies upon the CCPA as a predicate for her claim under California’s Unfair Competition Law, Cal. Bus. & Prof. Code §17200 (“UCL”), along with causes of action for negligence and a declaratory judgment.

Sheth v. Ring LLC, Case No. 2:20-cv-01538 (C.D. Cal.)

On February 18, 2020, Seattle, Washington consumer Abhi Sheth filed a putative class action Complaint against California-based video doorbell and security camera manufacturer Ring.  Plaintiff alleges inadequate security measures for handling PII as well as unauthorized disclosure to third parties.

Plaintiff seeks to represent a class of consumers defined as: “All persons residing in the United States who purchased a Ring Security Device within the applicable statute of limitations period.”  Plaintiff’s CCPA claim alleges improper collection and use of personal information without notice, and failing to provide the required notice of a right to opt out of the sale of personal information to third parties.  Plaintiff does not allege that Ring had any specific data breach or security event that triggered the claim.  Plaintiff asserts seven other causes of action arising from the same facts:  invasion of privacy; negligence; breach of implied warranty of merchantability; breach of implied contract; unjust enrichment; and violations of the UCL and California Legal Remedies Act, Cal. Civ. Code § 1750, et seq. (“CLRA”).

Significantly, the arbitration clause in Ring’s consumer agreement may create the first opportunity to balance the CCPA’s perceived hostility to arbitration, on the one hand, and the parties’ contract and policy underlying the Federal Arbitration Act, on the other.  That issue is expected to be a heavy battleground in CCPA consumer class actions, making this a potentially important first test on that issue.

On March 5, the Sheth case was consolidated with four other privacy-related cases pending against Ring and on March 31, the separate Sheth case was closed.  The continuing matter, In re: Ring LLC Privacy Litigation, Case No. 2:19-cv-10899 (C.D. Cal.), began with a December 26, 2019 Complaint that does not reference the CCPA; however, the Court’s February 11 Consolidation Order permits the plaintiffs to file a Consolidated Complaint after interim class counsel is appointed.  It is reasonable to expect that the updated pleading and addition of Sheth to the consolidated action could inject the CCPA more directly into the overall claims.

Burke v. ClearviewAI, Inc., Case No. 3:20-cv-00370 (S.D. Cal.)

On February 27, 2020, California consumer Sean Burke and Illinois consumer James Pomerene filed a putative class action Complaint against ClearviewAI (and its two founders) alleging the improper collection and sale of PII and biometric information in violation of, among other laws, the CCPA.  Clearview “scrapes” websites (scanning, extracting, and copying images) to compile a comprehensive database that allegedly includes over three billion images and PII of consumers, which Clearview sells to law enforcement and private entities.  Plaintiffs allege that Clearview collected and used their PII without notice or consent in violation of the CCPA.

Plaintiffs seek to represent three California-related sub-classes:

(a) Sub-Class One (the “CCPA Class”) (Cal. Civ. Code § 1798.100, et seq): All persons who, while residing in California, had their California Biometric Information collected and/or used by Clearview without prior notice by Clearview and without their consent.

(b) Sub-Class Two (the “Commercial Misappropriation Class”) (Cal. Civ. Code § 3344): All persons who, while residing in California, had their Photograph or likeness knowingly used by Clearview for commercial gain without their consent.

(c) Sub-Class Three (the “Unjust Enrichment Class”): All persons who, while residing in California, had their California Biometric Information misappropriated by Clearview from which Clearview was unjustly enriched.

The Complaint also asserts claims under the Illinois Biometric Information Privacy Act, 740 ILCS 14/1, et seq. (“BIPA”) as well as specific causes of action for violations of the UCL, commercial misappropriation, and unjust enrichment.

Cullen v. Zoom Video Communications, Inc., Case No. 5:20-cv-02155 (N.D. Cal.)

On March 30, 2020, California consumer Robert Cullen filed a putative class action Complaint against online video-conferencing provider Zoom alleging the failure to properly safeguard user information and improper disclosure of individual and business information to third parties, including Facebook.  The allegations arise from a March 26 Vice Media report that purports to detail unauthorized sharing and data vulnerabilities of Zoom.

Plaintiff seeks to represent a class comprised of: “All persons and businesses in the United States whose personal or private information was collected and/or disclosed by Zoom to a third party upon installation or opening of the Zoom video conferencing application.”

