On March 15, the California attorney general announced approval of additional regulations implementing the California Consumer Privacy Act (CCPA). The CCPA—enacted in June 2018 (covered by a Buckley Special Alert) and amended several times—became effective January 1, 2020. According to the announcement, the newly approved amendments strengthen the CCPA regulations approved by the Office of Administrative Law (OAL) last August (covered by InfoBytes here). Specifically, the new amendments:
- Require businesses that sell personal information collected in the course of interacting with consumers offline to notify consumers of their right to opt out through an offline method. Consumers must also be given instructions on how to submit opt-out requests.
- Provide an opt-out icon for businesses to use in addition to posting a notice of right to opt-out. The amendments note that the opt-out icon may not be used in lieu of requirements to post opt-out notices or “do not sell my personal information” links.
The AG’s press release also notes that the California Privacy Rights Act (CPRA), which was approved by voters last November and sought to amend the CCPA, will transfer some of the AG’s responsibilities to the California Privacy Protection Agency (CPPA), covered by InfoBytes here; however, the AG will retain the authority to go to court to enforce the law. Enforcement of the CPRA will begin in 2023.
Additionally, on March 17, the California governor announced appointments to the five-member inaugural board for the CPPA, consisting of experts in privacy, technology, and consumer rights. The CPPA is tasked with protecting the privacy rights of consumers over their personal information, and “will have full administrative power, authority, and jurisdiction to implement and enforce” the CCPA and the CPRA, including bringing enforcement actions before an administrative law judge.
On January 12, the U.S. District Court for the Central District of California dismissed a data breach lawsuit brought against a hotel chain, ruling the plaintiff lacked standing. The plaintiff claimed class members were victims of a data breach when hotel employees at a franchise in Russia allegedly accessed personal information without authorization, including guests’ names, addresses, phone numbers, email addresses, genders, birth dates and loyalty account numbers. The plaintiff’s suit alleged, among other things, violations of the California Consumer Privacy Act and the state’s Unfair Competition Law. While the hotel disclosed the incident last March and admitted that class members’ personal information was compromised, the court determined that the plaintiff lacked standing to bring claims after the hotel’s investigation found that “no sensitive information, such as social security numbers, credit card information, or passwords, was compromised.” The court determined that the plaintiff failed to plausibly plead that any of the class members’ more sensitive data had fallen into the wrong hands, and that “[w]ithout a breach of this type of sensitive information, Plaintiff has not suffered an injury in fact and cannot meet the constitutional requirements of standing.”
On December 29, the U.S. District Court for the Northern District of California granted preliminary approval of a proposed settlement in a class action alleging that a children’s clothing company and a cloud technology service provider (collectively, “defendants”) violated, among other things, the California Consumer Privacy Act (CCPA) after suffering a data breach that potentially exposed the personally identifiable information (PII) customers used to purchase products from the company’s website. After the company issued a notice of the security incident in January 2020, the plaintiffs filed the class action alleging the company failed to (i) “adequately protect its users’ PII”; (ii) “warn users of its inadequate information security practices”; and (iii) “effectively monitor [the company]’s website and ecommerce platform for security vulnerabilities and incidents.”
After mediation, the plaintiffs filed an unopposed motion for preliminary approval of class action settlement, which provides for a $400,000 settlement fund to cover approximately 200,000 class members who made purchases through the company’s website from September 16, 2019 to November 11, 2019. Class members have the option of claiming a cash payment of up to $500 for a Basic Award or of up to $5,000 for a Reimbursement Award, with amounts increasing or decreasing pro rata based on the number of claimants. Additionally, the company agreed to certain business practice changes, including conducting a risk assessment of its data assets and environment and enabling multi-factor authentication for all cloud services accounts. When granting preliminary approval, the court concluded that the agreement does “not improperly grant preferential treatment to any individual or segment of the Settlement Class and fall[s] within the range of possible approval as fair, reasonable, and adequate.”
On December 10, the California Department of Justice (Department) released a fourth set of proposed modifications to the regulations implementing the California Consumer Privacy Act (CCPA). As previously covered by InfoBytes, on October 12, the Department released a third set of proposed modifications to the regulations, which went into effect on August 14. The Department noted that it received around 20 comments in response to the third set of proposed modifications, and that the fourth set is intended to address those comments and/or to clarify and conform the proposed regulations to existing law. Highlights of the proposed modifications include:
- Amending Section 999.306, subd. (b)(3), to clarify that a business that sells (previously proposed as “collects”) personal information collected from consumers in the course of interacting with them offline shall inform consumers of their right to opt-out of the sale of their personal information by an offline method.
