On July 8, the California Privacy Protection Agency (CPPA) initiated formal rulemaking procedures to adopt proposed regulations implementing the Consumer Privacy Rights Act of 2020 (CPRA), a law amending and building on the California Consumer Privacy Act (CCPA). As previously covered by InfoBytes, the CPRA (largely effective January 1, 2023, with enforcement delayed until July 1, 2023) was approved by ballot measure in November 2020. Earlier this year, the CPPA provided an update on the CPRA rulemaking process, announcing its intention to finalize rulemaking in the third or fourth quarter of 2022 (covered by InfoBytes here). While the CPRA established a July 1, 2022 deadline for rulemaking, CPPA Executive Director Ashkan Soltani stated during a February meeting that the rulemaking process will extend into the second half of the year.
The July proposed regulations modify definitions in the CCPA regulations; outline restrictions on the collection and use of personal information; provide disclosure and communications requirements; describe requirements for submitting CCPA requests and obtaining consumer consent; amend required privacy notices; provide instructions for the Notice of Right to Limit Use of Sensitive Personal Information; amend methods for handling consumer requests to delete, correct, and know; set forth requirements for opt-out preference signals; and address consumer requests for limiting the use and disclosure of sensitive personal information. Comprehensive details of the modified provisions and proposed regulations are available in previous InfoBytes coverage here.
The CPPA stated in its notice of proposed rulemaking that the proposed regulations serve three primary purposes: to (i) “update existing CCPA regulations to harmonize them with CPRA amendments to the CCPA”; (ii) “operationalize new rights and concepts introduced by the CPRA to provide clarity and specificity to implement the law”; and (iii) “reorganize and consolidate requirements set forth in the law to make the regulations easier to follow and understand.” The CPPA emphasized that the proposed regulations are designed to factor in privacy laws in other jurisdictions and “implement compliance with the CCPA in such a way that it would not contravene a business’s compliance with other privacy laws, such as the General Data Protection Regulation (GDPR) in Europe and consumer privacy laws recently passed in Colorado, Virginia, Connecticut, and Utah.” This design, the CPPA said, will simplify compliance for businesses operating across jurisdictions and avoid unnecessary confusion for consumers who may not understand which laws apply to them.
A hearing on the proposed regulations is scheduled for August 24 and 25. Comments are due August 23.
Recently, in advance of its June 8 board meeting, the California Privacy Protection Agency (CPPA) Board posted draft regulations to implement the California Privacy Rights Act (CPRA). As previously covered by InfoBytes, the CPRA (largely effective January 1, 2023, with enforcement delayed until July 1, 2023) was approved by ballot measure in November 2020. Earlier this year, the CPPA provided an update on the CPRA rulemaking process, announcing its intention to finalize rulemaking in the third or fourth quarter of 2022 (covered by InfoBytes here). While the CPRA established a July 1, 2022 deadline for rulemaking, CPPA Executive Director Ashkan Soltani stated during the February meeting that the rulemaking process will extend into the second half of the year. An updated formal rulemaking timeline may be released during the June 8 meeting.
The draft regulations, which were introduced outside of the rulemaking process, set forth a working draft of the regulations to implement the CPRA and modify certain provisions and propose new regulations, including:
- Adding, amending, and striking certain definitions. The CPRA draft regulations modify the definitions in the CCPA regulations. Specifically, the amendments strike “affirmative authorization” and “household” from the list of definitions, but add new terms such as “disproportionate effect,” “first party,” “frictionless manner,” “notice of right to limit,” “opt-out preference signal,” as well as terms related to a consumer’s right to request to correct, opt-in to sale/sharing, delete, know, or limit.
- Outlining restrictions on the collection and use of personal information. The draft regulations state that a business’s collection, use, retention, and/or sharing of a consumer’s personal information must be “reasonably necessary and proportionate,” and “must be consistent with what an average consumer would expect when the personal information was collected.” Businesses also must obtain a consumer’s explicit consent prior to collecting, using, retaining, and/or sharing the personal information for any purpose that is unrelated to or incompatible with the original purpose for which the personal information was collected or processed.
- Providing disclosure and communications requirements. Disclosures and communications are required to be easy to read and understandable to consumers, be available in languages in which the business ordinarily provides information, and be reasonably accessible to consumers with disabilities. The draft regulations also stipulate requirements for website and mobile application links.
