Ad Law Access (https://www.kelleydrye.com/viewpoints/blogs/ad-law-access): updates on advertising law and privacy law trends, issues, and developments. Feed retrieved Thu, 14 Nov 2024 12:25:35 -0500.

The California Privacy Protection Agency Advances Regulations to Rein in AI, Mandate Security Audits and Risk Assessments, and Update CCPA Obligations
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/the-california-privacy-protection-agency-advances-regulations-to-reign-in-ai-mandate-security-audits-and-risk-assessments-and-update-ccpa-obligations
Tue, 08 Oct 2024 10:00:00 -0400

The California Privacy Protection Agency (CPPA) has signaled it will advance rulemaking at its upcoming November 8 board meeting to place restrictions on the use of automated decision-making technology (ADMT) and impose new obligations to require businesses to conduct cybersecurity audits and risk assessments. The agency has grappled with these issues for more than two years, including soliciting formal comments in a February 2023 invitation for preliminary comments and conducting other stakeholder outreach.

The CCPA grants the CPPA the authority to issue regulations relating to cybersecurity audits, risk assessments, and ADMT, but leaves the details to agency rulemaking. To date, that approach has left a gap between California and other comprehensive state privacy laws, which give consumers the right to opt out of automated “profiling” and require documented Data Protection Assessments (i.e., DPIAs). California is one of just three states (along with Colorado and New Jersey) that include rulemaking authority in their comprehensive state privacy laws, placing significant autonomy with the CPPA to determine the state’s approach to these issues.

The CPPA also plans to issue rules that update CCPA compliance obligations, including new disclosures when denying privacy rights requests and categorizing children and teen data as “sensitive personal information.”

In a stunning assessment, staff of the CPPA estimates the total costs of the latest regulatory initiative to be $3.5 billion in the first year, and an average of $1 billion each subsequent year for the first ten years. The agency defends its approach by alleging that cybersecurity audits will reduce cybercrimes to the tune of $1.5 billion in the first year and $66.3 billion by 2036.

In this blog post, we highlight key updates contained in the CPPA’s latest rulemaking initiative.

New Rules for Use of ADMT

Under the CPPA’s proposal, the ADMT regulations would be triggered in one of the following three ways:

  • First, the regulations can be triggered by “significant decisions concerning the consumer.” These include decisions impacting access to or denial of financial or lending services, housing, insurance, education, criminal justice, employment, healthcare services, or essential goods or services (including groceries, medicines, hygiene products, or fuel). Businesses using ADMT for these significant decisions would be required to provide an adverse significant decision notice to consumers prior to making decisions that deny opportunities or services to the consumer.
  • Second, the regulations can be triggered by extensive profiling of the consumer using automated processing, including in their job, at school, in public, or via behavioral advertising. The regulations define “behavioral advertising” to include both cross-context behavioral advertising based on activity across the internet and first-party behavioral advertising based on activity within a business’s own website, apps, or services.
  • Third, the regulations can be triggered when training ADMT to generate significant decisions, to establish individual identity, for identification or profiling, or to generate deepfakes (defining deepfakes as “manipulated or synthetic audio, image, or video content that depicts a consumer saying or doing things they did not say or do and that are presented as truthful or authentic without the consumer’s knowledge or permission”).

The new rules would regulate the use of ADMT through a notice informing the consumer about the use of ADMT, a limited right to opt out of ADMT, and a right to access information about the use of ADMT and the output with respect to the consumer.

The rules provide exceptions and limitations on the right to opt out of ADMT. For example, the right to opt out of the use of ADMT for significant decisions concerning the consumer is not available if the consumer is offered an opportunity to appeal the decision to a human reviewer. The right to opt out of the use of ADMT for extensive profiling in the workplace or education contexts can also be limited if the business conducts an evaluation to ensure the ADMT is accurate and non-discriminatory.

Mandatory Risk Assessments

The CPPA proposes that businesses that process personal information that “presents significant risk to consumers’ privacy” must conduct a risk assessment to determine whether the risks to consumers’ privacy outweigh the benefits to the consumer, the business, other stakeholders, and the public. The types of activities that could involve “significant risk” are broadly defined in the rulemaking proposal, including:

  • Processing activities involving the sale or sharing of personal information.
  • Processing activities involving the processing of sensitive personal information (other than in certain employment or benefits contexts).
  • Processing activities involving a significant decision concerning a consumer, extensive profiling (including for behavioral advertising), or training ADMT. All three of these categories trigger ADMT rules, as we’ve discussed above.

The proposed regulations list the types of information that must be included in the risk assessments, including processing details (i.e., identification of the purpose of the processing, the categories of personal information that will be processed, and how the business collects, uses, and discloses the information); the benefits of the processing including in particular expected profits for the business; possible negative impacts to consumer privacy; and how the business will safeguard against possible negative impacts.

The CPPA proposes that businesses must submit their risk assessments within 24 months of the effective date of the regulations, and then annually thereafter. A business’s “highest-ranking executive who is responsible for oversight of the business’s risk assessment compliance” will be required to file a written certification along with the risk assessment.

Cybersecurity Audits

Another new requirement in the proposed regulations is for covered businesses to complete a cybersecurity audit within 24 months of the effective date of the regulations, and then annually thereafter. The audit would be required to assess the company’s cybersecurity program and identify any gaps or weaknesses in the program, including the status of efforts to address such gaps or weaknesses. Substantively, audits would assess standard components of a cybersecurity program, including authentication/encryption, zero trust architecture, access controls, personal information inventory and management, secure configuration of hardware and software, scanning for vulnerabilities, audit logs, network monitoring and defenses, use of virus protections, proper configuration of information systems, training, oversight of third parties, data retention and destruction practices, disaster recovery, business continuity, and incident response.

Businesses would be required to use a “qualified, objective, independent” auditor. To ensure a degree of independence, the regulations require internal auditors to report to the company’s board of directors or equivalent governing body. Auditors cannot participate in the business activities that they audit.

Businesses would be required to submit an annual certification of completion of a cybersecurity audit—and not the actual audit report—to the CPPA.

Not all businesses would be required to complete an annual audit. The CPPA states that there are two categories of businesses that would be required to conduct annual cybersecurity audits: (1) businesses that derive 50 percent or more of their annual revenues from selling or sharing consumers’ personal information, or (2) businesses that in the prior calendar year met the CCPA’s annual gross revenue threshold and either processed personal information of at least 250,000 consumers or sensitive personal information of at least 50,000 consumers. Adjusted for inflation under the recently passed AB 3286, the gross revenue threshold is now just above $27.9 million according to the CPPA.

Reclassifying children and teen data as “Sensitive Personal Information”

Citing its authority in the CCPA to update or add categories of personal information or sensitive personal information, the CPPA proposes that all personal information of a consumer known to be under 16 years of age would be categorized as sensitive personal information. Even though the CCPA already restricts the sale or sharing of personal information of anyone under 16 years of age without consent, the CPPA’s latest proposal would also allow minors to opt out of the use or disclosure of their personal information where it is used to infer characteristics about them. In the draft initial statement of reasons, the CPPA explains that its proposal is aimed at both harmonizing the CCPA with other state laws that treat personal data of a known child under 13 as sensitive data, while also providing expanded protections for consumers ages 13 to 15.

Requirements for responding to privacy rights requests

The CPPA proposes additional changes to the process of submitting and responding to privacy rights requests that may require businesses to update their processes and procedures. Here are some notable proposed changes:

  • Handling of toll-free requests: The CPPA proposes that businesses that require the consumer to call a toll-free telephone number to submit a CCPA request must ensure that the individuals handling those phone calls have the knowledge and ability to process the consumer’s CCPA requests.
  • Look-back period: The CPPA would now require businesses to offer a way for consumers to request personal information collected prior to the 12 months preceding the business’s receipt of the consumer’s request.
  • Denial notice disclosure: The CPPA wants to see the following or similar language added to every denial of a privacy rights request: “If you believe your privacy rights have been violated, you can submit a complaint to the California Privacy Protection Agency at [link to complaint form] or to the California Attorney General at [link to complaint form].”

