InfoBytes Blog

Financial Services Law Insights and Observations

  • California proposes modifying CCPA regs again

    State Issues

    On December 10, the California Department of Justice (Department) released a fourth set of proposed modifications to the regulations implementing the California Consumer Privacy Act (CCPA). As previously covered by InfoBytes, on October 12, the Department released a third set of proposed modifications to the regulations that went into effect on August 14. The Department noted that it received around 20 comments in response to the third set of proposed modifications and that the fourth set is intended to address those comments and/or to clarify and conform the proposed regulations to existing law. Highlights of the proposed modifications include:

    • Amending Section 999.306, subd. (b)(3), to clarify that a business that sells (previously proposed as “collects”) personal information collected from consumers in the course of interacting with them offline shall inform consumers of their right to opt-out of the sale of their personal information by an offline method.
    • The addition of Section 999.315, subd. (f), which identifies a uniform “opt-out button” to be used in addition to posting the notice of right to opt-out or used in conjunction with a “Do Not Sell My Personal Information” link.

    Additionally, the Department provided notice that it added new documents and information to the rulemaking file, which were relied upon when adopting the proposed regulations.

    Comments on the proposed modifications are due on December 28 by 5:00 p.m.

    State Issues CCPA State Attorney General Consumer Protection Privacy/Cyber Risk & Data Security

  • California voters approve expanded privacy rights

    Privacy, Cyber Risk & Data Security

    On November 3, California voters approved a ballot initiative, the California Privacy Rights Act of 2020 (CPRA), that expands on the California Consumer Privacy Act (CCPA). While there are a number of differences between the CPRA and the CCPA, some key provisions include:

    • Adding expanded consumer rights, including the right to correction and the right to limit sharing of personal information for cross-context behavioral advertising, whether or not for monetary or other valuable consideration.
    • Changing the definitions of various entities, including increasing the numerical threshold for being a business to 100,000 from 50,000 consumers and households and removing devices from this threshold.
    • Adding the category of sensitive personal information that is subject to specific rights.
    • Creating a new privacy agency, the California Privacy Protection Agency, to administer, implement, and enforce the CPRA.

    It is important to note that the Gramm-Leach-Bliley Act and Fair Credit Reporting Act exemptions are in the CPRA, and the act extends the employee and business-to-business exemption to January 1, 2023.

    Implementation deadlines

    The CPRA becomes effective January 1, 2023, with enforcement delayed until July 1, 2023. However, the CPRA contains a look-back provision (i.e., the CPRA will apply to personal information collected by a business on or after January 1, 2022). The new privacy agency also is required to begin drafting regulations starting on July 1, 2021, with final regulations to be completed one year later.

    Learn more

    Please refer to a Buckley article for further information on the differences between the CCPA and the CPRA: 6 Key Ways the California Privacy Rights Act of 2020 Would Revise the CCPA (Corporate Compliance Insights), as well as continuing InfoBytes coverage here.

    Privacy/Cyber Risk & Data Security CCPA CPRA California Consumer Protection Ballot Initiative

  • California modifying CCPA regs again

    State Issues

    On October 12, the California Department of Justice released a third set of proposed modifications to the regulations implementing the California Consumer Privacy Act (CCPA). As previously covered by InfoBytes, on August 14, the regulations went into effect after being approved by the Office of Administrative Law (OAL). Highlights of the proposed modifications include:

    • The addition of Section 999.306, subd. (b)(3), which provides illustrative examples of the methods businesses can use to provide the notice of right to opt-out of the sale of personal information through an offline method, when the business collects personal information in the course of interacting with consumers offline. Examples include: posting signage in the area where personal information is collected or providing the notice orally during calls where information is collected;
    • The addition of Section 999.315, subd. (h), which provides illustrative examples of right to opt-out methods that are designed with the purpose or have the substantial effect of subverting or impairing a consumer’s choice to opt-out. Examples include: using double negatives or requiring consumers to click through a list of reasons why they should not opt-out before confirming their request;
    • Amending Section 999.326, subd. (a), which clarifies what proof a business may require from an authorized agent and consumer when a consumer uses an agent to submit a request to know or a request to delete; and
    • Amending Section 999.332, subd. (a), which clarifies that businesses subject to § 999.330 (consumers under 13 years of age) and/or § 999.331 (consumers 13 to 15 years of age) must include a description of the processes set forth in those sections in their privacy policy for consumers under 16 years of age.

    Comments on the proposed modifications are due on October 28 by 5:00 p.m.

    State Issues Privacy/Cyber Risk & Data Security CCPA State Attorney General Consumer Protection

  • Special Alert: California’s new consumer financial protection law expands UDAAP and enforcement authority

    State Issues

    On Monday, August 31, the California Legislature passed Assembly Bill 1864, which enacts the California Consumer Financial Protection Law (CCFPL) and changes the name of the Department of Business Oversight (DBO) to the Department of Financial Protection and Innovation (DFPI).