Plaintiff asserts a claim under the CCPA for Zoom’s alleged collection and use of PII without adequate notice and failing to prevent unauthorized disclosure.  Plaintiff asserts related claims under the UCL and CLRA based on the same conduct and violation of, inter alia, the CCPA.  Plaintiff also alleges negligence, invasion of privacy, and unjust enrichment.

While these initial CCPA-related cases remain at the earliest stages, they demonstrate the ways in which consumer plaintiffs will use the CCPA in class actions.  Notably, however, not all consumer privacy complaints filed since January incorporated the CCPA.  Indeed, two consumer complaints filed in March 2020 in the Northern District of California make allegations arising from a consumer data breach, but do not include any claim under (or even reference to) the CCPA.

I.C., a minor by and through his natural parent, Nasim Chaudhri and Amy Gitre v. Zynga, Inc., Case No. 3:20-cv-01539 (N.D. Cal.); Carol Johnson and Lisa Thomas v. Zynga, Inc., Case No. 3:20-cv-02024 (N.D. Cal.). 

On March 3, 2020, Plaintiffs Amy Gitre and I.C. filed a putative class action Complaint arising from video game manufacturer Zynga’s alleged failure to protect PII of its users, including both adults (Gitre) and minors (I.C.).  Plaintiffs filed a fourteen-count Complaint that includes statutory and common law claims arising from the alleged failure to properly secure account holders’ PII.  In September 2019, a hacker publicly claimed to have breached Zynga’s database and was able to extract information concerning 218 million users.  The breach is alleged to have included users from some of Zynga’s most popular games: Words With Friends; Draw Something; and OMGPOP.  On September 12, 2019, Zynga posted a “Player Security Announcement” that confirmed the breach.

Plaintiffs seek to represent a nationwide class of: “All individuals in the United States whose PII was obtained or maintained by Zynga and compromised as a result of the Zynga data breach described herein” as well as adult and minor sub-classes.  The causes of action include:  negligence; negligent misrepresentation; negligence per se (under Section 5 of the FTC Act); unjust enrichment; violation of state data breach laws (including failure to safeguard data and failure to provide adequate notice of the breach); intrusion upon seclusion; and declaratory judgment (seeking an injunction compelling proper security of PII).  There are no references to, or causes of action under, the CCPA.

On March 23, a follow-on suit was filed in the same court raising similar allegations.  The Plaintiffs, Carol Johnson and Lisa Thomas, seek an identical nationwide class as well as Missouri and Wisconsin sub-classes, based on the citizenship of the Plaintiffs.  The Complaint asserts a narrower list of causes of action regarding negligence, negligence per se, unjust enrichment, and declaratory judgment.  Again, there are no references to, or causes of action under, the CCPA.

We will continue to monitor the various claims, as well as court decisions in CCPA litigations.  If you have any questions about defending and/or preparing for a potential privacy consumer class action, please reach out to our team.


California Attorney General (AG) released third draft of proposed CCPA regulations

On Wednesday, the California Attorney General (AG) released a third draft of proposed CCPA regulations for public comment.  The draft contains a series of technical corrections, along with a handful of substantive incremental modifications to the prior draft.  The limited number of changes signals that the rulemaking process is reaching an end.

The following is a summary of key modifications the AG is proposing in the latest draft:

  • Service Providers – The AG revised the exemptions to the general rule that service providers may not retain, use, or disclose personal information obtained in the course of providing services.

First, the AG removed an exemption allowing service providers to perform the services specified in the written contract with the business that provided the personal information.  In its place, the AG added a new exemption: “to process or maintain personal information on behalf of the business that provided the personal information, or that directed the service provider to collect the personal information, and in compliance with the written contract for services required by the CCPA.”  This new exemption significantly narrows the ability of a service provider to use personal information to perform services generally, now requiring that the service provider limit the use of personal information “on behalf of the business that provided the personal information.”

Second, the AG edited a clause that allowed a service provider to use personal information for internal purposes to build or improve the quality of its services.  The AG clarified that the exemption does not allow a service provider to build or modify consumer profiles to use in providing services to another business; or correcting or augmenting data acquired from another source.  These clarifications indicate that the AG seeks to limit a service provider from using personal information it obtains through providing a service to develop consumer profiles that it can resell.

