Skip to main content
Menu Icon Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations

Filter

Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.

  • Privacy initiative makes California ballot

    State Issues

    On June 24, the California Privacy Rights Act of 2020 (CPRA) ballot initiative was submitted to the California Country Clerk’s office as an initiative qualified for the November 2020 General Election ballot after receiving more than the 623,212 valid signatures required to qualify. The initiative was drafted by Alastair Mactaggart, the Founder and Chair of the Californians for Consumer Privacy, and would amend the CCPA in several significant ways. Notably, Mactaggart also drafted the initiative that ultimately resulted in the California Consumer Privacy Act (CCPA). The ballot initiative would, among other things:

    • Provide consumers with the right to require a business to correct inaccurate personal information;
    • Revise the definition of “business” to: (i) clarify that the time period for calculating annual gross revenues is based on the prior calendar year; (ii) provide that an entity meets the definition of a “business” if the entity, in relevant part, alone or in combination, annually buys, sell, or shares the personal information of 100,000 or more consumers or households; (iii) include a joint venture or partnership composed of businesses in which each business has at least a 40 percent interest; and (iv) include a person who does not otherwise qualify as a “business” but voluntarily certifies to the California Privacy Protection Agency (described below) that it is in compliance with, and agrees to be bound by, the CPRA;
    • Create the California Privacy Protection Agency, which would have the authority to implement and enforce the CCPA (powers that are currently vested in the attorney general). The agency would be governed by a five-member board, including a single Chair, with members being appointed by the governor, the attorney general, and the leaders of the senate and assembly; and
    • Expand on the CCPA’s opt-out provisions and prohibit businesses from selling a consumers’ “sensitive personal information”—a new term introduced by the initiative— without affirmative authorization.

    Additional details regarding the proposed changes are available in the September 2019 InfoBytes post announcing the initiative. Since originally filing the initiative in September 2019, Mactaggart has amended the initiative several times, without significant change.

    State Issues Privacy/Cyber Risk & Data Security State Legislation State Attorney General CCPA

    Share page with AddThis
  • California AG finalizes proposed CCPA regulations, requests expedited review

    State Issues

    On June 1, the California attorney general submitted final proposed regulations implementing the California Consumer Privacy Act (CCPA) to the California Office of Administrative Law (OAL). The CCPA—enacted in June 2018 (covered by a Buckley Special Alert) and amended several times—became effective January 1. The proposed regulations, if approved, will set forth guidance regarding complying with the CCPA, including requirements related to the various required notices under the CCPA (e.g., Notice at Collection, privacy policy, etc.), business practices for handling consumer requests (e.g., methods for submitting and responding to requests to know and requests to delete), service providers, training and recordkeeping, verification of requests, special rules for minors, and nondiscrimination requirements.

    The final version of the proposed regulations, which are substantively unchanged from the March draft modifications (covered by InfoBytes here), include an updated statement of reasons summarizing the modifications and reiterating that the “stated bases for the necessity of the proposed regulations continue to apply to the regulations as adopted.”

    The AG also submitted an expedited review request, asking that the regulations take effect upon filing with the Secretary of State. The CCPA imposes a July 1 statutory deadline for the AG to adopt initial regulations. However, due to challenges imposed by the Covid-19 pandemic, California Executive Order N-40-20 allows the OAL 30 working days, plus an additional 60 calendar days to finalize proposed regulations. Because of this, the AG respectfully requested that the OAL complete its review within 30 days, given the July 1 deadline.

    State Issues California State Attorney General CCPA Privacy/Cyber Risk & Data Security Consumer Protection

    Share page with AddThis
  • California AG releases second set of modified proposed CCPA regulations

    State Issues

    On March 11, the California attorney general released a second set of draft modifications to the proposed regulations implementing the California Consumer Privacy Act (CCPA). These modifications follow the initial proposed regulations published last October and the first set of draft modifications published last month (covered by Buckley Special Alerts here and here). According to a notice issued by the California Department of Justice, these changes are in response to roughly 100 comments received by the Department to the proposed February modifications and are intended “to clarify and conform the proposed regulations to existing law.”

