Skip to main content
Menu Icon

InfoBytes Blog

Financial Services Law Insights and Observations


Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.

  • California regulator advises businesses to only collect needed data under CCPA

    Privacy, Cyber Risk & Data Security

    On April 2, The California Privacy Protection Agency issued Enforcement Advisory No. 2024-01 reminding businesses that data minimization is a foundational principle the California Consumer Privacy Act. The Advisory noted that the Agency has observed certain businesses collecting unnecessary and disproportionate amounts of personal information and emphasized that minimization principles would apply to processing consumer requests. As such, the Advisory highlighted the requirements of minimization, including the concept that the collection, use, sharing, and retention of personal information must be reasonable and proportionate to the purposes identified, considering the minimum personal information required, the potential negative impacts on consumers, and the existence of additional safeguards that addressed the applicable negative impacts. As part of the discussion, the Advisory also discussed two scenarios: one described an opt-out procedure, and the other described verification in connection with a consumer request. For the opt-out procedure, the Advisory reminded businesses that businesses may not verify a consumer’s identity to process an opt-out (it may, however, ask the consumer for the information necessary to complete the request). For the verification procedures, the Advisory outlined a possible process for analyzing whether additional verification information would be required, such as whether the business stores driver license information.  

    Privacy, Cyber Risk & Data Security California CCPA CPPA Digital Identity Identity Theft

  • CPPA releases latest draft of automated decision-making technology regulation

    State Issues

    The California Privacy Protection Agency (CPPA) released an updated draft of its proposed enforcement regulations for automated decisionmaking technology in connection with its March 8 board meeting. The draft regulations included new definitions, including “automated decisionmaking technology” which means “any technology that processes personal information and uses computation to execute a decision, replace human decisionmaking, or substantially facilitate human decisionmaking,” which expands its scope from its previous September update (covered by InfoBytes here).

    Among other things, the draft regulations would require businesses that use automated decisionmaking technology to provide consumers with a “Pre-use Notice” to inform consumers on (i) the business’s use of the technology; (ii) their right to opt-out of the business’s use of the automated decisionmaking technology and how they can submit such a request (unless exempt); (iii) a description of their right to access information; and (iv) a description of how the automated decisionmaking technology works, including its intended content and recommendations and how the business plans to use the output. The draft regulations detailed further requirements for the opt-out process.

    The draft regulations also included a new article, entitled “risk assessments,” which provided requirements as to when a business must conduct certain assessments and requirements that process personal information to train automated decisionmaking technology or artificial intelligence. Under the proposed regulations, every business which processes consumers’ personal information may present significant risk to consumers’ privacy and must conduct a risk assessment before initiating that processing. If a business previously conducted a risk assessment for a processing activity in compliance with the article and submitted an abridged risk assessment to the CPPA, and there were no changes, the business is not required to submit an updated risk assessment. The business must, however, submit a certification of compliance to the CPPA.

    The CPPA has not yet started the formal rulemaking process for these regulations and the drafts are provided to facilitate board discussion and public participation, and are subject to change. 

    State Issues Privacy Agency Rule-Making & Guidance California CPPA Artificial Intelligence

  • California appeals court vacates a ruling on enjoining enforcement of CPRA regulations

    State Issues

    On February 9, California’s Third District Court of Appeal vacated a lower court’s decision to enjoin the California Privacy Protection Agency (CPPA) from enforcing regulations implementing the California Privacy Rights Act (CPRA).  The decision reverses the trial court’s ruling delaying enforcement of the regulations until March 2024, which would have given businesses a one-year implementation period from the date final regulations were promulgated (covered by InfoBytes here).