  • Removal of Opt Out Button – In the prior draft of the regulations, the AG proposed a standard opt out button and logo for the industry to adopt.  But the opt out button came under scrutiny in comments submitted by Lorrie Cranor of Carnegie Mellon University, which highlighted usability issues presented by the color and appearance of the AG’s proposed button.  Cranor’s team noted that the icon looked deceptively like an actual toggle switch, and when combined with its red color, could be misinterpreted as indicating an off-state.  “[A] consumer may misinterpret the [AG] toggle icon as an indication that they have already opted-out of the sale of their personal information,” Cranor’s team wrote.  In the latest version, the AG removes all reference to the opt out button.
  • Exemption from Notice at Point of Collection – A business that does not collect PI directly from a consumer is not required to provide a notice at the point of collection if that business will not sell the consumer’s personal information.
  • Guidance on IP Addresses – The AG abruptly removed guidance indicating that an IP address that does not link to a particular consumer or household would not be “personal information.”  The new draft does not include new guidance, however, leaving the prior guidance as the only interpretation issued by the AG on whether IP addresses are “personal information.”
  • Privacy Policy Disclosures – The AG restored language from the first draft of the regulations requiring a business to identify the categories of sources from which personal information is collected and the business/commercial purpose for collecting or selling personal information, both in a manner that provides consumers a meaningful understanding of the information disclosed.  The new language does not require these disclosures “for each” category of personal information.
  • Sensitive Data Disclosures – The AG proposes that even if a business withholds sensitive data in response to a request to know, the business must still provide a description of the information withheld.  For example, a business should not provide an actual social security number, but should state that it holds the consumer’s social security number.
  • Denial of Deletion Request – When a business that sells personal information denies a deletion request, the business must ask the consumer if the consumer wants to opt out of the sale of their personal information.
  • Definition of a Financial Incentive – The AG removed a confusing element of the definition of a financial incentive that had previously indicated that a program, benefit, or other offering, including payments to consumers, would be a “financial incentive” where a company compensated the disclosure, deletion, or sale of personal information.   The AG clarified that a financial incentive relates instead to the collection, retention, or sale of personal information.
  • Annual Privacy Policy Disclosures – The requirement to disclose metrics when a business buys, receives, sells, or shares personal information of more than 10 million consumers in a calendar year will now only apply to businesses that know or should reasonably know that they meet the threshold for such a disclosure.

The deadline to submit written comments to the proposed modifications is March 27, 2020. Our firm will continue to review the draft regulations as we work with clients to develop practical guidance on complying with the CCPA. If you have questions on how the regulations may impact your business, or if you would like assistance in submitting a written comment, please contact Alysa Hutnik, Aaron Burstein, Katie Townley, Carmen Hinebaugh, or Alex Schneider.



If you have suggestions for other topics, CCPA or otherwise, that you would like us to cover in future podcasts, please send us an email at marketing@kelleydrye.com.

___________________

Given the continuing growth in influencer and celebrity marketing to help create buzz, companies have additional worries about potential harm to their brands. Please join partner Gonzalo Mon for this 30-minute program on the legal issues surrounding social media influencers. This program will cover:

  • Key legal requirements for influencer campaigns
  • Notable enforcement actions, and what you can learn from them
  • Practical tips for managing influencers


The Ad Law Access podcast is available through Apple Podcasts, Spotify, Google Play, SoundCloud, or wherever you get your podcasts.

Privacy law 101 webinar on Wednesday, February 25th

While there is a lot of attention on California’s new privacy law (CCPA), what about the basic privacy considerations when it comes to compliance, risk assessment, and negotiating contracts? Please join partner Alysa Hutnik and associate Carmen Hinebaugh for a webinar that walks through topics such as:

  • Privacy law 101
  • Data security and breaches
  • E-Mail, calls, and text marketing




On Friday, California Attorney General Xavier Becerra released proposed modifications to the formerly-released draft regulations implementing the California Consumer Privacy Act (CCPA). The modifications reflect the Attorney General’s response to public comments issued in response to the draft regulations and arguably represent a rollback of key provisions previously proposed.