    Key modifications are as follows:

    • Personal Information. In the February modifications, a section was added to provide guidance regarding the interpretation of CCPA definitions and specifically defined the term “personal information” and provided an example of when IP addresses were not considered “personal information.” In the recent modifications, the Attorney General (AG) struck this section of the regulations.
    • Indirectly Receiving Personal Information. The modifications clarify that a business that does not collect personal information directly from a consumer is not required to provide a consumer with a notice at collection if it does not sell the consumer’s personal information.
    • Notice at Collection for Employees. The modifications clarify that the notice at collection of employment-related information is not required to include a link to the business’s privacy policy.
    • “Opt-Out Button” Button. The modifications strike a provision that previously provided a model for the opt-out button that companies could include on their websites as an additional way for consumers to opt out of selling their information, as well as information about when the button should be used.
    • Privacy Policy. The privacy policy section appears to have been updated to further align with the CCPA. In addition to the currently proposed disclosure requirements, the modifications provide that privacy policies also identify: (i) the categories of sources from which personal information is collected, and describe these categories in such a way that allows consumers to meaningfully understand the information being collected; and (ii) all business or commercial purposes for collecting or sending consumers’ personal information, and describe the purposes in a way that allows consumers to meaningfully understand why the information is collected and sold. Further, if a “business has actual knowledge that it sells the personal information of minors under 16 years of age,” it must provide a description of the processes as required by sections 999.330 and 999.331, which outline special rules regarding minors.
    • Responding to Requests to Know. While the regulations have made clear that there are certain types of data that a business must never disclose in response to a request to know, such as Social Security number, driver’s license or government ID number, biometric data, etc., the modifications clarify that when responding to a request to know, businesses must inform consumers “with sufficient particularity” that they have collected that type of information. The modifications provide the following example – the business must respond that it collects “unique biometric data including a fingerprint scan” without disclosing the actual fingerprint scan data.
    • Responding to Requests to Delete. The modifications provide that if a business denies a consumer’s request to delete, the business sells personal information, and the consumer has not already made a request to opt out of the sale, then the business must ask the consumer if he/she would like to opt out and include either the contents of, or a link to, the notice of right to opt-out.
    • Service Providers. The modifications clarify that a service provider may not retain, use, or disclose personal information obtained while providing services unless the information is used to “process or maintain personal information on behalf of the business that provided the personal information, or that directed the service provider to collect the personal information” and complies with the CCPA’s requirements for a written contract for services. The modifications also add that while the service provider may use the personal information to build or improve the quality of it services, it may not build or modify household or consumer profiles to use in providing services to another business.
    • Training: Record-Keeping. The modifications clarify that information retained for record-keeping purposes may not be shared with third parties “except as necessary to comply with a legal obligation.”
    • Authorized Agent. The modifications clarify that businesses shall not require consumers, or a consumer’s authorized agent, to pay a fee to verify requests to know or to delete.
    • Calculating the Value of Consumer Data. The modifications provide that for the purpose of calculating the value of consumer data, a business may consider the value of the data of all natural persons in the United States and not just consumers.

    Comments on the second set of proposed modifications are due by March 27. As a reminder, the CCPA became effective January 1.

    State Issues State Attorney General CCPA Regulation Consumer Protection Privacy/Cyber Risk & Data Security

    Share page with AddThis
  • California AG says federal privacy legislation should not include preemption

    State Issues

    On February 25, California Attorney General Xavier Becerra sent a letter to the chairmen and ranking members of the Senate Committee on Commerce, Science and Transportation and the House Committee on Energy and Commerce, asking lawmakers to not preempt state laws as they draft federal privacy legislation. While Becerra expressed his appreciation for Congress’ efforts to address consumer privacy issues through legislation, he stated, “I encourage Congress to favor legislation that sets a federal privacy-protection floor rather than a ceiling, allowing my state—and others that may follow—the opportunity to provide further protections tailored to our residents.” To emphasize his position, Becerra provided an update on the California Consumer Privacy Act (CCPA), which confers significant new privacy rights to California consumers concerning the collection, use, disclosure, and sale of their personal information by covered businesses, service providers, and third parties. The CCPA took effect January 1 but will not be enforced until July 1 following promulgation of the attorney general’s CCPA regulations. (See continuing InfoBytes coverage on the CCPA here.)

