InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Final CCPA regulations approved: Overview of changes
On August 14, the California attorney general announced that the Office of Administrative Law (OAL) approved the final regulations under the California Consumer Privacy Act (CCPA). As previously covered by InfoBytes, the CCPA—enacted in June 2018 (covered by a Buckley Special Alert) and amended several times—became effective January 1. While the regulation package was under review by the OAL, the California attorney general made certain “nonsubstantial changes” and “changes without regulatory effect” to the CCPA regulations, which are outlined here (Buckley created redline available here). Under the OAL’s regulations, changes are considered “nonsubstantial” if they clarify without materially altering the requirements, rights, responsibilities, conditions, or prescriptions contained in the original text. Changes are considered to be “without regulatory effect” if they involve renumbering or relocating a provision, revising structure, syntax, grammar or punctuation, and, subject to certain conditions, making a provision consistent with statute.
Among others, the following nonsubstantial changes were made to the final regulations:
- The shorthand phrase “Do Not Sell My Info” was removed from several sections in order for the language to track the statute (i.e. “Do Not Sell My Personal Information”).
- The requirement in Section 999.308(c)(1)(e) that the identification of sources from which personal information is collected “be described in a manner that provides consumers a meaningful understanding of the information being collected” in the privacy policy has been removed but the categories of sources still must be identified.
- The severability provision, formerly in Section 999.341 was deleted as unnecessary. This provision previously stated: “If any article, section, subsection, sentence, clause or phrase of these regulations contained in this Chapter is for any reason held to be unconstitutional, contrary to statute, exceeding the authority of the Attorney General, or otherwise inoperative, such decision shall not affect the validity of the remaining portion of these regulations.” (formerly § 999.341).
Additionally, the following requirements were deleted from the regulations at this time, although the California attorney general has indicated that these provisions may be resubmitted “after further review and possible revisions”:
- The requirement, formerly in Section 999.305(a)(4), that the business notify and obtain explicit consent from a consumer to use the consumer’s personal information for a purpose materially different than those disclosed in the notice at collection.
- The requirement, formerly in Section 999.306(b)(2), that a business that substantially interacts with consumers offline must provide a notice to the consumer offline to facilitate their awareness of the right to opt-out.
- The requirement in Section 999.315(c) that the business’s methods for submitting the request to opt-out must “be easy for consumers to execute” and “require minimal steps to allow the consumer to opt-out.”
- The provision, formerly in Section 999.326(c), permitting a business to deny a request from an authorized agent if the agent fails to submit proof of authorization from the consumer.
The final regulations became effective on August 14, 2020.
Final CCPA regulations approved
On August 14, the California attorney general announced that the Office of Administrative Law (OAL) approved the final regulations under the California Consumer Privacy Act (CCPA). As previously covered by InfoBytes, the CCPA—enacted in June 2018 (covered by a Buckley Special Alert) and amended several times—became effective January 1. The proposed final regulations were submitted to OAL on June 1 and were “nonsubstantially changed” during OAL’s review process for “accuracy, consistency, and clarity.” The final regulations are effective as of August 14.
The final regulations set forth guidance regarding compliance with the CPPA, including requirements related to the various required notices under the CCPA (e.g., Notice at Collection, privacy policy, etc.), business practices for handling consumer requests (e.g., methods for submitting and responding to requests to know and requests to delete), service providers, training and recordkeeping, verification of requests, special rules for minors, and nondiscrimination requirements.
For a detailed overview of the regulations, see here (the InfoByte details an earlier version of the regulations, which remain substantially unchanged). Details discussing the nonsubstantial changes available by InfoBytes here.
EU - U.S. forum studies implications of Covid-19 for financial stability
On July 17, the U.S. Treasury Department issued a joint statement on the EU - U.S. Financial Regulatory Forum, which met virtually on July 14 and 15 and included participants from Treasury, the Federal Reserve Board, CFTC, FDIC, SEC, and OCC. Forum participants discussed six key themes: (i) potential financial stability implications and economic responses to the Covid-19 pandemic; (ii) capital market supervisory and regulatory cooperation, including cross-border supervision; (iii) “multilateral and bilateral engagement in banking and insurance,” including “cross-border resolution of systemic banks” and Volcker Rule implementation; (iv) approaches to anti-money laundering/countering the financing of terrorism financing and remittances; (v) the regulation and supervision of digital finance and financial innovation, such as “digital operational resilience and developments in crypto-assets, so-called stablecoins, and central bank digital currencies”; and (vi) sustainable finance developments. EU and U.S. participants recognized the importance of communicating mutual supervisory and regulatory concerns to “support financial stability, investor protection, market integrity, and a level playing field.”
