Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On October 12, the California Department of Justice released a third set of proposed modifications to the regulations implementing the California Consumer Privacy Act (CCPA). As previously covered by InfoBytes, on August 14, the regulations went into effect after being approved by the Office of Administrative Law (OAL). Highlights of the proposed modifications include:
- The addition of Section 999.306, subd. (b)(3), which provides illustrative examples of the methods businesses can use to provide the notice of right to opt-out of the sale of personal information through an offline method, when the business collects personal information in the course of interacting with consumers offline. Examples include: posting signage in the area where personal information is collected or providing the notice orally during calls where information is collected;
- The addition of Section 999.315, subd. (h), which provides illustrative examples of right to opt-out methods that are designed with the purpose or have the substantial effect of subverting or impairing a consumer’s choice to opt-out. Examples include: using double negatives or requiring consumers to click through a list of reasons why they should not opt-out before confirming their request;
- Amending Section 999.326, subd. (a), which clarifies what proof a business may require from an authorized agent and consumer when a consumer uses an agent to submit a request to know or a request to delete; and
Comments on the proposed modifications are due on October 28 by 5:00 p.m.
On September 29, the California governor signed AB 1281, which extends certain exemptions under the California Consumer Privacy Act (CCPA) from January 1, 2021 to January 1, 2022. As previously covered by InfoBytes, the CCPA—enacted in June 2018 (covered by a Buckley Special Alert) and amended several times—became effective January 1, and provides consumers several rights regarding their personal information that is held by a business. Specifically, the exemptions at issue in AB 1281 apply to “information collected by a business about a natural person in the course of the natural person acting as a job applicant, employee, owner, director, officer, medical staff member, or contractor, as specified.” The exemptions also apply to certain personal information used in communications or transactions between a business and a consumer if the “consumer is a natural person who is acting as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency and whose communications or transaction with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from that company, partnership, sole proprietorship, nonprofit, or government agency.” However, the act will only take effect if a ballot proposition does not pass during the November statewide general election.
On August 14, the California attorney general announced that the Office of Administrative Law (OAL) approved the final regulations under the California Consumer Privacy Act (CCPA). As previously covered by InfoBytes, the CCPA—enacted in June 2018 (covered by a Buckley Special Alert) and amended several times—became effective January 1. While the regulation package was under review by the OAL, the California attorney general made certain “nonsubstantial changes” and “changes without regulatory effect” to the CCPA regulations, which are outlined here (Buckley created redline available here). Under the OAL’s regulations, changes are considered “nonsubstantial” if they clarify without materially altering the requirements, rights, responsibilities, conditions, or prescriptions contained in the original text. Changes are considered to be “without regulatory effect” if they involve renumbering or relocating a provision, revising structure, syntax, grammar or punctuation, and, subject to certain conditions, making a provision consistent with statute.
Among others, the following nonsubstantial changes were made to the final regulations:
- The shorthand phrase “Do Not Sell My Info” was removed from several sections in order for the language to track the statute (i.e. “Do Not Sell My Personal Information”).
- The severability provision, formerly in Section 999.341 was deleted as unnecessary. This provision previously stated: “If any article, section, subsection, sentence, clause or phrase of these regulations contained in this Chapter is for any reason held to be unconstitutional, contrary to statute, exceeding the authority of the Attorney General, or otherwise inoperative, such decision shall not affect the validity of the remaining portion of these regulations.” (formerly § 999.341).
Additionally, the following requirements were deleted from the regulations at this time, although the California attorney general has indicated that these provisions may be resubmitted “after further review and possible revisions”:
- The requirement, formerly in Section 999.305(a)(4), that the business notify and obtain explicit consent from a consumer to use the consumer’s personal information for a purpose materially different than those disclosed in the notice at collection.
- The requirement, formerly in Section 999.306(b)(2), that a business that substantially interacts with consumers offline must provide a notice to the consumer offline to facilitate their awareness of the right to opt-out.