- The addition of Section 999.315, subd. (f), which identifies a uniform “opt-out button” to be used in addition to posting the notice of right to opt-out or used in conjunction with a “Do Not Sell My Personal Information” link.
Additionally, the Department provided notice that it added new documents and information to the rulemaking file, which was relied upon when adopting the proposed regulations.
Comments on the proposed modifications are due on December 28 by 5:00 p.m.
On November 3, California voters approved a ballot initiative, the California Privacy Rights Act of 2020 (CPRA), that expands on the California Consumer Privacy Act (CCPA). While there are a number of differences between the CPRA and the CCPA, some key provisions include:
- Adding expanded consumer rights, including the right to correction and the right to limit sharing of personal information for cross-context behavioral advertising, whether or not for monetary or other valuable consideration.
- Changing the definitions of various entities, including increasing the numerical threshold for being a business to 100,000 from 50,000 consumers and households and removing devices from this threshold.
- Adding the category of sensitive personal information that is subject to specific rights.
- Creating a new privacy agency, the California Privacy Protection Agency, to administer, implement, and enforce the CPRA.
It is important to note that the Gramm-Leach-Bliley Act and Fair Credit Reporting Act exemptions are retained in the CPRA, and the act extends the employee and business-to-business exemptions to January 1, 2023.
The CPRA becomes effective January 1, 2023, with enforcement delayed until July 1, 2023. However, the CPRA contains a look-back provision (i.e., the CPRA will apply to personal information collected by a business on or after January 1, 2022). The new privacy agency also is required to begin drafting regulations starting on July 1, 2021, with final regulations to be completed one year later.
Please refer to a Buckley article for further information on the differences between the CCPA and the CPRA: 6 Key Ways the California Privacy Rights Act of 2020 Would Revise the CCPA (Corporate Compliance Insights), as well as continuing InfoBytes coverage here.
On October 12, the California Department of Justice released a third set of proposed modifications to the regulations implementing the California Consumer Privacy Act (CCPA). As previously covered by InfoBytes, on August 14, the regulations went into effect after being approved by the Office of Administrative Law (OAL). Highlights of the proposed modifications include:
- The addition of Section 999.306, subd. (b)(3), which provides illustrative examples of the methods businesses can use to provide the notice of right to opt-out of the sale of personal information through an offline method, when the business collects personal information in the course of interacting with consumers offline. Examples include: posting signage in the area where personal information is collected or providing the notice orally during calls where information is collected;
- The addition of Section 999.315, subd. (h), which provides illustrative examples of right to opt-out methods that are designed with the purpose or have the substantial effect of subverting or impairing a consumer’s choice to opt-out. Examples include: using double negatives or requiring consumers to click through a list of reasons why they should not opt-out before confirming their request;
- Amending Section 999.326, subd. (a), which clarifies what proof a business may require from an authorized agent and consumer when a consumer uses an agent to submit a request to know or a request to delete; and
Comments on the proposed modifications are due on October 28 by 5:00 p.m.
On September 29, the California governor signed AB 1281, which extends certain exemptions under the California Consumer Privacy Act (CCPA) from January 1, 2021 to January 1, 2022. As previously covered by InfoBytes, the CCPA—enacted in June 2018 (covered by a Buckley Special Alert) and amended several times—became effective January 1, and provides consumers several rights regarding their personal information that is held by a business. Specifically, the exemptions at issue in AB 1281 apply to “information collected by a business about a natural person in the course of the natural person acting as a job applicant, employee, owner, director, officer, medical staff member, or contractor, as specified.” The exemptions also apply to certain personal information used in communications or transactions between a business and a consumer if the “consumer is a natural person who is acting as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency and whose communications or transaction with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from that company, partnership, sole proprietorship, nonprofit, or government agency.” However, the act will only take effect if a ballot proposition does not pass during the November statewide general election.
On August 14, the California attorney general announced that the Office of Administrative Law (OAL) approved the final regulations under the California Consumer Privacy Act (CCPA). As previously covered by InfoBytes, the CCPA—enacted in June 2018 (covered by a Buckley Special Alert) and amended several times—became effective January 1. While the regulation package was under review by the OAL, the California attorney general made certain “nonsubstantial changes” and “changes without regulatory effect” to the CCPA regulations, which are outlined here (Buckley created redline available here). Under the OAL’s regulations, changes are considered “nonsubstantial” if they clarify without materially altering the requirements, rights, responsibilities, conditions, or prescriptions contained in the original text. Changes are considered to be “without regulatory effect” if they involve renumbering or relocating a provision, revising structure, syntax, grammar or punctuation, and, subject to certain conditions, making a provision consistent with statute.