The modifications impose a number of changes to the regulations. Of immediate note to companies are the following:

  1. Service Providers:  The modifications clarify that it would be acceptable (and thus, not a “sale”) for a service provider to use a business’s personal information to build or improve the quality of the service provider’s services, provided that the use does not include building or modifying household or consumer profiles, or cleaning or augmenting data acquired from another source.  The modifications also require the service provider to stop selling data on behalf of a business when a consumer has opted out of the business’s sale of their personal information.  This clarification arguably restricts an interpretation that using personal information to build or augment profiles, or to clean or augment personal information, are acceptable “business purposes” between a business and a service provider.
  2. Third Parties: The modifications no longer require a third party that purchases personal information to contact the consumer directly to provide notice and an opt out, or to contact the source and confirm that the source provided the required notice and obtain signed attestations.
  3. Loyalty Programs/Non-Discrimination: If a consumer informs the business that they would like to remain in a loyalty program but otherwise have the business delete their information, it is lawful under the CCPA for the business to deny the deletion request as to the information necessary to maintain the enrollment in and benefits from the loyalty program. The modifications specifically provide that a business’s denial of a consumer’s request to know, request to delete, or request to opt out for reasons permitted by the CCPA or the regulations is not discriminatory.
  4. Personal Information (Actual, Not Hypothetical): The modifications reinforce that whether information is “personal information” depends on how the business maintains the information, noting, for example, “if a business collects the IP addresses of visitors to its website but does not link the IP address to any particular consumer or household, and could not reasonably link the IP address with a particular consumer or household, then the IP address would not be ‘personal information.’” In other words, if data collected technically could be considered personal information under the CCPA definition, but the business does not and cannot reasonably link that data to any particular consumer or household, that data would not be personal information.
  5. Notice at Point of Collection: The modifications clarify that a business may not use personal information for purposes that are materially different from those disclosed in the notice at collection, unless the business directly notifies the consumer of the new use and obtains explicit consent.
  6. Privacy Policy “Right to Know” Disclosure: In describing the “right to know” in the privacy policy, the disclosure should be written in a manner that provides consumers with a meaningful understanding of the categories listed, and disclose:
    • The categories of personal information collected;
    • The categories of sources from which it was collected;
    • The business or commercial purpose for collecting or selling personal information;
    • The categories of third parties with whom the business shares personal information;
    • The categories of personal information the business sold in the past 12 months and, for each category, the categories of third parties to whom they sold it; and
    • The categories of personal information disclosed for a business purpose in the past 12 months and, for each category, the categories of third parties to whom they disclosed it.
  7. Privacy Policy “Agent Instructions” Disclosure: The privacy policy must provide instructions on how a consumer can designate an authorized agent to make a request under the CCPA on the consumer’s behalf.
  8. Consumer Rights Requests: The modifications would update how a business responds to consumer rights requests as follows:
    • Online-Only Businesses: The modified regulations confirm that an online-only business that has a direct relationship with a consumer need only provide an email address for submitting requests to know.
    • Timing: A business has 10 business days to confirm receipt of a request, and 45 calendar days to respond. If the business cannot verify the consumer’s identity within the 45 days, the business may deny the request.  In other words, the clock does not run indefinitely if the consumer has not verified his or her identity during the initial 45-day period.
    • “Right to Know” Search Exceptions: A business does not need to search for personal information in response to a request if the business does not maintain the personal information in a searchable format, maintains it only for legal and compliance purposes, does not sell the information or use it for any commercial purpose, and describes in its response to the consumer the categories of information it holds that it did not search but which may contain the information. This provides some flexibility to avoid expensive searches for personal information, such as call recordings or video footage collected by companies for security or legal compliance purposes.
    • “Right to Know” Production Exceptions: The modifications struck the express exception allowing a business to withhold specific pieces of personal information if the disclosure creates a substantial, articulable, and unreasonable risk to the security of the personal information, the consumer’s account with the business, or the security of the business’s systems or networks. Instead, the modifications more generally state that a business may decline to produce specific pieces of personal information, in whole or in part, because of a conflict with federal or state law, or based on an exception to the CCPA, but must inform the requestor and explain the basis for the denial, unless prohibited from doing so by law.
    • Deletion Denial/Opt-Out Notice: If the business denies a deletion request, it also must ask the consumer if she wants to opt out of the sale of her personal information (even if the consumer has not made the opt-out request), and include a link to the opt-out.
    • Deletion Compliance: Two-step confirmation of deletion requests is no longer required. In fulfilling a deletion request, the business does not need to specify the manner in which it deleted the personal information.
    • No Fee for Verification: A business cannot require a consumer to pay a fee for the verification of a request to know or request to delete.
  9. Do Not Sell Button: The modifications provide additional information about the voluntary use of the opt-out button. When the opt-out button is used, it should be the same size as other buttons on the webpage.
  10. Opt Out: A business has 15 business days to comply with an opt-out request. Significantly, the modifications provide that businesses will not need to notify all third parties to whom they sold the consumer’s data within the preceding 90 days. Instead, this obligation is limited to circumstances in which the business sold personal information to third parties between the date of the opt-out request and the date of compliance. For sales made during this limited period, the business shall direct the third-party purchasers not to further sell the data. In addition, the opt-out method must be easy for consumers to execute and require minimal steps to allow the consumer to opt out. “A business shall not utilize a method that is designed with the purpose or substantial effect of subverting or impairing a consumer’s decision to opt-out.”
  11. User-Enabled Privacy Controls: A privacy control developed in accordance with the regulations must clearly communicate that a consumer intends to opt out of the sale of her personal information. The privacy control must require that the consumer affirmatively select her choice to opt out and not be designed with pre-selected settings. If a global privacy control conflicts with a consumer’s existing business-specific privacy setting or participation in a business’s financial incentive program, the business shall respect the global privacy control but may notify the consumer of the conflict and give the consumer the choice to confirm the business-specific privacy setting or participation in the financial incentive program.
  12. Mobile Notifications: The modifications provide that, where a business collects information from a mobile application, it can provide a link to the privacy policy within the application. Where the application collects information that the consumer would not reasonably expect, the business must provide a notification of that collection, such as through a pop-up window, that explains the collection and links to the full privacy policy.
  13. Households: The modifications clarify that a household means those who reside at the same address, share a common device or the same service provided by a business, and are identified by the business as sharing the same group account or unique identifier. In terms of responding to “household” rights requests, if a consumer has a password-protected account with a business that collects personal information about a household, the business may process requests to know and delete relating to household information through the business’s existing business practices and in compliance with the regulations. If a member of a household is a minor under the age of 13, a business must obtain verifiable parental consent before complying with a request to access specific pieces of information for the household or the deletion of household personal information pursuant to CCPA-mandated parental consent.
  14. Employee Privacy Notice: Under the revised regulations, employee privacy notices do not need to contain links to the Do Not Sell option.
  15. Data Brokers: The modifications provide that a data broker does not need to provide a notice at collection to the consumer if the broker included in its registration submission a link to its online privacy policy that includes instructions on how a consumer can submit a request to opt out.
  16. Annual Privacy Policy Disclosures: Businesses that buy, receive for the business’s commercial purposes, sell, or share for commercial purposes the personal information of 10 million or more (up from 4 million or more) consumers in a calendar year must disclose required metrics by July 1 of every calendar year in their privacy policy (or on their website and accessible from a link included in their privacy policy), with some variations depending on how the business tracks the data.