    Key takeaways

    • Establishes UDAAP authority for the new DFPI, adding “abusive” to “unfair or deceptive” acts or practices prohibited by California law, and authorizing remedies similar to those provided in the Dodd-Frank Act. The DFPI also has authority to define UDAAPs in connection with the offering or provision of commercial financing (e.g., merchant cash advance, lease financing, factoring) and other financial products or services to small business recipients, nonprofits, and family farms.

    State Issues State Legislation CDBO UDAAP Consumer Finance Consumer Protection Special Alerts Merchant Cash Advance

  • Final CCPA regulations approved: Overview of changes

    State Issues

    On August 14, the California attorney general announced that the Office of Administrative Law (OAL) approved the final regulations under the California Consumer Privacy Act (CCPA). As previously covered by InfoBytes, the CCPA—enacted in June 2018 (covered by a Buckley Special Alert) and amended several times—became effective January 1. While the regulation package was under review by the OAL, the California attorney general made certain “nonsubstantial changes” and “changes without regulatory effect” to the CCPA regulations, which are outlined here (Buckley created redline available here). Under the OAL’s regulations, changes are considered “nonsubstantial” if they clarify without materially altering the requirements, rights, responsibilities, conditions, or prescriptions contained in the original text. Changes are considered to be “without regulatory effect” if they involve renumbering or relocating a provision, revising structure, syntax, grammar or punctuation, and, subject to certain conditions, making a provision consistent with statute.

    Among others, the following nonsubstantial changes were made to the final regulations:

    • The shorthand phrase “Do Not Sell My Info” was removed from several sections in order for the language to track the statute (i.e. “Do Not Sell My Personal Information”).
    • The requirement in Section 999.308(c)(1)(e) that the identification of sources from which personal information is collected “be described in a manner that provides consumers a meaningful understanding of the information being collected” in the privacy policy has been removed but the categories of sources still must be identified.
    • The severability provision, formerly in Section 999.341, was deleted as unnecessary. This provision previously stated: “If any article, section, subsection, sentence, clause or phrase of these regulations contained in this Chapter is for any reason held to be unconstitutional, contrary to statute, exceeding the authority of the Attorney General, or otherwise inoperative, such decision shall not affect the validity of the remaining portion of these regulations.” (formerly § 999.341).

    Additionally, the following requirements were deleted from the regulations at this time, although the California attorney general has indicated that these provisions may be resubmitted “after further review and possible revisions”:

    • The requirement, formerly in Section 999.305(a)(4), that the business notify and obtain explicit consent from a consumer to use the consumer’s personal information for a purpose materially different than those disclosed in the notice at collection.
    • The requirement, formerly in Section 999.306(b)(2), that a business that substantially interacts with consumers offline must provide a notice to the consumer offline to facilitate their awareness of the right to opt-out.
    • The requirement in Section 999.315(c) that the business’s methods for submitting the request to opt-out must “be easy for consumers to execute” and “require minimal steps to allow the consumer to opt-out.”
    • The provision, formerly in Section 999.326(c), permitting a business to deny a request from an authorized agent if the agent fails to submit proof of authorization from the consumer.

    The final regulations became effective on August 14, 2020.

    State Issues State Attorney General CCPA Regulation Consumer Protection Privacy/Cyber Risk & Data Security

  • Final CCPA regulations approved

    State Issues

    On August 14, the California attorney general announced that the Office of Administrative Law (OAL) approved the final regulations under the California Consumer Privacy Act (CCPA). As previously covered by InfoBytes, the CCPA—enacted in June 2018 (covered by a Buckley Special Alert) and amended several times—became effective January 1. The proposed final regulations were submitted to OAL on June 1 and were “nonsubstantially changed” during OAL’s review process for “accuracy, consistency, and clarity.” The final regulations are effective as of August 14.

    The final regulations set forth guidance regarding compliance with the CCPA, including requirements related to the various required notices under the CCPA (e.g., Notice at Collection, privacy policy, etc.), business practices for handling consumer requests (e.g., methods for submitting and responding to requests to know and requests to delete), service providers, training and recordkeeping, verification of requests, special rules for minors, and nondiscrimination requirements.

    For a detailed overview of the regulations, see here (the InfoByte details an earlier version of the regulations, which remain substantially unchanged). Details on the nonsubstantial changes are available in InfoBytes here.

    State Issues State Attorney General CCPA Regulation Consumer Protection Privacy/Cyber Risk & Data Security

  • FFIEC discusses additional Covid-19 loan accommodations

    Federal Issues

    On August 3, the member agencies of the Federal Financial Institutions Examination Council (FFIEC) issued a joint statement on managing loan accommodations granted to borrowers pursuant to federal, state, and local law to address Covid-19 related hardships. Specifically, the statement provides risk management and consumer protection principles to financial institutions working with borrowers that are near the end of their initial loan accommodation period. Among other things, the statement outlines:

