The California Attorney General’s office announced a fourth set of proposed modifications to the CCPA regulations. These modifications: (1) clarify the requirement for businesses that sell personal information that is collected offline to provide offline opt-out notices; and (2) propose an opt-out button for businesses to feature online along with opt-out notices and the “Do Not Sell My Personal Information” link.

Clarifying offline opt-out notice requirements. The modifications proposed in October required any business that collects personal information offline to provide, through an offline method, notice of the consumer’s right to opt out.

  • The modified regulations now specify that businesses that sell personal information that they collect “in the course of interacting with consumers offline” must provide an offline notice of the consumer’s right to opt-out, and provide instructions for how the consumer can opt out.
  • The same examples of providing notice on a paper form, posting a sign in a store, or giving an oral notice over the phone still apply.

While not explicitly stated in the proposal, this modification suggests that businesses that collect personal information offline, but do not sell that personal information, are not required to provide an offline opt-out notice, even if the business separately sells personal information that it collects online. In response to the October proposal, numerous comments indicated that requiring an opt-out notice when the business did not sell information collected offline could potentially confuse consumers.

Proposing an optional opt-out button. After delaying the introduction of the opt-out button in the first set of CCPA regulations, the Attorney General’s office has proposed the following blue button for businesses to use in addition to providing an opt-out notice and “Do Not Sell My Personal Information” link:

Use of the button does not absolve a business from posting the opt-out notice or link where otherwise required. Where a business that posts a “Do Not Sell My Personal Information” link chooses to use the button, the button must appear to the left of the link (as shown above) in “approximately the same size as any other buttons used by the business on its webpage,” and it must link to the same landing page as the “Do Not Sell My Personal Information” link itself.

Process and Timing. The deadline to submit written comments to the proposed modifications is 5:00 PM PST on December 28, 2020. The regulations have been a continued work in progress for the Attorney General’s office since their first publication in October 2019. We will continue to monitor any further changes and will provide updates on the blog.


California became the first U.S. state with a comprehensive consumer privacy law when the California Consumer Privacy Act (“CCPA”) became operative on January 1, 2020. The CCPA provides for broad privacy rights for residents of California and imposes data protection obligations on companies doing business in California that meet certain criteria.  For further background on the CCPA, see our prior CCPA blog posts here.

Privacy Risks Trigger Public Disclosure

While many businesses continue to work on their CCPA privacy compliance strategies and risk mitigation measures, those subject to the law also should consider whether their data practices prompt any material disclosures. Item 105 of Securities and Exchange Commission (“SEC”) Regulation S-K requires public companies to disclose the most significant factors that make investing in their securities speculative or risky.

The SEC published a proposed rule for public comment in the Federal Register on August 23, 2019, that sets forth amendments to modernize the description of business, legal proceedings, and risk factor disclosures that registrants are required to make pursuant to Regulation S-K.  In a public comment to the proposed rule, the World Privacy Forum advised the SEC that the privacy and security risks and obligations that companies face today require that there be more disclosure of those risks in public disclosures. Thus, it requested that the SEC expressly require the appropriate disclosure of material privacy and security risks faced by regulated companies.

In support of its request to the SEC, the World Privacy Forum pointed not only to the risk of data breaches, but also to the material impact that privacy regulations, including the CCPA, can have on a company’s operations. Specifically, it pointed to a $5 billion fine that the Federal Trade Commission imposed on Facebook for its failure to comply with a privacy-related FTC consent decree and the potential for a fine of up to four percent of a company’s worldwide revenues for violations of the European Union’s General Data Protection Regulation (“GDPR”).

The comment continues, however, by noting that fines are not the only risk that companies face from privacy regulations. Compliance with privacy and security regulations can also pose a material risk to a company’s operations; the comment specifically cites:

  • Loss of markets, customers, and opportunities;
  • Failure of business models to be consistent with privacy requirements;
  • Charges for responding to data breaches; and
  • Loss of key personnel.

Because privacy and security risks are unique to each company, boilerplate disclosures will not suffice to warn investors of these risks. As noted in the comment, a company that collects and uses consumer data as part of its business model faces a significantly larger threat to the continuity of its operations by privacy regulations than a company that maintains only its employees’ data.

