The proposed changes emphasize the need to give consumers a “meaningful understanding” of personal information practices and the CPPA’s focus on providing information about data practices before consumers engage with a business. These changes are less far-reaching than the ADMT, risk assessment, and audit proposals, but they could affect how businesses make disclosures in their privacy policies and are likely to be finalized on a relatively short timeline.

Here are the key ways that privacy policy requirements would change under the CPPA’s proposal.

• “Meaningful Understanding” of Sources and Third-Party Recipients of Personal Information

The draft revisions to sections 7011(e)(1)(B) and (E) would expressly include a requirement for privacy policies to give consumers a “meaningful understanding” of the sources from which a business collects personal information and the categories of third parties to which it sells or shares personal information. The phrase “meaningful understanding” is already in the current definitions of “categories of sources” and “categories of third parties” in section 7001. Its repetition in section 7011 could signal an expectation of increased specificity and clarity in how businesses collect and sell personal information.

• Clarifying Disclosures to Service Providers and Contractors

Proposed revisions to section 7011(e)(1)(H) would require businesses to identify the categories of personal information that they disclosed to a service provider or contractor in the preceding 12 months, along with the business purpose for these disclosures. This change would remove an ambiguity in current section 7011(e)(1)(H), which also mentions disclosures to third parties for business purposes, which is arguably inconsistent with the definition of a third party. Companies that have interpreted subsection (H) differently may need to take another look at their privacy policies in light of this proposal.

• Privacy Policy Links for Mobile Applications

Finally, the draft regulations propose to require mobile applications to include a link to their privacy policies within their settings menu. Under current section 7011(d), including a privacy policy link in an app’s setting menu is discretionary. This new requirement would be in addition to the current mandate to make the privacy policy available through the business’s homepage or app store download page.

What’s Next?

Once CPPA staff revises the draft revisions to reflect Board members’ input, the package of rule changes will be published for a 45-day public comment period. The CPPA did not indicate when the comment period will begin.

Starting January 1, 2024, in an action brought by the California AG pursuant to Consumer Laws, the court can award disgorgement in addition to other remedies already provided for in those statutes, which include the often confused remedy of consumer restitution. The difference between the two remedies is one of focus; restitution focuses on how much the victims were harmed by the conduct, while disgorgement focuses on what the wrongdoer gained as a result of the illegal conduct. Of importance, disgorgement does not require a showing of the specific harmed consumers that need to be compensated, making it an attractive, flexible remedy for enforcers.

When determining whether to award disgorgement, the court shall take into account the amount of civil penalties and consumer restitution awarded, “in addition to other appropriate factors.” Currently, the California AG has authority to seek civil penalties of $2500/violation. The funds recovered as disgorgement shall be deposited into the new Fund, established in the State Treasury. Monies in the Fund may, upon appropriation by the legislature, be used by the AG to provide restitution to victims of acts or practices for which consumer restitution has been ordered but not paid in an action brought by the AG pursuant to the Consumer Laws. Should the AG recover funds from a defendant after payment from the Fund has been made, the AG can reimburse the Fund.

California Attorney General Bonta sponsored this bill, declaring that it is a game changer and will allow consumers to get restitution when a business has been successfully prosecuted, but becomes insolvent. Companies should take note that the flexibility to obtain disgorgement will likely give California greater authority to obtain additional monetary recoveries in the state’s actions. Disgorgement however is specific to AG actions which necessarily excludes California District Attorney and private actions. Because a “violation” for penalty purposes and “appropriate factors” under the new statute are undefined, it will be worth watching how California wields this new source for payment when it comes to negotiating resolutions. We also note that several other state AGs already claim disgorgement authority (which the FTC currently lacks). See, e.g., New York and Texas.

As California is a very active state when it comes to consumer protection, one can assume that this new tool will be used to a great extent, and that California will want to quickly ensure that the Fund maintains a robust amount of money to be used in future enforcement matters.

Among the most significant of these developments is California’s SB 362 – a data broker bill that goes well beyond the registration requirements contained in California’s existing data broker law. Proposed earlier this year, SB 362 met with various twists and turns all summer, including strenuous opposition from industry members. However, yesterday (on the last day of the legislative session), the California Senate gave the bill final approval, concurring in the version passed by the California Assembly.

Now the law is on its way to the Governor Newsom for signature, and there have been no signs that he’ll veto it. Indeed, the bill’s chief sponsor, state Senator Josh Becker, has said that, while he hasn’t reached out to the governor, he expects the governor to sign. Others have surmised that Newsom will sign in light of the prominence of privacy in the Golden State, as well as concerns about data brokers’ collection and sale of reproductive health care data (an issue referenced in Section 3 of the bill).

What Does SB 362 Require?

Although the bill was amended throughout the legislative process, the core requirements remain largely the same. In brief, SB 362 expands California’s current data broker law by providing a centralized place where consumers can delete their data and limit the further sale or sharing of it, and requiring data brokers to undertake new disclosure, recordkeeping, and audit requirements. Some provisions will take effect in 2024 but most will be delayed until 2026 or even 2028. Specifically, SB 362:

• Requires data brokers to register with the California Privacy Protection Agency (CPPA) (instead of the California AG’s office, as required by the current law), pay a fee, submit detailed information, provide detailed disclosure to consumers, and comply with new recordkeeping requirements (expanded requirements phased in during 2024):
• Requires the CPPA to create an “accessible deletion mechanism” where consumers can at no cost direct some or all data brokers to delete all of their information, subject to the same deletion and other exceptions available under CCPA (beginning in 2026);
• Requires data brokers to continue to delete any new information received about the consumer every 45 days (2026);
• Requires any data broker that receives a deletion request not to sell or share any new personal information about the consumer unless the consumer requests it (2026);
• Requires any data broker that receives a request to direct their service providers and contractors to delete the information (2026);
• Requires a data broker that denies a request to delete because the request cannot be verified to process the request as an opt-out of sale/sharing and to direct its service providers and contractors to do the same (2026);
• Allows “authorized agents” to assist consumers in making deletion requests (2026);
• Requires data brokers to undergo independent compliance audits every three years (beginning in 2028);
• Authorizes penalties and administrative costs for noncompliance, including $200 for each day a data broker fails to register and $200 “for each deletion request for each day the data broker fails to delete information” as required. (These sanctions kick in as each of the above requirements become effective.); and
• Gives the CPPA discretionary rulemaking authority to implement the new law.

Of significance, the term “data broker” is defined broadly as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship” (though it excludes entities covered by the Fair Credit Reporting Act (FCRA), the Gramm Leach Bliley Act, the Health Insurance Portability and Accountability Act and similar California laws, and a California insurance law). As result of this broad definition, the bill extends not just to data brokers as they are commonly understood, but also to many members of the advertising industry that collect and sell data but do not have a consumer-facing relationship.

What Did Opponents Argue?

In a website created for the purposes of opposing SB 362, industry members pointed to the many beneficial support services they provide – such as stopping fraud targeting companies and the government; verifying identities for the administration of unemployment and nutrition programs; identifying potential donors for political and charitable campaigns; and allowing small businesses to compete and reach a larger customer base. They also stated that the California Consumer Privacy Act already covers data brokers and provides a full set of transparency and deletion rights to consumers as to these entities. These arguments didn’t carry the day, although the bill garnered a chunk of “no” votes in the California Assembly.

Why is this Significant?

As discussed in our prior posts on this subject, policymakers at the federal and state levels have debated for years whether to impose new statutory and/or regulatory requirements on data brokers, citing the sensitive nature of the information and profiles that they sell, the use of this data in making consequential decisions about consumers, and the invisibility of most data brokers to the public. However, to date, data broker-specific legislation has largely been limited to the FCRA and to the state data registry requirements now in effect in four states (though data brokers fall within many privacy laws of general applicability, of course).

The new requirements in SB 362 raise the potential that large numbers of consumers might opt out of the collection and sale by data brokers (broadly defined), whether on their own or through “authorized agents.” Thus, while the law confers significant new privacy rights on consumers, it also could substantially impact the data broker and advertising industries and the many businesses and services that rely on them. In addition, because California typically leads the states on privacy issues, it’s possible that other states will follow suit, amplifying these effects considerably.

Stay tuned as we continue to monitor this important topic.

Three of the topics that stood out during these discussions – there were several others – were: understanding and managing data protection impact assessments (DPIAs), assessing sensitive personal information (SPI) risks, and implementing data deletion obligations. This post shares some of the tips that emerged from these sessions.