    The CPRA mandated the CPPA to finalize regulations on specific elements of the act by July 1, 2022, and provided that “the Agency’s enforcement authority would take effect on July 1, 2023,” a one-year gap between promulgation and enforcement. The CPPA did not issue final regulations until March of 2023, but sought to enforce the rules starting on the July 1, 2023, statutory date.  In response, in March 2023, the Chamber of Commerce filed a lawsuit in state court seeking a one-year delay of enforcement for the new regulations.  The trial court held that a delay was warranted because “voters intended there to be a gap between the passing of final regulations and enforcement of those regulations.” On appeal, the court emphasized that there is no explicit and unambiguous language in the law prohibiting the agency from enforcing the CPRA until at least one year after final regulations are approved, and that and found that while the mandatory dates included in the CPRA “amounts to a one-year delay,” such a delay was not mandated by the statutory language. The court further found that there is no indication from the ballot materials available to voters in passing the statute that the voters intended such a one-year delay. The court explained that the one-year gap between regulations could have been interpreted to give businesses time to comply, or as a period for the agency to prepare for enforcing the new rules, or there may also be other reasons for the gap.

    Accordingly, the appellate court held that Chamber of Commerce “was simply not entitled to the relief granted by the trial court.” As a result of the court’s decision, businesses are now required to commence implementing the privacy regulations established by the agency. 

    State Issues Privacy Courts California Appellate CPPA CPRA

  • California enacts new data broker regulations

    State Issues

    The California governor recently signed SB 362 (the “Act”), which will impose regulations on data brokers by allowing consumers to request the deletion of their personal data that was collected. The Act will allow the California Privacy Protection Agency (CPPA) to create an “accessible deletion mechanism” to make a streamlined method for consumers to delete their collected information available by January 1, 2026.

    Among other amendments, businesses that meet the definition of a data broker will be required to register every year with the CPPA, instead of with the attorney general. Additionally, the Act requires data brokers to provide more information during its yearly registration, including: (i) if they collect the personal information of minors; (ii) if the data broker collects consumers’ precise geolocation; (iii) if they collect consumers’ reproductive health care data; (iv) “[b]eginning January 1, 2029, whether the data broker has undergone an audit as described in subdivision (e) of Section 1798.99.86, and, if so, the most recent year that the data broker has submitted a report resulting from the audit and any related materials to the California Privacy Protection Agency”; and (v) a link on its website with details on how consumers may delete their personal information, correct inaccurate personal information, learn what personal information is collected and how it is being used, learn how to opt out of the sale or sharing of personal information, learn how to access their collected personal information, and learn how to limit the use and disclosure of their sensitive personal information. Moreover, administrative fines for violations of the Act, payable to the CPPA, have increased from $100 to $200, and data brokers that fail to delete information for each deletion request face a penalty of $200 per day the information is not deleted.

    The Act further requires that data brokers submit a yearly report of the number of requests received for consumer information deletion, and the number of requests denied. The yearly report must also include the median and mean number of days in which the data broker responded to those requests.


    State Issues Privacy, Cyber Risk & Data Security State Legislation California CPPA Data Brokers Consumer Protection

  • CPPA continues efforts towards California Privacy Rights Act

    State Issues

    The California Privacy Protection Agency board is continuing its efforts to prepare regulations implementing the California Privacy Rights Act (covered by InfoBytes here and here).

    Draft risk assessment regulations and cybersecurity audit regulations were released in advance of the September 8 open meeting held by the board. Draft regulations on automated decision-making remain to be published. More comprehensive comment and feedback is expected on these draft regulations, unlike regulations finalized in March that were presented in a more robust state. As previously covered by InfoBytes, the California Privacy Protection Agency cannot enforce any regulations until a year after their finalization, adding a ticking reminder to the finalization process for these draft regulations.

    The draft cybersecurity regulations include thoroughness requirements for the annual cybersecurity audit, which must also be completed “using a qualified, objective, independent professional” and “procedures and standards generally accepted in the profession of auditing.” A management certification must also be signed certifying the business has not influenced the audit, and has reviewed the audit and understands its findings.

    The draft risk assessment regulations require conducting a risk assessment prior to initiating processing of consumers’ personal information that “presents significant risk to consumers’ privacy,” as set forth in an enumerated list include the selling or sharing of personal information; processing personal information of consumers under age 16; and using certain automated decision-making technology, including AI.