These and other privacy law developments are a good reminder for public companies that their CCPA-related exposure extends beyond the CCPA’s monetary provisions, which are limited to a narrow private right of action for data breaches, as well as enforcement by the California Attorney General. Class action plaintiffs have used similar data privacy statutes to support securities fraud claims, and companies should expect to see similar claims predicated on compliance with the CCPA. Rather than basing the claim on a direct violation of the privacy statute at issue, such as the CCPA, the complaints are rooted in violations of federal securities laws and claim that the company did not accurately disclose its compliance with regulatory obligations under the privacy law or disclose the impact that the privacy law would have on its business.

Privacy Shareholder Litigation Examples

For example, shareholders of Nielsen Holdings PLC (“Nielsen”) brought a securities class action against the company and some of its officers and directors alleging securities fraud under the federal securities laws based on false or misleading statements made by the company regarding how the GDPR would impact its business and financial performance. The consolidated complaint alleges that the defendants misled investors by stating that the GDPR would not have any major impact on the company, assuring investors that the company was ready for the GDPR’s effective date, and assuring investors that the company would continue to have access to data from Facebook and others, which it relied upon for many of its products and services. The defendants went so far as to call the GDPR a “non-event” for the company.

In reality, however, the GDPR had a material effect as soon as it became effective by preventing Nielsen from getting the data it needed from large data providers. The truth was revealed to the market on July 26, 2018, the complaint alleges, when Nielsen reported its 2Q18 earnings and disclosed a significant decline in its performance. Nielsen attributed its poor performance to the GDPR, and admitted that Nielsen no longer had access to the data from Facebook and other data providers for its analytical products, including data that helped advertisers target individual consumers. Following this disclosure, Nielsen’s stock price declined 25% in one day.

In another securities class action predicated in part on the GDPR, investors alleged that Facebook made false and misleading statements regarding its compliance with the GDPR and the impact that the legislation would have on its business and operations. Specifically, the operative complaint alleges that Facebook made materially false and misleading statements when: “(i) it falsely and without a reasonable basis assured investors that GDPR had not caused, and would not cause, a decline in active use of Facebook’s solid [sic] media platforms; and (ii) it portrayed Facebook as adhering to and prepared to meet the requirements of the GDPR, when in reality Facebook was not.”

The investors claim that the truth was revealed to the market on July 25, 2018, when Facebook released its 2Q18 earnings report and revealed “a significant decline in users in Europe, zero user growth in the United States, decelerating worldwide growth of active users (i.e., those most responsible for generating data used in targeted advertising), lower than expected revenues and earnings, ballooning expenses affecting profitability, and reduced guidance going forward.” The company’s stock dropped by nearly 19% the following day.

The complaint alleges that the GDPR contributed to Facebook’s declining revenue growth by limiting the data that users share with the company, which led to a reduction in spending by advertisers, and by requiring the company to “incur billions in expenses to become privacy compliant.” The complaint alleged this was in contrast to the company’s prior reassurances that the GDPR would not have a material impact on Facebook’s business because the vast majority of users were opting into data sharing and because the company’s privacy practices were already compliant with the regulation.

Facebook and Nielsen are examples of a growing trend in securities class action litigation: cases that allege class-wide harm to shareholders based on violations of the federal securities laws (here, sections 10(b) and 20(a) of the Securities Exchange Act of 1934 and Rule 10b-5), rather than harm to consumers based on direct violations of privacy statutes like the GDPR or CCPA. Also notable is that neither of these class actions was preceded by regulatory action prosecuting a breach of the privacy regulation by the company. The Facebook plaintiffs recently filed their Third Amended Complaint and Nielsen has a pending motion to dismiss, so it remains to be seen whether this theory of securities fraud will prove successful for plaintiffs’ attorneys.

Public Company Privacy Disclosure Considerations

These developments raise several considerations for public companies.  At a minimum, public companies should ensure that they have accurately assessed and disclosed their compliance with and exposure under privacy statutes, including the CCPA. Companies should not attempt to rely on generic risk disclosure provisions but instead should provide thoughtful, tailored disclosures of the impact that newly-enacted data protection legislation—including the CCPA—will have on their businesses.