Data Protection Impact Assessments

Four states require DPIAs today for certain processing activities, and laws that go into effect in five additional states beginning in 2024 will require them, too. Across most of these states, the activities that trigger the need to conduct a DPIA include targeted advertising, data sales, and sensitive data processing. Beyond these clearly defined starting points, however, practical challenges abound. What form should a DPIA take? Who should be responsible for drafting the assessment? What are the best practices for keeping DPIAs up to date?

One way to look at these questions is that DPIAs tell the story about how a company uses personal data. Regulators will be one audience for these stories. Some states’ laws allow the attorneys general to request production of DPIAs from organizations. California law requires businesses to submit their DPIAs to the CPPA on a “regular basis” (with details now set forth in draft regulations). Regulators will expect to see (in the words of the Colorado Privacy Act’s implementing regulations) a “genuine, thoughtful analysis” of the benefits, potential harms, and mitigations in a company’s data practices.

At the same time, although some state privacy laws provide protection for attorney-client privilege and confidentiality, we expect DPIAs to generate investigations and to have their privilege and confidentiality protections challenged. Carefully planning the diligence and drafting stages of a DPIA – and taking care to maintain safeguards for communications that involve legal advice – is critical to ensuring that DPIAs are accurate and comprehensive while minimizing additional risk to the company.

Finding internal champions and identifying key stakeholders are also critical steps. DPIAs take time away from IT, engineering, business, legal, compliance, and privacy teams who have day jobs. In most cases, their contributions are essential to assemble an accurate picture of the activity that’s at the center of a given DPIA.

The message that spurs these teams to participate meaningfully in the DPIA process will vary. In some cases, buy-in might arise from a shared understanding that the company needs to align on whether its current practices are sufficient to protect against known risks. In other instances, a clear message of support from the top of the organization might be necessary.

In short, there isn’t a single format or process that will work for everyone. However, recognizing that the stakes involved in DPIAs are significant and planning accordingly are first steps toward identifying which processing activities to tackle first and how to go about it.

Sensitive Personal Information

In addition to triggering a DPIA obligation, SPI processing under state laws and emerging enforcement precedent may require opt-in consent. Identifying SPI collection and use is therefore a growing priority for many privacy professionals.

But the expansive definition of SPI under state privacy laws is only part of the equation. Sector-specific laws, such as the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and the Illinois Biometric Information Privacy Act, expand the range of sensitive data that receives heightened protections. These laws have become an increasing focus for regulators and the plaintiffs’ bar at the same time that data from these sectors is becoming more valuable for new services and, in some instances, advertising.

Where SPI is used in marketing and advertising, companies face compliance challenges and potential exposure to private suits. Using alternatives to SPI can mitigate these risks. For example, in lieu of SPI, some companies are exploring the use of aggregated demographic data to power insights or target advertising based on non-sensitive purchasing behavior.

Practical approach to SPI

• Cataloging data starts with thoughtful DPIAs and a robust understanding of the business use cases with SPI.

• Consent is the baseline expectation for SPI processing. Consider building a consent management infrastructure that accounts for both direct collection and sourced (or inferred) data.
• Explore emerging alternatives to SPI and implement mitigation measures in the meantime.
• Think for today and for tomorrow. Short-term and long-term plans are crucial for developing a comprehensive and durable risk-management strategy. Set a cadence to revisit the plans.

Data Deletion Obligations

All comprehensive state privacy laws that have been enacted so far give consumers the right to request deletion. State laws vary in the level of detail they provide about deletion – regulations in California and Colorado are quite specific in their procedures – but all provide significant leeway to retain data for internal purposes that are reasonably aligned with consumers’ expectations. In practice, it is not uncommon to preserve some data to meet operational needs or comply with legal obligations.

This leads to two challenges. First, companies need to communicate clearly with consumers, service providers, and third parties about how they’re fulfilling deletion requests. Second, companies need ways to ensure that data they keep under an exemption is not used for other purposes.

A few practical steps can help:

• Prior to developing a process for responding to deletion requests, map out your data to understand what personal information you have, where it is located, and with whom you share it. Identify any legal obligations surrounding how long you must keep it, including any minimum retention periods.
• Develop and maintain systems to notify service providers and third parties about data deletion requests. Methods for sending deletion requests to partners vary widely, from self-serve, automated interfaces to ad hoc requests that are handled case-by-case, so be prepared to work with a wide range of processes.
• Communicate clearly with consumers about deletion requests, whether the request will be approved in whole, in part, or not at all.

If Kelley Drye can help your organization develop a practical approach to building and maintaining a robust privacy program, please contact any member of our Privacy Group.

Investigative Sweep Targeting Employers

On July 14^th, OAG announced an investigative sweep targeting employer compliance with the CCPA.

Beginning January 1, 2023, after three years of statutory delays, the CCPA now applies to employers, requiring them to provide employees with privacy notices and to respond to employee privacy requests, including to access, correct, and delete their personal information, and offer opt outs, as applicable.

As part of the OAG sweep, the agency sent inquiry letters to large employers in California asking about how these companies comply with the CCPA’s requirements with respect to their employees and job applicants.

Under recent amendments to the CCPA, OAG and CPPA both have authority to enforce the privacy law although only the CPPA has the ability to engage in rulemaking. The CCPA no longer provides a right to cure violations of the law before either the OAG or CPPA allege a violation, although the statute indicates the CPPA may decide to offer a right to cure based on a lack of intent to violate CCPA or efforts undertaken by a business to cure the alleged violation. The OAG also maintains discretion in how it evaluates a company’s compliance and whether an enforcement action is appropriate.

Enforcement Update & Priorities

Also on July 14^th, the CPPA held a public meeting that in part responded to the recent Superior Court decision in California Chamber of Commerce v. California Privacy Protection Agency delaying enforcement of the CPPA’s recently finalized rulemaking completed on March 29, 2023.

During the meeting, Deputy Director of Enforcement for CPPA, Michael Macko, stated businesses “do not have a free pass” from all enforcement after the decision.

The Court’s ruling was based on the language of the California Privacy Rights Act ballot initiative approved by voters in November 2020 that added new requirements to the CCPA and created the CPPA. Under the ballot initiative, the CPPA was required to complete its rules on July 1, 2022, one year prior to enforcing those rules on July 1, 2023, but CPPA did not meet the deadline. The Superior Court stayed the agency’s enforcement of wholly new regulations for 12 months from the date the regulations were finalized in order to reflect the one-year timeframe codified in the ballot initiative.

Nonetheless, the CPPA’s position is that the court decision does not stop the Enforcement Division from enforcing the CCPA statute and earlier versions of the CCPA regulations. Macko also explained that regulations affected by the ruling are only one enforcement tool that the Enforcement Division plans to use. Macko expects to see robust compliance, while being sensitive and aware of potential implications and impacts for businesses that designed their compliance based on the new regulations.

Macko also described that the CPPA’s stance on enforcement will be emphasizing matters involving children, the elderly, and vulnerable or marginalized groups that he said are “susceptible to privacy violations or commonly overlooked.” According to Macko, cases will be considered based on overall circumstances, including harm to consumers, nature and severity to the harm, good nature to comply, and the size and resources of a business.

Macko also indicated the CPPA will prioritize privacy notices and policies. This includes reviewing whether businesses are collecting data in the way they tell consumers, how businesses are complying with the right to delete personal information, and the implementation of consumer requests from the stand point of business practices.

Legislative Update and CPPA’s Position on Pending Legislation

The CPPA also used its July 14^th meeting to endorse legislation that amends or impacts the CCPA. Maureen Mahoney, Deputy Director of Policy & Legislation for the CPPA, proposed that the CPPA make recommendations for the following bills that would directly affect the agency or its operations. Here is a list of pending legislation that the Board voted to recommend:

• Sensitive Personal Information: Assembly Bill 947 adds immigration and citizenship status to the definition of sensitive personal information. The bill is slated for a third reading in the California Senate after passage in the California Senate Appropriations Committee.
• Reproductive Health: Assembly Bill 1194 provides additional consumer protection for reproductive health information, including information related to accessing, searching, or procuring abortion services, pregnancy care, perinatal care, and contraception. The bill is currently under consideration by the California Senate Appropriations Committee.
• Statute of Limitations: Assembly Bill 1546 changes the statute of limitations to enforce a civil action within one year of the violation to begin instead within five years of the violation. The bill is currently under consideration by the California Senate Appropriations Committee.
• Data Broker Registration: Senate Bill 362 amends the California’s Data Broker Registry Law to transfer administration and rulemaking authority to the CPPA and directs the agency to establish a deletion mechanism for consumers to request all data brokers to delete their personal information through a single request. Beginning July 1, 2026 under the legislation, data brokers will not be able to sell or share new personal information from consumers that have already requested deletion, unless the consumer states otherwise. Starting on January 1, 2028, and every three years, data brokers will be audited by an independent third party to determine compliance. The bill is currently re-referred to the Committee on Appropriations pursuant to Assembly Rule 96.