Process for finalizing proposed regulations

The CPPA is expected to vote on initiating formal rulemaking on the proposed regulations at its November 8, 2024 board meeting. Members of the public will have 45 days to submit comments to the CPPA once the rulemaking begins. After the comment period closes, the CPPA can then proceed with finalizing the regulations, a process that requires the agency to consider and respond to every comment it receives and to publish a final statement of reasons. If the CPPA makes any substantive changes to the proposed regulations based on the comments that it receives, the CPPA must provide an additional 15-day comment period on the revised version of the regulations.

A recent decision of the California Court of Appeal, Third Appellate District, confirmed that CPPA regulations take effect immediately and do not require a one-year waiting period. As a result, once the CPPA finalizes the proposed regulations and files the regulations with the California Secretary of State, the regulations will become effective as follows: January 1, if filed between September 1 and November 30; April 1, if filed between December 1 and February 29; July 1, if filed between March 1 and May 31; and October 1, if filed between June 1 and August 31. The CPPA can also petition for an earlier effective date by demonstrating good cause.

CPPA to Propose Changes to Privacy Policy Requirements
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/cppa-to-propose-changes-to-privacy-policy-requirements
Tue, 12 Dec 2023 10:00:00 -0500

While the California Privacy Protection Agency (CPPA) Board’s attention during its December 8 public meeting was mainly focused on preliminary draft regulations on automated decisionmaking technology (ADMT), risk assessments, and cybersecurity audits, the Board also decided to begin a formal process to revise its existing regulations.

The proposed changes emphasize the need to give consumers a “meaningful understanding” of personal information practices and the CPPA’s focus on providing information about data practices before consumers engage with a business. These changes are less far-reaching than the ADMT, risk assessment, and audit proposals, but they could affect how businesses make disclosures in their privacy policies and are likely to be finalized on a relatively short timeline.

Here are the key ways that privacy policy requirements would change under the CPPA’s proposal.

  • “Meaningful Understanding” of Sources and Third-Party Recipients of Personal Information

The draft revisions to sections 7011(e)(1)(B) and (E) would expressly include a requirement for privacy policies to give consumers a “meaningful understanding” of the sources from which a business collects personal information and the categories of third parties to which it sells or shares personal information. The phrase “meaningful understanding” is already in the current definitions of “categories of sources” and “categories of third parties” in section 7001. Its repetition in section 7011 could signal an expectation of increased specificity and clarity in how businesses collect and sell personal information.

  • Clarifying Disclosures to Service Providers and Contractors

Proposed revisions to section 7011(e)(1)(H) would require businesses to identify the categories of personal information that they disclosed to a service provider or contractor in the preceding 12 months, along with the business purpose for these disclosures. This change would remove an ambiguity in current section 7011(e)(1)(H), which also mentions disclosures to third parties for business purposes, a formulation that is arguably inconsistent with the definition of a third party. Companies that have interpreted subsection (H) differently may need to take another look at their privacy policies in light of this proposal.

  • Privacy Policy Links for Mobile Applications

Finally, the draft regulations propose to require mobile applications to include a link to their privacy policies within their settings menu. Under current section 7011(d), including a privacy policy link in an app’s settings menu is discretionary. This new requirement would be in addition to the current mandate to make the privacy policy available through the business’s homepage or app store download page.

What’s Next?

Once CPPA staff revises the draft revisions to reflect Board members’ input, the package of rule changes will be published for a 45-day public comment period. The CPPA did not indicate when the comment period will begin.

California: Changes to Consumer Protection Authority
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/california-changes-to-consumer-protection-authority
Tue, 24 Oct 2023 08:30:00 -0400

California has a new tool in the toolbox when it comes to remedies available for certain consumer protection law violations. The governor of California recently signed legislation adding the remedy of disgorgement for AG actions under false advertising and unfair competition laws (Consumer Laws), which requires a party to repay all amounts obtained through illegal or wrongful acts. In addition, the law created a Victims of Consumer Fraud Restitution Fund (Fund) to help make victims whole in consumer protection lawsuits brought by the California Attorney General. The Fund is financed through payments made by those who violate consumer protection laws, and not through taxes or fees charged to law-abiding businesses.

Starting January 1, 2024, in an action brought by the California AG pursuant to Consumer Laws, the court can award disgorgement in addition to other remedies already provided for in those statutes, which include the often-confused remedy of consumer restitution. The difference between the two remedies is one of focus: restitution focuses on how much the victims were harmed by the conduct, while disgorgement focuses on what the wrongdoer gained as a result of the illegal conduct. Of importance, disgorgement does not require a showing of the specific harmed consumers that need to be compensated, making it an attractive, flexible remedy for enforcers.

When determining whether to award disgorgement, the court shall take into account the amount of civil penalties and consumer restitution awarded, “in addition to other appropriate factors.” Currently, the California AG has authority to seek civil penalties of $2,500 per violation. The funds recovered as disgorgement shall be deposited into the new Fund, established in the State Treasury. Monies in the Fund may, upon appropriation by the legislature, be used by the AG to provide restitution to victims of acts or practices for which consumer restitution has been ordered but not paid in an action brought by the AG pursuant to the Consumer Laws. Should the AG recover funds from a defendant after payment from the Fund has been made, the AG can reimburse the Fund.

California Attorney General Bonta sponsored this bill, declaring that it is a game changer and will allow consumers to get restitution when a business has been successfully prosecuted but becomes insolvent. Companies should take note that the flexibility to obtain disgorgement will likely give California greater authority to obtain additional monetary recoveries in the state’s actions. Disgorgement, however, is specific to AG actions, which necessarily excludes California District Attorney and private actions. Because a “violation” for penalty purposes and “appropriate factors” under the new statute are undefined, it will be worth watching how California wields this new source for payment when it comes to negotiating resolutions. We also note that several other state AGs already claim disgorgement authority (which the FTC currently lacks). See, e.g., New York and Texas.

As California is a very active state when it comes to consumer protection, one can assume that this new tool will be used to a great extent, and that California will want to quickly ensure that the Fund maintains a robust amount of money to be used in future enforcement matters.

California Just Passed SB 362: Whatever You Think About the Merits of the Law, It’s a Big Deal
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/california-just-passed-sb-362-whatever-you-think-about-the-merits-of-the-law-its-a-big-deal
Fri, 15 Sep 2023 00:00:00 -0400

As we’ve discussed here, data brokers have been in the hot seat lately, with the enactment of new state data broker registry laws, aggressive enforcement by the FTC, a looming rulemaking by the CFPB to extend the FCRA’s reach to a broader class of data brokers, multiple federal bills to restrict data broker sales, and a recent meeting at the White House to discuss “harmful data broker practices” and provide further impetus for regulation.

Among the most significant of these developments is California’s SB 362 – a data broker bill that goes well beyond the registration requirements contained in California’s existing data broker law. Proposed earlier this year, SB 362 met with various twists and turns all summer, including strenuous opposition from industry members. However, yesterday (on the last day of the legislative session), the California Senate gave the bill final approval, concurring in the version passed by the California Assembly.

Now the law is on its way to Governor Newsom for signature, and there have been no signs that he’ll veto it. Indeed, the bill’s chief sponsor, state Senator Josh Becker, has said that, while he hasn’t reached out to the governor, he expects the governor to sign. Others have surmised that Newsom will sign in light of the prominence of privacy in the Golden State, as well as concerns about data brokers’ collection and sale of reproductive health care data (an issue referenced in Section 3 of the bill).

What Does SB 362 Require?

