California Consumer Privacy Act (CCPA)

Among the many details to absorb in the draft amendments to the CCPA regulations published by the California Privacy Protection Agency (“CPPA”) on May 27 (the “Draft Regulations”) are new and prescriptive disclosure requirements for notices at collection and privacy policies. While these disclosure provisions (and all of the other provisions of the Draft Regulations)

In the first formal written opinion interpreting CCPA compliance obligations, California Attorney General Rob Bonta concludes that the CCPA grants consumers the right to know and access internally generated inferences that businesses generate about them, but that the CCPA does not require businesses to disclose trade secrets.

The 15-page opinion, issued on March 10, responds to a question posed by Sacramento area Assemblyman Kevin Kiley (R): “Under the California Consumer Privacy Act, does a consumer’s right to know the specific pieces of personal information that a business has collected about that consumer apply to internally generated inferences the business holds about the consumer from either internal or external information sources?”

OAG’s response, in a nutshell, is “yes.”  Giving consumers access to inferences is important, according to OAG, because “inferences are one of the key mechanisms by which information becomes valuable to businesses, making it possible to target advertising and solicitations, and to find markets for goods and services.”  OAG further notes that nothing in the Consumer Privacy Rights Act (CPRA) changes its analysis.  The opinion also suggests that the OAG will refer to the CCPA’s broad purposes, such as giving “consumers greater control over the privacy of their personal information,” to support its interpretations.
Continue Reading California AG’s First CCPA Opinion Takes a Broad View of the Right to Access Inferences

The California Office of the Attorney General has published a list of recent CCPA enforcement examples on its website.  Each example summarizes the AG’s allegation of noncompliance and the steps that the companies took to cure the alleged noncompliance.

Under CCPA, companies have 30 days to cure noncompliance after which the California AG may initiate a civil action for civil penalties not to exceed $2,500 for each violation or $7,500 for each intentional violation.  In each example made public by the California AG, the AG stated that the target of the enforcement action cured the violation and the California AG did not assess penalties.  In January 2023, however, the right to cure will sunset when the CPRA takes effect.

Continue Reading CCPA Update: California AG Releases List of Enforcement Actions 

The California Privacy Rights Act (CPRA), effective January 1, 2023, adds “contractors” to the list of entities that a business may entrust with customer data.  So what is a “contractor?”  And how are “contractors” different from other entities described by California privacy law, such as “service providers” or “third parties?”

As it turns out, the answer is surprising.  Contractors are nearly identical to service providers, with just two differences:  contractors are not data processors; and contractors must make a contractual certification in CCPA contracts.  Moreover, contractors are not even new entities, and were already described in existing California privacy law.

Origins of “Contractors” in CCPA

To help explain the origins of the new contractor classification, we start with the California Consumer Privacy Act (CCPA).  Under the CCPA, now in effect, each disclosure of personal information from a covered business to another entity is regulated, either via consumer opt out preferences or via contractual restrictions.  Altogether, there are three potential data flows described in the CCPA:  business to third party, business to service provider, and business to a person who is not a third party.  We describe each in turn:

  • Business to Third Party:  First, when a business discloses personal information to a third party, this constitutes the “sale” of personal information (unless an exception applies, such as in the context of an intentional disclosure).  The CCPA grants consumers the right to opt out of such sales of their personal information to prevent these data flows.

As an example, selling a marketing list to a third party or sharing profile information with an adtech partner in most cases would be considered a sale of personal information to a third party.

  • Business to Service Provider:  Second, when a business discloses personal information to a service provider, no “sale” occurs and there is no right of consumers to opt out.  The requirements for the recipient to be a service provider are that (1) the service provider processes personal information on behalf of the business, and (2) the service provider agrees to retain, use, or disclose the personal information only for business purposes specified in a written contract.

Service providers provide technical, professional, and other business support to the business.  For example, a service provider might offer various services such as cloud-based servers or software, consulting, or e-commerce fulfillment services.

  • Business to a Person Who Is Not a Third Party:  Finally, there is a rarely discussed third option in the CCPA.  The CCPA states that any recipient of personal information that agrees to certain enhanced contractual terms is not a third party.  This third category requires that the recipient agree to contractual terms that mirror service provider contractual terms, along with three additional terms:  (1) to refrain from selling the personal information, (2) to refrain from retaining, using, or disclosing the information outside the direct business relationship between the recipient and the business, and (3) to certify that the recipient understands the above contractual restrictions.