    Becerra outlined several criteria for Congress to consider when drafting privacy legislation, encouraging Congress to “develop a final bill that builds on the rights afforded by [the] CCPA” as well as the additional guidance within the proposed regulations. These include the right for consumers to (i) “access, correct, and delete personal information that has been collected”; (ii) “minimize data collection, processing, and retention”; (iii) “data portability among services”; and (iv) “know what data is collected and processed and for what reasons.” In addition, Becerra stated that Congress should make clear that state attorneys general have “parallel enforcement authority” and that consumers are granted a private right of action to protect their rights.

    State Issues State Attorney General CCPA Privacy/Cyber Risk & Data Security

    Share page with AddThis
  • Special Alert: California attorney general modifies proposed CCPA regulations

    State Issues

    The California attorney general last week released modifications to the proposed regulations announced last October (covered by a Buckley Special Alert) implementing the California Consumer Privacy Act (CCPA). The CCPA—enacted in June 2018 (also covered by a Buckley Special Alert) and amended several times—became effective Jan. 1.


    This Special Alert contains a summary of key modifications to the proposed regulations.

    * * *

    Click here to read the full special alert.

    If you have any questions regarding the CCPA or other related issues, please visit our Privacy, Cyber Risk & Data Security practice page or contact a Buckley attorney with whom you have worked in the past.

    State Issues State Attorney General CCPA Special Alerts Regulation Consumer Protection Privacy/Cyber Risk & Data Security

    Share page with AddThis
  • California outlines new data privacy rights

    State Issues

    On January 6, the California attorney general issued an advisory explaining consumers’ rights under the California Consumer Privacy Act (CCPA), which took effect January 1. (See previous InfoBytes coverage on the CCPA here.) These rights include (i) the right to request from businesses what personal information they collect, use, share, or sell; (ii) the right to request that businesses and their service providers delete one’s personal information; (iii) the right to opt out of businesses’ disclosure of one’s personal information via “Do Not Sell” links on businesses’ websites and mobile apps; (iv) the right of children younger than 16 to have businesses disclose their personal information only after receiving the child’s opt-in consent (though parents or guardians may consent for children under 13); and (v) the right to non-discrimination should a consumer exercise his or her privacy rights under the CCPA.

    In addition to enumerating these consumer rights, the advisory specifies the types of businesses subject to the CCPA, provides information on the state’s data broker registry, and describes consumers’ private right of action in the event of a data breach.

    State Issues State Attorney General Privacy/Cyber Risk & Data Security CCPA State Regulation

    Share page with AddThis
  • California governor signs CCPA amendments

    State Issues

    On October 11, the California governor signed several amendments to the California Consumer Privacy Act (CCPA) and other privacy-related bills. As previously covered by a Buckley Special Alert, AB 874, AB 1355, AB 1146, AB 25, and AB 1564 leave the majority of the consumer’s rights intact in the CCPA and clarify certain provisions—including the definition of “personal information.” Other exemptions were added or clarified regarding the collection of certain data that have a bearing on financial services companies. Notable revisions to the CCPA include the (i) “personal information” definition; (ii) FCRA exemption; (iii) employee exemption; (iv) business individual exemption; (v) verification and delivery requirements; (vi) privacy policy and training requirements; (vii) collection of information; and (viii) vehicle/ownership information exemption. The various amendments are effective on January 1, 2020, the same day the CCPA becomes effective.