Although the bill was amended throughout the legislative process, the core requirements remain largely the same. In brief, SB 362 expands California’s current data broker law by providing a centralized place where consumers can delete their data and limit the further sale or sharing of it, and requiring data brokers to undertake new disclosure, recordkeeping, and audit requirements. Some provisions will take effect in 2024 but most will be delayed until 2026 or even 2028. Specifically, SB 362:

  • Requires data brokers to register with the California Privacy Protection Agency (CPPA) (instead of the California AG’s office, as required by the current law), pay a fee, submit detailed information, provide detailed disclosure to consumers, and comply with new recordkeeping requirements (expanded requirements phased in during 2024);
  • Requires the CPPA to create an “accessible deletion mechanism” where consumers can at no cost direct some or all data brokers to delete all of their information, subject to the same deletion and other exceptions available under CCPA (beginning in 2026);
  • Requires data brokers to continue to delete any new information received about the consumer every 45 days (2026);
  • Requires any data broker that receives a deletion request not to sell or share any new personal information about the consumer unless the consumer requests it (2026);
  • Requires any data broker that receives a request to direct their service providers and contractors to delete the information (2026);
  • Requires a data broker that denies a request to delete because the request cannot be verified to process the request as an opt-out of sale/sharing and to direct its service providers and contractors to do the same (2026);
  • Allows “authorized agents” to assist consumers in making deletion requests (2026);
  • Requires data brokers to undergo independent compliance audits every three years (beginning in 2028);
  • Authorizes penalties and administrative costs for noncompliance, including $200 for each day a data broker fails to register and $200 “for each deletion request for each day the data broker fails to delete information” as required. (These sanctions kick in as each of the above requirements become effective.); and
  • Gives the CPPA discretionary rulemaking authority to implement the new law.

Of significance, the term “data broker” is defined broadly as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship” (though it excludes entities covered by the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act and similar California laws, and a California insurance law). As a result of this broad definition, the bill extends not just to data brokers as they are commonly understood, but also to many members of the advertising industry that collect and sell data but do not have a consumer-facing relationship.

What Did Opponents Argue?

In a website created for the purposes of opposing SB 362, industry members pointed to the many beneficial support services they provide – such as stopping fraud targeting companies and the government; verifying identities for the administration of unemployment and nutrition programs; identifying potential donors for political and charitable campaigns; and allowing small businesses to compete and reach a larger customer base. They also stated that the California Consumer Privacy Act already covers data brokers and provides a full set of transparency and deletion rights to consumers as to these entities. These arguments didn’t carry the day, although the bill garnered a chunk of “no” votes in the California Assembly.

Why is this Significant?

As discussed in our prior posts on this subject, policymakers at the federal and state levels have debated for years whether to impose new statutory and/or regulatory requirements on data brokers, citing the sensitive nature of the information and profiles that they sell, the use of this data in making consequential decisions about consumers, and the invisibility of most data brokers to the public. However, to date, data broker-specific legislation has largely been limited to the FCRA and to the state data registry requirements now in effect in four states (though data brokers fall within many privacy laws of general applicability, of course).

The new requirements in SB 362 raise the potential that large numbers of consumers might opt out of the collection and sale by data brokers (broadly defined), whether on their own or through “authorized agents.” Thus, while the law confers significant new privacy rights on consumers, it also could substantially impact the data broker and advertising industries and the many businesses and services that rely on them. In addition, because California typically leads the states on privacy issues, it’s possible that other states will follow suit, amplifying these effects considerably.

Stay tuned as we continue to monitor this important topic.

Practical Privacy: Lessons from the Front Lines
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/practical-privacy-lessons-from-the-front-lines
Thu, 31 Aug 2023 00:00:00 -0400

With the continuing onslaught of state privacy laws, it’s easy to become overwhelmed by the number of new legal obligations while also trying to stay focused on identifying and mitigating the most pressing legal and business risks. Over the past couple of months, we’ve had the opportunity to meet with privacy professionals to hear about their top challenges and offer some practical perspectives of our own.

Three of the topics that stood out during these discussions – there were several others – were: understanding and managing data protection impact assessments (DPIAs), assessing sensitive personal information (SPI) risks, and implementing data deletion obligations. This post shares some of the tips that emerged from these sessions.

Data Protection Impact Assessments

Four states require DPIAs today for certain processing activities, and laws that go into effect in five additional states beginning in 2024 will require them, too. Across most of these states, the activities that trigger the need to conduct a DPIA include targeted advertising, data sales, and sensitive data processing. Beyond these clearly defined starting points, however, practical challenges abound. What form should a DPIA take? Who should be responsible for drafting the assessment? What are the best practices for keeping DPIAs up to date?

One way to look at these questions is that DPIAs tell the story about how a company uses personal data. Regulators will be one audience for these stories. Some states’ laws allow the attorneys general to request production of DPIAs from organizations. California law requires businesses to submit their DPIAs to the CPPA on a “regular basis” (with details now set forth in draft regulations). Regulators will expect to see (in the words of the Colorado Privacy Act’s implementing regulations) a “genuine, thoughtful analysis” of the benefits, potential harms, and mitigations in a company’s data practices.

At the same time, although some state privacy laws provide protection for attorney-client privilege and confidentiality, we expect DPIAs to generate investigations and to have their privilege and confidentiality protections challenged. Carefully planning the diligence and drafting stages of a DPIA – and taking care to maintain safeguards for communications that involve legal advice – is critical to ensuring that DPIAs are accurate and comprehensive while minimizing additional risk to the company.

Finding internal champions and identifying key stakeholders are also critical steps. DPIAs take time away from IT, engineering, business, legal, compliance, and privacy teams who have day jobs. In most cases, their contributions are essential to assemble an accurate picture of the activity that’s at the center of a given DPIA.

The message that spurs these teams to participate meaningfully in the DPIA process will vary. In some cases, buy-in might arise from a shared understanding that the company needs to align on whether its current practices are sufficient to protect against known risks. In other instances, a clear message of support from the top of the organization might be necessary.

In short, there isn’t a single format or process that will work for everyone. However, recognizing that the stakes involved in DPIAs are significant and planning accordingly are first steps toward identifying which processing activities to tackle first and how to go about it.

Sensitive Personal Information

In addition to triggering a DPIA obligation, SPI processing under state laws and emerging enforcement precedent may require opt-in consent. Identifying SPI collection and use is therefore a growing priority for many privacy professionals.

But the expansive definition of SPI under state privacy laws is only part of the equation. Sector-specific laws, such as the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and the Illinois Biometric Information Privacy Act, expand the range of sensitive data that receives heightened protections. These laws have become an increasing focus for regulators and the plaintiffs’ bar at the same time that data from these sectors is becoming more valuable for new services and, in some instances, advertising.

Where SPI is used in marketing and advertising, companies face compliance challenges and potential exposure to private suits. Using alternatives to SPI can mitigate these risks. For example, in lieu of SPI, some companies are exploring the use of aggregated demographic data to power insights or target advertising based on non-sensitive purchasing behavior.

Practical approach to SPI

  • Cataloging data starts with thoughtful DPIAs and a robust understanding of the business use cases with SPI.
  • Consent is the baseline expectation for SPI processing. Consider building a consent management infrastructure that accounts for both direct collection and sourced (or inferred) data.
  • Explore emerging alternatives to SPI and implement mitigation measures in the meantime.
  • Think for today and for tomorrow. Short-term and long-term plans are crucial for developing a comprehensive and durable risk-management strategy. Set a cadence to revisit the plans.

Data Deletion Obligations

All comprehensive state privacy laws that have been enacted so far give consumers the right to request deletion. State laws vary in the level of detail they provide about deletion – regulations in California and Colorado are quite specific in their procedures – but all provide significant leeway to retain data for internal purposes that are reasonably aligned with consumers’ expectations. In practice, it is not uncommon to preserve some data to meet operational needs or comply with legal obligations.

This leads to two challenges. First, companies need to communicate clearly with consumers, service providers, and third parties about how they’re fulfilling deletion requests. Second, companies need ways to ensure that data they keep under an exemption is not used for other purposes.

A few practical steps can help:

  • Prior to developing a process for responding to deletion requests, map out your data to understand what personal information you have, where it is located, and with whom you share it. Identify any legal obligations surrounding how long you must keep it, including any minimum retention periods.
  • Develop and maintain systems to notify service providers and third parties about data deletion requests. Methods for sending deletion requests to partners vary widely, from self-serve, automated interfaces to ad hoc requests that are handled case-by-case, so be prepared to work with a wide range of processes.
  • Communicate clearly with consumers about deletion requests, whether the request will be approved in whole, in part, or not at all.