The deadline to submit written comments on the proposed modifications is February 24, 2020. Our firm will continue to review the draft regulations as we work with clients to develop practical guidance on complying with the CCPA. If you have questions on how the regulations may impact your business, or if you would like assistance in submitting a written comment, please contact Alysa Hutnik, Aaron Burstein, Katie Townley, or Carmen Hinebaugh.

The California Attorney General unveiled its data broker registry on Monday. On or before January 31st, companies qualifying as a “data broker” based on the prior year’s activities are required to register their name and contact information with the Attorney General and may provide a statement concerning their data collection practices. A list of “data brokers” will be published for public inspection.

California law defines a business as a “data broker” when it “knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” That definition is considerably broader than the definition of a “data broker” under Vermont’s now year-old registration requirement.

After registering for an account, a user on the Attorney General’s website can submit a registration of a data broker. The registration page includes the following fields:

  • Data broker name
  • Email address
  • Website URL
  • Country
  • Address, City, State & Zip Code
  • A description of how a consumer may opt out of sale or submit requests under the CCPA.
  • A description of how a protected individual can demand deletion of information posted online under Gov. Code 6208.1(b) or 6254.21(c)(1). These code sections relate to legal protections for government officials and victims of domestic violence, sexual assault, and stalking who would like their personal contact information removed from being posted publicly on the internet.
  • Additional information about data collection practices.

In an emergency regulation approved on December 18, 2019, the California Department of Justice set the initial registration fee at $360. The fee is based on an assumption that 1,000 data brokers will register, splitting almost evenly the $360,972 estimated cost of setting up the registration website. By comparison, only 165 data brokers are listed in the Vermont data broker registry.

If you have any questions about whether your business qualifies as a data broker under California law, please contact Alysa Hutnik or Alex Schneider at Kelley Drye.