Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On June 24, the California Privacy Rights Act of 2020 (CPRA) ballot initiative was submitted to the California Country Clerk’s office as an initiative qualified for the November 2020 General Election ballot after receiving more than the 623,212 valid signatures required to qualify. The initiative was drafted by Alastair Mactaggart, the Founder and Chair of the Californians for Consumer Privacy, and would amend the CCPA in several significant ways. Notably, Mactaggart also drafted the initiative that ultimately resulted in the California Consumer Privacy Act (CCPA). The ballot initiative would, among other things:
- Provide consumers with the right to require a business to correct inaccurate personal information;
- Revise the definition of “business” to: (i) clarify that the time period for calculating annual gross revenues is based on the prior calendar year; (ii) provide that an entity meets the definition of a “business” if the entity, in relevant part, alone or in combination, annually buys, sell, or shares the personal information of 100,000 or more consumers or households; (iii) include a joint venture or partnership composed of businesses in which each business has at least a 40 percent interest; and (iv) include a person who does not otherwise qualify as a “business” but voluntarily certifies to the California Privacy Protection Agency (described below) that it is in compliance with, and agrees to be bound by, the CPRA;
- Create the California Privacy Protection Agency, which would have the authority to implement and enforce the CCPA (powers that are currently vested in the attorney general). The agency would be governed by a five-member board, including a single Chair, with members being appointed by the governor, the attorney general, and the leaders of the senate and assembly; and
- Expand on the CCPA’s opt-out provisions and prohibit businesses from selling a consumers’ “sensitive personal information”—a new term introduced by the initiative— without affirmative authorization.
Additional details regarding the proposed changes are available in the September 2019 InfoBytes post announcing the initiative. Since originally filing the initiative in September 2019, Mactaggart has amended the initiative several times, without significant change.
The final version of the proposed regulations, which are substantively unchanged from the March draft modifications (covered by InfoBytes here), include an updated statement of reasons summarizing the modifications and reiterating that the “stated bases for the necessity of the proposed regulations continue to apply to the regulations as adopted.”
The AG also submitted an expedited review request, asking that the regulations take effect upon filing with the Secretary of State. The CCPA imposes a July 1 statutory deadline for the AG to adopt initial regulations. However, due to challenges imposed by the Covid-19 pandemic, California Executive Order N-40-20 allows the OAL 30 working days, plus an additional 60 calendar days to finalize proposed regulations. Because of this, the AG respectfully requested that the OAL complete its review within 30 days, given the July 1 deadline.
On March 11, the California attorney general released a second set of draft modifications to the proposed regulations implementing the California Consumer Privacy Act (CCPA). These modifications follow the initial proposed regulations published last October and the first set of draft modifications published last month (covered by Buckley Special Alerts here and here). According to a notice issued by the California Department of Justice, these changes are in response to roughly 100 comments received by the Department to the proposed February modifications and are intended “to clarify and conform the proposed regulations to existing law.”
Key modifications are as follows:
- Personal Information. In the February modifications, a section was added to provide guidance regarding the interpretation of CCPA definitions and specifically defined the term “personal information” and provided an example of when IP addresses were not considered “personal information.” In the recent modifications, the Attorney General (AG) struck this section of the regulations.
- Indirectly Receiving Personal Information. The modifications clarify that a business that does not collect personal information directly from a consumer is not required to provide a consumer with a notice at collection if it does not sell the consumer’s personal information.
- “Opt-Out Button” Button. The modifications strike a provision that previously provided a model for the opt-out button that companies could include on their websites as an additional way for consumers to opt out of selling their information, as well as information about when the button should be used.
- Responding to Requests to Know. While the regulations have made clear that there are certain types of data that a business must never disclose in response to a request to know, such as Social Security number, driver’s license or government ID number, biometric data, etc., the modifications clarify that when responding to a request to know, businesses must inform consumers “with sufficient particularity” that they have collected that type of information. The modifications provide the following example – the business must respond that it collects “unique biometric data including a fingerprint scan” without disclosing the actual fingerprint scan data.
- Responding to Requests to Delete. The modifications provide that if a business denies a consumer’s request to delete, the business sells personal information, and the consumer has not already made a request to opt out of the sale, then the business must ask the consumer if he/she would like to opt out and include either the contents of, or a link to, the notice of right to opt-out.
- Service Providers. The modifications clarify that a service provider may not retain, use, or disclose personal information obtained while providing services unless the information is used to “process or maintain personal information on behalf of the business that provided the personal information, or that directed the service provider to collect the personal information” and complies with the CCPA’s requirements for a written contract for services. The modifications also add that while the service provider may use the personal information to build or improve the quality of it services, it may not build or modify household or consumer profiles to use in providing services to another business.
- Training: Record-Keeping. The modifications clarify that information retained for record-keeping purposes may not be shared with third parties “except as necessary to comply with a legal obligation.”
- Authorized Agent. The modifications clarify that businesses shall not require consumers, or a consumer’s authorized agent, to pay a fee to verify requests to know or to delete.