If Kelley Drye can help your organization develop a practical approach to building and maintaining a robust privacy program, please contact any member of our Privacy Group.

CCPA Update: Agencies Push Ahead with Enforcement as Superior Court Delays New Regulations
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/ccpa-update-agencies-push-ahead-with-enforcement-as-superior-court-delays-new-regulations
Thu, 20 Jul 2023 00:00:00 -0400

The California Privacy Protection Agency (CPPA) and California Office of Attorney General (OAG) are publicly pressing ahead with enforcement now that they have the authority to enforce the California Consumer Privacy Act (CCPA) as of July 1st. While the agencies did not announce headline-grabbing enforcement decisions at the start of the month, there were some notable developments.

Investigative Sweep Targeting Employers

On July 14th, OAG announced an investigative sweep targeting employer compliance with the CCPA.

Beginning January 1, 2023, after three years of statutory delays, the CCPA now applies to employers, requiring them to provide employees with privacy notices and to respond to employee privacy requests, including to access, correct, and delete their personal information, and offer opt outs, as applicable.

As part of the OAG sweep, the agency sent inquiry letters to large employers in California asking about how these companies comply with the CCPA’s requirements with respect to their employees and job applicants.

Under recent amendments to the CCPA, OAG and CPPA both have authority to enforce the privacy law although only the CPPA has the ability to engage in rulemaking. The CCPA no longer provides a right to cure violations of the law before either the OAG or CPPA allege a violation, although the statute indicates the CPPA may decide to offer a right to cure based on a lack of intent to violate CCPA or efforts undertaken by a business to cure the alleged violation. The OAG also maintains discretion in how it evaluates a company’s compliance and whether an enforcement action is appropriate.

Enforcement Update & Priorities

Also on July 14th, the CPPA held a public meeting that in part responded to the recent Superior Court decision in California Chamber of Commerce v. California Privacy Protection Agency delaying enforcement of the CPPA’s recently finalized rulemaking completed on March 29, 2023.

During the meeting, Deputy Director of Enforcement for CPPA, Michael Macko, stated businesses “do not have a free pass” from all enforcement after the decision.

The Court’s ruling was based on the language of the California Privacy Rights Act ballot initiative approved by voters in November 2020 that added new requirements to the CCPA and created the CPPA. Under the ballot initiative, the CPPA was required to complete its rules on July 1, 2022, one year prior to enforcing those rules on July 1, 2023, but CPPA did not meet the deadline. The Superior Court stayed the agency’s enforcement of wholly new regulations for 12 months from the date the regulations were finalized in order to reflect the one-year timeframe codified in the ballot initiative.

Nonetheless, the CPPA’s position is that the court decision does not stop the Enforcement Division from enforcing the CCPA statute and earlier versions of the CCPA regulations. Macko also explained that regulations affected by the ruling are only one enforcement tool that the Enforcement Division plans to use. Macko expects to see robust compliance, while being sensitive and aware of potential implications and impacts for businesses that designed their compliance based on the new regulations.

Macko also described that the CPPA’s stance on enforcement will emphasize matters involving children, the elderly, and vulnerable or marginalized groups that he said are “susceptible to privacy violations or commonly overlooked.” According to Macko, cases will be considered based on overall circumstances, including harm to consumers, the nature and severity of the harm, good-faith efforts to comply, and the size and resources of a business.

Macko also indicated the CPPA will prioritize privacy notices and policies. This includes reviewing whether businesses are collecting data in the way they tell consumers, how businesses are complying with the right to delete personal information, and the implementation of consumer requests from the standpoint of business practices.

Legislative Update and CPPA’s Position on Pending Legislation

The CPPA also used its July 14th meeting to endorse legislation that amends or impacts the CCPA. Maureen Mahoney, Deputy Director of Policy & Legislation for the CPPA, proposed that the CPPA make recommendations for the following bills that would directly affect the agency or its operations. Here is a list of pending legislation that the Board voted to recommend:

  • Sensitive Personal Information: Assembly Bill 947 adds immigration and citizenship status to the definition of sensitive personal information. The bill is slated for a third reading in the California Senate after passage in the California Senate Appropriations Committee.
  • Reproductive Health: Assembly Bill 1194 provides additional consumer protection for reproductive health information, including information related to accessing, searching, or procuring abortion services, pregnancy care, perinatal care, and contraception. The bill is currently under consideration by the California Senate Appropriations Committee.
  • Statute of Limitations: Assembly Bill 1546 extends the statute of limitations for bringing a civil enforcement action from one year after the violation to five years after the violation. The bill is currently under consideration by the California Senate Appropriations Committee.
  • Data Broker Registration: Senate Bill 362 amends California’s Data Broker Registry Law to transfer administration and rulemaking authority to the CPPA and directs the agency to establish a deletion mechanism for consumers to request that all data brokers delete their personal information through a single request. Beginning July 1, 2026 under the legislation, data brokers will not be able to sell or share new personal information from consumers that have already requested deletion, unless the consumer states otherwise. Starting on January 1, 2028, and every three years thereafter, data brokers will be audited by an independent third party to determine compliance. The bill is currently re-referred to the Committee on Appropriations pursuant to Assembly Rule 96.

The California legislature is currently on recess and reconvenes August 14th.

If you have any questions about the above developments, compliance efforts with the new state privacy laws, or concerns related to a regulatory inquiry, please feel free to reach out to our team.

Summer Associate Brianna Robinson contributed to this post.

With July 1st in view, Google updates CCPA contract terms
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/with-july-1st-in-view-google-updates-ccpa-contract-terms
Wed, 24 May 2023 08:00:00 -0400

Google updated its privacy terms earlier this month, shifting away from offering many of its advertising services on a “service provider” basis. With the change, Google states that its Customer Match, Audience Partner API, and certain audience-building services no longer meet the CCPA’s strict new requirements to be offered on a “service provider” basis. The implication of this change is that companies leveraging these services are “selling” or “sharing” personal information and will need to offer consumers an opportunity to opt out.

“Restricted Data Processing” Under the CCPA

Since 2019, Google has offered a number of its services on a “restricted data processing” basis. Where a service is configured for restricted data processing, Google acts as a service provider with respect to personal information (i.e., names, email addresses, online identifiers) that Google collects from advertisers, publishers, and other partners.

Under the California Consumer Privacy Act (CCPA), which first took effect in 2020, a service provider is not permitted to use personal information other than for business purposes associated with offering services. For example, the CCPA does not permit a service provider to resell personal information processed on behalf of a business or to use the information to build profiles about individual consumers for its own commercial benefit.

In documentation available at https://business.safety.google/rdp/, Google explains that when restricted data processing applies, Google will use personal information for business purposes such as ad delivery, reporting and measurement, security and fraud detection, debugging, and to improve and develop product features. Google cites these policies to support its position that it is a “service provider” for many of its advertising-related services, such as Google Ads, Google Analytics, Tag Manager, and Display & Video 360.

What’s changing?

Starting July 1, 2023 – the day that the California Privacy Rights Act (CPRA) amendments to the CCPA become enforceable – Google will no longer offer restricted data processing for the following services in California:

  • Any feature that entails uploading customer data for purposes of matching with Google or other data for personalized advertising (e.g., Customer Match)
  • Any feature that entails targeting user lists obtained from a third party (e.g., Audience Partner API)
  • Any feature that entails creating, adding to, or updating user lists using first-party customer data (e.g., audience building with floodlight tags and audience-expansion features in DV360)

These changes reflect key amendments to the CCPA. In particular, the CPRA amendments define “cross-context behavioral advertising” to mean “targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s activity across” the internet, and prohibit service providers from offering services that involve “sharing” personal information for purposes of “cross-context behavioral advertising.”

The clear but unstated message behind these changes is that Customer Match involves cross-context behavioral advertising. When an advertiser uses the Customer Match service, the advertiser provides Google with a target audience, and Google displays ads to that audience on its search results. Because the service involves targeting ads to consumers on Google based on the consumer’s interactions with the advertiser, Google’s apparent position is that Customer Match is a cross-context behavioral advertising service.