    State Issues Privacy California CCPA CPPA CPRA Compliance State Regulators Opt-Out Consumer Protection

  • California Privacy Protection Agency announces its first inquiry

    Privacy, Cyber Risk & Data Security

    On July 31, the California Privacy Protection Agency (CPPA) announced a review of the data privacy practices of “connected vehicle” manufacturers and related technologies. Executive Director of the CCPA Ashkan Soltani stated in the press release that the agency is “making inquiries into the connected vehicle space to understand how these companies are complying with California law when they collect and use consumers’ data.” The vehicles in question contain tracking technology that raised data concerns under the California Consumer Privacy Act. Notably, this is the first action from the agency’s enforcement division.

    Privacy, Cyber Risk & Data Security State Issues State Regulators California CCPA CPPA Enforcement

  • Court delays enforcement of California privacy regulations

    Privacy, Cyber Risk & Data Security

    The Superior Court for the County of Sacramento adopted a ruling during a hearing held June 30, granting the California Chamber of Commerce’s (Chamber of Commerce) request to enjoin the California Privacy Protection Agency (CPPA) from enforcing its California Privacy Rights Act (CPRA) regulations until March 2024. Enforcement of the CPRA regulations was set to begin July 1.

    The approved regulations (which were finalized in March and took effect immediately) update existing California Consumer Privacy Act regulations to harmonize them with amendments adopted by voter initiative under the CPRA in November 2020. (Covered by InfoBytes here.) In February of this year, the CPPA acknowledged that it had not finalized regulations regarding cybersecurity audits, risk assessments, and automated decision-making technology and posted a preliminary request for comments to inform this rulemaking. (Covered by InfoBytes here.) The June 30 ruling referred to a public statement issued by the CPPA, in which the agency explained that enforcement of those three areas would not commence until after the applicable regulations are finalized. However, the CPPA stated it intended to “enforce the law in the other twelve areas as soon as July 1.”

    In March, the Chamber of Commerce filed a lawsuit in state court seeking a one-year delay of enforcement for the new regulations. The Chamber of Commerce argued that the CPPA had finalized its regulations in March 2023 (rather than the statutorily-mandated completion date of July 1, 2022), and as a result businesses were not provided the required one-year period to come into compliance before the CPPA begins enforcement. The CPPA countered that the text of the statute “is not so straightforward as to confer a mandatory promulgation deadline of July 1, 2022, nor did the voters intend for impacted business to have a 12-month grace period between the [CPPA’s] adoption of all final regulations and their enforcement.”

    The court disagreed, finding that the CPPA’s failure “to timely pass final regulations” as required by the CPRA “is sufficient to grant the Petition.” The court stated that because the CPRA required the CPPA to pass final regulations by July 1, 2022, with enforcement beginning one year later, “voters intended there to be a gap between the passing of final regulations and enforcement of those regulations.” The court added that it was “not persuaded” by the CPPA’s argument “that it may ignore one date while enforcing the other.” However, staying enforcement of all the regulations for one year until after the last of the CPRA regulations have been finalized would “thwart the voters’ intent.” In striking a balance, the court stayed the CPPA’s enforcement of the regulations that became final on March 29 and said the agency may begin enforcing those regulations on March 29, 2024. The court also held that any new regulations issued by the CPPA will be stayed for one year after they are implemented. The court declined to mandate any specific date by which the CPPA must finalize the outstanding regulations.