    Additionally, on October 10, the California attorney general released the highly anticipated proposed regulations implementing the CCPA. See the Buckley Special Alert for details of the proposed regulations.

    State Issues Privacy/Cyber Risk & Data Security State Legislation State Attorney General FCRA State Regulation CCPA

    Share page with AddThis
  • Special Alert: California attorney general releases proposed CCPA regulations

    Privacy, Cyber Risk & Data Security

    Buckley Special Alert

    Last week, the California attorney general released the highly anticipated proposed regulations implementing the California Consumer Privacy Act (CCPA). The CCPA — which was enacted in June 2018 (covered by a Buckley Special Alert), amended several times and with the most recent amendments signed into law on Oct. 11, and is currently set to take effect on Jan. 1, 2020 — directed the California attorney general to issue regulations to further the law’s purpose.

    * * *

    Click here to read the full special alert.

    If you have any questions about the CCPA or other related issues, please visit our Privacy, Cyber Risk & Data Security practice page, or contact a Buckley attorney with whom you have worked in the past.

    Privacy/Cyber Risk & Data Security State Issues CCPA State Attorney General State Regulators Special Alerts Of Interest to Non-US Persons CCPA/EU

    Share page with AddThis
  • California attorney general releases proposed CCPA regulations

    Privacy, Cyber Risk & Data Security

    On October 10, the California attorney general released the highly anticipated proposed regulations implementing the California Consumer Privacy Act (CCPA). The CCPA—which was enacted in June 2018 (covered by a Buckley Special Alert), amended in September 2018, amended again in October 2019 (pending Governor Gavin Newsom’s signature), and is currently set to take effect on January 1, 2020 (Infobytes coverage on the amendments available here and here)—directed the California attorney general to issue regulations to further the law’s purpose. The proposed regulations address a variety of topics related to the law, including:

    • How a business should provide disclosures required by the CCPA, such as the notice at collection of personal information, the notice of financial incentive, the privacy policy, and the opt-out notice;
    • The handling of consumer requests made under the CCPA, such as requests to know, requests to delete, and requests to opt-out;
    • Service provider classification and obligations;
    • The process for verifying consumer requests;
    • Training and recordkeeping requirements; and
    • Special requirements related to minors.

    The California attorney general will hold four public hearings between December 2 and December 5 on the proposed regulations. Written comments are due by December 6.

    Notably, the Notice of Proposed Rulemaking states that “the adoption of these regulations may have a significant, statewide adverse economic impact directly affecting business, including the ability of California businesses to compete with businesses in other states” and requests that the public consider, among other things, different compliance requirements depending on a business’s resources or potential exemptions from the regulatory requirements for businesses when submitting comments on the proposal.   

    Buckley will follow up with a more detailed summary of the proposed regulations soon.

    Privacy/Cyber Risk & Data Security State Issues State Attorney General CCPA State Legislation Agency Rule-Making & Guidance

    Share page with AddThis
  • Ballot initiative seeks to expand CCPA, create new enforcement agency

    Privacy, Cyber Risk & Data Security

    On September 25, Alastair Mactaggart, the Founder and Chair of the Californians for Consumer Privacy and the drafter of the initiative that ultimately resulted in the California Consumer Privacy Act (CCPA), announced a newly filed ballot measure to further expand the CCPA (currently effective on January 1, 2020), titled the “California Privacy Rights and Enforcement Act of 2020” (the Act) (an additional version of the Act is available with comments from McTaggart’s team). The Act would result in significant amendments to the CCPA, including the following, among others