As noted above, advertisers, publishers, and other businesses that share personal information with third parties (such as Google) for cross-context behavioral advertising must offer consumers an opportunity to opt out of the “sale” and “sharing” of their personal information. In addition, as described in the latest CCPA regulations, these businesses are required to enter into a contract for the “sale” or “sharing” of personal information that requires the third-party recipient to comply with the CCPA and provide the same level of privacy protection for consumer data as any business subject to the CCPA.

Where can I find the restricted data processing contract?

Google publishes its restricted data processing contract for US state privacy laws at https://business.safety.google/usaprivacyaddendum/.

What about Google Analytics?

Google Analytics is a popular service that allows businesses to gain insights into who visits their digital properties. Google states that it will act as a service provider for Google Analytics as long as the business disables sharing with other Google products and services.

Google offers a variety of privacy-related tools for Google Analytics, including support for deletion requests.

What about real-time bidding?

Google also offers services like Display & Video 360 and Authorized Buyers that enable advertisers to respond to bids in real-time for ad inventory across the web. Google indicates that these services continue to operate using restricted data processing but also makes clear that restricted data processing “does not extend to the sending or disclosure of data to third parties that you may have enabled in our products and services.” As a result, publishers issuing bid requests and advertisers responding to publisher bid requests should understand that personal information conveyed to third parties for bidding purposes may not be covered by Google’s restricted data processing terms.

California Attorney General’s First CCPA Settlement Sends Strong “Signals” About Do Not Sell Enforcement
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/california-attorney-generals-first-ccpa-settlement-sends-strong-signals-about-do-not-sell-enforcement
Thu, 25 Aug 2022 12:50:51 -0400

Warning that “[t]here are no more excuses,” the California Attorney General announced on August 24 the first public settlement under the California Consumer Privacy Act (CCPA). The settlement order, which the court approved on the same day, requires beauty-product retailer Sephora, Inc., to pay a $1.2 million civil penalty to resolve allegations that the company failed to disclose to consumers that it was selling their personal information, and failed to process consumer requests to opt out of sale by either offering a “Do Not Sell My Personal Information” link or via user-enabled global privacy controls. The order also requires Sephora to implement, assess, and report on a CCPA compliance program, in addition to other injunctive terms.

Treatment of Sales and Opt-Out Signals in the Settlement

The allegations in the complaint are consistent with the AG Office’s long-standing position that Do Not Sell is a central feature of the CCPA – “the hallmark of the CCPA,” in the language of the complaint – and indicate that the AG takes a broad view of “sales” under the CCPA. According to the complaint, the CCPA’s opt-out provision establishes “certain straightforward rules: if companies make consumer personal information available to third parties and receive a benefit from the arrangement – such as in the form of ads targeting specific consumers – they are deemed to be ‘selling’ consumer personal information under the law.”

Taken together, the complaint and order entrench a sweeping view of sales: “online tracking technologies” that make personal information available to third parties “in exchange for monetary or other valuable consideration,” including analytics and “free or discounted services” are defined as sales under the order. The AG alleges that Sephora disclosed its use of online tracking technology but not the sale of personal information. According to the complaint, the opposite was true: the privacy policy stated “we do not sell personal information,” and the company did not offer an opt-out of sale by any method. (The complaint also includes a deception count under California’s Unfair Competition Law, which focuses on these representations.)

The “online tracking” described in the AG’s complaint is not limited to Sephora’s use of advertising cookies, pixels, or other technology. The AG also alleges that Sephora’s use of “analytics,” which is characterized as part of “third-party surveillance,” constituted sales, and the order requires that Sephora enable restricted data processing for its service providers.

In addition to alleging sales through online tracking technologies, the AG’s complaint also charges Sephora with failing to respond to user-enabled global privacy controls (GPC). The complaint states that Sephora’s practices were investigated as part of a June 2021 sweep of “large retailers,” to determine “whether they continued to sell personal information when a consumer signaled an opt-out via the GPC.” Although the GPC remains a proposed specification, the complaint alleges Sephora “completely ignored the GPC.”

Other Terms in the Order

In addition to imposing $1.2 million in civil penalties, the order requires Sephora to revise its disclosures and establish opt-out mechanisms via homepage link and GPC, to the extent that the company continues to sell personal information. The order also requires Sephora to conform its service provider agreements to the CCPA’s requirements, and provide an initial and two annual reports to the AG relating to its sale of personal information, the status of its service provider relationships, and its efforts to honor the GPC.

What does this mean for businesses subject to CCPA?

First, if the AG sends a letter advising a business of CCPA violations, swift action may prevent additional investigation or enforcement action. Here, the complaint explains that the AG’s investigation followed Sephora’s “fail[ure] to cure any of the alleged violations” and “le[d] to this enforcement action.”

Second, companies that use technology to track consumer behavior online, which is ubiquitous, should reassess whether their practices result in CCPA sales. In particular, the AG may not categorically regard analytics as warranting treatment as a service provider offering.

Finally, it is important to continue to monitor developments on opt-out preference signals, which are addressed in greater detail in the CPPA’s draft regulations.

We’re keeping an eye on these issues, new case examples from the AG, and more.

Preparing for Expanded Consumer Rights Requests Under the CPRA
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/preparing-for-expanded-consumer-rights-requests-under-the-cpra
Fri, 15 Jul 2022 06:11:20 -0400

With the clock now running on the comment period for the California Privacy Protection Agency’s (CPPA) Draft Regulations to implement the CPRA – comments are due on August 23 – one of the items on many businesses’ CPRA preparation to-do lists is to address new (and the expansion of existing) consumer rights. The Draft Regulations published by the CPPA lay out how the CPPA is likely to define these obligations. This post takes a deeper look at what’s in the CPPA’s proposal – as well as what’s missing.

A couple of overarching points are worth keeping in mind. First, implementing the CPRA’s consumer rights provides an occasion for businesses to review and update data maps so that they accurately capture how personal information flows both through their organizations and to service providers, contractors, and/or third parties. Second, preparing for CPRA consumer requests should go hand-in-hand with reviewing the systems and procedures that are in place to honor consumers’ requests.

Right to Opt Out of Sale/Sharing of Personal Information

The CPRA broadens the scope of the CCPA’s existing opt-out right to include the “sharing” of personal information. The Draft Regulations would add to existing opt-out obligations by requiring a business to:

  • Provide a “means by which the consumer can confirm” that their request has been processed by the business (e.g., by displaying through a toggle or radio button on the business’s website that the consumer has exercised their right); and
  • Notify all third parties to whom the business has sold or shared the consumer’s personal information since receiving the request that the consumer has exercised their opt-out right, direct them to comply with the request, and forward the request to any other person to or with whom they have disclosed or shared the consumer’s personal information.

Right to Delete

Following new requirements under the CPRA, the Draft Regulations clarify that a business must send deletion requests “downstream” to all relevant parties. Specifically, the Draft Regulations provide that a business must: (i) instruct its service providers and contractors to delete the consumer’s personal information from their records; and (ii) notify all third parties to whom it has sold or shared the consumer’s personal information to delete the information. Service providers and contractors must in turn notify other service providers, contractors, and third parties that accessed the personal information that is subject to the deletion request, unless the access occurred at the direction of the business. These obligations are subject to limitations if they are impossible or would require disproportionate effort to fulfill.

Right to Correct

The right to correct is a new right granted to consumers by the CPRA, and the Draft Regulations establish rules and procedures to facilitate consumers’ correction requests. Among other obligations, the Draft Regulations provide that, upon verification, a business must determine the accuracy of the personal information by considering the “totality of the circumstances relating to the contested personal information.” Pursuant to the Draft Regulations, relevant factors that a business would need to consider are: (i) the nature of the personal information; (ii) how the business obtained the contested information; and (iii) documentation relating to the accuracy of the information. A business that corrects personal information would also need to implement measures to ensure the information “remains corrected” and instruct its service providers and contractors to correct the information in their respective systems.