- Describing requirements for submitting CCPA requests and obtaining consumer consent. The draft regulations set forth methods for submitting CCPA requests and obtaining consumer consent, including requirements regarding the manner in which such requests and consents may be obtained. For example, the requests and consents must be easy to understand, must include symmetry in choice, and avoid confusing and manipulative language. Methods that do not comply with these requirements may be considered a “dark pattern” and will not constitute consumer consent.
- Amending requirements related to a business’s privacy notice. The draft regulations would amend the requirements related to the information that must be included in a privacy notice related to a business’s online and offline practices regarding the collection, use, sale, sharing, and retention of personal information; and an explanation of CPRA rights conferred on consumers regarding their personal information, how they can exercise their rights, and what they can expect from this process.
- Amending notices required by the CCPA. The draft regulations set forth additional requirements related to the notice at collection, the notice of right to opt-out of sale/sharing, and the “Do Not Sell or Share My Personal Information” link, such as updates to the content of the notices, the location of the notices/links, and the effects of certain requests (e.g., “clicking the business’s ‘Do Not Sell or Share My Personal Information’ link will either have the immediate effect of opting the consumer out of the sale or sharing of personal information or lead the consumer to a webpage where the consumer can learn about and make that choice”). The draft regulations would also amend the notice of financial incentive.
- Providing instructions for the Notice of Right to Limit Use of Sensitive Personal Information. The draft regulations outline requirements for businesses to comply with a consumer’s rights to limit the use of sensitive personal information. They also provide businesses the option to use an alternative opt-out link to allow “consumers to easily exercise both their right to opt-out of sale/sharing and right to limit, instead of posting the two separate…links.”
- Amending methods for handling consumer requests to delete, correct, and know. The draft regulations outline additional documentation requirements, as well as guidance on responding to consumer requests, including explanations for denying a request. Notably, in response to a request to know, “a business shall provide all the personal information it has collected and maintains about the consumer on or after January 1, 2022, including beyond the 12-month period preceding the business’s receipt of the request, unless doing so proves impossible or would involve disproportionate effort.” Additionally, a company that intends to collect additional categories of information that are “incompatible” with the originally disclosed purpose must provide a new notice at collection and obtain new consent.
- Opt-out preference signals. The draft regulations set forth requirements for opt-out preference signals and how businesses should respond to such preferences. Specifically, the draft regulations provide that processing an opt-out preference must be done in a “frictionless manner” and includes examples.
- Addressing consumer requests for limiting the use and disclosure of sensitive personal information. Businesses will be required to provide two or more designated methods for submitting requests to limit and must, among other things, comply with a request to limit “as soon as feasibly possible, but no later than 15 business days from the date the business receives the request.” All service providers, contractors, and third parties must comply as well. The regulations set forth exceptions to the limitations for using and disclosing sensitive personal information.
The draft regulations also amend provisions related to contract requirements for service providers/contractors/third parties, verification of requests, authorized agents, minor consumers, discriminatory practices, requirements for businesses collecting large amounts of personal information, and investigations and enforcement.
On March 10, the California Office of the Attorney General (OAG) issued an opinion on the question of whether, under the California Consumer Privacy Act (CCPA), a consumer’s right to know the specific pieces of personal information collected by a covered business about that consumer applies to internally generated inferences that the business holds about the consumer from either internal or external information sources. According to the OAG, the answer is yes—consumers have the right to know internally generated inferences about themselves, and a business must provide such information upon request, unless a business can demonstrate an applicable CCPA statutory exception. The CCPA, which was enacted in June 2018 and became effective January 1, 2020 (covered by a Buckley Special Alert), provides California consumers with new rights of control over the personal information held about them (with certain exceptions), including the right to know what information is being collected and how a business uses and shares that information, the right to delete personal information, and the right to opt out of certain transfers and sales of their personal information. The OAG noted that while the Consumer Privacy Rights Act of 2020 will become fully operative January 1, 2023, none of the act’s amendments to the CCPA will change the conclusions presented in the opinion.
The OAG’s opinion defines “inference” under the CCPA to mean “the derivation of information, data, assumptions, or conclusions from facts, evidence, or another source of information or data.” Example inferences such as “married,” “homeowner,” “online shopper,” or “likely voter,” the OAG explained, are derived from information collected by businesses such as online transactions, social network posts, or public records. The OAG noted that some businesses also use proprietary methods to create inferences and “then sell or transfer the inferences to others for commercial purposes,” thus allowing, according to studies, “seemingly innocuous data points” to be combined with other data points “to deduce startlingly personal characteristics.” According to the OAG’s interpretation of the plain language of the CCPA, as well as legislative history, businesses are generally required “to disclose internally generated inferences to consumers” “regardless of whether the inferences were generated internally by the responding business or obtained by the responding business from another source.”