The California legislature is currently on recess and reconvenes August 14^th.

If you have any questions about the above developments, compliance efforts with the new state privacy laws, or concerns related to a regulatory inquiry, please feel free to reach out to our team.

Summer Associate Brianna Robinson contributed to this post.

“Restricted Data Processing” Under the CCPA

Since 2019, Google has offered a number of its services on a “restricted data processing” basis. Where a service is configured for restricted data processing, Google acts as a service provider with respect to personal information (i.e., names, email addresses, online identifiers) that Google collects from advertisers, publishers, and other partners.

Under the California Consumer Privacy Act (CCPA), which first took effect in 2020, a service provider is not permitted to use personal information other than for business purposes associated with offering services. For example, the CCPA does not permit a service provider to resell personal information processed on behalf of a business or to use the information to build profiles about individual consumers for its own commercial benefit.

In documentation available at https://business.safety.google/rdp/, Google explains that when restricted data processing applies, Google will use personal information for business purposes such as ad delivery, reporting and measurement, security and fraud detection, debugging, and to improve and develop product features. Google cites these policies to support its position that it is a “service provider” for many of its advertising-related services, such as Google Ads, Google Analytics, Tag Manager, and Display & Video 360.

What’s changing?

Starting July 1, 2023 – the day that the California Privacy Rights Act (CPRA) amendments to the CCPA become enforceable – Google will no longer offer restricted data processing for the following services in California:

• Any feature that entails uploading customer data for purposes of matching with Google or other data for personalized advertising (e.g., Customer Match)
• Any feature that entails targeting user lists obtained from a third party (e.g., Audience Partner API)
• Any feature that entails creating, adding to, or updating user lists using first-party customer data (e.g., audience building with floodlight tags and audience-expansion features in DV360)

These changes reflect key amendments to the CCPA. In particular, the CPRA amendments define “cross-context behavioral advertising” to mean “targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s activity across” the internet, and prohibit service providers from offering services that involve “sharing” personal information for purposes of “cross-context behavioral advertising.”

The clear but unstated message behind these changes is that Customer Match involves cross-context behavioral advertising. When an advertiser uses the Customer Match service, the advertiser provides Google with a target audience, and Google displays ads to that audience on its search results. Because the service involves targeting ads to consumers on Google based on the consumer’s interactions with the advertiser, Google’s apparent position is that Customer Match is a cross-context behavioral advertising service.

As noted above, advertisers, publishers, and other businesses that share personal information with third parties (such as Google) for cross-context behavioral advertising must offer consumers an opportunity to opt-out of the “sale” and “sharing” of their personal information. In addition, as described in the latest CCPA regulations, these businesses are required to enter into a contract for the “sale” or “sharing” of personal information that requires the third party recipient to comply with the CCPA and provide the same level of privacy protection for consumer data as any business subject to CCPA.

Where can I find the restricted data processing contract?

Google publishes its restricted data processing contract for US state privacy laws at https://business.safety.google/usaprivacyaddendum/.

What about Google Analytics?

Google Analytics is a popular service that allows businesses to gain insights into who visits their digital properties. Google states that it will act as a service provider for Google Analytics as long as the business disables sharing with other Google products and services.

Google offers a variety of privacy-related tools for Google Analytics, including support for deletion requests, here.

What about real-time bidding?

Google also offers services like Display & Video 360 and Authorized Buyers that enable advertisers to respond to bids in real-time for ad inventory across the web. Google indicates that these services continue to operate using restricted data processing but also makes clear that restricted data processing “does not extend to the sending or disclosure of data to third parties that you may have enabled in our products and services.” As a result, publishers issuing bid requests and advertisers responding to publisher bid requests should understand that personal information conveyed to third parties for bidding purposes may not be covered by Google’s restricted data processing terms.

Treatment of Sales and Opt-Out Signals in the Settlement

The allegations in the complaint are consistent with the AG Office’s long-standing position that Do Not Sell is a central feature of the CCPA – “the hallmark of the CCPA,” in the language of the complaint – and indicate that the AG takes a broad view of “sales” under the CCPA. According to the complaint, the CCPA’s opt-out provision establishes “certain straightforward rules: if companies make consumer personal information available to third parties and receive a benefit from the arrangement – such as in the form of ads targeting specific consumers – they are deemed to be ‘selling’ consumer personal information under the law.”

Taken together, the complaint and order entrench a sweeping view of sales: “online tracking technologies” that make personal information available to third parties “in exchange for monetary or other valuable consideration,” including analytics and “free or discounted services” are defined as sales under the order. The AG alleges that Sephora disclosed its use of online tracking technology but not the sale of personal information. According to the complaint, the opposite was true: the privacy policy stated “we do not sell personal information,” and the company did not offer an opt-out of sale by any method. (The complaint also includes a deception count under California’s Unfair Competition Law, which focuses on these representations.)

The “online tracking” described in the AG’s complaint is not limited to Sephora’s use of advertising cookies, pixels, or other technology. The AG also alleges that Sephora’s use of “analytics,” which is characterized as part of “third-party surveillance,” constituted sales, and the order requires that Sephora enable restricted data processing for its service providers.

In addition to alleging sales through online tracking technologies, the AG’s complaint also charges Sephora with failing to respond to user-enabled global privacy controls (GPC). The complaint states that Sephora’s practices were investigated as part of a June 2021 sweep of “large retailers,” to determine “whether they continued to sell personal information when a consumer signaled an opt-out via the GPC.” Although the GPC remains a proposed specification, the complaint alleges Sephora “completely ignored the GPC.”

Other Terms in the Order

In addition to imposing $1.2 million in civil penalties, the order requires Sephora to revise its disclosures and establish opt-out mechanisms via homepage link and GPC, to the extent that the company continues to sell personal information. The order also requires Sephora to conform its service provider agreements to the CCPA’s requirements, and provide an initial and two annual reports to the AG relating to its sale of personal information, the status of its service provider relationships, and its efforts to honor the GPC.

What does this mean for businesses subject to CCPA?

First, if the AG sends a letter advising a business of CCPA violations, swift action may prevent additional investigation or enforcement action. Here, the complaint explains that the AG’s investigation followed Sephora’s “fail[ure] to cure any of the alleged violations” and “le[d] to this enforcement action.”

Second, companies that use technology to track consumer behavior online, which is ubiquitous, should reassess whether their practices result in CCPA sales. In particular, the AG may not regard analytics categorically to warrant treatment as a service provider offering.

Finally, it is important to continue to monitor developments on opt-out preference signals, which are addressed in greater detail in the CPPA’s draft regulations.

We’re keeping an eye on these issues, new case examples from the AG, and more.

A couple of overarching points are worth keeping in mind. First, implementing the CPRA’s consumer rights provides an occasion to review and update data maps so that they accurately capture how personal information flows both through their organizations and to service providers, contractors, and/or third parties. Second, preparing for CPRA consumer requests should go hand-in-hand with reviewing the systems and procedures that are in place to honor consumers’ requests.

Right to Opt Out of Sale/Sharing of Personal Information

The CPRA broadens the scope of the CCPA’s existing opt-out right to include the “sharing” of personal information. The Draft Regulations would add to existing opt-out obligations by requiring a business to:

• Provide a “means by which the consumer can confirm” that their request has been processed by the business (e.g., by displaying through a toggle or radio button on the business’s website that the consumer has exercised their right); and
• Notify all third parties to whom the business has sold or shared the consumer’s personal information since receiving the request that the consumer has exercised their opt-out right, direct them to comply with the request, and forward the request to any other person to or with whom they have disclosed or shared the consumer’s personal information.

Right to Delete

Following new requirements under the CPRA, the Draft Regulations clarify that a business must send deletion requests “downstream" to all relevant parties. Specifically, the Draft Regulations provide that a business must: (i) instruct its service providers and contractors to delete the consumer’s personal information from their records; and (ii) notify all third parties to whom it has sold or shared the consumer’s personal information to delete the information. Service providers and contractors must in turn notify other service providers, contractors, and third parties that accessed the personal information that is subject to the deletion request, unless the access occurred at the direction of the business. These obligations are subject to limitations if they are impossible or would require disproportionate effort to fulfill.

Right to Correct

The right to correct is a new right granted to consumers by the CPRA, and the Draft Regulations establish rules and procedures to facilitate consumers’ correction requests. Among other obligations, the Draft Regulations provide that, upon verification, a business must determine the accuracy of the personal information by considering the “totality of the circumstances relating to the contested personal information.” Pursuant to the Draft Regulations, relevant factors that a business would need to consider are: (i) the nature of the personal information; (ii) how the business obtained the contested information; and (iii) documentation relating to the accuracy of the information. A business that corrects personal information would also need to implement measures to ensure the information “remains corrected” and instruct its service providers and contractors to correct the information in their respective systems.

