InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Special Alert: California attorney general modifies proposed CCPA regulations
The California attorney general last week released modifications to the proposed regulations announced last October (covered by a Buckley Special Alert) implementing the California Consumer Privacy Act (CCPA). The CCPA—enacted in June 2018 (also covered by a Buckley Special Alert) and amended several times—became effective Jan. 1.
This Special Alert contains a summary of key modifications to the proposed regulations.* * *
Click here to read the full special alert.
If you have any questions regarding the CCPA or other related issues, please visit our Privacy, Cyber Risk & Data Security practice page or contact a Buckley attorney with whom you have worked in the past.California outlines new data privacy rights
On January 6, the California attorney general issued an advisory explaining consumers’ rights under the California Consumer Privacy Act (CCPA), which took effect January 1. (See previous InfoBytes coverage on the CCPA here.) These rights include (i) the right to request from businesses what personal information they collect, use, share, or sell; (ii) the right to request that businesses and their service providers delete one’s personal information; (iii) the right to opt out of businesses’ disclosure of one’s personal information via “Do Not Sell” links on businesses’ websites and mobile apps; (iv) the right of children younger than 16 to have businesses disclose their personal information only after receiving the child’s opt-in consent (though parents or guardians may consent for children under 13); and (v) the right to non-discrimination should a consumer exercise his or her privacy rights under the CCPA.
In addition to enumerating these consumer rights, the advisory specifies the types of businesses subject to the CCPA, provides information on the state’s data broker registry, and describes consumers’ private right of action in the event of a data breach.
California governor signs CCPA amendments
On October 11, the California governor signed several amendments to the California Consumer Privacy Act (CCPA) and other privacy-related bills. As previously covered by a Buckley Special Alert, AB 874, AB 1355, AB 1146, AB 25, and AB 1564 leave the majority of the consumer’s rights intact in the CCPA and clarify certain provisions—including the definition of “personal information.” Other exemptions were added or clarified regarding the collection of certain data that have a bearing on financial services companies. Notable revisions to the CCPA include the (i) “personal information” definition; (ii) FCRA exemption; (iii) employee exemption; (iv) business individual exemption; (v) verification and delivery requirements; (vi) privacy policy and training requirements; (vii) collection of information; and (viii) vehicle/ownership information exemption. The various amendments are effective on January 1, 2020, the same day the CCPA becomes effective.
Additionally, on October 10, the California attorney general released the highly anticipated proposed regulations implementing the CCPA. See the Buckley Special Alert for details of the proposed regulations.
Special Alert: California attorney general releases proposed CCPA regulations
Buckley Special Alert
Last week, the California attorney general released the highly anticipated proposed regulations implementing the California Consumer Privacy Act (CCPA). The CCPA — which was enacted in June 2018 (covered by a Buckley Special Alert), amended several times and with the most recent amendments signed into law on Oct. 11, and is currently set to take effect on Jan. 1, 2020 — directed the California attorney general to issue regulations to further the law’s purpose.
* * *
Click here to read the full special alert.
If you have any questions about the CCPA or other related issues, please visit our Privacy, Cyber Risk & Data Security practice page, or contact a Buckley attorney with whom you have worked in the past.
California attorney general releases proposed CCPA regulations
On October 10, the California attorney general released the highly anticipated proposed regulations implementing the California Consumer Privacy Act (CCPA). The CCPA—which was enacted in June 2018 (covered by a Buckley Special Alert), amended in September 2018, amended again in October 2019 (pending Governor Gavin Newsom’s signature), and is currently set to take effect on January 1, 2020 (Infobytes coverage on the amendments available here and here)—directed the California attorney general to issue regulations to further the law’s purpose. The proposed regulations address a variety of topics related to the law, including:
- How a business should provide disclosures required by the CCPA, such as the notice at collection of personal information, the notice of financial incentive, the privacy policy, and the opt-out notice;
- The handling of consumer requests made under the CCPA, such as requests to know, requests to delete, and requests to opt-out;
- Service provider classification and obligations;
- The process for verifying consumer requests;
- Training and recordkeeping requirements; and
- Special requirements related to minors.
The California attorney general will hold four public hearings between December 2 and December 5 on the proposed regulations. Written comments are due by December 6.
Notably, the Notice of Proposed Rulemaking states that “the adoption of these regulations may have a significant, statewide adverse economic impact directly affecting business, including the ability of California businesses to compete with businesses in other states” and requests that the public consider, among other things, different compliance requirements depending on a business’s resources or potential exemptions from the regulatory requirements for businesses when submitting comments on the proposal.
Buckley will follow up with a more detailed summary of the proposed regulations soon.