- Calculating the Value of Consumer Data. The modifications provide that for the purpose of calculating the value of consumer data, a business may consider the value of the data of all natural persons in the United States and not just consumers.
Comments on the second set of proposed modifications are due by March 27. As a reminder, the CCPA became effective January 1.
On February 25, California Attorney General Xavier Becerra sent a letter to the chairmen and ranking members of the Senate Committee on Commerce, Science and Transportation and the House Committee on Energy and Commerce, asking lawmakers to not preempt state laws as they draft federal privacy legislation. While Becerra expressed his appreciation for Congress’ efforts to address consumer privacy issues through legislation, he stated, “I encourage Congress to favor legislation that sets a federal privacy-protection floor rather than a ceiling, allowing my state—and others that may follow—the opportunity to provide further protections tailored to our residents.” To emphasize his position, Becerra provided an update on the California Consumer Privacy Act (CCPA), which confers significant new privacy rights to California consumers concerning the collection, use, disclosure, and sale of their personal information by covered businesses, service providers, and third parties. The CCPA took effect January 1 but will not be enforced until July 1 following promulgation of the attorney general’s CCPA regulations. (See continuing InfoBytes coverage on the CCPA here.)
Becerra outlined several criteria for Congress to consider when drafting privacy legislation, encouraging Congress to “develop a final bill that builds on the rights afforded by [the] CCPA” as well as the additional guidance within the proposed regulations. These include the right for consumers to (i) “access, correct, and delete personal information that has been collected”; (ii) “minimize data collection, processing, and retention”; (iii) “data portability among services”; and (iv) “know what data is collected and processed and for what reasons.” In addition, Becerra stated that Congress should make clear that state attorneys general have “parallel enforcement authority” and that consumers are granted a private right of action to protect their rights.
The California attorney general last week released modifications to the proposed regulations announced last October (covered by a Buckley Special Alert) implementing the California Consumer Privacy Act (CCPA). The CCPA—enacted in June 2018 (also covered by a Buckley Special Alert) and amended several times—became effective Jan. 1.
This Special Alert contains a summary of key modifications to the proposed regulations.
* * *
Click here to read the full special alert.
If you have any questions regarding the CCPA or other related issues, please visit our Privacy, Cyber Risk & Data Security practice page or contact a Buckley attorney with whom you have worked in the past.
On January 6, the California attorney general issued an advisory explaining consumers’ rights under the California Consumer Privacy Act (CCPA), which took effect January 1. (See previous InfoBytes coverage on the CCPA here.) These rights include (i) the right to request from businesses what personal information they collect, use, share, or sell; (ii) the right to request that businesses and their service providers delete one’s personal information; (iii) the right to opt out of businesses’ disclosure of one’s personal information via “Do Not Sell” links on businesses’ websites and mobile apps; (iv) the right of children younger than 16 to have businesses disclose their personal information only after receiving the child’s opt-in consent (though parents or guardians may consent for children under 13); and (v) the right to non-discrimination should a consumer exercise his or her privacy rights under the CCPA.
In addition to enumerating these consumer rights, the advisory specifies the types of businesses subject to the CCPA, provides information on the state’s data broker registry, and describes consumers’ private right of action in the event of a data breach.
Additionally, on October 10, the California attorney general released the highly anticipated proposed regulations implementing the CCPA. See the Buckley Special Alert for details of the proposed regulations.
Buckley Special Alert
Last week, the California attorney general released the highly anticipated proposed regulations implementing the California Consumer Privacy Act (CCPA). The CCPA — which was enacted in June 2018 (covered by a Buckley Special Alert), amended several times and with the most recent amendments signed into law on Oct. 11, and is currently set to take effect on Jan. 1, 2020 — directed the California attorney general to issue regulations to further the law’s purpose.
* * *
If you have any questions about the CCPA or other related issues, please visit our Privacy, Cyber Risk & Data Security practice page, or contact a Buckley attorney with whom you have worked in the past.
On October 10, the California attorney general released the highly anticipated proposed regulations implementing the California Consumer Privacy Act (CCPA). The CCPA—which was enacted in June 2018 (covered by a Buckley Special Alert), amended in September 2018, amended again in October 2019 (pending Governor Gavin Newsom’s signature), and is currently set to take effect on January 1, 2020 (Infobytes coverage on the amendments available here and here)—directed the California attorney general to issue regulations to further the law’s purpose. The proposed regulations address a variety of topics related to the law, including:
- The handling of consumer requests made under the CCPA, such as requests to know, requests to delete, and requests to opt-out;
- Service provider classification and obligations;
- The process for verifying consumer requests;
- Training and recordkeeping requirements; and
- Special requirements related to minors.
The California attorney general will hold four public hearings between December 2 and December 5 on the proposed regulations. Written comments are due by December 6.