The OAG further explained that inferences are “personal information” for purposes of the CCPA, and therefore must be disclosed provided two conditions exist: (i) “the inference is drawn ‘from any of the information identified’” in subdivision (o) of Civil Code section 1798.140, which includes, among other things, personal identifiers such as names, addresses, account numbers, or identification numbers, customer records, age, gender, race, or religion, as well as inferences obtained from any of the provided items; and (ii) “the inference is used to ‘create a profile about a consumer,’ or in other words to predict a salient consumer characteristic.” For the purposes of responding to a consumer’s request to know, the OAG stated that “it does not matter whether the business gathered the information from the consumer, found the information in public repositories, bought the information from a broker, inferred the information through some proprietary process of the business’s own invention, or any combination thereof.” The business is required to disclose the personal information it holds to the consumer upon request. The OAG noted, however, that the CCPA does not require businesses to disclose protected trade secrets used to derive their inferences, provided the business demonstrates “that such inferences are indeed trade secrets under the applicable law.”
On February 17, the California Privacy Protection Agency (CPPA) Board held a public meeting to provide an update on the California Privacy Rights Act (CPRA or the Act) rulemaking process. According to sources, the CPPA, which was established under the CPRA, stated it intends to finalize rulemaking in the third or fourth quarter of 2022. As previously covered by InfoBytes, last September, the CPPA formally called on stakeholders to provide preliminary comments on proposed CPRA rulemaking. The Act (effective January 1, 2023, with enforcement delayed until July 1, 2023) was approved by ballot measure in November 2020 (covered by InfoBytes here) and amended the existing California Consumer Privacy Act. The invitation for comments highlighted several areas of interest for the CPPA, including topics concerning cybersecurity audits and risk assessments, automated decision-making, consumer privacy rights and requests to know, sensitive personal information, and dark patterns. While the CPRA established a July 1, 2022 deadline for rulemaking, CPPA Executive Director Ashkan Soltani stated during the meeting that the rulemaking process will extend into the second half of the year. Soltani noted that preliminary and informational proceedings will take place sometime this March and April, and will include instructive sessions with various subject matter experts and public sessions to obtain stakeholder input, and will take into account responses from the comment solicitation period that ended November 8, 2021. Following these proceedings, the Board will begin the formal rulemaking process during the second and third quarters, with final rules being finished by the end of the year. Soltani acknowledged that while the Board is behind schedule with respect to the July deadline, the CPPA expects to use the extra time to fill open positions at the agency.
On October 5, the California governor signed AB 694. The bill clarifies that the California Privacy Protection Agency (which was given “full administrative power, authority, and jurisdiction to implement and enforce the [California Consumer Privacy Act]”) would assume responsibility for rulemaking “on or after the later of July 1, 2021, or within six months of the agency providing the Attorney General with notice that it is prepared to assume rulemaking.” As previously covered by InfoBytes, last month the CPPA formally called on stakeholders to provide preliminary comments on proposed Consumer Privacy Rights Act rulemaking. However, the CPPA noted that the invitation for comments is not a proposed rulemaking action and stated that the public will have additional opportunities to provide comments on proposed regulations or modifications when it proceeds with a notice of proposed rulemaking action.
According to sources, Ashkan Soltani, a former chief technologist at the FTC, has been named Executive Director of the California Privacy Protection Agency (CPPA). Among other things, Soltani was an architect of the California Consumer Privacy Act (CCPA). According to CPPA Chair Jennifer Urban, Soltani’s “background in technology and privacy, and his work on both the CCPA and the [California Privacy Rights Act (CPRA)] give him a thorough understanding of California privacy law and will stand him in good stead as he leads Agency staff and helps the Agency fulfill its privacy protection mandate.” As previously covered by InfoBytes, earlier this year, California’s governor announced appointments to the five-member inaugural board for the CPPA, consisting of experts in privacy, technology, and consumer rights. The CPPA is tasked with protecting the privacy rights of consumers over their personal information, and “will have full administrative power, authority, and jurisdiction to implement and enforce” the CCPA and the CPRA, including bringing enforcement actions before an administrative law judge.