CFPB launches pilot advisory opinion program to provide regulatory clarity
On June 18, the CFPB launched a pilot advisory opinion program (AO program) to allow entities to submit requests to the Bureau for written guidance in cases of regulatory compliance uncertainty. The pilot AO program procedural rule went into effect June 22, and states that the AO program—established in response to external stakeholder feedback encouraging the Bureau to provide written guidance—will primarily focus on clarifying ambiguities in Bureau regulations, although AOs may also clarify statutory ambiguities. The Bureau notes, however, that it will not issue AOs on matters that require notice-and-comment rulemaking or that are better addressed through that process, and does not intend to issue an AO that will change a regulation or replace a regulation or statute with a “bright-light standard that eliminates all the required analysis.” During the pilot, requests will not be accepted from third parties, such as trade associations or law firms, on behalf of unnamed entities. According to the Bureau’s announcement, it will select topics based on the program’s priorities, and, if appropriate, may publicly “issue an [AO] based on its summary of the facts presented that would be applicable to other entities in situations with similar facts and circumstances.”
The pilot AO program will focus on the following four priorities: (i) providing consumers “with timely and understandable information to make responsible decisions”; (ii) identifying “outdated, unnecessary or unduly burdensome regulations in order to reduce regulatory burdens”; (iii) consistently enforcing federal consumer financial laws “in order to promote fair competition”; and (iv) “[e]nsuring markets for consumer financial products and services operate transparently and efficiently to facilitate access and innovation.”
In determining the appropriateness of an AO, the Bureau will consider several factors, including whether (i) prior Bureau examinations have identified the issue as one that may benefit from additional regulatory clarity; (ii) the issue is “of substantive importance or impact or one whose clarification would provide significant benefit”; and/or (iii) the issue concerns an ambiguity not previously addressed through an interpretive rule or other authoritative source. Additionally, issues currently under investigation or enforcement likely will not be considered appropriate for an AO.
A proposed procedural rule and information collection was also announced June 18, which requests comments on the proposed AO program. Comments must be received 60 days after publication in the Federal Register. The proposed AO program, following the conclusion of the pilot, will be fully implemented after the Bureau reviews the comments.
CFPB issues guidance allowing pandemic relief payment distribution with prepaid cards
On April 13, the CFPB issued an Interpretive Rule (IR) addressing the “Treatment of Pandemic Relief Payments Under Regulation E and Application of the Compulsory Use Prohibition.” Pursuant to the CARES Act, many consumers are entitled to pandemic relief payments, generally provided through direct deposit to the consumer’s bank account. When that information is unavailable, or when the consumer does not have a bank account, the IR allows government agencies to provide the economic impact payments via alternative means, including by issuing prepaid account cards. However, the Electronic Fund Transfer Act and implementing Regulation E prohibit government agencies from requiring consumers to “establish accounts for receipt of electronic fund transfers with a particular financial institution as a condition of receipt of a government benefit. ” According to the IR, the “compulsory use prohibition” will not apply to prepaid cards and the Covid-19 relief payments will not be classified as government benefits, provided the cards fulfill certain requirements. In order to not be considered “government benefits” the payments must: (i) be to aid consumers impacted by Covid-19; (ii) not be “part of an already-established government benefit program”; (iii) be distributed “on a one-time or otherwise limited basis”; and (iv) not require consumers to apply for the funds.
CFPB states commitment to protecting consumers through continued examination and supervisory work
On April 1, the CFPB published a statement which assured that the Bureau will continue to perform examinations and other supervisory work during the Covid-19 pandemic, reinforcing the Bureau’s mission to protect consumers. The statement explains that the Bureau is taking advantage of technology to fulfill its examination duties and to stay in communication with supervised entities. Additionally, the statement suggests that the Bureau will consider individual circumstances and good faith efforts to comply when performing examination and supervisory work.
California AG releases second set of modified proposed CCPA regulations
On March 11, the California attorney general released a second set of draft modifications to the proposed regulations implementing the California Consumer Privacy Act (CCPA). These modifications follow the initial proposed regulations published last October and the first set of draft modifications published last month (covered by Buckley Special Alerts here and here). According to a notice issued by the California Department of Justice, these changes are in response to roughly 100 comments received by the Department to the proposed February modifications and are intended “to clarify and conform the proposed regulations to existing law.”
Key modifications are as follows:
- Personal Information. In the February modifications, a section was added to provide guidance regarding the interpretation of CCPA definitions and specifically defined the term “personal information” and provided an example of when IP addresses were not considered “personal information.” In the recent modifications, the Attorney General (AG) struck this section of the regulations.