Right to Know

Building on the existing right to know, the Draft Regulations provide that a business must provide information beyond the 12-month period preceding the business’s receipt of the request unless doing so “proves impossible or would involve disproportionate effort.”

Right to Limit Use and Disclosure of Sensitive Personal Information

The right to limit the use and disclosure of sensitive personal information is another new right under the CPRA. The Draft Regulations would require a business to handle such “requests to limit” by:

• Ceasing to use and disclose the consumer’s sensitive personal information, except for purposes allowed under the regulations, within 15 business days of receiving the request;
• Notifying its service providers and contractors that the consumer has exercised their right to limit and instructing them to comply with the consumer’s request within the same time frame described above;
• Notifying all third parties to whom the business has disclosed or made available the consumer’s personal information for purposes other than those set forth in the regulations after the consumer submitted their request and before the business complied with the request that the consumer has exercised their right and directing the third party to comply with the consumer’s request and forward the request to others that have received the consumer’s sensitive personal information;
• Notifying all third parties to whom the business makes sensitive personal information available for purposes other than those set forth in the regulations (e.g., third parties that the business authorizes to collect information from its property) that the consumer has exercised their right, and directing such third parties to comply with the consumer’s request and forward the request to others that have received the consumer’s sensitive personal information; and
• Providing a “means by which the consumer can confirm” that their request has been processed by the business (similar to the obligation for opt-out requests described above).

Propagating Data Subject Rights to Service Providers, Contractors, and Third Parties

A business may have obligations to notify and instruct its service providers, contractors, and/or third parties to comply with a consumer’s request. Service Providers, contractors, and third parties may also have obligations to notify and instruct companies they’ve shared a consumer’s personal information with to comply with a request. The following chart shows obligations that each party has based on the consumer’s request.

See: Propagating Data Subject Rights Chart

Takeaways: The CPRA provides consumers with a range of rights that empower them to exercise more control over their personal information, and the additional obligations that the proposed regulations impose on businesses would help ensure that all parties processing consumers’ personal information give effect to such rights.

To reiterate, it’s unclear which of the amendments in the proposed regulations will stick. It is clear, however, that the expanded transparency and consumer rights requirements in the CPPA’s Draft Regulations are likely to require substantial time and resources to implement.

Stay tuned for additional blog posts in which we will summarize how the proposed regulations contemplate some of businesses’ other compliance obligations under the CPRA.

* * * *

Join us July 20 for How To Protect Employee/HR Data and Comply with Data Privacy Laws. This webinar will cover:

• Existing and prospective laws and regulations employers should be aware of when managing their workforce
• Key principles to adhere to when collecting and handling employee personal data
• Best practices for protecting employee personal data during the employment life cycle

Register here

In this post, we summarize the Draft Regulations’ disclosure provisions and provide outline steps for businesses to consider taking to prepare for these requirements.

New Disclosure Requirements

Citing a CCPA provision that authorizes regulations to ensure that notices and information required under the CCPA are provided to consumers at the appropriate time and in a manner that may be “easily understood by the average consumer,” the Draft Regulations would create new disclosure requirements for any business engaged in the collection of consumers’ personal information.

Notice at Collection

The Draft Regulations, citing a declared purpose in the CPRA of enabling consumers to “exercise meaningful control” over businesses’ use of their information, would require businesses to provide additional details about certain aspects of their information practices at or before the point of collection. These provisions include new requirements governing first parties’ and third parties’ notice at collection disclosures.

• Required Content of a Notice at Collection. Building on existing requirements under the CCPA, the Draft Regulations would require a business to include the following information in its notice at collection:
• • the categories of personal information collected, including sensitive personal information;
  • the purposes for which the categories of personal information are collected and used;
  • whether the categories of personal information listed are sold or shared;
  • the length of time the business intends to retain each category of personal information listed (or the criteria used to determine the retention period);
  • a link to the business’ notice of the right to opt out of the sale/sharing of personal information (or, in the case of an offline notice, where the webpage can be found online);
  • if the business allows third parties to control the collection of personal information on its property, the names of all such third parties or information about their business practices; and
  • a link to the business’ privacy policy (or, in the case of an offline notice, where the privacy policy can be found online).
• Presentation of the Notice at Collection. The Draft Regulations also prescribe how a business must present its notice at collection. According to the Draft Regulations, it is insufficient to direct consumers to the top of a privacy policy or to require consumers to scroll to find the notice at collection disclosures. Instead, a business must include a link that takes consumers directly to the section of its privacy policy that includes the required information. The link to the notice at collection must be made “readily available where consumers will encounter it at or before the point of collection.” As an example, the Draft Regulations provide that, when a business collects personal information from a consumer via a webform, it should include a “conspicuous link” to the notice at collection in “close proximity” to either the fields where the consumer enters his/her personal information or the button the consumer hits to submit his/her personal information.
• First and Third Party Disclosures. Based on the view that “more than one business may control the collection of a consumer’s personal information, and thus, have an obligation to provide a notice at collection,” Section 7012(g) of the Draft Regulations would require a business to include in its notice at collection extensive information about third parties that “control” the collection of personal information. In particular, the Draft Regulations provide that if a business owns a physical or digital property from which consumers’ personal information is collected (a “first party”) and allows third parties to control the collection of personal information on its property, the business must include in its notice at collection either (i) the name of all such third parties or (ii) details about such third parties’ “business practices” (which the third parties would be required to provide to the first party). Additionally, the Draft Regulations provide that if a third party collects information from the first party’s physical premises, the third-party business must provide a notice at collection “in a conspicuous manner” at the physical location(s) where it collects the information.

Privacy Policy

The Draft Regulations would also require businesses to include more granular disclosures in their privacy policies. These requirements include:

• a detailed description of the business’ online and offline information handling practices, including a statement indicating whether the business uses or discloses sensitive personal information for purposes other than those enumerated in Section 7027(l);
• details about the rights consumers have with respect to their personal information under the CCPA, as amended by the CPRA (which we will discuss in a subsequent blog post);
• an explanation of how consumers can exercise their rights and what they can expect from the process, including details about how the business processes opt-out preference signals;
• the date the privacy policy was last updated; and
• the business’ consumer rights requests metrics for the previous calendar year (or a link to such information), where applicable.

Takeaways

While the CPPA may revise the Draft Regulations before they are finalized, the direction toward more detail in notices at collection and privacy policies – particularly about third parties – seems clear. Satisfying the notice at collection requirements in the Draft Regulations would likely present significant challenges. While the Draft Regulations provide businesses with some flexibility in terms of how they disclose the presence of third parties on their properties, presenting all of the required information in a clear and meaningful manner to consumers could be difficult. Additionally, the need to disclose extensive information about third parties could interfere with consumers’ online experiences.

To prepare for these potential changes, a valuable step for many businesses would be to take stock of the third-party information collection occurring on their sites and in their apps and to consider how to provide more detailed disclosures to consumers in a concise, intelligible, and easily accessible form.

Stay tuned for additional blog posts in which we will summarize how the Draft Regulations contemplate some of the CPRA’s other amendments to the CCPA.

* * * *

Join us today for State Attorneys General 102.

In this webinar in association with Mondaq, Kelley Drye provided observations on the proposed regulations, including which would pose the biggest challenge for businesses if implemented, and will offer strategies to plan efficiently for compliance in the face of these proposals.

Click here to view the webinar recording and click here for the presentation slides.

Join us for our next webinar, State Attorneys General 102, on June 30. Register here.

Find our state privacy law portal and more here.

Subscribe to the Ad Law Access blog to receive real-time updates on privacy and other related matters.

The Ad Law News and Views newsletter provides information on our upcoming events and a summary of recent blog posts and other publications.

Visit the Advertising and Privacy Law Resource Center for additional information, past webinars, and educational materials.

For easy access to all of our webinars, posts and podcasts, download our new Ad Law Access App.

.

The increasing number of states enacting privacy laws means more privacy litigation. On this webinar, partners Lauri Mazzuchetti and Becca Wahlquist highlighted emerging trends across the docket of privacy litigation cases, provided an update on key cases involving consumer claims, and provided practical tips, including:

• Understanding potential litigation risk
• Reducing your litigation exposure
• Discussing exposure for data breaches and other alleged misuses of consumer data
• Providing an understanding of the scope of private rights of action
• Looking ahead to new laws

Find our webinar replays, blog posts and podcasts easily on the new Ad Law Access App.