Companies also would do well to consider the extent to which:

  • The company’s data practices trigger compliance with U.S. and international privacy laws (often this means becoming familiar with the broadening definition of personal information under such laws);
  • Increased consumer rights concerning the sharing of personal information may limit or preclude the company’s ability to use the personal information in a manner that is material to its business practices, which could impact the company’s growth strategies or financial condition;
  • Data protection laws and industry changes will require the company to delete or remove consumer information from its records or otherwise materially increase the costs of doing business to ensure compliance;
  • The company’s failure to comply with privacy or data protection obligations could result in governmental investigations, enforcement actions or litigation, resulting in monetary penalties to the company, restrictive injunction terms, or a general loss of trust in the company, which in turn could have an adverse effect on a company’s reputation and business;
  • Data protection laws and industry changes will result in changes to the company’s data sources that, in turn, could affect the company’s ability to procure the data necessary for the company’s operations and thereby limit sources of revenue for the company;
  • Data protection laws and industry changes will result in business clients or consumer users choosing to limit or not adopt and use the company’s products, affecting the company’s ability to acquire customers and thereby limiting sources of revenue for the company.

While privacy laws in the U.S. are clearly at an inflection point, the trend line demonstrates that data strategies must be evaluated both for their possibilities and for their potential risks to the company. Public companies that routinely perform rigorous internal privacy analyses and closely monitor these fast-moving legal and industry changes will be better positioned to address their transparency obligations and, in so doing, mitigate the risk of facing privacy shareholder suits.


Only two months after finalizing the CCPA regulations, the California Attorney General’s office today released a new set of proposed changes, most significantly addressing “Do Not Sell My Personal Information” requests. The office has also recommended changes to the regulations related to providing notice when businesses collect personal information offline, proof required when an authorized agent submits a request on behalf of a consumer, and a grammatical change related to providing notice of how to opt in to the sale of children’s information.

  • Do Not Sell Requests. The proposed addition specifies that a “Do Not Sell” request must “be easy for consumers to execute and shall require minimal steps to allow the consumer to opt-out.” The change would prohibit businesses from using any method that is designed to or would have the effect of preventing a consumer from opting out. The proposal enumerates specific examples, such as requiring a consumer to: (1) complete more steps to opt out than to re-opt in after a consumer had previously opted out; (2) provide personal information that is not necessary to implement the opt-out request; and (3) read through a list of reasons why he or she shouldn’t opt out before confirming the request.
  • Notice for Offline Collection. The proposal requires businesses that collect personal information offline to provide an offline notice, such as providing consumers with paper forms or posting signs in a store, or giving an oral notice if collecting personal information over the phone.
  • Authorized Agent Requests. The finalized regulations previously permitted businesses to require that a consumer provide the authorized agent with signed permission to submit the access or deletion request. The proposed change shifts the burden to the authorized agent to provide proof of signed permission, rather than imposing the requirement on the consumer to provide signed permission.
  • Children’s Information. The proposed grammatical change in section 999.332, requires businesses who sell personal information of children under the age of 13 or between the ages of 13 and 15 (rather than both) to include a description of how to make a sale opt-in request in their privacy policies.

The deadline to submit written comments related to these proposals is 5:00 PM PST on October 28, 2020. We will continue to monitor and will report any changes made to the regulations once they are finalized.

***


Futureproofing Privacy Programs
Building a successful privacy program requires much more than compliance with data protection laws. To thrive in today’s global, data-driven environment, companies also need to understand the political environment and public attitudes surrounding privacy in the countries in which they operate. Of course, companies must anticipate and adapt to changing privacy regulations as well. This webinar will present strategies to help meet these challenges, with a focus on setting up structures to join local awareness with global compliance approaches.

This webinar will feature Kelley Drye attorney Aaron Burstein, along with Constantine Karbaliotis, Abigail Dubiniecki and Kris Klein of nNovation LLP.


Prior to the September 30 deadline to sign or veto legislation, California Governor Gavin Newsom recently took action on three bills related to data privacy. Bringing some potential certainty to the dynamic CCPA landscape, Governor Newsom signed into law AB 1281, which provides for the extension of the CCPA’s exemptions related to employee data until January 1, 2022. In 2019, the Legislature exempted from the CCPA collection of personal information from job applicants, employees, business owners, directors, officers, medical staff, and contractors until January 1, 2021. Notably, AB 1281 only goes into effect if California voters do not approve the California Privacy Rights Act (CPRA) ballot initiative on November 3rd.