- The requirement in Section 999.315(c) that the business’s methods for submitting the request to opt-out must “be easy for consumers to execute” and “require minimal steps to allow the consumer to opt-out.”
- The provision, formerly in Section 999.326(c), permitting a business to deny a request from an authorized agent if the agent fails to submit proof of authorization from the consumer.
The final regulations became effective on August 14, 2020.
On August 14, the California attorney general announced that the Office of Administrative Law (OAL) approved the final regulations under the California Consumer Privacy Act (CCPA). As previously covered by InfoBytes, the CCPA—enacted in June 2018 (covered by a Buckley Special Alert) and amended several times—became effective January 1. The proposed final regulations were submitted to OAL on June 1 and were “nonsubstantially changed” during OAL’s review process for “accuracy, consistency, and clarity.” The final regulations are effective as of August 14.
For a detailed overview of the regulations, see here (the InfoByte details an earlier version of the regulations, which remain substantially unchanged). Details discussing the nonsubstantial changes available by InfoBytes here.
The California attorney general recently published a set of frequently asked questions providing general consumer information on the California Consumer Privacy Act (CCPA). The CCPA—enacted in June 2018 (covered by a Buckley Special Alert) and amended several times—became effective January 1. Final proposed regulations were submitted by the AG last month as required under the CCPA’s July 1 statutory deadline (covered by InfoBytes here), and are currently with the California Office of Administrative Law for review. The FAQs—which will be updated periodically and do not serve as legal advice, regulatory guidance, or as an opinion of the AG—are intended to provide consumers guidance on exercising their rights under the CCPA.
- General CCPA information. The FAQs address consumer rights under the CCPA and reiterate that these rights apply only to California residents. This section also clarifies the definition of “personal information,” outlines businesses’ compliance thresholds, and states that the CCPA does not apply to nonprofit organizations and government agencies. The FAQs also remind consumers of their limited ability to sue businesses for CCPA violations and details the conditions that must be met before a consumer may sue a business for a data breach. The FAQs remind consumers that if they believe a business has violated the CCPA, they may file a complaint with the AG’s office.
- Right to opt-out of sale. The FAQs answer common questions related to consumers’ requests for businesses not to sell their personal information. The FAQs provide information on the steps for submitting opt-out requests, as well as explanations for why a business may deny an opt-out request. It also address circumstances where a consumer receives a response from a service provider that says it is not required to act on an opt-out request.
- Right to know. The FAQs discuss a consumer’s right to know what personal information is collected, used, shared, or sold, and clarifies what consumers should do to submit requests to know, how long a business may take to respond, and what steps should be taken if a business requests more information, denies a request to know, or claims to be a service provider that is not required to respond.
- Request to delete. The FAQs address several questions related to consumers’ right to delete personal information, including how to submit a request to delete, businesses’ responses to and denials of requests to delete, and why a debt collector may make an attempt to collect a debt or a credit reporting agency may provide credit information even after a request to delete has been made.
- Right to non-discrimination. Consumers are reminded that a business “cannot deny goods or services, charge. . .a different price, or provide a different level or quality of goods or services just because [a consumer] exercised [his or her] rights under the CCPA.”
- Data brokers. The FAQs set forth the definition of a data broker under California law and outline steps for consumers interested in finding data brokers that collect and sell personal information, as well as measures consumers can take to opt-out of the sale of certain personal information.