In the absence of a federal privacy law, privacy has been at the forefront of many states’ legislative sessions this year. Against this backdrop, state attorneys general continue to initiate investigations into companies’ privacy practices, and state agencies continue to advance privacy rulemakings under existing law. Aaron Burstein, Laura VanDruff and Paul Singer, presented this webinar to help learn about the latest developments in state privacy law, make sense of these developments and understand their practical impact.

To view the webinar recording, click here or view it on the new Ad Law Access App.

Subscribe to the Ad Law Access blog to receive real-time updates on privacy and other related matters.

The Ad Law News and Views newsletter provides information on our upcoming events and a summary of recent blog posts and other publications.

Visit the Advertising and Privacy Law Resource Center for additional information, past webinars, and educational materials.

For easy access to all of our webinars, posts and podcasts, download our new Ad Law Access App.

The 15-page opinion, issued on March 10, responds to a question posed by Sacramento area Assemblyman Kevin Kiley (R): “Under the California Consumer Privacy Act, does a consumer’s right to know the specific pieces of personal information that a business has collected about that consumer apply to internally generated inferences the business holds about the consumer from either internal or external information sources?”

OAG’s response, in a nutshell, is “yes.” Giving consumers access to inferences is important, according to OAG, because “inferences are one of the key mechanisms by which information becomes valuable to businesses, making it possible to target advertising and solicitations, and to find markets for goods and services.” OAG further notes that nothing in the Consumer Privacy Rights Act (CPRA) changes its analysis. The opinion also suggests that the OAG will refer to the CCPA’s broad purposes, such as giving “consumers greater control over the privacy of their personal information,” to support its interpretations.

Summary of OAG’s Legal Analysis

OAG’s analysis begins by noting that the CCPA includes a broad set of inferences – the “derivation of information, data, assumptions, or conclusions from facts, evidence, or another source of information or data” – in the statutory definition of “personal information.” Specifically, “personal information” includes “inferences drawn from any of the information identified in [the definition of personal information] to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.” .”

Focusing on this definition, the OAG opinion defines a two-part test to determine whether inferences must be disclosed in response to a consumer access request.

1. First, inferences must be drawn from “information identified in” the definition of “personal information,” Civil Code section 1798.140(o).

The opinion shows little deference to the exemption for public records when it comes to inferences. The opinion asserts that “information in public repositories” is personal information but acknowledges (in a footnote) that information in public records is not. The opinion sweeps this tension aside by concluding that “once a business has made an inference about a consumer, the inference becomes personal information—one more item in the bundle of information that can be bought, sold, traded, and exploited beyond the consumer’s power of control.”

The bottom line is that even if the underlying information is exempt from disclosure because it is publicly available information from government records, an inference based on the information must be disclosed to the consumer, as the inference itself is not available in government records.

2. Second, the inference must be used to create a profile about a consumer, such as by identifying or predicting the consumer’s characteristics. To illustrate an inference that does not give rise to a profile, OAG gives a trivial example: inferences derived when a business combines information “obtained from a consumer with online postal information to obtain a nine-digit zip code.” It is unclear how this is an inference at all, as opposed to a look-up of existing information.

OAG anticipates and refutes two potential arguments that inferences would not have to be disclosed.

• First, CCPA states that personal information must be disclosed that is collected “about” a consumer, not necessarily collected “from” a consumer. This means that businesses must broadly disclose to consumers inferences they make about the consumer, regardless of the source of the information. Although not addressed in the opinion, this differs from the right to delete, which only applies to information collected “from” a consumer.
• Second, OAG argues that while businesses are not required to disclose trade secrets, individual inferences are not trade secrets. OAG agrees that companies are not required to disclose the inputs or algorithms that form the inferences, but expects companies to produce inferences in response to access requests.

Additional Takeaways

Here are some other takeaways from the OAG opinion:

• OAG acknowledges that CCPA does not require businesses to disclose their trade secrets. The opinion finds that the “most relevant” exception in the CCPA to support this conclusion is that “the obligations imposed on businesses by this title shall not restrict a business’ ability to … comply with federal, state, or local laws.”

• Along the same lines, the opinion makes it clear that OAG recognizes key statutory exceptions, such as the exception allowing businesses to comply with applicable law or exercise or defend legal claims. OAG labels these exceptions as “carve-out” provisions “designed to relieve businesses from undue burdens and common legal binds.”
• For those interested in how OAG interprets CCPA, OAG commits to interpret the law by “examining the text, giving the language its usual meaning in order to understand the intent of legislators. The words of a statute must be construed in context and section relating to the same subject must be harmonized to the extent possible.”
• Finally, the opinion spends considerable time reviewing the history and purpose of CCPA, citing to the Cambridge Analytica data breaches, EU passage of GDPR, and legislative history addressing “exploitative tendencies of collecting masses of information and using it to identify and affect unwitting consumers.” This background provides insight into the perceived harms OAG seeks to safeguard through enforcement of CCPA.

Thursday, March 24, 2022 at 4:00pm ET/ 1:00pm PT Privacy Priorities for 2022: Tracking State Law Developments RSVP HERE

Note: Our team will discuss these issues, along with practical suggestions for how companies can tackle privacy challenges, in a January 26 webinar at 4 pm ET. Please tune in! You can register here.

• State privacy developments will continue to drive much of the U.S. privacy debate.
  • California and Colorado will launch rulemakings to implement their laws, setting an example for other jurisdictions and prompting industry changes even beyond their borders. Meanwhile, companies will be gearing up for the effective dates of all three state laws (January 1, 2023 for California and Virginia, and July 1, 2023 for Colorado).
  • With multiple bills already pending in other states, we may see additional state laws by year’s end. Draft bills introduced thus far suggest a range of approaches that vary from existing laws, suggesting compliance may become even more complex in the coming year.
  • Even states without comprehensive privacy laws will seek to use their “unfair and deceptive” trade practice authority in increasingly creative ways to address privacy. A recent example is Arizona’s effort to challenge Google’s collection and use of location data.
• The FTC will pursue an aggressive privacy agenda, pushing the boundaries of its legal authority and seeking to move the goalposts governing data collection, use, and sharing.
  • It will launch a broad “surveillance” rulemaking under its Magnuson-Moss procedures, seeking strict limits on personalized advertising, lax security practices, and algorithmic discrimination. (As we discuss here, though, the rule will likely take years to complete.)
  • It will increase enforcement of sectoral privacy laws and rules (e.g., FCRA, COPPA, GLB Privacy, Red Flags), so it can get monetary relief, post AMG. It also will try to obtain settlements for alleged violations of the Health Breach Notification Rule – which it “clarified” in a 2021 policy statement covers virtually all health apps.
  • It will focus on tech platforms and other large companies, through both aggressive enforcement and high-profile studies, such as its upcoming report on social media companies.
  • In all of its privacy cases, the FTC will seek stringent remedies, including data deletion, bans on conduct, notices to consumers, stricter consent requirements, individual liability, and significant monetary relief based on a range of creative theories. (See our scorecard on the FTC’s use of such theories here.)
• Other federal agencies will flex their muscles on privacy and data security, scrutinizing and regulating companies within their areas of jurisdiction.
  • For example, the CFPB recently ordered the tech giants to turn over information regarding the data practices of payments systems they operate. The FCC just moved to update breach reporting requirements under the CPNI rules. And the SEC just fined eight broker-dealers and investment companies for their “deficient cybersecurity procedures.”
  • Expect these types of actions to accelerate in the coming year, as privacy continues its ascent as a top regulatory, consumer protection, and risk management issue.

• Developments in and around the tech platforms will continue to have ripple effects across the entire marketplace.
  • The tech platforms (yeah, them again) will continue to tighten their rules governing data sharing, third-party cookies, use of identifiers, and access to their platforms, forcing other companies to develop new ways to market their brands.
  • “Big tech” antitrust challenges will advance through legislatures and the courts, requiring policymakers and enforcers to finally confront the tension between competition interests (which seek to expand access to data) and privacy interests (which seek to limit access).
• Cross border data transfers will become ever more difficult, as Privacy Shield remains unresolved and the EU accelerates GDPR enforcement.
  • For example, Austria’s DPA recently held that Google Analytics violated the GDPR when it transferred to the U.S. EU citizens’ IP address and identifiers in cookie data, notwithstanding Google’s claim that it had protective measures in place.
  • Further, the record fines being obtained for GDPR violations (a reported seven-fold spike in 2021) will increase the peril for multinational companies that transfer data as part of their operations.
• The plaintiff’s bar will continue to test the limits of addressing privacy in private litigation, despite some setbacks in 2021.
  • The setbacks include the high bar set by the Supreme Court regarding the proof of harm necessary to confer standing in privacy cases. In addition, neither Virginia nor Colorado included a private right of action in their comprehensive privacy laws.
  • However, the California law includes a private right of action for data breaches, and pending legislative proposals in other states include private rights of action for privacy, security, or both. Plaintiffs also are employing other statutory frameworks to address privacy, such as the contract laws cited in the recent class action against Zoom, and the call recording laws cited in session-replay lawsuits.