Right to Know

Building on the existing right to know, the Draft Regulations provide that a business must provide information beyond the 12-month period preceding the business’s receipt of the request unless doing so “proves impossible or would involve disproportionate effort.”

Right to Limit Use and Disclosure of Sensitive Personal Information

The right to limit the use and disclosure of sensitive personal information is another new right under the CPRA. The Draft Regulations would require a business to handle such “requests to limit” by:

  • Ceasing to use and disclose the consumer’s sensitive personal information, except for purposes allowed under the regulations, within 15 business days of receiving the request;
  • Notifying its service providers and contractors that the consumer has exercised their right to limit and instructing them to comply with the consumer’s request within the same time frame described above;
  • Notifying all third parties to whom the business has disclosed or made available the consumer’s personal information for purposes other than those set forth in the regulations after the consumer submitted their request and before the business complied with the request that the consumer has exercised their right and directing the third party to comply with the consumer’s request and forward the request to others that have received the consumer’s sensitive personal information;
  • Notifying all third parties to whom the business makes sensitive personal information available for purposes other than those set forth in the regulations (e.g., third parties that the business authorizes to collect information from its property) that the consumer has exercised their right, and directing such third parties to comply with the consumer’s request and forward the request to others that have received the consumer’s sensitive personal information; and
  • Providing a “means by which the consumer can confirm” that their request has been processed by the business (similar to the obligation for opt-out requests described above).

Propagating Data Subject Rights to Service Providers, Contractors, and Third Parties

A business may have obligations to notify and instruct its service providers, contractors, and/or third parties to comply with a consumer’s request. Service Providers, contractors, and third parties may also have obligations to notify and instruct companies they’ve shared a consumer’s personal information with to comply with a request. The following chart shows obligations that each party has based on the consumer’s request.

See: Propagating Data Subject Rights Chart

Takeaways: The CPRA provides consumers with a range of rights that empower them to exercise more control over their personal information, and the additional obligations that the proposed regulations impose on businesses would help ensure that all parties processing consumers’ personal information give effect to such rights.

To reiterate, it’s unclear which of the amendments in the proposed regulations will stick. It is clear, however, that the expanded transparency and consumer rights requirements in the CPPA’s Draft Regulations are likely to require substantial time and resources to implement.

Stay tuned for additional blog posts in which we will summarize how the proposed regulations contemplate some of businesses’ other compliance obligations under the CPRA.

* * * *

Join us July 20 for How To Protect Employee/HR Data and Comply with Data Privacy Laws. This webinar will cover:

  • Existing and prospective laws and regulations employers should be aware of when managing their workforce
  • Key principles to adhere to when collecting and handling employee personal data
  • Best practices for protecting employee personal data during the employment life cycle

Register here

On Notice: “Notice at Collection” and Privacy Policy Requirements Under the CPPA’s Draft Regulations
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/on-notice-notice-at-collection-and-privacy-policy-requirements-under-the-cppas-draft-regulations
Thu, 30 Jun 2022 07:06:28 -0400

Among the many details to absorb in the draft amendments to the CCPA regulations published by the California Privacy Protection Agency (“CPPA”) on May 27 (the “Draft Regulations”) are new and prescriptive disclosure requirements for notices at collection and privacy policies. While these disclosure provisions (and all of the other provisions of the Draft Regulations) are subject to further changes, it is important that businesses begin to assess carefully these provisions and devise strategies for operationalizing compliance with them, especially since disclosures provide some of the most visible signals of CCPA compliance.

In this post, we summarize the Draft Regulations’ disclosure provisions and outline steps for businesses to consider taking to prepare for these requirements.

New Disclosure Requirements

Citing a CCPA provision that authorizes regulations to ensure that notices and information required under the CCPA are provided to consumers at the appropriate time and in a manner that may be “easily understood by the average consumer,” the Draft Regulations would create new disclosure requirements for any business engaged in the collection of consumers’ personal information.

Notice at Collection

The Draft Regulations, citing a declared purpose in the CPRA of enabling consumers to “exercise meaningful control” over businesses’ use of their information, would require businesses to provide additional details about certain aspects of their information practices at or before the point of collection. These provisions include new requirements governing first parties’ and third parties’ notice at collection disclosures.

  • Required Content of a Notice at Collection. Building on existing requirements under the CCPA, the Draft Regulations would require a business to include the following information in its notice at collection:
    • the categories of personal information collected, including sensitive personal information;
    • the purposes for which the categories of personal information are collected and used;
    • whether the categories of personal information listed are sold or shared;
    • the length of time the business intends to retain each category of personal information listed (or the criteria used to determine the retention period);
    • a link to the business’ notice of the right to opt out of the sale/sharing of personal information (or, in the case of an offline notice, where the webpage can be found online);
    • if the business allows third parties to control the collection of personal information on its property, the names of all such third parties or information about their business practices; and
    • a link to the business’ privacy policy (or, in the case of an offline notice, where the privacy policy can be found online).
  • Presentation of the Notice at Collection. The Draft Regulations also prescribe how a business must present its notice at collection. According to the Draft Regulations, it is insufficient to direct consumers to the top of a privacy policy or to require consumers to scroll to find the notice at collection disclosures. Instead, a business must include a link that takes consumers directly to the section of its privacy policy that includes the required information. The link to the notice at collection must be made “readily available where consumers will encounter it at or before the point of collection.” As an example, the Draft Regulations provide that, when a business collects personal information from a consumer via a webform, it should include a “conspicuous link” to the notice at collection in “close proximity” to either the fields where the consumer enters his/her personal information or the button the consumer hits to submit his/her personal information.
  • First and Third Party Disclosures. Based on the view that “more than one business may control the collection of a consumer’s personal information, and thus, have an obligation to provide a notice at collection,” Section 7012(g) of the Draft Regulations would require a business to include in its notice at collection extensive information about third parties that “control” the collection of personal information. In particular, the Draft Regulations provide that if a business owns a physical or digital property from which consumers’ personal information is collected (a “first party”) and allows third parties to control the collection of personal information on its property, the business must include in its notice at collection either (i) the name of all such third parties or (ii) details about such third parties’ “business practices” (which the third parties would be required to provide to the first party). Additionally, the Draft Regulations provide that if a third party collects information from the first party’s physical premises, the third-party business must provide a notice at collection “in a conspicuous manner” at the physical location(s) where it collects the information.

Privacy Policy

The Draft Regulations would also require businesses to include more granular disclosures in their privacy policies. These requirements include:

  • a detailed description of the business’ online and offline information handling practices, including a statement indicating whether the business uses or discloses sensitive personal information for purposes other than those enumerated in Section 7027(l);
  • details about the rights consumers have with respect to their personal information under the CCPA, as amended by the CPRA (which we will discuss in a subsequent blog post);
  • an explanation of how consumers can exercise their rights and what they can expect from the process, including details about how the business processes opt-out preference signals;
  • the date the privacy policy was last updated; and
  • the business’ consumer rights requests metrics for the previous calendar year (or a link to such information), where applicable.

Takeaways

While the CPPA may revise the Draft Regulations before they are finalized, the direction toward more detail in notices at collection and privacy policies – particularly about third parties – seems clear. Satisfying the notice at collection requirements in the Draft Regulations would likely present significant challenges. While the Draft Regulations provide businesses with some flexibility in terms of how they disclose the presence of third parties on their properties, presenting all of the required information in a clear and meaningful manner to consumers could be difficult. Additionally, the need to disclose extensive information about third parties could interfere with consumers’ online experiences.

To prepare for these potential changes, a valuable step for many businesses would be to take stock of the third-party information collection occurring on their sites and in their apps and to consider how to provide more detailed disclosures to consumers in a concise, intelligible, and easily accessible form.

Stay tuned for additional blog posts in which we will summarize how the Draft Regulations contemplate some of the CPRA’s other amendments to the CCPA.

* * * *

Join us today for State Attorneys General 102.