On June 24, the California Privacy Rights Act of 2020 (CPRA) ballot initiative was submitted to the California Country Clerk’s office as an initiative qualified for the November 2020 General Election ballot after receiving more than the 623,212 valid signatures required to qualify. The initiative was drafted by Alastair Mactaggart, the Founder and Chair of the Californians for Consumer Privacy, and would amend the CCPA in several significant ways. Notably, Mactaggart also drafted the initiative that ultimately resulted in the California Consumer Privacy Act (CCPA). The ballot initiative would, among other things:
- Provide consumers with the right to require a business to correct inaccurate personal information;
- Revise the definition of “business” to: (i) clarify that the time period for calculating annual gross revenues is based on the prior calendar year; (ii) provide that an entity meets the definition of a “business” if the entity, in relevant part, alone or in combination, annually buys, sell, or shares the personal information of 100,000 or more consumers or households; (iii) include a joint venture or partnership composed of businesses in which each business has at least a 40 percent interest; and (iv) include a person who does not otherwise qualify as a “business” but voluntarily certifies to the California Privacy Protection Agency (described below) that it is in compliance with, and agrees to be bound by, the CPRA;
- Create the California Privacy Protection Agency, which would have the authority to implement and enforce the CCPA (powers that are currently vested in the attorney general). The agency would be governed by a five-member board, including a single Chair, with members being appointed by the governor, the attorney general, and the leaders of the senate and assembly; and
- Expand on the CCPA’s opt-out provisions and prohibit businesses from selling a consumers’ “sensitive personal information”—a new term introduced by the initiative— without affirmative authorization.
Additional details regarding the proposed changes are available in the September 2019 InfoBytes post announcing the initiative. Since originally filing the initiative in September 2019, Mactaggart has amended the initiative several times, without significant change.
The final version of the proposed regulations, which are substantively unchanged from the March draft modifications (covered by InfoBytes here), include an updated statement of reasons summarizing the modifications and reiterating that the “stated bases for the necessity of the proposed regulations continue to apply to the regulations as adopted.”
The AG also submitted an expedited review request, asking that the regulations take effect upon filing with the Secretary of State. The CCPA imposes a July 1 statutory deadline for the AG to adopt initial regulations. However, due to challenges imposed by the Covid-19 pandemic, California Executive Order N-40-20 allows the OAL 30 working days, plus an additional 60 calendar days to finalize proposed regulations. Because of this, the AG respectfully requested that the OAL complete its review within 30 days, given the July 1 deadline.
On March 11, the California attorney general released a second set of draft modifications to the proposed regulations implementing the California Consumer Privacy Act (CCPA). These modifications follow the initial proposed regulations published last October and the first set of draft modifications published last month (covered by Buckley Special Alerts here and here). According to a notice issued by the California Department of Justice, these changes are in response to roughly 100 comments received by the Department to the proposed February modifications and are intended “to clarify and conform the proposed regulations to existing law.”
Key modifications are as follows:
- Personal Information. In the February modifications, a section was added to provide guidance regarding the interpretation of CCPA definitions and specifically defined the term “personal information” and provided an example of when IP addresses were not considered “personal information.” In the recent modifications, the Attorney General (AG) struck this section of the regulations.
- Indirectly Receiving Personal Information. The modifications clarify that a business that does not collect personal information directly from a consumer is not required to provide a consumer with a notice at collection if it does not sell the consumer’s personal information.
- “Opt-Out Button” Button. The modifications strike a provision that previously provided a model for the opt-out button that companies could include on their websites as an additional way for consumers to opt out of selling their information, as well as information about when the button should be used.
- Responding to Requests to Know. While the regulations have made clear that there are certain types of data that a business must never disclose in response to a request to know, such as Social Security number, driver’s license or government ID number, biometric data, etc., the modifications clarify that when responding to a request to know, businesses must inform consumers “with sufficient particularity” that they have collected that type of information. The modifications provide the following example – the business must respond that it collects “unique biometric data including a fingerprint scan” without disclosing the actual fingerprint scan data.
- Responding to Requests to Delete. The modifications provide that if a business denies a consumer’s request to delete, the business sells personal information, and the consumer has not already made a request to opt out of the sale, then the business must ask the consumer if he/she would like to opt out and include either the contents of, or a link to, the notice of right to opt-out.
- Service Providers. The modifications clarify that a service provider may not retain, use, or disclose personal information obtained while providing services unless the information is used to “process or maintain personal information on behalf of the business that provided the personal information, or that directed the service provider to collect the personal information” and complies with the CCPA’s requirements for a written contract for services. The modifications also add that while the service provider may use the personal information to build or improve the quality of it services, it may not build or modify household or consumer profiles to use in providing services to another business.