• Congress will continue to debate whether to pass a federal privacy law.
  • Yes, it’s safe to assume that the never-ending debate will continue! The harder question is whether Congress will finally pass anything.
  • It’s possible. Businesses have never wanted a federal privacy law more – to deal with the specter of more state privacy laws, “overreach” by the FTC, the EU’s heightened enforcement efforts, and the overall confusion created by fragmented privacy regimes (i.e., all of the issues discussed above).
  • The more likely scenario, however, is that Congress will pass something narrower, like a bill to amend COPPA or provide new privacy protections for teens, which could be an area of consensus among Democrats and Republicans. (Another possibility, just proposed by some Democrats, is legislation to ban “surveillance advertising,” similar to the rule that the FTC is planning. However, that would likely be a much more divisive issue in Congress.)

Under CCPA, companies have 30 days to cure noncompliance after which the California AG may initiate a civil action for civil penalties not to exceed $2,500 for each violation or $7,500 for each intentional violation. In each example made public by the California AG, the AG stated that the target of the enforcement action cured the violation and the California AG did not assess penalties. In January 2023, however, the right to cure will sunset when the CPRA takes effect.

The examples provide insight into the types of companies and industries that the California AG focused on, including inadequate privacy policy CCPA disclosures, lack of service provider restrictions, and inefficient responses to CCPA requests. The examples also highlight the CCPA compliance issues that the California AG prioritized in its enforcement efforts, including allegations concerning:

• Inadequate disclosures: Companies did not provide disclosures or methods to submit consumer requests.
• Service Provider Restrictions: Companies did not add language in contracts that restricts how service providers can retain, use, or disclose personal information.
• Sale of Personal Information or Responding to GPC signals: Companies that “sell” personal information did not include a Do Not Sell My Personal Information link on their homepage or provide disclosures about the sale of information.
  • In one case, the California AG disagreed that a business that included an “accept sharing” link had established consent to sell personal information.
  • In a number of cases, the California AG disagreed that mobile device settings or a trade association opt out tool designed to manage online advertising were sufficient in place of a Do Not Sell My Personal Information button.
• Privacy Request Responses: Companies did not respond properly or timely to CCPA requests to know or delete personal information. Some companies did not offer the option for authorized agents to submit requests, or imposed requirements on authorized agents that the California AG said were not warranted, like the requirement to notarize requests.
• Financial Incentives: The California AG took the position that a grocery chain that required consumers to provide personal information in exchange for participation in a loyalty program was required to provide a notice of financial incentives, but did not do so.

• Classification of Service Providers: Companies cured alleged violations relating to service provider classifications by taking the following actions:
  • Amending service provider contracts to include CCPA-specific addendums.
  • Redrafting service provider contracts to contain the necessary restrictions on the use of personal information.
  • In the case of a company that acted both as a service provider and as a business, updating the company’s privacy policies to include disclosures required of businesses.
• Inadequate Disclosures: In response to concerns that privacy policies or other required notices were inadequate, companies took steps to cure by:
  • Updating privacy policies to include notice of CCPA consumer rights and how to exercise those rights.
  • Addressing whether the business “sells” personal information.
  • Amending privacy policies with instructions on how authorized agents may submit CCPA requests on behalf of consumers.
  • Implementing notice at collection for personal information received, regardless of whether information was collected online or in-person.
  • Updating privacy policies to clarify that the business cannot charge a fee for processing a consumer’s privacy request .
• Do Not Sell My Personal Information Link: Companies addressed concerns with the DNSMPI link by:
  • Adding the Do Not Sell My Personal Information link to the homepage.
    • In one example, the California AG initiated an inquiry focused on the business’s failure to respond to an opt out request via global privacy control signal, but the AG ultimately accepted a cure where the company worked with its third party privacy vendor to effectuate consumer opt-out requests.
  • Changing the “Do Not Sell My Personal Information” link to ensure it functioned properly.
  • Discontinuing requiring government identification and a bill showing the consumer’s address before honoring requests to opt-out of the sale of personal information.
• CCPA Request Procedures: Companies modified CCPA response procedures by:
  • Responding more quickly to CCPA requests.

How does the measure stack up against the VCDPA and the CCPA (as amended by CPRA)? The good news is that, in broad terms, ColoPA generally does not impose significant new requirements that aren’t addressed under the CCPA or VCDPA, but there are a few distinctions to note..

• Establishing consumer rights. As with the VCDPA and the CCPA, ColoPA provides rights for access, deletion, correction, portability, and opt out for targeted advertising, sales, and certain profiling decisions that have legal or similar effects. Unlike CCPA, which permits an authorized agent to submit any consumer requests, under ColoPA, authorized agents can only submit sale opt-out requests.
• Universal opt-out requests. ColoPA also requires the Attorney General to establish technical specifications for a universal targeted advertising and sale opt-out (e.g., global privacy control) by July 1, 2023, which controllers must honor starting July 1, 2024. Note there also will be CPRA regulations on this point with compliance likely due by January 1, 2023. Unlike CPRA, which makes the global privacy control optional, controllers must comply with the universal opt-out under ColoPA.
• Appealing consumer rights decisions. Like Virginia, ColoPA requires controllers to set up mechanisms permitting consumers to appeal a controller’s decision not to comply with a consumer’s request. The controller must then inform the consumer of its reasons for rejecting the request and also inform the consumer of his or her ability to contact the Attorney General “if the consumer has concerns about the result of the appeal.”
• Requiring data protection assessments. Similar to GDPR, and consistent with the VCDPA, ColoPA requires data protection assessments (“DPAs”) for certain processing activities, namely, targeted advertising, sales, certain profiling, and processing of sensitive personal data. As with Virginia, the Colorado Attorney General has the right to request copies of a controller’s DPAs.
• Consent for certain processing. Again following Virginia’s lead, ColoPA requires opt-in consent for the processing of sensitive personal information, which covers categories such as racial or ethnic origin, religious beliefs, citizenship, or genetic or biometric data used for uniquely identifying an individual. ColoPA also requires consent for processing children’s data, with a “child” being any individual under the age of 13. Unlike the VDCPA, ColoPA does not require COPPA-compliant consent for such processing, but ColoPA does exempt from the law personal data that is processed consistent with COPPA requirements.
• Right to cure. ColoPA allows controllers to cure violations and is unique by establishing the longest right to cure, at 60 days, and also because the statute repeals the provision on January 1, 2025. By this date, the Attorney General may have established rules to issue opinion letters and guidance that businesses can rely on in good faith to defend an action that would otherwise violate the law. Such rules must go into effect by July 1, 2025.
• Establishing controller duties. ColoPA establishes certain duties for controllers, including the duties of transparency, purpose specification, data minimization, care, avoiding unlawful discrimination, and duties regarding sensitive data. These duties create related obligations, such as providing a privacy policy, establishing security practices to secure personal data, and obtaining consent prior to processing sensitive data or children’s data.
• Consent for secondary use. ColoPA also establishes a “duty to avoid secondary use.” This duty requires consent to process personal data for purposes “not reasonably necessary or compatible with” the original purposes for collection. This requirement suggests that businesses need to keep detailed records of the personal data that they are collecting, the purposes for initially collecting such personal data, confirm such purposes are consistent with disclosures made to consumers, and track the scope of consent in connection with such data uses.

Given the significant overlap among the three privacy laws, companies subject to ColoPA should be able to leverage VCDPA and CCPA implementation efforts for ColoPA compliance. If ColoPA is any example, other state privacy efforts may not veer too far from the paths VCDPA and CCPA have forged. The key will be to closely monitor how CalPPA and the Colorado Attorney General address forthcoming regulations and whether they add new distinct approaches for each state. Check back on our blog for more privacy law updates.

As it turns out, the answer is surprising. Contractors are nearly identical to service providers, with just two differences: contractors are not data processors; and contractors must make a contractual certification in CCPA contracts. Moreover, contractors are not even new entities, and were already described in existing California privacy law.