This third option is significant to avoid the “sale” of personal information.  If the recipient is not a third party, then a sale can only occur if the recipient is a “business” under CCPA.  In many cases, the recipient will not be a business either, typically because the recipient does not determine the purposes and means of processing the personal information.

As an example, if an authorized reseller furnishes a manufacturer with a list of new orders for fulfillment, and the manufacturer agrees to use the list only to fulfill orders, the manufacturer is not a third party.   Because the manufacturer does not determine the purposes and means of processing the personal information it receives, the manufacturer is not acting as a “business.”  No sale occurs.

Similarly, if an identity verification service sends personal information to a company to assist that company with confirming the identity of an applicant for service, and the company agrees contractually to limit its use and disclosure of the information for business purposes, the recipient is not a third party or business and no sale occurs from the identity verification service to the business.

Here’s a summary of the entities that may receive personal data under the CCPA:
Continue Reading CPRA Update: What is a “Contractor?”

California officials today announced their nominees to be the five inaugural members of the California Privacy Protection Agency (“CPPA”) Board.  Created by the California Privacy Rights Act (“CPRA”), the CPPA will become a powerful, state-level privacy regulator long before its enforcement authority becomes effective in 2023, and today’s appointments move the CPPA one large step

California’s Office of Administrative Law approved further revisions to the Attorney General’s CCPA regulations on March 15, 2021. The revisions went into effect upon approval. In substance, the revisions are identical to the fourth set of modifications the Attorney General proposed on December 10, 2020, and make the following changes: (1) Notice for Sale of PI Collected Offline: Businesses that sell personal information collected offline must provide an offline notice by means such as providing paper copies or posting signs in a store, or giving an oral notice if collecting personal information over the phone. (2) Opt-Out Icon: The revised regulations provide that businesses may use an opt-out icon in addition to, but not in lieu of, notice of a right to opt out or a “Do Not Sell My Personal Information” link. (3) Do Not Sell Requests: A “Do Not Sell” request must “be easy for consumers to execute and shall require minimal steps to allow the consumer to opt-out.” The change prohibits businesses from using any method that is designed to or would have the effect of preventing a consumer from opting out. The revised regulation offers examples of prohibited opt-out practices, which include requiring a consumer to: (A) complete more steps to opt out than to re-opt in after a consumer had previously opted out; (B) provide personal information that is not necessary to implement the opt-out request; and (C) read through a list of reasons why he or she shouldn’t opt out before confirming the request. (4) Consumer Requests from Authorized Agents: A business may now require an authorized agent who submits a request to know or delete to provide proof that the consumer gave the agent signed permission to submit a request. The regulations also preserve the options business previously had of requiring the consumer to verify their identity directly to the business or directly confirming that they provided the authorized agent permission to submit the request. (5) Children’s Information: The addition of the word “or” in section 999.332 requires businesses that sell personal information of children under the age of 13 “and/or” between the ages of 13 and 15 to describe in their privacy policies how to make an opt-in to sale requests. We will continue to monitor closely further developments in CCPA regulations.California’s Office of Administrative Law approved further revisions to the Attorney General’s CCPA regulations on March 15, 2021.  The revisions went into effect upon approval.  In substance, the revisions are identical to the fourth set of modifications the Attorney General proposed on December 10, 2020, and make the following changes:

(1) Notice for Sale of

On Tuesday, November 3, 2020, California voters passed ballot Proposition 24, the California Privacy Rights Act of 2020 (“CPRA”). Also known as CCPA 2.0, CPRA brings a number of changes to the CCPA, the majority of which will become operative on January 1, 2023. In addition to revising some of the definitions that are fundamental

California became the first U.S. state with a comprehensive consumer privacy law when the California Consumer Privacy Act (“CCPA”) became operative on January 1, 2020. The CCPA provides for broad privacy rights for residents of California and imposes data protection obligations on companies doing business in California that meet certain criteria.  For further background on

Only two months after finalizing the CCPA regulations, the California Attorney General’s office today released a new set of proposed changes, most significantly addressing “Do Not Sell My Personal Information” requests. The office has also recommended changes to the regulations related to providing notice when businesses collect personal information offline, proof required when an

Prior to the September 30 deadline to sign or veto legislation, California Governor Gavin Newsom recently took action on three bills related to data privacy. Bringing some potential certainty to the dynamic CCPA landscape, Governor Newsom signed into law AB 1281, which provides for the extension of the CCPA’s exemptions related to employee data