Among others, the following nonsubstantial changes were made to the final regulations:
- The shorthand phrase “Do Not Sell My Info” was removed from several sections in order for the language to track the statute (i.e. “Do Not Sell My Personal Information”).
- The severability provision, formerly in Section 999.341, was deleted as unnecessary. This provision previously stated: “If any article, section, subsection, sentence, clause or phrase of these regulations contained in this Chapter is for any reason held to be unconstitutional, contrary to statute, exceeding the authority of the Attorney General, or otherwise inoperative, such decision shall not affect the validity of the remaining portion of these regulations.”
Additionally, the following requirements were deleted from the regulations at this time, although the California attorney general has indicated that these provisions may be resubmitted “after further review and possible revisions”:
- The requirement, formerly in Section 999.305(a)(4), that the business notify and obtain explicit consent from a consumer to use the consumer’s personal information for a purpose materially different than those disclosed in the notice at collection.
- The requirement, formerly in Section 999.306(b)(2), that a business that substantially interacts with consumers offline must provide a notice to the consumer offline to facilitate their awareness of the right to opt-out.
- The requirement, formerly in Section 999.315(c), that the business’s methods for submitting the request to opt-out must “be easy for consumers to execute” and “require minimal steps to allow the consumer to opt-out.”
- The provision, formerly in Section 999.326(c), permitting a business to deny a request from an authorized agent if the agent fails to submit proof of authorization from the consumer.
The final regulations became effective on August 14, 2020.
On August 14, the California attorney general announced that the Office of Administrative Law (OAL) approved the final regulations under the California Consumer Privacy Act (CCPA). As previously covered by InfoBytes, the CCPA—enacted in June 2018 (covered by a Buckley Special Alert) and amended several times—became effective January 1. The proposed final regulations were submitted to OAL on June 1 and were “nonsubstantially changed” during OAL’s review process for “accuracy, consistency, and clarity.” The final regulations are effective as of August 14.
For a detailed overview of the regulations, see here (the InfoByte details an earlier version of the regulations, which remains substantially unchanged). Details of the nonsubstantial changes are available in InfoBytes coverage here.
The California attorney general recently published a set of frequently asked questions providing general consumer information on the California Consumer Privacy Act (CCPA). The CCPA—enacted in June 2018 (covered by a Buckley Special Alert) and amended several times—became effective January 1. Final proposed regulations were submitted by the AG last month as required under the CCPA’s July 1 statutory deadline (covered by InfoBytes here), and are currently with the California Office of Administrative Law for review. The FAQs—which will be updated periodically and do not serve as legal advice, regulatory guidance, or as an opinion of the AG—are intended to provide consumers guidance on exercising their rights under the CCPA.
- General CCPA information. The FAQs address consumer rights under the CCPA and reiterate that these rights apply only to California residents. This section also clarifies the definition of “personal information,” outlines businesses’ compliance thresholds, and states that the CCPA does not apply to nonprofit organizations and government agencies. The FAQs also remind consumers of their limited ability to sue businesses for CCPA violations and details the conditions that must be met before a consumer may sue a business for a data breach. The FAQs remind consumers that if they believe a business has violated the CCPA, they may file a complaint with the AG’s office.
- Right to opt-out of sale. The FAQs answer common questions related to consumers’ requests that businesses not sell their personal information. The FAQs describe the steps for submitting opt-out requests, as well as the reasons a business may deny an opt-out request. They also address circumstances in which a consumer receives a response from a service provider stating that it is not required to act on an opt-out request.
- Right to know. The FAQs discuss a consumer’s right to know what personal information is collected, used, shared, or sold, and clarify how consumers should submit requests to know, how long a business may take to respond, and what steps should be taken if a business requests more information, denies a request to know, or claims to be a service provider that is not required to respond.
- Request to delete. The FAQs address several questions related to consumers’ right to delete personal information, including how to submit a request to delete, businesses’ responses to and denials of requests to delete, and why a debt collector may make an attempt to collect a debt or a credit reporting agency may provide credit information even after a request to delete has been made.
- Right to non-discrimination. Consumers are reminded that a business “cannot deny goods or services, charge . . . a different price, or provide a different level or quality of goods or services just because [a consumer] exercised [his or her] rights under the CCPA.”
- Data brokers. The FAQs set forth the definition of a data broker under California law and outline steps for consumers interested in finding data brokers that collect and sell personal information, as well as measures consumers can take to opt-out of the sale of certain personal information.