Origins of “Contractors” in CCPA

To help explain the origins of the new contractor classification, we start with the California Consumer Privacy Act (CCPA). Under the CCPA, now in effect, each disclosure of personal information from a covered business to another entity is regulated, either via consumer opt out preferences or via contractual restrictions. Altogether, there are three potential data flows described in the CCPA: business to third party, business to service provider, and business to a person who is not a third party. We describe each in turn:

• Business to Third Party: First, when a business discloses personal information to a third party, this constitutes the “sale” of personal information (unless an exception applies, such as in the context of an intentional disclosure). The CCPA grants consumers the right to opt out of such sales of their personal information to prevent these data flows.

• Business to Service Provider: Second, when a business discloses personal information to a service provider, no “sale” occurs and there is no right of consumers to opt out. The requirements for the recipient to be a service provider are that (1) the service provider processes personal information on behalf of the business, and (2) the service provider agrees to retain, use, or disclose the personal information only for business purposes specified in a written contract.

• Business to a Person Who Is Not a Third Party: Finally, there is a rarely discussed third option in the CCPA. The CCPA states that any recipient of personal information that agrees to certain enhanced contractual terms is not a third party. This third category requires that the recipient agree to contractual terms that mirror service provider contractual terms, along with three additional terms: (1) to refrain from selling the personal information, (2) to refrain from retaining, using, or disclosing the information outside the direct business relationship between the recipient and the business, and (3) to certify that the recipient understands the above contractual restrictions.

As an example, if an authorized reseller furnishes a manufacturer with a list of new orders for fulfillment, and the manufacturer agrees to use the list only to fulfill orders, the manufacturer is not a third party. Because the manufacturer does not determine the purposes and means of processing the personal information it receives, the manufacturer is not acting as a “business.” No sale occurs.

Similarly, if an identity verification service sends personal information to a company to assist that company with confirming the identity of an applicant for service, and the company agrees contractually to limit its use and disclosure of the information for business purposes, the recipient is not a third party or business and no sale occurs from the identity verification service to the business.

Here’s a summary of the entities that may receive personal data under the CCPA:

Criteria	Third Party 1798.140(w)	Service Provider 1798.140(v)	Person Is Not a Third Party 1798.140(w)(2)
Sale?	Yes	No	No unless the recipient is a “business.”
Processor Terms	N/A	The service provider processes personal information on behalf of the business.	N/A
Contractual Terms	N/A	Retain, use, or disclose personal information only for business purposes.	Retain, use, or disclose personal information only for business purposes. Refrain from selling the personal information. Refrain from retaining, using, or disclosing the information outside of the direct business relationship between the person and the business. Certify understanding of and compliance with the above restrictions.

“Contractors” in CPRA

When CPRA becomes effective on January 1, 2023, the new law will incorporate these same classifications of entities that receive personal information.

• Third Party: A third party continues to be a recipient of sales of personal information. A third party that offers cross context behavioral advertising can now be the recipient of “sharing” of personal information, as well.
• Service Providers: Service providers remain entities that process personal information on behalf of a business pursuant to a written contract. CPRA clarifies, however, that a service provider may receive the personal information either directly from or on behalf of the business.

• Contractors: The new term “contractor” refers to a person to whom the business makes available a consumer’s personal information for a business purpose and pursuant to a written contract. This classification largely mirrors CCPA’s classification of a person who is not a third party. In particular, similar to CCPA, contractors are still required to certify their understanding and compliance with contractual restrictions.

Additionally, for both service providers and contractors, CPRA adds three new contractual terms:

• Combination of Personal Information: CPRA adds new contractual restrictions that limit how personal information from a business may be combined with personal information received from other businesses or directly from consumers. Further guidance on this issue is expected as part of the CPRA rulemaking process.
• Contract Compliance Monitoring: CPRA adds an obligation on businesses to monitor contractors and service providers for compliance with CPRA contract terms.
• Sub-processor Obligations: CPRA indicates that service providers and contractors must enter into similar CPRA contracts with any sub-processors that handle personal information, and provide notice to the business of each sub-processor.

Accordingly, in determining which types of contract terms to have in place in various data flow scenarios, it is possible that contractor terms will be used in a more limited way where the recipient of data is not processing personal information on behalf of a data owner.

Here are some examples:

• Sharing customer identifiers in certain product fulfillment use cases.
• Agreements involving joint operations on data.
• Integration agreements to enable independently-performed services on behalf of a common customer.
• Data services offered to a business with restrictions on use of the data for limited business purposes.

If you have questions about the benefits or drawbacks of the contractor classification under CPRA, please contact attorneys in the Information Privacy and Data Security practice group at Kelley Drye.

* * *

Subscribe here to Kelley Drye’s Ad Law Access blog and here for our Ad Law News and Views newsletter. Visit the Advertising and Privacy Law Resource Center for update information on key legal topics relevant to advertising and marketing, privacy, data security, and consumer product safety and labeling.

Kelley Drye attorneys and industry experts provide timely insights on legal and regulatory issues that impact your business. Our thought leaders keep you updated through advisories and articles, blogs, newsletters, podcasts and resource centers. Sign up here to receive our email communications tailored to your interests.

Follow us on LinkedIn and Twitter for the latest updates.

As we move deeper into the second year of CCPA litigation, the substantive issues continue to develop and we remain focused on the patterns and implications of recent filings and rulings. In this post, we highlight notable developments in three cases that occurred in the first quarter of 2021. These cases raise significant issues regarding judicial interpretation of the private right of action in the CCPA, the definition of a “data breach,” and CCPA plaintiffs’ ability to access pre-complaint discovery.

CCPA Claim Dismissed For Lack Of Data Breach Allegations

On August 5, 2020, Plaintiff filed a class action complaint against Defendants Alphabet, Inc. and Google, LLC in the Northern District of California. Plaintiff alleged that Defendants monitored and collected Android Smartphone users’ sensitive personal data without those users’ consent when they interacted with non-Google applications on their smartphones. Plaintiff’s CCPA cause of action was based on Defendants’ failure to disclose these activities in violation of Cal. Civ. Code § 1789.100(b). Plaintiff’s proposed class definition included “All Android Smartphone users from at least as early as January 1, 2014 through the present.”

On September 30, 2020, Defendants moved to dismiss the CCPA claim, arguing that (1) Plaintiff failed to allege that his information was subject to a data breach; and (2) Plaintiff, as a New York resident, had no standing under the CCPA, which only provides relief to California residents.

On February 2, 2021, the court dismissed the CCPA claim with prejudice, finding that the complaint did not allege that any personal information was subject to unauthorized access as a result of a security breach. The court reasoned that the CCPA only conferred “a private right of action” for violations related to “personal information security breaches,” and that Plaintiff was therefore unable to state a claim. The court also observed that Civil Code § 1798.150(c) explicitly states that “[n]othing in this title shall be interpreted to serve as the basis for a private right of action under any other law.” McCoy v. Alphabet, Inc., No. 20-CV-05427-SVK, 2021 WL 405816 (N.D. Cal. Feb. 2, 2021).

On February 16, 2021, Plaintiff filed an Amended Complaint that alleges a violation of California’s Unfair Competition Law (“UCL”) using the alleged CCPA violation as a predicate. It will be relevant to follow how the court addresses Plaintiff’s attempt to transform his dismissed CCPA claim into a UCL claim, in light of the court’s observation that the CCPA does not provide a basis for a private right of action under other laws.

McCoy v. Alphabet, Inc. et al., 5:20-cv-05427 (N.D. Cal.).

Plaintiffs Allege Numerous, Individualized “Data Breaches”

On April 1, 2021, Plaintiffs filed a Consolidated Class Action Complaint against Bank of America in the Northern District of California. Plaintiffs allege that Bank of America issued Visa debit cards containing public benefit disbursements to recipients, including Plaintiffs and other members of the class, that were purportedly prone to breaches because the cards utilized outdated magnetic stripe technology, rather than the EMV chips that have allegedly become the industry standard due to improved security features. Plaintiffs’ CCPA cause of action alleges that as a result of the inadequate security safeguards, the cardholders suffered unauthorized access and disclosure of their personal information that resulted in their funds being stolen through unauthorized transactions.

The statutory language of the CCPA indicates that a claim must be connected to a data breach. Cal. Civ. Code § 1789.150. Unlike most cases, Plaintiffs do not allege that a single, centralized data breach occurred. Instead, Plaintiffs allege that individual data breaches of each cardholder were permitted by Bank of America’s card design. This theory raises questions about what qualifies as a data breach under the CCPA and whether the design of a consumer product that renders the product vulnerable to breach, followed by actual breaches, qualifies. A judicial determination of this issue could help determine the scope of similar consumer actions.

Yick v. Bank of America, N.A., 3:21-cv-376 (N.D. Cal.).