However, Governor Newsom vetoed two other privacy bills that would have tightened data- and service-specific regulations beyond the CCPA’s standards. Citing the risk of unintended consequences during the COVID-19 pandemic, Governor Newsom nixed SB 980, which would have created heightened privacy and security requirements for genetic data handled by direct-to-consumer genetic testing and analysis companies. Instead, Governor Newsom directed the state’s Health and Human Services Agency and Department of Public Health to work with the Legislature to identify “a solution that achieves the privacy aims of the bill while preventing inadvertent impacts on COVID-19 testing efforts.”

The second vetoed bill, AB 1138, would have required companies that offer “social media” services to obtain parental consent before allowing a user who companies actually know to be under the age of 13 to create an account. In his veto message, Governor Newsom explained that AB 1138 “would not meaningfully expand protections for children,” but indicated that he is “open to exploring ways to build upon current law to expand safeguards for children online.”

Privacy developments in California this year are unlikely to end with the Legislature’s session. As we have discussed, the November 3rd vote on CPRA could have far-reaching implications for California privacy law. With the election only 33 days away, we will continue to monitor and post relevant updates.

On August 30th, the California legislature passed a bill to continue the employee and business-to-business (B2B) exemptions contained in the CCPA for another year. Currently, the CCPA provides two limited exemptions for employee and B2B information, under which this information is excluded from most CCPA requirements. Both exemptions expire on January 1, 2021. Assembly Bill 1281 (“AB 1281”) would continue them until January 1, 2022.

AB 1281 was crafted as a backstop in case the California Privacy Rights Act (“CPRA”) does not pass during the state’s November 3rd general election. AB 1281 only takes effect if the legislation is enacted and voters do not approve CPRA. If CPRA receives enough votes (which most anticipate is likely), the ballot initiative would extend the exemptions until January 1, 2023. To learn more about CPRA and to view a comparison between CPRA and CCPA, visit our past blog post here and our podcast here.

Governor Newsom has until September 30th to sign AB 1281 into law. If neither AB 1281, nor CPRA becomes law, the CCPA employee and B2B exemptions will expire on January 1, 2021. Please contact any of the attorneys in Kelley Drye’s Privacy Group if you would like assistance with California privacy compliance.

The California Office of Administrative Law today approved the CCPA Regulations that the California Attorney General submitted in June, and the regulations are effective immediately. As we discussed here, the now-final regulations, for the most part, substantively match those that the AG released in March, with a few notable changes.

Significantly, the AG has removed the shortened “Do Not Sell My Info” language throughout the final regulations to align with the statutory language. While the final regulations do not explicitly prohibit abbreviations, this removal indicates that businesses must include the full “Do Not Sell My Personal Information” language in their website link to an opt-out request. This is consistent with the statute, which requires businesses to include “a clear and conspicuous link on the business’s Internet homepage, titled ‘Do Not Sell My Personal Information’” that links to an opt-out request. Apparently, there is no room for flexibility on this display.

The Addendum to the Final Statement of Reasons also identifies four other provisions that the AG has “withdrawn”:

  • Former § 999.305(a)(5) requiring a business to provide notice and obtain explicit consent prior to using a consumer’s personal information for a “materially different purpose” than disclosed in the notice at collection.
  • Former § 999.306(b)(2) requiring businesses that substantially interact with consumers offline to provide consumers with an offline notice informing them of their right to opt-out.  In other words, there is no longer an express requirement to provide an offline Do Not Sell My Personal Information notice, such as a paper form or store signage. Notably, the obligation to provide an offline Notice at Collection still applies.
  • Former § 999.315(c) indicating that a business must implement an easy opt-out method for consumers, and must not use a method that would impair a consumer’s decision to opt-out (though a business is still required to consider ease of use when implementing an opt-out method).
  • Former § 999.326(c) permitting a business to deny a request from an authorized agent who does not submit proof of consumer authorization (though a business may still require a consumer to verify his or her identity directly with the business when using an authorized agent, and the business may deny opt-out requests from an authorized agent if the agent cannot provide signed permission that demonstrates authorization from the consumer).

While the Addendum does not provide any rationale for these withdrawals, it notes that the AG “may resubmit [the withdrawn] section[s] after further review and possible revision.” The Addendum also identifies other “non-substantive changes” the AG has made, including grammatical and syntax modifications.

While July 1 marked the CCPA’s enforcement date, the finalized regulations now fix the requirements with which an entity must comply under the CCPA. With each violation subject to a civil penalty of up to $2,500 (up to $7,500 per intentional violation), entities should carefully review their current CCPA practices to ensure compliance with both the statute and the final regulations.