On September 22, the California Privacy Protection Agency (CPPA) formally called on stakeholders to provide preliminary comments on proposed rulemaking under the California Privacy Rights Act (CPRA). The CPRA, which established the CPPA to administer, implement, and enforce the act, was approved by ballot measure in November 2020 (covered by InfoBytes here) and updated the existing California Consumer Privacy Act. The invitation for comments highlights several areas of interest for the CPPA as it begins the rulemaking process, including topics related to: (i) cybersecurity audits and risk assessments to be performed by businesses processing personal information that presents a significant risk to consumers’ privacy or security; (ii) matters concerning automated decision-making; (iii) audits performed by the CPPA; (iv) issues related to consumer rights, including consumers’ right to delete, right to correct, and right to know what personal data has been collected or shared, as well as consumers’ rights to opt-out of the selling or sharing of their personal information and to limit the use and disclosure of their sensitive personal information; (v) information to be provided when responding to a consumer’s request to know; and (vi) definitions and categories of information and activities, including what updates or additions should be added to “personal information,” “sensitive personal information,” “precise geolocation,” and “dark patterns,” among other terms. Comments must be submitted by November 8.
The CPRA will become effective January 1, 2023, with enforcement delayed until July 1, 2023. However, the CPRA will apply to personal information collected by a business on or after January 1, 2022. The CPPA notes that this invitation for comments is not a proposed rulemaking action and states that the public will have additional opportunities to provide comments on proposed regulations or modifications when it proceeds with a notice of proposed rulemaking action.
On March 15, the California attorney general announced approval of additional regulations implementing the California Consumer Privacy Act (CCPA). The CCPA—enacted in June 2018 (covered by a Buckley Special Alert) and amended several times—became effective January 1, 2020. According to the announcement, the newly approved amendments strengthen the language of the CCPA regulations approved by the Office of Administrative Law (OAL) last August (covered by InfoBytes here). Specifically, the new amendments:
- Require businesses selling personal information collected in the course of interacting with consumers offline to provide consumers notice of their right to opt out via offline communications. Consumers must also be provided instructions on how to submit opt-out requests.
- Provide an opt-out icon for businesses to use in addition to posting a notice of right to opt-out. The amendments note that the opt-out icon may not be used in lieu of requirements to post opt-out notices or “do not sell my personal information” links.
The AG’s press release also notes that the California Privacy Rights Act (CPRA), which was approved by voters last November and sought to amend the CCPA, will transfer some of the AG’s responsibilities to the California Privacy Protection Agency (CPPA), covered by InfoBytes here; however, the AG will retain the authority to go to court to enforce the law. Enforcement of the CPRA will begin in 2023.
Additionally, on March 17, the California governor announced appointments to the five-member inaugural board for the CPPA, consisting of experts in privacy, technology, and consumer rights. The CPPA is tasked with protecting the privacy rights of consumers over their personal information, and “will have full administrative power, authority, and jurisdiction to implement and enforce” the CCPA and the CPRA, including bringing enforcement actions before an administrative law judge.
On November 3, California voters approved a ballot initiative, the California Privacy Rights Act of 2020 (CPRA), that expands on the California Consumer Privacy Act (CCPA). While there are a number of differences between the CPRA and the CCPA, some key provisions include:
- Adding expanded consumer rights, including the right to correction and the right to limit sharing of personal information for cross-context behavioral advertising, whether or not for monetary or other valuable consideration.
- Changing the definitions of various entities, including increasing the numerical threshold for qualifying as a business from 50,000 to 100,000 consumers and households, and removing devices from this threshold.
- Adding the category of sensitive personal information that is subject to specific rights.
- Creating a new privacy agency, the California Privacy Protection Agency, to administer, implement, and enforce the CPRA.
It is important to note that the Gramm-Leach-Bliley Act and Fair Credit Reporting Act exemptions are preserved in the CPRA, and the act extends the employee and business-to-business exemptions to January 1, 2023.
The CPRA becomes effective January 1, 2023, with enforcement delayed until July 1, 2023. However, the CPRA contains a look-back provision (i.e., the CPRA will apply to personal information collected by a business on or after January 1, 2022). The new privacy agency also is required to begin drafting regulations starting on July 1, 2021, with final regulations to be completed one year later.
Please refer to a Buckley article for further information on the differences between the CCPA and the CPRA: 6 Key Ways the California Privacy Rights Act of 2020 Would Revise the CCPA (Corporate Compliance Insights), as well as continuing InfoBytes coverage here.