Webinar Replay: A Readout Of The California Privacy Protection Agency's Draft Proposed CPRA Regulations https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/webinar-replay-a-readout-of-the-california-privacy-protection-agencys-draft-proposed-cpra-regulations https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/webinar-replay-a-readout-of-the-california-privacy-protection-agencys-draft-proposed-cpra-regulations Wed, 15 Jun 2022 17:46:48 -0400 The spotlights of the consumer privacy world are once again on California after the new California Privacy Protection Agency made a surprise Friday night release of its draft California Privacy Rights Act (CPRA) regulations on May 27, 2022.

In this webinar, presented in association with Mondaq, Kelley Drye provided observations on the proposed regulations, including which would pose the biggest challenge for businesses if implemented, and offered strategies to plan efficiently for compliance in the face of these proposals.

Click here to view the webinar recording and click here for the presentation slides.

Join us for our next webinar, State Attorneys General 102, on June 30. Register here.

Find our state privacy law portal and more here.

Subscribe to the Ad Law Access blog to receive real-time updates on privacy and other related matters.

The Ad Law News and Views newsletter provides information on our upcoming events and a summary of recent blog posts and other publications.

Visit the Advertising and Privacy Law Resource Center for additional information, past webinars, and educational materials.

For easy access to all of our webinars, posts and podcasts, download our new Ad Law Access App.

Webinar Replay: Consumer Privacy Litigation Update https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/webinar-replay-consumer-privacy-litigation-update https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/webinar-replay-consumer-privacy-litigation-update Fri, 29 Apr 2022 12:50:47 -0400 The replay for our April 28, 2022 Consumer Privacy Litigation Update webinar is available here.

The increasing number of states enacting privacy laws means more privacy litigation. In this webinar, partners Lauri Mazzuchetti and Becca Wahlquist highlighted emerging trends across the docket of privacy litigation cases, provided an update on key cases involving consumer claims, and offered practical tips, including:

  • Understanding potential litigation risk
  • Reducing your litigation exposure
  • Discussing exposure for data breaches and other alleged misuses of consumer data
  • Providing an understanding of the scope of private rights of action
  • Looking ahead to new laws

Find our webinar replays, blog posts and podcasts easily on the new Ad Law Access App.

Kelley Drye Unveils First-of-its-kind Advertising Law App

Privacy Priorities for 2022: Tracking State Law Developments https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/privacy-priorities-for-2022-tracking-state-law-developments https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/privacy-priorities-for-2022-tracking-state-law-developments Fri, 25 Mar 2022 13:10:13 -0400 The replay for our April 28, 2022 Privacy Priorities for 2022: Tracking State Law Developments webinar is available here.

In the absence of a federal privacy law, privacy has been at the forefront of many states’ legislative sessions this year. Against this backdrop, state attorneys general continue to initiate investigations into companies’ privacy practices, and state agencies continue to advance privacy rulemakings under existing law. Aaron Burstein, Laura VanDruff and Paul Singer presented this webinar to help attendees learn about the latest developments in state privacy law, make sense of these developments and understand their practical impact.

To view the webinar recording, click here or view it on the new Ad Law Access App.

California AG’s First CCPA Opinion Takes a Broad View of the Right to Access Inferences https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/california-ags-first-ccpa-opinion-takes-a-broad-view-of-the-right-to-access-inferences https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/california-ags-first-ccpa-opinion-takes-a-broad-view-of-the-right-to-access-inferences Mon, 14 Mar 2022 18:43:10 -0400 In the first formal written opinion interpreting CCPA compliance obligations, California Attorney General Rob Bonta concludes that the CCPA grants consumers the right to know and access internally generated inferences that businesses generate about them, but that the CCPA does not require businesses to disclose trade secrets.

The 15-page opinion, issued on March 10, responds to a question posed by Sacramento area Assemblyman Kevin Kiley (R): “Under the California Consumer Privacy Act, does a consumer’s right to know the specific pieces of personal information that a business has collected about that consumer apply to internally generated inferences the business holds about the consumer from either internal or external information sources?”

OAG’s response, in a nutshell, is “yes.” Giving consumers access to inferences is important, according to OAG, because “inferences are one of the key mechanisms by which information becomes valuable to businesses, making it possible to target advertising and solicitations, and to find markets for goods and services.” OAG further notes that nothing in the Consumer Privacy Rights Act (CPRA) changes its analysis. The opinion also suggests that the OAG will refer to the CCPA’s broad purposes, such as giving “consumers greater control over the privacy of their personal information,” to support its interpretations.

Summary of OAG’s Legal Analysis

OAG’s analysis begins by noting that the CCPA includes a broad set of inferences – the “derivation of information, data, assumptions, or conclusions from facts, evidence, or another source of information or data” – in the statutory definition of “personal information.” Specifically, “personal information” includes “inferences drawn from any of the information identified in [the definition of personal information] to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.”

Focusing on this definition, the OAG opinion defines a two-part test to determine whether inferences must be disclosed in response to a consumer access request.

1. First, inferences must be drawn from “information identified in” the definition of “personal information,” Civil Code section 1798.140(o).

The information may be obtained directly from consumers (such as address and income), found in public repositories, bought from a data broker, or inferred through an algorithm. The inference does not have to be made by the business itself. It may be generated internally or received from another source.

The opinion shows little deference to the exemption for public records when it comes to inferences. The opinion asserts that “information in public repositories” is personal information but acknowledges (in a footnote) that information in public records is not. The opinion sweeps this tension aside by concluding that “once a business has made an inference about a consumer, the inference becomes personal information—one more item in the bundle of information that can be bought, sold, traded, and exploited beyond the consumer’s power of control.”

The bottom line is that even if the underlying information is exempt from disclosure because it is publicly available information from government records, an inference based on the information must be disclosed to the consumer, as the inference itself is not available in government records.

2. Second, the inference must be used to create a profile about a consumer, such as by identifying or predicting the consumer’s characteristics. To illustrate an inference that does not give rise to a profile, OAG gives a trivial example: inferences derived when a business combines information “obtained from a consumer with online postal information to obtain a nine-digit zip code.” It is unclear how this is an inference at all, as opposed to a look-up of existing information.

On the other hand, an inference that is used for predicting, targeting, or affecting consumer behavior must be disclosed in an access request.

OAG anticipates and refutes two potential arguments that inferences would not have to be disclosed.

  • First, the CCPA requires disclosure of personal information collected “about” a consumer, not only information collected “from” a consumer. This means that businesses must broadly disclose to consumers the inferences they make about the consumer, regardless of the source of the information. Although not addressed in the opinion, this differs from the right to delete, which only applies to information collected “from” a consumer.
  • Second, OAG argues that while businesses are not required to disclose trade secrets, individual inferences are not trade secrets. OAG agrees that companies are not required to disclose the inputs or algorithms that form the inferences, but expects companies to produce inferences in response to access requests.

The opinion makes clear that the upcoming California Privacy Rights Act does not change the OAG’s conclusions, and that these issues were not otherwise addressed in the CCPA regulations.

Additional Takeaways

Here are some other takeaways from the OAG opinion:

  • OAG acknowledges that CCPA does not require businesses to disclose their trade secrets. The opinion finds that the “most relevant” exception in the CCPA to support this conclusion is that “the obligations imposed on businesses by this title shall not restrict a business’ ability to … comply with federal, state, or local laws.” OAG cautions, however, that businesses must explain the basis of their denial of an access request with respect to trade secrets. “A blanket assertion of ‘trade secret’ or ‘proprietary information’ or the like would not suffice; the general import of the regulations is that a business must respond to requests in a meaningful and understandable way.”
  • Along the same lines, the opinion makes it clear that OAG recognizes key statutory exceptions, such as the exception allowing businesses to comply with applicable law or exercise or defend legal claims. OAG labels these exceptions as “carve-out” provisions “designed to relieve businesses from undue burdens and common legal binds.”
  • For those interested in how OAG interprets CCPA, OAG commits to interpret the law by “examining the text, giving the language its usual meaning in order to understand the intent of legislators. The words of a statute must be construed in context and section relating to the same subject must be harmonized to the extent possible.”
  • Finally, the opinion spends considerable time reviewing the history and purpose of CCPA, citing to the Cambridge Analytica data breaches, EU passage of GDPR, and legislative history addressing “exploitative tendencies of collecting masses of information and using it to identify and affect unwitting consumers.” This background provides insight into the perceived harms OAG seeks to safeguard through enforcement of CCPA.

