Prior to the September 30 deadline to sign or veto legislation, California Governor Gavin Newsom recently took action on three bills related to data privacy. Bringing some potential certainty to the dynamic CCPA landscape, Governor Newsom signed into law AB 1281, which provides for the extension of the CCPA’s exemptions related to employee data
Further to ongoing efforts to evaluate and regulate how companies advertise and label that their products are “Made in the USA,” last week the FTC issued a staff report and a proposed rule that would include the possibility of civil penalties up to $43,280 per violation.
FTC Chairman Joseph Simons joined Commissioners Rohit…
On June 2, California Attorney General Xavier Becerra announced that he had submitted final CCPA regulations to the Office of Administrative Law (OAL) for review. The final regulations are substantively identical to the second set of modified proposed regulations, which the AG released in March. In addition, the AG issued a Final Statement of Reasons that (1) explains the changes between the first draft and final regulations, and (2) is accompanied by Appendices that respond to each public comment received throughout the rulemaking process – including written comments submitted in response to each draft of proposed regulations and those provided at the four public hearings held in December 2019.
We have described below some of the key provisions of the final regulations, which will impose additional requirements on businesses, service providers, and third parties and data brokers, and likely require the design and implementation of new processes. Whatever hardship the regulations may cause, it is clear that the AG is prioritizing consumer privacy, explaining that the office “has made every effort to limit the burden of the regulations while implementing the CCPA” and does not believe the regulations are “overly onerous or impractical to implement, or that compliance would be overly burdensome or would stifle businesses or innovation.”…
Continue Reading CCPA Update: Final Regulations Submitted but No Changes from Prior Draft
CCPA compliance is a cross-functional exercise that requires active participation and buy-in from business units across the organization to tackle data mapping, work flows and employee training. On the latest episode of the Ad Law Access Podcast, special counsel Tara Marciano and associate Alexander Schneider discuss the ongoing challenges of operationalizing CCPA compliance focusing broadly…
The California Consumer Privacy Act (CCPA) provides consumers with a right to non-discrimination when they exercise other privacy rights guaranteed by the law, such as the right to access, delete, or opt out of the sale of their personal information. However, the meaning of “non-discrimination” and the exceptions to this prohibition provided in the CCPA and proposed regulations are among the more confusing aspects of California’s privacy law.
While other privacy laws contain non-discrimination provisions, the CCPA non-discrimination right is notably broader. For example, the CCPA concept of discrimination is not limited to protected or sensitive categories, as is the case with Title VII. Nor is it limited to a specific type of economic activity, as is the case with industry-specific laws such as the Equal Credit Opportunity Act. Instead, CCPA’s non-discrimination right applies to all California consumers exercising any of their other rights under the Act.
This post looks at what the non-discrimination right prohibits (and allows), as well as some of the important questions that the statute and draft regulations leave open. Critical practical issues include being able to (1) distinguish between lawful denials of CCPA rights and impermissible discrimination, and (2) justify the magnitude of financial incentives offered in connection with personal information collection, retention, and sale. With about two months before the CCPA’s July 1 enforcement date, it’s important for businesses to confirm how they are addressing this often overlooked right and square away any final adjustments that may be prudent.
The CCPA grants the California Attorney General (AG) the authority to enforce the CCPA starting on July 1, 2020. Last month, the AG confirmed no intention to delay that enforcement date due to the COVID-19 pandemic, despite mounting industry pressure.
Even if enforcement begins July 1st, companies must contend with another glaring obstacle:…
On Wednesday, the California Attorney General (AG) released a third draft of proposed CCPA regulations for public comment. The draft contains a series of technical corrections, along with a handful of substantive incremental modifications to the prior draft. The limited number of changes signals that the rulemaking process is reaching an end.
The California Attorney General unveiled its data broker registry on Monday. On or before January 31st, companies qualifying as a “data broker” based on the prior year’s activities are required to register their name and contact information with the Attorney General and may provide a statement concerning their data collection practices. A…
While Attorney General Xavier Becerra has indicated his office will prioritize enforcement relating to the sale of minors’ personal information, will direct enforcement efforts at companies that are not showing a willingness to comply, and will not make major changes before finalizing the proposed regulations, the Attorney General has not fielded specific questions about how to implement the law. This state of affairs has left companies scrambling to benchmark their compliance practices against competitors and the industry at large.
In this post, we provide some insights on common questions we are hearing about how to comply with the CCPA in the absence of clear guidance or precedent. Of course, every company is different and companies should always consult with a privacy attorney before deciding on the best way to comply with the CCPA.
- Why are so many companies posting a “Do Not Sell My Info” (DNSMI) button on their website if they do not sell personal information in exchange for money?
- When can a business claim that its ad tech partner and purchased ad tech services are exempt from the “sale” provisions of the CCPA?
- What are the IAB and DAA options for ad tech compliance?
- How do privacy technology vendor tools factor into CCPA Do Not Sell compliance?
- What best practices can companies adopt when verifying a consumer request before providing personal information to the requestor?
- Where are companies posting their DNSMI links?
- What should we do when a consumer clicks on our DNSMI link?
- What does the B2B exemption mean?
- We’re a business, and we sell personal information. Do we have to pass through consumer requests to entities to which we sold data?
- Is there a potential for a private right of action for privacy issues?
- What’s happening with California’s new privacy ballot initiative?
Why are so many companies posting a “Do Not Sell My Info” (DNSMI) button on their website if they do not sell personal information in exchange for money?
Companies that post a DNSMI button but do not sell personal information for money likely have determined that their provision of personal information to ad tech companies in connection with interest-based advertising is a “sale.” Accordingly, they post the DNSMI button to enable consumers to opt out of these “sales.”
The question of whether, and under what circumstances, the use of third-party cookies, pixels, tags, etc. constitutes a “sale” and how to provide DNSMI choices is a flashpoint in the debate over how to interpret the CCPA (as discussed here, here, and here). There is a growing consensus that only a lawsuit or a government enforcement action will resolve this matter.
For now, two ways of analyzing this question are emerging. One position concludes that data collected via a third-party cookie, tag, or pixel may be a potential “sale” because the company adding that cookie, tag, or pixel to its website sends, makes available, or otherwise shares personal information to an ad tech provider in exchange for services, and, critically, where that provider does not restrict its use or sharing of that personal information for the provider’s or other entities’ commercial benefit (other than for a limited number of exempted purposes).
The other position is that the third party directly collects personal information via the cookie, tag, or pixel placed on a publisher’s website, and the publisher is not selling that personal information to the third party responsible for the tracker.
When can a business claim that its ad tech partner and purchased ad tech services are exempt from the “sale” provisions of the CCPA?
The CCPA provides an exemption from the definition of a “sale” when a business uses or shares with a “service provider” personal information of a consumer that is necessary and proportionate to perform a “business purpose.” As a result, companies may want to determine (1) whether an ad tech vendor is a “service provider” and (2) whether that vendor performs its ad tech service for a “business purpose.” Examining specific arrangements with each advertising partner is the best way to address this question and for each of the relevant services provided by the vendor.
Some of the major players in online advertising have laid down public markers that can be helpful in classifying interest-based advertising activities. Examples include:…
Continue Reading CCPA Implementation: An Early Map
Last Monday, Google released its answer to the CCPA: a new “service provider” contract. Given Google’s widely used advertising and analytics technologies, Google’s new contract has the potential to influence how website publishers, advertisers, the Ad Tech industry, and software as a service (SaaS) providers approach compliance with California’s new privacy law.
No “Sales” …