California Consumer Privacy Act (CCPA)

The spotlights of the consumer privacy world are once again on California after the new California Privacy Protection Agency made a surprise Friday night release of its draft California Privacy Rights Act (CPRA) regulations on May 27, 2002.

In this webinar in association with Mondaq, Robert Cunningham and Rod Ghaemmaghami provided observations on the

The replay for our April 28, 2022 Consumer Privacy Litigation Update webinar is available here.

The increasing number of states enacting privacy laws means more privacy litigation. On this webinar, partners Lauri Mazzuchetti and Becca Wahlquist highlighted emerging trends across the docket of privacy litigation cases, provided an update on key cases involving consumer

The replay for our April 28, 2022 Privacy Priorities for 2022: Tracking State Law Developments webinar is available here.

In the absence of a federal privacy law, privacy has been at the forefront of many states’ legislative sessions this year. Against this backdrop, state attorneys general continue to initiate investigations into companies’ privacy practices,

In the first formal written opinion interpreting CCPA compliance obligations, California Attorney General Rob Bonta concludes that the CCPA grants consumers the right to know and access internally generated inferences that businesses generate about them, but that the CCPA does not require businesses to disclose trade secrets.

The 15-page opinion, issued on March 10, responds to a question posed by Sacramento area Assemblyman Kevin Kiley (R): “Under the California Consumer Privacy Act, does a consumer’s right to know the specific pieces of personal information that a business has collected about that consumer apply to internally generated inferences the business holds about the consumer from either internal or external information sources?”

OAG’s response, in a nutshell, is “yes.”  Giving consumers access to inferences is important, according to OAG, because “inferences are one of the key mechanisms by which information becomes valuable to businesses, making it possible to target advertising and solicitations, and to find markets for goods and services.”  OAG further notes that nothing in the Consumer Privacy Rights Act (CPRA) changes its analysis.  The opinion also suggests that the OAG will refer to the CCPA’s broad purposes, such as giving “consumers greater control over the privacy of their personal information,” to support its interpretations.
Continue Reading California AG’s First CCPA Opinion Takes a Broad View of the Right to Access Inferences

Top Privacy Issues to Watch in 2022You’ve probably seen a lot of privacy forecasts for 2022 during the past few weeks. Here’s one that reflects the collective thoughts of our diverse privacy team, which includes former high level officials from the FTC and State AG offices, and practitioners who have been advising clients about privacy for over 30 years.

Note:

The California Office of the Attorney General has published a list of recent CCPA enforcement examples on its website.  Each example summarizes the AG’s allegation of noncompliance and the steps that the companies took to cure the alleged noncompliance.

Under CCPA, companies have 30 days to cure noncompliance after which the California AG may initiate a civil action for civil penalties not to exceed $2,500 for each violation or $7,500 for each intentional violation.  In each example made public by the California AG, the AG stated that the target of the enforcement action cured the violation and the California AG did not assess penalties.  In January 2023, however, the right to cure will sunset when the CPRA takes effect.

Continue Reading CCPA Update: California AG Releases List of Enforcement Actions 

The Colorado Legislature recently passed the Colorado Privacy Act (“ColoPA”), joining Virginia and California as states with comprehensive privacy legislation. Colorado Governor Jared Polis signed the bill (SB 21-190) into law on July 7, and ColoPA will go into effect on July 1, 2023.

How does the measure stack up against the VCDPA and the CCPA (as amended by CPRA)? The good news is that, in broad terms, ColoPA generally does not impose significant new requirements that aren’t addressed under the CCPA or VCDPA, but there are a few distinctions to note..
Continue Reading Privacy Law Update: Colorado Privacy Bill Becomes Law: How Does it Stack Up Against California and Virginia?

The California Privacy Rights Act (CPRA), effective January 1, 2023, adds “contractors” to the list of entities that a business may entrust with customer data.  So what is a “contractor?”  And how are “contractors” different from other entities described by California privacy law, such as “service providers” or “third parties?”

As it turns out, the answer is surprising.  Contractors are nearly identical to service providers, with just two differences:  contractors are not data processors; and contractors must make a contractual certification in CCPA contracts.  Moreover, contractors are not even new entities, and were already described in existing California privacy law.

Origins of “Contractors” in CCPA

To help explain the origins of the new contractor classification, we start with the California Consumer Privacy Act (CCPA).  Under the CCPA, now in effect, each disclosure of personal information from a covered business to another entity is regulated, either via consumer opt out preferences or via contractual restrictions.  Altogether, there are three potential data flows described in the CCPA:  business to third party, business to service provider, and business to a person who is not a third party.  We describe each in turn:

  • Business to Third Party:  First, when a business discloses personal information to a third party, this constitutes the “sale” of personal information (unless an exception applies, such as in the context of an intentional disclosure).  The CCPA grants consumers the right to opt out of such sales of their personal information to prevent these data flows.

As an example, selling a marketing list to a third party or sharing profile information with an adtech partner in most cases would be considered a sale of personal information to a third party.

  • Business to Service Provider:  Second, when a business discloses personal information to a service provider, no “sale” occurs and there is no right of consumers to opt out.  The requirements for the recipient to be a service provider are that (1) the service provider processes personal information on behalf of the business, and (2) the service provider agrees to retain, use, or disclose the personal information only for business purposes specified in a written contract.

Service providers provide technical, professional, and other business support to the business.  For example, a service provider might offer various services such as cloud-based servers or software, consulting, or e-commerce fulfillment services.

  • Business to a Person Who Is Not a Third Party:  Finally, there is a rarely discussed third option in the CCPA.  The CCPA states that any recipient of personal information that agrees to certain enhanced contractual terms is not a third party.  This third category requires that the recipient agree to contractual terms that mirror service provider contractual terms, along with three additional terms:  (1) to refrain from selling the personal information, (2) to refrain from retaining, using, or disclosing the information outside the direct business relationship between the recipient and the business, and (3) to certify that the recipient understands the above contractual restrictions.

This third option is significant to avoid the “sale” of personal information.  If the recipient is not a third party, then a sale can only occur if the recipient is a “business” under CCPA.  In many cases, the recipient will not be a business either, typically because the recipient does not determine the purposes and means of processing the personal information.

As an example, if an authorized reseller furnishes a manufacturer with a list of new orders for fulfillment, and the manufacturer agrees to use the list only to fulfill orders, the manufacturer is not a third party.   Because the manufacturer does not determine the purposes and means of processing the personal information it receives, the manufacturer is not acting as a “business.”  No sale occurs.

Similarly, if an identity verification service sends personal information to a company to assist that company with confirming the identity of an applicant for service, and the company agrees contractually to limit its use and disclosure of the information for business purposes, the recipient is not a third party or business and no sale occurs from the identity verification service to the business.

Here’s a summary of the entities that may receive personal data under the CCPA:
Continue Reading CPRA Update: What is a “Contractor?”

Key Developments in CCPA Litigation for Q1 2021As we move deeper into the second year of CCPA litigation, the substantive issues continue to develop and we remain focused on the patterns and implications of recent filings and rulings.  In this post, we highlight notable developments in three cases that occurred in the first quarter of 2021.  These cases raise significant issues

California officials today announced their nominees to be the five inaugural members of the California Privacy Protection Agency (“CPPA”) Board.  Created by the California Privacy Rights Act (“CPRA”), the CPPA will become a powerful, state-level privacy regulator long before its enforcement authority becomes effective in 2023, and today’s appointments move the CPPA one large step