Defendant Compelled To Disclose Information Related To Data Breach Investigations

On April 16, 2021, Plaintiffs filed a redacted Consolidated Class Action Complaint against Blackbaud, Inc. in the District of South Carolina. Plaintiffs allege that Blackbaud provides data security services for sensitive information, and that Plaintiffs and the class members are Blackbaud’s clients. Plaintiffs’ CCPA cause of action alleges that as a result of a data breach, cybercriminals stole the sensitive private information that Plaintiffs entrusted to Blackbaud.

Of note, the early proceedings in this case have included the forced production of Blackbaud’s forensic report on the data breach. The report was apparently compiled independent of the litigation and, upon learning of the report, the Court ordered Blackbaud to immediately produce the forensic report and allowed Plaintiffs to use that report in drafting a consolidated complaint. This is an issue that we’ve explored previously (here and here). Companies need to be vigilant and deliberate in how they approach the issue of internal investigations concerning data breaches where litigation could arise.

In re Blackbaud, Inc., Customer Data Breach Litigation¸ 3:20-mn-02972-JMC, MDL No. 2972 (D.S.C.).

As these and other CCPA-related cases progress through the litigation stages, we will continue to provide updates. Our prior summaries of CCPA-related litigation can be found in our CCPA Litigation Round-ups for: Q1 2020, Q2 2020, and Q3 & Q4 posts. We will continue to report on relevant developments in CCPA litigation and provide updates in our CCPA Litigation Tracker.

If you have any questions about defending and/or preparing for a potential privacy consumer class action, please reach out to our team, and if you have questions on your privacy compliance strategy, please reach out to our privacy compliance team.

On the latest episode of the Ad Law Access Podcast, Kelley Drye Partner Alysa Hutnik discusses the state of privacy, tracking, compliance technology and tools, and strategies privacy lawyers and others can use to help do their jobs. As you would expect, there are some practical tips to take away. Listen here or wherever you get your podcasts.

Inaugural Appointees

The five inaugural nominees of the CPPA Board are:

• Jennifer Urban, who was appointed as Chair of the CPPA by Governor Gavin Newsom. Urban is a clinical professor at UC Berkeley School of Law.
• John Christopher Thompson, who was appointed by Governor Newsom and is Senior Vice President of Government Relations at LA 2028.
• Angela Serra, who was designated by California Attorney General Xavier Becerra. Serra served in a wide range of roles in the California Department of Justice, including overseeing the Consumer Protection Section’s Privacy Unit.
• Lydia de la Torre, who was nominated by Senate President Pro Tem Toni Atkins. De la Torre is a professor of law at Santa Clara University.
• Vinhcent Le, who was designated by Assembly Speaker Anthony Rendon.

The announcement indicates that Urban’s and Thompson’s appointments do not require Senate confirmation.

The CPPA’s Next Milestones

Although the CPPA’s administrative enforcement authority does not become effective until July 1, 2023, the agency is poised in the meantime to become a powerful regulatory and supervisory authority, akin to a European data protection authority. Key dates in the near term are:

• July 1, 2021: CPPA takes over rulemaking authority from the California Attorney General.
• July 1, 2022: Deadline for the CPPA to adopt final regulations required by CPRA.

Which Regulations Does CPRA Require the CPPA to Issue?

Section 21 of CPRA (codified in Civil Code section 1798.185) adds fifteen areas of CCPA implementation to be spelled out in regulations to the seven areas that were defined under the initial CCPA. (CPRA also amends existing areas of rulemaking authority. For example, it grants more specific authority to prescribe standards for opt-out mechanisms.)

Although CPRA requires the CPPA to adopt final regulations in these areas by July 1, 2022, it would not be surprising to see the agency set priorities, as the Attorney General’s Office did initially under the CCPA. These priorities could include fundamental elements of the CCPA:

• Opt-Outs for Sale, Sharing, and Profiling, and Limiting Use of Personal Information: CPRA grants the CPPA the authority to adopt regulations that further define consumers’ opt-out rights. Specifically, the agency is directed to adopt regulations that define “intentional interactions,” which in turn define the scope of exceptions to “sale” and “sharing.”The CPPA is also charged with issuing rules about “profiling” opt-out rights, and this area is worth watching closely because it is not aligned with Virginia’s new privacy law or the current text of the Washington Privacy Act. CPRA defines “profiling” as the “automated processing of personal information, . . . to evaluate certain personal aspects relating to a natural person and in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.” A profiling opt-out under CPRA could apply to any first-party data use that meets this definition. The profiling opt-out right under the Virginia Consumer Data Protection Act is narrower. It is limited to the “furtherance of decisions that produce legal or similarly significant effects concerning the consumer.” (The profiling opt-out proposed in the Washington Privacy Act is substantively identical to Virginia’s opt-out.)Other aspects of opt-out rights that could be initial rulemaking targets include (a) the definition of “technical specifications” for a global platform- or browser-based opt-out mechanism; and, with the potential addition of a feature to indicate that the user is under the age of 13 or between 13 and 15 years old; (b) standards for consent to sell or share personal information, or use or disclose sensitive personal information, for businesses that respond to opt-out signals; and (c) “harmonizing” CCPA rules governing privacy notices, opt-out mechanisms, and “other operational mechanisms” to “promote clarify and functionality . . . for consumers.”
• Access Requests: CPRA directs the CPPA to define the scope of responses to consumer requests for specific pieces of personal information. CPRA suggests that these regulations may exclude system log and other information that “would not be useful to the consumer,” as well as define authentication standards for access to sensitive personal information.
• Business Purposes: Finally, it is possible that the CPPA will focus initially on “further defining” business purposes for which contractors and service providers may combine personal information from multiple businesses.

Defining CPPA’s Supervisory Authority

The CPPA will also have considerable supervisory authority. Section 1798.185(15) authorizes the CPPA to issue regulations defining audit and risk assessments for businesses “whose processing of consumers’ personal information presents significant risk to consumers privacy or security.”

Separately, the CPPA must appoint a Chief Privacy Auditor to audit businesses’ compliance with the CCPA. The Auditor’s role will be defined almost entirely through regulations, and the statutory guidance on these regulations is scant: The CPPA will define the “scope and process of the agency’s audit authority,” establish criteria for selecting audit targets, and establish protections against disclosure for the information the auditor collects.

As with other areas of CPPA rulemaking, it is unclear when the agency will turn to establishing the Chief Privacy Auditor’s authority. However, it is worth noting now that the Auditor’s authority is potentially sweeping, as well as considering how a CCPA compliance program will look when it is under the Auditor’s microscope.

Today’s appointments are an important milestone in the development of a new breed of U.S. privacy regulator. We will keep a close watch on further developments with the Board and the CPPA’s activities.

Kelley Drye attorneys and industry experts provide timely insights on legal and regulatory issues that impact your business. Our thought leaders keep you updated through advisories and articles, blogs, newsletters, podcasts and resource centers. Sign up here to receive our email communications tailored to your interests.

Follow us on LinkedIn and Twitter for the latest updates.

(1) Notice for Sale of PI Collected Offline: Businesses that sell personal information collected offline must provide an offline notice by means such as providing paper copies or posting signs in a store, or giving an oral notice if collecting personal information over the phone.

(2) Opt-Out Icon: The revised regulations provide that businesses may use an opt-out icon in addition to, but not in lieu of, notice of a right to opt out or a “Do Not Sell My Personal Information” link.

(3) Do Not Sell Requests: A “Do Not Sell” request must “be easy for consumers to execute and shall require minimal steps to allow the consumer to opt-out.” The change prohibits businesses from using any method that is designed to or would have the effect of preventing a consumer from opting out. The revised regulation offers examples of prohibited opt-out practices, which include requiring a consumer to: (A) complete more steps to opt out than to re-opt in after a consumer had previously opted out; (B) provide personal information that is not necessary to implement the opt-out request; and (C) read through a list of reasons why he or she shouldn’t opt out before confirming the request.

(4) Consumer Requests from Authorized Agents: A business may now require an authorized agent who submits a request to know or delete to provide proof that the consumer gave the agent signed permission to submit a request. The regulations also preserve the options business previously had of requiring the consumer to verify their identity directly to the business or directly confirming that they provided the authorized agent permission to submit the request.

(5) Children’s Information: The addition of the word “or” in section 999.332 requires businesses that sell personal information of children under the age of 13 “and/or” between the ages of 13 and 15 to describe in their privacy policies how to make an opt-in to sale requests.

We will continue to monitor closely further developments in CCPA regulations.

Kelley Drye attorneys and industry experts provide timely insights on legal and regulatory issues that impact your business. Our thought leaders keep you updated through advisories and articles, blogs, newsletters, podcasts and resource centers. Sign up here to receive our email communications tailored to your interests.

Follow us on LinkedIn and Twitter for the latest updates.