Notably, the Notice of Proposed Rulemaking states that “the adoption of these regulations may have a significant, statewide adverse economic impact directly affecting business, including the ability of California businesses to compete with businesses in other states” and requests that the public consider, among other things, different compliance requirements depending on a business’s resources or potential exemptions from the regulatory requirements for businesses when submitting comments on the proposal.
Buckley will follow up with a more detailed summary of the proposed regulations soon.
On September 25, Alastair Mactaggart, the Founder and Chair of the Californians for Consumer Privacy and the drafter of the initiative that ultimately resulted in the California Consumer Privacy Act (CCPA), announced a newly filed ballot measure to further expand the CCPA (currently effective on January 1, 2020), titled the “California Privacy Rights and Enforcement Act of 2020” (the Act) (an additional version of the Act is available with comments from McTaggart’s team). The Act would result in significant amendments to the CCPA, including the following, among others
- Sensitive personal information. The Act sets forth additional obligations in connection with a business’s collection, use, sale, or disclosure of “sensitive personal information,” which is a new term introduced by the Act. “Sensitive personal information” includes categories such as health information; financial information (stated as, “a consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account”); racial or ethnic origin; precise geolocation; or other data collected and analyzed for the purpose of identifying such information.
- Disclosure of sensitive personal information. The Act expands on the CCPA’s disclosure requirements to include, among other things, a requirement for businesses to specify the categories of sensitive personal information that will be collected, disclose the specific purposes for which the categories of sensitive personal information are collected or used, and disclose whether such information is sold. In addition, the Act prohibits a business from collecting additional categories of sensitive personal information or use sensitive personal information collected for purposes that are incompatible with the disclosed purpose for which the information was collected, or other disclosed purposes reasonably related to the original purpose for which the information was collected, unless notice is provided to the consumer.
- Contractual requirements. The Act sets forth additional contractual requirements and obligations that apply when a business sells personal information to a third party or discloses personal information to a service provider or contractor for a business purpose. Among other things, the Act obligates the third party, service provider, or contractor to provide at least the same level of privacy protection required by the Act. The contract must also require the third party, service provider, or contractor to notify the business if it makes a determination that it can no longer meet its obligation to protect the personal information as required by the Act.
- Advertising and marketing opt-out. The Act includes a consumer’s right to opt-out, at any time, of the business’s use of their sensitive personal information for advertising and marketing or disclosure of personal information to a service provider or contractor for the same purposes. The Act requires that businesses provide notice to consumers that their sensitive personal information may be used or disclosed for advertising or marketing purposes and that the consumers have “the right to opt-out” of its use or disclosure. “Advertising and marketing” means a communication by a business or a person acting on the business’s behalf in any medium intended to induce a consumer to buy, rent, lease, join, use, subscribe to, apply for, provide, or exchange products, goods, property, information, services, or employment.
- Affirmative consent for sale of sensitive personal information. The Act expands on the CCPA’s opt-out provisions and prohibits businesses from selling a consumer’s sensitive personal information without actual affirmative authorization.
- Right to correct inaccurate information. The Act provides consumers with the right to require a business to correct inaccurate personal information.
- Definition of business. The Act revises the definition of “business” to:
- Clarify that the time period for calculating annual gross revenues is based on the prior calendar year;
- Provide that an entity meets the definition of “business” if the entity, in relevant part, alone or in combination, annually buys the personal information of 100,000 or more consumers or households;
- Include a joint venture or partnership composed of business in which each business has at least a 40% interest; and
- Provides a catch-all for businesses not covered by the foregoing bullets.
- The “California Privacy Protection Agency.” The Act creates the California Privacy Protection Agency, which would have the power, authority, and jurisdiction to implement and enforce the CCPA (powers that are currently vested in the attorney general). The Act states that the Agency would have five members, including a single Chair, and the members would be appointed by the governor, the attorney general, and the leaders of the senate and assembly.
If passed, the Act would become operative on January 1, 2021 and would apply to personal information collected by a business on or after January 1, 2020.
As previously covered by a Buckley Special Alert, on September 13, lawmakers in California passed numerous amendments to the CCPA, which are awaiting Governor Gavin Newsom’s signature, who has until October 13 to sign. The amendments leave the majority of the consumer’s rights intact, but certain provisions were clarified — including the definition of “personal information” — while other exemptions were clarified regarding the collection of certain data that have a bearing on financial services companies.
- Daniel R. Alonso to discuss "When can trial lawyers take their case to the public? The Harvey Weinstein case and beyond" at a New York City Bar Association webcast
- Jonice Gray Tucker to discuss "Fair servicing in wake of Covid-19" at an American Bar Association webinar
- APPROVED Webcast: Maximizing vendor value
- Daniel P. Stipano to discuss "Cram for the exam: Best prep strategies for a regulatory examination" at an ACAMS webinar
- Melissa Klimkiewicz to discuss "Flood insurance basics" at the NAFCU Virtual Regulatory Compliance School
- Sasha Leonhardt to discuss "Privacy laws clarified" at the National Settlement Services Summit (NS3)