    • Risk Management Practices. The statement encourages financial institutions to institute sound credit risk management practices following an accommodation period, such as “reassess[ing] risk ratings for each loan based on a borrower’s current debt level, current financial condition, repayment ability, and collateral.” Additionally, the statement encourages institutions to provide “clear, accurate, and timely information to borrowers and guarantors regarding the accommodation” being granted.
    • Sustainable Accommodations. The statement notes that the Covid-19 pandemic may have “long-term adverse impact[s] on borrower’s future earnings” and financial institutions should consider additional accommodation options to mitigate losses for the borrower and institutions by assessing “each loan based upon the fundamental risk characteristics affecting the collectability of that particular credit.”
    • Consumer Protection. The statement encourages financial institutions to provide consumers with options to support repayment at the end of accommodations to avoid delinquencies and to consider offering credit product term changes to “support sustainable and affordable payments for the long term.”
    • Accounting and Regulatory Reporting. The statement emphasizes that financial institutions should consider the effects of the Covid-19 pandemic in their allowance for loan and lease losses, or credit losses, estimation processes, consistent with generally accepted accounting principles.
    • Internal Control Systems. The statement notes that internal control functions for the end of initial accommodation periods and for additional accommodations typically “include appropriate targeted testing of the process for managing each stage of the accommodation.” Additionally, the statement reminds financial institutions of their responsibility for ensuring service providers in charge of these functions act consistently with the institution’s policies and all applicable laws and regulations.

    Federal Issues Covid-19 Federal Reserve OCC FDIC NCUA Consumer Finance Risk Management Consumer Protection FFIEC

  • CFPB outlines plans for consumer financial law taskforce

    Federal Issues

    On June 8, the CFPB published a blog post written by Todd Zywicki, the Chair of the Taskforce on Federal Consumer Financial Law, which discusses the future plans of the taskforce. In addition to the March request for information (RFI) seeking input on consumer protection areas for the taskforce to focus its research and analysis on (covered by InfoBytes here), the post notes that the taskforce intends to gain feedback from other public forums as well in order to produce a two-volume report. The first volume, among other things, will contain a history of consumer financial protection laws, a cost-benefit analysis of financial products and services, and an outline of the current regulatory framework. The second volume will include a set of recommendations for the Bureau “on ways to improve and strengthen the application of financial laws and regulations.” Through the fall, the taskforce will (i) analyze the comments received from the RFI; (ii) hold a public hearing; and (iii) participate in public listening sessions with the Bureau’s four advisory committees.

    Federal Issues CFPB Consumer Finance Consumer Protection

  • California AG finalizes proposed CCPA regulations, requests expedited review

    State Issues

    On June 1, the California attorney general submitted final proposed regulations implementing the California Consumer Privacy Act (CCPA) to the California Office of Administrative Law (OAL). The CCPA—enacted in June 2018 (covered by a Buckley Special Alert) and amended several times—became effective January 1. The proposed regulations, if approved, will set forth guidance regarding complying with the CCPA, including requirements related to the various required notices under the CCPA (e.g., Notice at Collection, privacy policy, etc.), business practices for handling consumer requests (e.g., methods for submitting and responding to requests to know and requests to delete), service providers, training and recordkeeping, verification of requests, special rules for minors, and nondiscrimination requirements.

    The final version of the proposed regulations, which is substantively unchanged from the March draft modifications (covered by InfoBytes here), includes an updated statement of reasons summarizing the modifications and reiterating that the “stated bases for the necessity of the proposed regulations continue to apply to the regulations as adopted.”

    The AG also submitted an expedited review request, asking that the regulations take effect upon filing with the Secretary of State. The CCPA imposes a July 1 statutory deadline for the AG to adopt initial regulations. However, due to challenges imposed by the Covid-19 pandemic, California Executive Order N-40-20 allows the OAL 30 working days, plus an additional 60 calendar days to finalize proposed regulations. Because of this, the AG respectfully requested that the OAL complete its review within 30 days, given the July 1 deadline.

    State Issues California State Attorney General CCPA Privacy/Cyber Risk & Data Security Consumer Protection

  • $550 million preliminary settlement reached in biometric privacy class action

    Privacy, Cyber Risk & Data Security

    On May 8, plaintiffs in a biometric privacy class action in the U.S. District Court for the Northern District of California filed a motion requesting preliminary approval of a $550 million settlement deal. The preliminary settlement, reached between a global social media company and a class of Illinois users, would resolve consolidated class claims that alleged the social media company’s face scanning practices violated the Illinois Biometric Information Privacy Act (BIPA). As previously covered by InfoBytes, last August the U.S. Court of Appeals for the 9th Circuit affirmed class certification and held that the class’s claims met the standing requirement described in Spokeo, Inc. v. Robins because the social media company’s alleged development of a face template that used facial-recognition technology without users’ consent constituted an invasion of an individual’s private affairs and concrete interests. According to the motion for preliminary approval, the settlement would be the largest BIPA class action settlement ever and would provide “cash relief that far outstrips what class members typically receive in privacy settlements, even in cases in which substantial statutory damages are involved.” If approved, the social media company must also provide “forward-looking relief” to ensure it secures users’ informed, written consent as required under BIPA.

    Privacy/Cyber Risk & Data Security Courts Enforcement Consumer Protection Settlement Class Action State Issues