If you have questions on how the finalized regulations may affect your business, please contact Alysa Hutnik and Lauren Myers.  If you have other CCPA questions, please see our other CCPA blog posts and our Advertising and Privacy Law Resource Center.

The replay for our July 30, 2020 California Consumer Privacy Act (CCPA) for Procrastinators: What You Need To Do Now If You Haven’t Done Anything Yet webinar is available here.

The coronavirus pandemic has put many things on hold, but CCPA enforcement is not one of them. The California Attorney General’s enforcement authority kicked in on July 1, 2020, and companies reportedly have begun to receive notices of alleged violation. In addition, several class actions have brought CCPA claims. Although final regulations to implement the CCPA have yet to be approved, compliance cannot wait.

If you’re not yet on the road to CCPA compliance (or would like a refresher), this webinar is for you. We covered:

  • Latest CCPA developments
  • Compliance strategies
  • Potential changes to the CCPA if the California Privacy Rights Act (CPRA) ballot initiative passes

Anyone who has not begun their CCPA compliance efforts or thinks they need a refresher should watch this webinar.

To view the presentation slides, click here.

To view the webinar recording, click here.


January 1, 2020 was the effective date for the California Consumer Privacy Act (CCPA).  As we reported and summarized in our Q1 2020 CCPA Litigation Round-Up, private litigants wasted no time in filing consumer-related causes of action under the new law.

Here, we provide an update on material developments in that first wave of claims and report on additional private lawsuits commenced in the first half of the year. We have categorized the recently filed cases into those stemming from a data breach and those that do not. The latter category is further split by the underlying alleged violations; last quarter, the non-breach claims related to the disclosures and opt-out mechanisms required by the CCPA as well as the scope of “personal information” covered by the CCPA.

1. Update on Cases Reported in Q1 2020

Continue Reading CCPA Litigation Round-Up: Q2 2020

On June 24, 2020, the Secretary of State of California announced that the California Privacy Rights Act (CPRA) had enough votes to be eligible for the November 2020 general election ballot. CPRA is a ballot initiative which, if adopted, would amend and augment the California Consumer Privacy Act (CCPA) to increase and clarify the privacy rights of California residents. The result is a law that is closer in scope to robust international privacy laws, such as the GDPR. For more information on the CCPA, please see our posts here.

To be eligible for the November 2020 ballot, CPRA needed to obtain over 623,212 verified signatures. If passed by a simple majority of California voters in November, as is looking likely, the CPRA will become effective on January 1, 2021, with most compliance obligations required by January 1, 2023. With the exception of the access right, the CPRA would apply only to personal information collected after January 1, 2022. Additionally, the CPRA would extend the CCPA’s temporary business to business exemption and employee data exemptions (which are scheduled to sunset on January 1, 2021) until January 1, 2023.

Until January 1, 2023, businesses would need to comply with the CCPA and any finalized regulations in force (which could mean both CCPA and CPRA regulations). The Attorney General would preserve its authority to issue CCPA regulations and enforcement during this period, and a new privacy agency would be formed with its own rulemaking and enforcement authority.

For more information on the comparison between CCPA and CPRA, please see our chart below. While there are no immediate action items, companies may benefit from reviewing the CPRA requirements to assess what changes may be necessary should the ballot pass. And a reminder — the CCPA enforcement date is set for July 1, 2020, although it is not yet clear whether the CCPA regulations will be effective by then; the Office of Administrative Law’s review remains pending. Please contact any of the attorneys in Kelley Drye’s Privacy Group if you would like assistance in California privacy compliance.

Comparison of the CCPA and the CPRA

“Business” Threshold
  CCPA: $25 million annual revenue; or 50,000+ consumers; or 50% of annual revenue derived from selling consumers’ personal data.
  CPRA: $25 million annual revenue; or buys, sells or shares the personal data of 100,000+ consumers or households; or 50% of annual revenue derived from selling or sharing consumers’ personal data.

Operative date
  CCPA: January 1, 2020.
  CPRA: January 1, 2023, and applies only to personal information collected on or after January 1, 2022, except with regard to access requests.

Employee and B2B exemptions
  CCPA: Sunset January 1, 2021.
  CPRA: Sunset January 1, 2023.