    Privacy, Cyber Risk & Data Security State Issues Courts California CPRA CPPA Enforcement CCPA

  • California OAL approves CCPA regulations

    Privacy, Cyber Risk & Data Security

    On March 30, the California Privacy Protection Agency (CPPA) announced that the California Office of Administrative Law (OAL) approved the agency’s first substantive rulemaking package for implementing the California Consumer Privacy Act (CCPA). The approved regulations are effective immediately. The CPPA noted that the approved regulations update existing CCPA regulations to harmonize them with amendments adopted under the California Privacy Rights Act (CPRA), which was approved by ballot measure in November 2020 to amend and build on the CCPA. In February, the CPPA voted unanimously to adopt and approve the regulations, which have not been substantively changed since the CPPA voted on modifications last year (covered by InfoBytes here). The final regulations and supporting materials are now available on the CPPA’s website.

    The CPPA has already begun additional rulemaking. The agency issued a preliminary request for comments on cybersecurity audits, risk assessments, and automated decision-making to inform future rulemaking in February. Comments were due at the end of March.

    Privacy, Cyber Risk & Data Security Agency Rule-Making & Guidance State Issues State Regulators California CPRA CPPA CCPA

  • House committees move forward on data privacy

    Privacy, Cyber Risk & Data Security

    On March 1, the House Subcommittee on Innovation, Data, and Commerce, a subcommittee of the House Energy and Commerce Committee, held a hearing entitled “Promoting U.S. Innovation and Individual Liberty through a National Standard for Data Privacy” to continue discussions on the need for comprehensive federal privacy legislation. House Energy and Commerce Committee Chair Cathy McMorris Rodgers (R-WA) delivered opening remarks, commenting that discussions during the hearing will build upon the bipartisan American Data Privacy and Protection Act (ADPPA), which advanced through the committee last July by a vote of 53-2. As previously covered by InfoBytes, the ADPPA (see H.R. 8152) was sent to the House floor during the last Congressional session, but never came up for a full chamber vote. The bill has not been reintroduced yet.

    A subcommittee memo highlighted that absent a comprehensive federal standard, “there are insufficient limits to what types of data companies may collect, process, and transfer.” The subcommittee flagged the data broker industry as an example of where there are limited restrictions or oversight to prevent the creation of consumer profiles that link sensitive data to individuals. Other areas of importance noted by the subcommittee relate to data security protections, data minimization requirements, digital advertising, and privacy enhancing technologies. The subcommittee heard from witnesses who agreed that a comprehensive privacy framework would benefit consumers.

    One of the witnesses commented in prepared remarks that preemption is key, calling the current patchwork of state laws confusing and costly to businesses and consumers. “Consumers need a strong and consistent law to protect them across jurisdictions and market sectors, and to clarify what privacy rights they should expect and demand as they navigate the marketplace,” the witness said. The witness also stated that the FTC is currently relying on outdated law, noting that while Section 5 of the FTC Act is frequently used, “virtually all of the FTC’s privacy and data security cases are settlements. That means that many of the legal theories advanced, as well as the remedies obtained, have never been tested in court.”

    In advance of the hearing, the California governor, the California attorney general, and the California Privacy Protection Agency sent a joint letter opposing preemption language contained in H.R. 8152. “[B]y prohibiting states from adopting, maintaining, enforcing, or continuing in effect any law covered by the legislation, [the ADPPA] would eliminate existing protections for residents in California and sister states,” the letter warned. The letter asked Congress “to set the floor and not the ceiling in any federal privacy law” and “allow states to provide additional protections in response to changing technology and data privacy protection practices.”

    Separately, at the end of February, Chairman of the House Financial Services Committee, Patrick McHenry (R-NC) introduced the Data Privacy Act of 2023 (see H.R. 1165). The bill moved out of committee by a 26-21 vote, and now goes to the full House for consideration. Among other things, the bill would modernize the Gramm-Leach-Bliley Act to better align the statute with the evolving technological landscape. The bill would also ensure consumers understand how their data is being collected and used and grant consumers power to opt-out of the collection of their data and request that their data be deleted at any time. Additional provisions are intended to protect against the misuse or overuse of consumers’ personal data and impose disclosure requirements relating to data collection methods, how data is used and who it is shared with, data retention policies, and informed choice. The bill is designed to provide consistency across the country to reduce compliance burdens, McHenry said.