Ballot initiative seeks to expand CCPA, create new enforcement agency
On September 25, Alastair Mactaggart, the Founder and Chair of the Californians for Consumer Privacy and the drafter of the initiative that ultimately resulted in the California Consumer Privacy Act (CCPA), announced a newly filed ballot measure to further expand the CCPA (currently effective on January 1, 2020), titled the “California Privacy Rights and Enforcement Act of 2020” (the Act) (an additional version of the Act is available with comments from McTaggart’s team). The Act would result in significant amendments to the CCPA, including the following, among others
- Sensitive personal information. The Act sets forth additional obligations in connection with a business’s collection, use, sale, or disclosure of “sensitive personal information,” which is a new term introduced by the Act. “Sensitive personal information” includes categories such as health information; financial information (stated as, “a consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account”); racial or ethnic origin; precise geolocation; or other data collected and analyzed for the purpose of identifying such information.
- Disclosure of sensitive personal information. The Act expands on the CCPA’s disclosure requirements to include, among other things, a requirement for businesses to specify the categories of sensitive personal information that will be collected, disclose the specific purposes for which the categories of sensitive personal information are collected or used, and disclose whether such information is sold. In addition, the Act prohibits a business from collecting additional categories of sensitive personal information or use sensitive personal information collected for purposes that are incompatible with the disclosed purpose for which the information was collected, or other disclosed purposes reasonably related to the original purpose for which the information was collected, unless notice is provided to the consumer.
- Contractual requirements. The Act sets forth additional contractual requirements and obligations that apply when a business sells personal information to a third party or discloses personal information to a service provider or contractor for a business purpose. Among other things, the Act obligates the third party, service provider, or contractor to provide at least the same level of privacy protection required by the Act. The contract must also require the third party, service provider, or contractor to notify the business if it makes a determination that it can no longer meet its obligation to protect the personal information as required by the Act.
- Eligibility for financial or lending services. The Act would require a business that collects personal information to disclose whether the business is profiling consumers and using their personal information for purposes of determining eligibility for, among other things, financial or lending services, housing, and insurance, as well as “meaningful information about the logic involved in using consumers’ personal information for this purpose.” Additionally, the business appears required to state in its privacy policy notice if such profiling had, or could reasonably have been expected to have, a significant, adverse effect on the consumers with respect to financial lending and loans, insurance, or any other specific categories that are enumerated. Notably, while Mactaggart has expressed heightened concern with sensitive personal information, such as health and financial information, the Act appears to retain the CCPA’s current exemptions under the Fair Credit Reporting Act and the Gramm-Leach-Bliley Act.
- Advertising and marketing opt-out. The Act includes a consumer’s right to opt-out, at any time, of the business’s use of their sensitive personal information for advertising and marketing or disclosure of personal information to a service provider or contractor for the same purposes. The Act requires that businesses provide notice to consumers that their sensitive personal information may be used or disclosed for advertising or marketing purposes and that the consumers have “the right to opt-out” of its use or disclosure. “Advertising and marketing” means a communication by a business or a person acting on the business’s behalf in any medium intended to induce a consumer to buy, rent, lease, join, use, subscribe to, apply for, provide, or exchange products, goods, property, information, services, or employment.
- Affirmative consent for sale of sensitive personal information. The Act expands on the CCPA’s opt-out provisions and prohibits businesses from selling a consumer’s sensitive personal information without actual affirmative authorization.
- Right to correct inaccurate information. The Act provides consumers with the right to require a business to correct inaccurate personal information.
- Definition of business. The Act revises the definition of “business” to:
- Clarify that the time period for calculating annual gross revenues is based on the prior calendar year;
- Provide that an entity meets the definition of “business” if the entity, in relevant part, alone or in combination, annually buys the personal information of 100,000 or more consumers or households;
- Include a joint venture or partnership composed of business in which each business has at least a 40% interest; and
- Provides a catch-all for businesses not covered by the foregoing bullets.
- The “California Privacy Protection Agency.” The Act creates the California Privacy Protection Agency, which would have the power, authority, and jurisdiction to implement and enforce the CCPA (powers that are currently vested in the attorney general). The Act states that the Agency would have five members, including a single Chair, and the members would be appointed by the governor, the attorney general, and the leaders of the senate and assembly.
If passed, the Act would become operative on January 1, 2021 and would apply to personal information collected by a business on or after January 1, 2020.
As previously covered by a Buckley Special Alert, on September 13, lawmakers in California passed numerous amendments to the CCPA, which are awaiting Governor Gavin Newsom’s signature, who has until October 13 to sign. The amendments leave the majority of the consumer’s rights intact, but certain provisions were clarified — including the definition of “personal information” — while other exemptions were clarified regarding the collection of certain data that have a bearing on financial services companies.
Special Alert: California Legislature passes several amendments to the California Consumer Privacy Act and other privacy-related bills
Lawmakers in California last week amended the landmark California Consumer Privacy Act (CCPA or the Act), which confers significant new privacy rights to California consumers concerning the collection, use, disclosure, and sale of their personal information by covered businesses, service providers, and third parties. While the amendments, which California Governor Gavin Newsom must sign by October 13, leave the majority of the consumer’s rights intact, certain provisions were clarified — including the definition of “personal information” — while other exemptions were added or clarified regarding the collection of certain data that have a bearing on financial services companies.