    • Sensitive personal information. The Act sets forth additional obligations in connection with a business’s collection, use, sale, or disclosure of “sensitive personal information,” which is a new term introduced by the Act. “Sensitive personal information” includes categories such as health information; financial information (stated as, “a consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account”); racial or ethnic origin; precise geolocation; or other data collected and analyzed for the purpose of identifying such information.
    • Disclosure of sensitive personal information. The Act expands on the CCPA’s disclosure requirements to include, among other things, a requirement for businesses to specify the categories of sensitive personal information that will be collected, disclose the specific purposes for which the categories of sensitive personal information are collected or used, and disclose whether such information is sold. In addition, the Act prohibits a business from collecting additional categories of sensitive personal information or use sensitive personal information collected for purposes that are incompatible with the disclosed purpose for which the information was collected, or other disclosed purposes reasonably related to the original purpose for which the information was collected, unless notice is provided to the consumer.
    • Contractual requirements. The Act sets forth additional contractual requirements and obligations that apply when a business sells personal information to a third party or discloses personal information to a service provider or contractor for a business purpose. Among other things, the Act obligates the third party, service provider, or contractor to provide at least the same level of privacy protection required by the Act. The contract must also require the third party, service provider, or contractor to notify the business if it makes a determination that it can no longer meet its obligation to protect the personal information as required by the Act.
    • Eligibility for financial or lending services. The Act would require a business that collects personal information to disclose whether the business is profiling consumers and using their personal information for purposes of determining eligibility for, among other things, financial or lending services, housing, and insurance, as well as “meaningful information about the logic involved in using consumers’ personal information for this purpose.” Additionally, the business appears required to state in its privacy policy notice if such profiling had, or could reasonably have been expected to have, a significant, adverse effect on the consumers with respect to financial lending and loans, insurance, or any other specific categories that are enumerated. Notably, while Mactaggart has expressed heightened concern with sensitive personal information, such as health and financial information, the Act appears to retain the CCPA’s current exemptions under the Fair Credit Reporting Act and the Gramm-Leach-Bliley Act.
    • Advertising and marketing opt-out. The Act includes a consumer’s right to opt-out, at any time, of the business’s use of their sensitive personal information for advertising and marketing or disclosure of personal information to a service provider or contractor for the same purposes. The Act requires that businesses provide notice to consumers that their sensitive personal information may be used or disclosed for advertising or marketing purposes and that the consumers have “the right to opt-out” of its use or disclosure. “Advertising and marketing” means a communication by a business or a person acting on the business’s behalf in any medium intended to induce a consumer to buy, rent, lease, join, use, subscribe to, apply for, provide, or exchange products, goods, property, information, services, or employment.
    • Affirmative consent for sale of sensitive personal information. The Act expands on the CCPA’s opt-out provisions and prohibits businesses from selling a consumer’s sensitive personal information without actual affirmative authorization.
    • Right to correct inaccurate information. The Act provides consumers with the right to require a business to correct inaccurate personal information.
    • Definition of business.  The Act revises the definition of “business” to:
      • Clarify that the time period for calculating annual gross revenues is based on the prior calendar year; 
      • Provide that an entity meets the definition of “business” if the entity, in relevant part, alone or in combination, annually buys the personal information of 100,000 or more consumers or households;
      • Include a joint venture or partnership composed of business in which each business has at least a 40% interest; and
      • Provides a catch-all for businesses not covered by the foregoing bullets.
    • The “California Privacy Protection Agency.” The Act creates the California Privacy Protection Agency, which would have the power, authority, and jurisdiction to implement and enforce the CCPA (powers that are currently vested in the attorney general). The Act states that the Agency would have five members, including a single Chair, and the members would be appointed by the governor, the attorney general, and the leaders of the senate and assembly.

    If passed, the Act would become operative on January 1, 2021 and would apply to personal information collected by a business on or after January 1, 2020.

    As previously covered by a Buckley Special Alert, on September 13, lawmakers in California passed numerous amendments to the CCPA, which are awaiting Governor Gavin Newsom’s signature, who has until October 13 to sign. The amendments leave the majority of the consumer’s rights intact, but certain provisions were clarified — including the definition of “personal information” — while other exemptions were clarified regarding the collection of certain data that have a bearing on financial services companies.

     

     

    Privacy/Cyber Risk & Data Security State Issues State Legislation State Attorney General CCPA

    Share page with AddThis

Pages