- Training: Record-Keeping. The modifications clarify that information retained for record-keeping purposes may not be shared with third parties “except as necessary to comply with a legal obligation.”
- Authorized Agent. The modifications clarify that businesses shall not require consumers, or a consumer’s authorized agent, to pay a fee to verify requests to know or to delete.
- Calculating the Value of Consumer Data. The modifications provide that for the purpose of calculating the value of consumer data, a business may consider the value of the data of all natural persons in the United States and not just consumers.
Comments on the second set of proposed modifications are due by March 27. As a reminder, the CCPA became effective January 1.
On February 25, California Attorney General Xavier Becerra sent a letter to the chairmen and ranking members of the Senate Committee on Commerce, Science and Transportation and the House Committee on Energy and Commerce, asking lawmakers to not preempt state laws as they draft federal privacy legislation. While Becerra expressed his appreciation for Congress’ efforts to address consumer privacy issues through legislation, he stated, “I encourage Congress to favor legislation that sets a federal privacy-protection floor rather than a ceiling, allowing my state—and others that may follow—the opportunity to provide further protections tailored to our residents.” To emphasize his position, Becerra provided an update on the California Consumer Privacy Act (CCPA), which confers significant new privacy rights to California consumers concerning the collection, use, disclosure, and sale of their personal information by covered businesses, service providers, and third parties. The CCPA took effect January 1 but will not be enforced until July 1 following promulgation of the attorney general’s CCPA regulations. (See continuing InfoBytes coverage on the CCPA here.)
Becerra outlined several criteria for Congress to consider when drafting privacy legislation, encouraging Congress to “develop a final bill that builds on the rights afforded by [the] CCPA” as well as the additional guidance within the proposed regulations. These include the right for consumers to (i) “access, correct, and delete personal information that has been collected”; (ii) “minimize data collection, processing, and retention”; (iii) “data portability among services”; and (iv) “know what data is collected and processed and for what reasons.” In addition, Becerra stated that Congress should make clear that state attorneys general have “parallel enforcement authority” and that consumers are granted a private right of action to protect their rights.
The California attorney general last week released modifications to the proposed regulations announced last October (covered by a Buckley Special Alert) implementing the California Consumer Privacy Act (CCPA). The CCPA—enacted in June 2018 (also covered by a Buckley Special Alert) and amended several times—became effective Jan. 1.
This Special Alert contains a summary of key modifications to the proposed regulations.
* * *
Click here to read the full special alert.
If you have any questions regarding the CCPA or other related issues, please visit our Privacy, Cyber Risk & Data Security practice page or contact a Buckley attorney with whom you have worked in the past.
- Thomas A. Sporkin to discuss "Managing internal investigations and advanced government defense" at the Securities Enforcement Forum
- Jeffrey P. Naimon to discuss "2021 - A new beginning/what's to come" at the QuestSoft Lending Compliance & Risk Management Virtual Conference
- H Joshua Kotin to discuss "Mortgage servicing in a recession: Early intervention, loss mitigation and more" at the NAFCU Virtual Regulatory Compliance Seminar
- Daniel R. Alonso to discuss "Independent monitoring in the United States" at the World Compliance Association Peru Chapter IV International Conference on Compliance and the Fight Against Corruption
- Jonice Gray Tucker to discuss "Cyber security, incident response, crisis management" at the Legal & Diversity Summit
- Jonice Gray Tucker to discuss "The future of fair lending" at the Mortgage Bankers Association Regulatory Compliance Conference
- Michelle L. Rogers to discuss "Major litigation" at the Mortgage Bankers Association Regulatory Compliance Conference
- Kathryn L. Ryan to discuss "Pandemic fallout – Navigating practical operational challenges" at the Mortgage Bankers Association Regulatory Compliance Conference
- Jonice Gray Tucker to discuss "Consumer financial services" at the Practising Law Institute Banking Law Institute
- Daniel P. Stipano to discuss "BSA/AML - Covid impact and regulatory/guidance roundup" at an NAFCU webinar