“Sold” and “Shared” definitions
  CCPA: “Sell,” “selling,” “sale,” or “sold” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating … for monetary or other valuable consideration.
  CPRA: The term “sold” is broadened to “sold or shared.” This change is accompanied by a change in the definition of what it means to sell, which removes the carve-out for sharing personal information with a service provider (although this point is addressed in a narrower definition of “third party”).

Service providers and contractors
  CCPA: A service provider is an entity “that processes information on behalf of a business … provided that the contract prohibits the entity receiving the information from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business…”
  CPRA: Introduces new requirements to qualify as a “service provider” and adds a new definition of a “contractor” that mirrors the definition of a service provider. Clarifies and adds requirements regarding service providers’ use of the data, such as a requirement that service providers silo the data they learn about a consumer from other sources (this is more restrictive than the AG’s CCPA regulations). Requires contractual terms, similar to the GDPR.

Consent
  CCPA: Consent is not required by the CCPA. However, the definition of sale contains guidance regarding “intentional interactions.”
  CPRA: Consent is defined as any freely given, specific, informed and unambiguous indication of the consumer’s wishes by which he or she … signifies agreement to the processing of personal information relating to him or her for a narrowly defined particular purpose. Introduces the concept of “dark patterns,” defined as a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making or choice, as further defined by regulation. Agreement obtained through the use of dark patterns does not constitute consent.

Sensitive information
  CCPA: Does not contain separate provisions for sensitive information (other than increased verification requirements).
  CPRA: Contains disclosure, opt-out, and purpose limitation requirements for sensitive information.

Automated decision-making
  CCPA: N/A.
  CPRA: Introduces the concept of “profiling.” Calls for regulations requiring businesses’ responses to access requests to include meaningful information about the logic involved in such profiling, as well as a description of the likely outcome of the process with respect to the consumer.

Right to correct
  CCPA: N/A.
  CPRA: Gives consumers the right to correct inaccurate information.

Opt out of targeted advertising
  CCPA: Does not restrict targeted advertising if it can be conducted without “selling” data.
  CPRA: Providing advertising or marketing services is a business purpose, but this does not include “cross-context behavioral advertising,” a newly defined term for ads targeted to consumers based on a profile or predictions about the consumer related to the consumer’s activity over time and across multiple businesses or distinctly branded services, websites or applications. Contains a broader opt-out provision (for both “sale” and “sharing”) and specifically limits service providers from engaging in any cross-context behavioral advertising.

Retention
  CCPA: Does not contain any requirement that businesses disclose their retention practices to consumers.
  CPRA: Businesses must disclose, at the time of collection, the length of time the business intends to retain each category of personal information, including sensitive personal information, or, if that is not possible, the criteria used to determine that period. A business cannot retain personal information for longer than is reasonably necessary for the disclosed purpose.

GDPR concepts
  CCPA: N/A.
  CPRA: Contains language to promote the following GDPR principles:
  • Data minimization
  • Purpose limitation
  • Duty to avoid secondary use

Enforcement
  CCPA: Enforced by the Attorney General. Allows a 30-day period to cure violations.
  CPRA: Establishes the California Privacy Protection Agency, which would have a broad scope of responsibilities and enforcement powers. Expands the data breach private right of action to cover an email address in combination with a password or security question and answer that would permit access to the account. Retains the 30-day cure period only for the private right of action for security breach violations, rather than for general privacy violations of the law. Fines for violations involving children’s personal data are tripled.


On June 2, California Attorney General Xavier Becerra announced that he had submitted final CCPA regulations to the Office of Administrative Law (OAL) for review. The final regulations are substantively identical to the second set of modified proposed regulations, which the AG released in March. In addition, the AG issued a Final Statement of Reasons that (1) explains the changes between the first draft and final regulations, and (2) is accompanied by Appendices that respond to each public comment received throughout the rulemaking process – including written comments submitted in response to each draft of proposed regulations and those provided at the four public hearings held in December 2019.

We have described below some of the key provisions of the final regulations, which will impose additional requirements on businesses, service providers, and third parties and data brokers, and likely require the design and implementation of new processes. Whatever hardship the regulations may cause, it is clear that the AG is prioritizing consumer privacy, explaining that the office “has made every effort to limit the burden of the regulations while implementing the CCPA” and does not believe the regulations are “overly onerous or impractical to implement, or that compliance would be overly burdensome or would stifle businesses or innovation.” Continue Reading CCPA Update: Final Regulations Submitted but No Changes from Prior Draft