- Indirectly Receiving Personal Information. The modifications clarify that a business that does not collect personal information directly from a consumer is not required to provide a consumer with a notice at collection if it does not sell the consumer’s personal information.
- Notice at Collection for Employees. The modifications clarify that the notice at collection of employment-related information is not required to include a link to the business’s privacy policy.
- “Opt-Out Button” Button. The modifications strike a provision that previously provided a model for the opt-out button that companies could include on their websites as an additional way for consumers to opt out of selling their information, as well as information about when the button should be used.
- Privacy Policy. The privacy policy section appears to have been updated to further align with the CCPA. In addition to the currently proposed disclosure requirements, the modifications provide that privacy policies also identify: (i) the categories of sources from which personal information is collected, and describe these categories in such a way that allows consumers to meaningfully understand the information being collected; and (ii) all business or commercial purposes for collecting or sending consumers’ personal information, and describe the purposes in a way that allows consumers to meaningfully understand why the information is collected and sold. Further, if a “business has actual knowledge that it sells the personal information of minors under 16 years of age,” it must provide a description of the processes as required by sections 999.330 and 999.331, which outline special rules regarding minors.
- Responding to Requests to Know. While the regulations have made clear that there are certain types of data that a business must never disclose in response to a request to know, such as Social Security number, driver’s license or government ID number, biometric data, etc., the modifications clarify that when responding to a request to know, businesses must inform consumers “with sufficient particularity” that they have collected that type of information. The modifications provide the following example – the business must respond that it collects “unique biometric data including a fingerprint scan” without disclosing the actual fingerprint scan data.
- Responding to Requests to Delete. The modifications provide that if a business denies a consumer’s request to delete, the business sells personal information, and the consumer has not already made a request to opt out of the sale, then the business must ask the consumer if he/she would like to opt out and include either the contents of, or a link to, the notice of right to opt-out.
- Service Providers. The modifications clarify that a service provider may not retain, use, or disclose personal information obtained while providing services unless the information is used to “process or maintain personal information on behalf of the business that provided the personal information, or that directed the service provider to collect the personal information” and complies with the CCPA’s requirements for a written contract for services. The modifications also add that while the service provider may use the personal information to build or improve the quality of it services, it may not build or modify household or consumer profiles to use in providing services to another business.
- Training: Record-Keeping. The modifications clarify that information retained for record-keeping purposes may not be shared with third parties “except as necessary to comply with a legal obligation.”
- Authorized Agent. The modifications clarify that businesses shall not require consumers, or a consumer’s authorized agent, to pay a fee to verify requests to know or to delete.
- Calculating the Value of Consumer Data. The modifications provide that for the purpose of calculating the value of consumer data, a business may consider the value of the data of all natural persons in the United States and not just consumers.
Comments on the second set of proposed modifications are due by March 27. As a reminder, the CCPA became effective January 1.
Special Alert: California attorney general modifies proposed CCPA regulations
The California attorney general last week released modifications to the proposed regulations announced last October (covered by a Buckley Special Alert) implementing the California Consumer Privacy Act (CCPA). The CCPA—enacted in June 2018 (also covered by a Buckley Special Alert) and amended several times—became effective Jan. 1.
This Special Alert contains a summary of key modifications to the proposed regulations.* * *
Click here to read the full special alert.
If you have any questions regarding the CCPA or other related issues, please visit our Privacy, Cyber Risk & Data Security practice page or contact a Buckley attorney with whom you have worked in the past.California appoints Manuel Alvarez as DBO Commissioner
On March 28, the California governor announced that Manuel Alvarez has been appointed Commissioner of the California Department of Business Oversight. Since 2014, Alvarez has been general counsel, chief compliance officer, and corporate secretary at an online purchase lender. Prior to those roles, he was an enforcement attorney with the CFPB, and a deputy attorney general at the California Department of Justice. Alvarez’s appointment will require the confirmation of the state Senate.
U.S., Canada, and Mexico announce annual financial regulatory forum
On November 30, the U.S. Treasury Department, the Canadian Department of Finance, and the Ministry of Finance and Public Credit of Mexico (collectively, the “authorities”) announced the creation of the Canada-Mexico-United States Financial Regulatory Forum (Forum) to share information on financial sector developments and financial regulatory practices and procedures. The authorities published a joint “understanding,” which outlines the Forum’s intentions, including: (i) sharing information to allow for timely identification of potential cross-border financial regulatory issues; (ii) exchanging views on emerging financial sector developments and financial stability risks; and (iii) discussing regulatory issues that arise in bilateral and multilateral contexts or which relate to international standards. The Forum intends to meet annually.