    Privacy, Cyber Risk & Data Security Federal Issues Federal Legislation House Energy and Commerce Committee House Financial Services Committee Gramm-Leach-Bliley State Issues CPPA Consumer Protection

  • California’s privacy agency finalizes CPRA regulations

    Privacy, Cyber Risk & Data Security

    On February 3, the California Privacy Protection Agency (CPPA) Board voted unanimously to adopt and approve updated regulations for implementing the California Privacy Rights Act (CPRA). The proposed final regulations will now go to the Office of Administrative Law, who will have 30 working days to review and approve or disapprove the regulations. As previously covered by InfoBytes, the CPRA (largely effective January 1, 2023, with enforcement delayed until July 1, 2023) was approved by ballot measure in November 2020 to amend and build on the California Consumer Privacy Act (CCPA). In July 2022, the CPPA initiated formal rulemaking procedures to adopt proposed regulations implementing the CPRA, and in November the agency posted updated draft regulations (covered by InfoBytes here and here).

    According to the CPPA’s final statement of reasons, the proposed final regulations (which are substantially similar to the version of the proposed regulations circulated in November) address comments received by stakeholders, and include the following modifications from the initial proposed text:

    • Amending certain definitions. The proposed changes would, among other things, modify the definition of “disproportionate effort” to apply to service providers, contractors, and third parties in addition to businesses, as such term is used throughout the regulations, to limit the obligation of businesses (and other entities) with respect to certain consumer requests. The term is further defined as “when the time and/or resources expended to respond to the request significantly outweighs the reasonably foreseeable impact to the consumer by not responding to the request,” and has been modified “to operationalize the exception to complying with certain CCPA requests when it requires ‘disproportionate effort.’” The proposed changes also introduce the definition of “unstructured” personal information, which describes personal information that could not be retrieved or organized in a predefined manner without disproportionate effort on behalf of the business, service provider, contractor, or third party as it relates to the retrieval of text, video, and audio files.
    • Outlining restrictions on how a consumer’s personal information is collected or used. The proposed changes outline factors for determining whether the collection or processing of personal information is consistent with a consumer’s “reasonable expectations.” The modifications also add language explaining how a business should “determine whether another disclosed purpose is compatible with the context in which the personal information was collected,” and present factors such as the reasonable expectation of the consumer at the time of collection, the nature of the other disclosed purpose, and the strength of the link between such expectation and the nature of the other disclosed purpose, for assessing compatibility. Additionally, a section has been added to reiterate requirements “that a business’s collection, use, retention, and/or sharing of a consumer’s personal information must be ‘reasonably necessary and proportionate’ for each identified purpose.” The CPPA explained that this guidance is necessary for ensuring that businesses do not create unnecessary and disproportionate negative impacts on consumers.
    • Providing disclosure and communications requirements. The proposed changes also introduce formatting and presentation requirements, clarifying that disclosures must be easy to read and understandable and conform to applicable industry standards for persons with disabilities, and that conspicuous links for websites should appear in a similar manner as other similarly-posted links, and, for mobile applications, that conspicuous links should be accessible in the business’ privacy policy.
    • Clarifying requirements for consumer requests and obtaining consumer consent. Among other things, the proposed changes introduce technical requirements for the design and implementation of processes for obtaining consumer consent and fulfilling consumer requests, including but not limited to “symmetry-in-choice,” which prohibits businesses from creating more difficult or time consuming paths for more privacy-protective options than paths to exercise a less privacy protective options. The modifications also provide that businesses should avoid choice architecture that impairs or interferes with a consumer’s ability to make a choice, as “consent” under the CCPA requires that it be freely give, specific, informed, and unambiguous. Moreover, the statutory definition of a “dark pattern” does not require that a business “intend to design a user interface to have the substantial effect of subverting or impairing consumer choice.” Additionally, businesses that are aware of, but do not correct, broken links and nonfunctional email addresses may be in violation of the regulation.