This Special Alert provides an overview and status update of CCPA-related and other privacy bills that were recently considered by the California legislature.* * *
Click here to read the full special alert.
If you have any questions about the CCPA or other related issues, please visit our Privacy, Cyber Risk & Data Security practice page, or contact a Buckley attorney with whom you have worked in the past.FTC Commissioners discuss state privacy preemption
On May 8, the FTC Commissioners participated in a subcommittee hearing before the House Committee on Energy and Commerce entitled, “Oversight of the Federal Trade Commission: Strengthening Protections for Americans’ Privacy and Data Security.” During the hearing, the Commissioners were questioned about the agency’s privacy and data security enforcement and regulatory activities, including whether they would support preemption of state privacy laws by a federal privacy statute. Using the California Consumer Privacy Act (covered by InfoBytes here) as an example, some Congressmen worried about the prospect of conflicting privacy legislation in other states, creating “confusion and uncertainty in the business community.”
Split along party lines, Democratic Commissioners expressed caution with federal preemption of state privacy laws; Commissioner Chopra, citing to federal preemption laws leading up to the mortgage crisis, warned of “unintended consequences.” Democratic Commissioner Slaughter recognized the “desire for uniformity, consistency, clarity, and predictability” that a federal law would provide, but noted that the appropriateness of preemption should be based on “whether a federal law meets or exceeds…the level of protections that states can provide and whether it allows them the opportunity to fill any gaps that may remain after a federal law is developed.” Republican Commissioners stressed the importance of having a federal law that would preempt the current “patchwork” of state laws, which Commissioner Phillips argued is “essential” in order to provide businesses clarity and reduced compliance costs, while also providing consumers with more power to understand expectations. FTC Chairman Simons noted that even if federal law preempts state privacy laws, Congress should grant concurrent enforcement authority to the states’ attorneys general.
The hearing also discussed, among other things, (i) the need for additional resources to increase agency staff focused on privacy issues; (ii) giving the FTC authority to levy civil money penalties, as Section 5 of the FTC act does not allow the Commission to seek civil penalties for first-time privacy violations; and (iii) the need for targeted rule-making authority.
California AG seeks to strengthen the California Consumer Privacy Act
On February 25, the California Attorney General announced a legislative proposal that would amend several aspects of the California Consumer Privacy Act (CCPA). The CCPA was originally enacted in June 2018 (covered by a Buckley Special Alert) and subsequently amended in September 2018 (covered by InfoBytes here). The CCPA, which carries an effective date of January 1, 2020, on most provisions, sets forth various requirements for businesses that collect, transfer, or sell a consumer’s personal information. Under SB 561, which was introduced on February 22, the law would be amended to (i) expand the right of California citizens to bring private legal actions, removing aspects of the law that provided exclusivity to the AG; (ii) remove provisions that would allow companies to request guidance from the California AG on how to comply with the law, instead allowing the AG to publish general guidance; and (iii) would allow enforcement actions to be brought immediately, removing the 30-day cure window.
Consumer advocates testify before Senate Commerce Committee on need for federal consumer data privacy legislation
On October 10, the Senate Committee on Commerce, Science, and Transportation held the second in a series of hearings on the subject of consumer data privacy safeguards. The hearing entitled “Consumer Data Privacy: Examining Lessons From the European Union’s General Data Protection Regulation and the California Consumer Privacy Act” heard from consumer privacy advocates on lessons from the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) of 2018, and what types of consumer protections should be considered in future federal legislation. Committee Chairman, Senator John Thune, opened the hearing by emphasizing the importance of promoting privacy without stifling innovation. Senator Thune stated that, while understanding the experience of technology and telecommunications companies in this space is important, any new federal privacy law must also incorporate views from affected industry stakeholders and consumer advocates.
The consumer privacy advocate witnesses agreed there is a need for heightened consumer protections and rights, and that the time is ripe to have a debate on what a consumer data privacy law at the federal level would look like and how it would work with state level laws. However, witnesses cautioned that federal legislation should create a floor and not a ceiling for privacy that will not prevent states from passing their own privacy laws. One of the witnesses who led the effort behind the California ballot initiative that resulted in the CCPA emphasized that federal legislation should contain a robust enforcement mechanism, while a witness from the Center for Democracy & Technology said that (i) lawmakers should give the FTC the ability to fine companies that violate consumers’ privacy and provide the agency with more resources; and (ii) a federal law should cover entities of all sizes and clarify what secondary and third-party uses of data are permissible.
Among other things, the hearing also discussed topics addressing: (i) GDPR open investigations; (ii) support for state Attorney General enforcement rights; (iii) privacy protections for children, including the strengths and weaknesses of the Children’s Online Privacy Protection Act, particularly with respect to children ages 13 and older; and (iv) consumers’ rights to control their personal data.