    • Amending business practices for handling consumer requests. The revisions clarify that a service provider and contractor may use self-service methods that enable the business to delete personal information that the service provider or contractor has collected pursuant to a written contract with the business (additional clarification is also provided on a how a service provider or contractor’s obligations apply to the personal information collected pursuant to its written contract with the business). Businesses can also provide a link to resources that explain how specific pieces of personal information can be deleted.
    • Amending requests to correct/know. Among other things, the revisions add language to allow “businesses, service providers, and contractors to delay compliance with requests to correct, with respect to information stored on archived or backup systems until the archived or backup system relating to that data is restored to an active system or is next accessed or used.” Consumers will also be required to make a good-faith effort to provide businesses with all necessary information available at the time of a request. A section has also been added, which clarifies “that implementing measures to ensure that personal information that is the subject of a request to correct remains corrected factors into whether a business, service provider, or contractor has complied with a consumer’s request to correct in accordance with the CCPA and these regulations.” Modifications have also been made to specify that a consumer can request that a business disclose their personal information for a specific time period, and changes have been made to provide further clarity on how a service provider or contractor’s obligations apply to personal information collected pursuant to a written contract with a business.
    • Amending opt-out preference signals. The proposed changes clarify that the requirement to process opt-out preference signals applies only to businesses that sell or share personal information. Language has also been added to explain that “the opt-out preference signal shall be treated as a valid request to opt-out of sale/sharing for any consumer profile, including pseudonymous profiles, that are associated with the browser or device for which the opt-out preference signal is given.” When consumers do not respond to a business’s request for more information, a “business must still process the request to opt-out of sale/sharing” to ensure that “a business’s request for more information is not a dark pattern that subverts consumer’s choice.” Additionally, business should not interpret the absence of an opt-out preference signal as a consumer’s consent to opt-in to the sale or sharing of personal information.
    • Amending requests to opt-out of sale/sharing. The revisions, among other things, clarify that, at a minimum, a business shall allow consumers to submit requests to opt-out of sale/sharing through an opt-out preference signal and through one of the following methods—an interactive form accessible via the “Do No Sell or Share My Personal Information” link, the Alternative Opt-out Link, or the business’s privacy policy. The revisions also make various changes related to service provider, contractor, and third-party obligations.
    • Clarifying requests to limit use and disclosure of sensitive personal information. The regulations require businesses to provide specific disclosures related to the collection, use, and rights of consumers for limiting the use of personal sensitive information in certain cases, including, among other things, requiring the use of a link to “Limit the Use of My Sensitive Personal Information” and honoring any limitations within 15 business days of receipt.  The regulations also provide specific enumerated business uses where the right to limit does not apply, including to ensure physical safety and to prevent, detect, and investigate security incidents.

    The proposed final regulations also clarify when businesses must provide a notice of right to limit, modify how the alternative opt-out link should be presented, provide clarity on how businesses should address scenarios in which opt-out preference signals may conflict with financial incentive programs, make changes to service provider, contractor, and third party obligations to the collection of personal information, as well as contract requirements, provide clarity on special rules applicable to consumers under 16-years of age, and modify provisions related to investigations and enforcement.

    Separately, on February 10, the CPPA posted a preliminary request for comments on cybersecurity audits, risk assessments, and automated decisionmaking to inform future rulemaking. Among other things, the CPPA is interested in learning about steps it can take to ensure cybersecurity audits are “thorough and independent,” what content should be included in a risk assessment (including whether the CPPA should adopt the approaches in the EU GDPR and/or Colorado Privacy Act), and how “automated decisionmaking technology” is defined in other laws and frameworks. The CPPA noted that this invitation for comments is not a proposed rulemaking action, but rather serves as an opportunity for information gathering. Comments are due March 27.

    Privacy, Cyber Risk & Data Security State Issues California CCPA CPPA CPRA Compliance State Regulators Opt-Out Consumer Protection


Upcoming Events