Businesses that develop inferences about consumers should take a close look at the OAG’s opinion to determine whether to adjust their procedures for responding to CCPA access requests.

Privacy Priorities for 2022: Tracking State Law Developments

Thursday, March 24, 2022 at 4:00pm ET / 1:00pm PT. RSVP HERE
Top Privacy Issues to Watch in 2022 https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/top-privacy-issues-to-watch-in-2022 https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/top-privacy-issues-to-watch-in-2022 Wed, 19 Jan 2022 21:28:04 -0500 You’ve probably seen a lot of privacy forecasts for 2022 during the past few weeks. Here’s one that reflects the collective thoughts of our diverse privacy team, which includes former high-level officials from the FTC and State AG offices, and practitioners who have been advising clients about privacy for over 30 years.

Note: Our team will discuss these issues, along with practical suggestions for how companies can tackle privacy challenges, in a January 26 webinar at 4 pm ET. Please tune in! You can register here.

  • State privacy developments will continue to drive much of the U.S. privacy debate.
    • California and Colorado will launch rulemakings to implement their laws, setting an example for other jurisdictions and prompting industry changes even beyond their borders. Meanwhile, companies will be gearing up for the effective dates of all three state laws (January 1, 2023 for California and Virginia, and July 1, 2023 for Colorado).
    • With multiple bills already pending in other states, we may see additional state laws by year’s end. Draft bills introduced thus far suggest a range of approaches that vary from existing laws, suggesting compliance may become even more complex in the coming year.
    • Even states without comprehensive privacy laws will seek to use their “unfair and deceptive” trade practice authority in increasingly creative ways to address privacy. A recent example is Arizona’s effort to challenge Google’s collection and use of location data.
  • The FTC will pursue an aggressive privacy agenda, pushing the boundaries of its legal authority and seeking to move the goalposts governing data collection, use, and sharing.
    • It will launch a broad “surveillance” rulemaking under its Magnuson-Moss procedures, seeking strict limits on personalized advertising, lax security practices, and algorithmic discrimination. (As we discuss here, though, the rule will likely take years to complete.)
    • It will increase enforcement of sectoral privacy laws and rules (e.g., FCRA, COPPA, GLB Privacy, Red Flags), so it can get monetary relief, post AMG. It also will try to obtain settlements for alleged violations of the Health Breach Notification Rule – which it “clarified” in a 2021 policy statement covers virtually all health apps.
    • It will focus on tech platforms and other large companies, through both aggressive enforcement and high-profile studies, such as its upcoming report on social media companies.
    • In all of its privacy cases, the FTC will seek stringent remedies, including data deletion, bans on conduct, notices to consumers, stricter consent requirements, individual liability, and significant monetary relief based on a range of creative theories. (See our scorecard on the FTC’s use of such theories here.)
  • Other federal agencies will flex their muscles on privacy and data security, scrutinizing and regulating companies within their areas of jurisdiction.
    • For example, the CFPB recently ordered the tech giants to turn over information regarding the data practices of payments systems they operate. The FCC just moved to update breach reporting requirements under the CPNI rules. And the SEC just fined eight broker-dealers and investment companies for their “deficient cybersecurity procedures.”
    • Expect these types of actions to accelerate in the coming year, as privacy continues its ascent as a top regulatory, consumer protection, and risk management issue.
  • Developments in and around the tech platforms will continue to have ripple effects across the entire marketplace.
    • The tech platforms (yeah, them again) will continue to tighten their rules governing data sharing, third-party cookies, use of identifiers, and access to their platforms, forcing other companies to develop new ways to market their brands.
    • “Big tech” antitrust challenges will advance through legislatures and the courts, requiring policymakers and enforcers to finally confront the tension between competition interests (which seek to expand access to data) and privacy interests (which seek to limit access).
  • Cross-border data transfers will become ever more difficult, as Privacy Shield remains unresolved and the EU accelerates GDPR enforcement.
    • For example, Austria’s DPA recently held that Google Analytics violated the GDPR when it transferred EU citizens’ IP addresses and cookie identifiers to the U.S., notwithstanding Google’s claim that it had protective measures in place.
    • Further, the record fines being obtained for GDPR violations (a reported seven-fold spike in 2021) will increase the peril for multinational companies that transfer data as part of their operations.
  • The plaintiff’s bar will continue to test the limits of addressing privacy in private litigation, despite some setbacks in 2021.
    • The setbacks include the high bar set by the Supreme Court regarding the proof of harm necessary to confer standing in privacy cases. In addition, neither Virginia nor Colorado included a private right of action in their comprehensive privacy laws.
    • However, the California law includes a private right of action for data breaches, and pending legislative proposals in other states include private rights of action for privacy, security, or both. Plaintiffs also are employing other statutory frameworks to address privacy, such as the contract laws cited in the recent class action against Zoom, and the call recording laws cited in session-replay lawsuits.
  • Congress will continue to debate whether to pass a federal privacy law.
    • Yes, it’s safe to assume that the never-ending debate will continue! The harder question is whether Congress will finally pass anything.
    • It’s possible. Businesses have never wanted a federal privacy law more – to deal with the specter of more state privacy laws, “overreach” by the FTC, the EU’s heightened enforcement efforts, and the overall confusion created by fragmented privacy regimes (i.e., all of the issues discussed above).
    • The more likely scenario, however, is that Congress will pass something narrower, like a bill to amend COPPA or provide new privacy protections for teens, which could be an area of consensus among Democrats and Republicans. (Another possibility, just proposed by some Democrats, is legislation to ban “surveillance advertising,” similar to the rule that the FTC is planning. However, that would likely be a much more divisive issue in Congress.)

Privacy remains at the forefront in 2022. In our January 26 webinar, we will help you think about what to monitor and what to prioritize. Please join us, and feel free to send us a note if you have questions that you’d like us to address in the webinar.
CCPA Update: California AG Releases List of Enforcement Actions https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/ccpa-update-california-ag-releases-list-of-enforcement-actions https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/ccpa-update-california-ag-releases-list-of-enforcement-actions Tue, 20 Jul 2021 16:02:31 -0400 The California Office of the Attorney General has published a list of recent CCPA enforcement examples on its website. Each example summarizes the AG’s allegation of noncompliance and the steps that the companies took to cure the alleged noncompliance.

Under CCPA, companies have 30 days to cure noncompliance after which the California AG may initiate a civil action for civil penalties not to exceed $2,500 for each violation or $7,500 for each intentional violation. In each example made public by the California AG, the AG stated that the target of the enforcement action cured the violation and the California AG did not assess penalties. In January 2023, however, the right to cure will sunset when the CPRA takes effect.

The examples provide insight into the types of companies and industries that the California AG focused on. They also highlight the CCPA compliance issues that the California AG prioritized in its enforcement efforts, such as inadequate privacy policy CCPA disclosures, a lack of service provider restrictions, and deficient responses to CCPA requests, including allegations concerning:

  • Inadequate disclosures: Companies did not provide disclosures or methods to submit consumer requests.
  • Service Provider Restrictions: Companies did not add language in contracts that restricts how service providers can retain, use, or disclose personal information.
  • Sale of Personal Information or Responding to GPC signals: Companies that “sell” personal information did not include a Do Not Sell My Personal Information link on their homepage or provide disclosures about the sale of information.
    • In one case, the California AG disagreed that a business that included an “accept sharing” link had established consent to sell personal information.
    • In a number of cases, the California AG disagreed that mobile device settings or a trade association opt out tool designed to manage online advertising were sufficient in place of a Do Not Sell My Personal Information button.
  • Privacy Request Responses: Companies did not respond properly or timely to CCPA requests to know or delete personal information. Some companies did not offer the option for authorized agents to submit requests, or imposed requirements on authorized agents that the California AG said were not warranted, like the requirement to notarize requests.
  • Financial Incentives: The California AG took the position that a grocery chain that required consumers to provide personal information in exchange for participation in a loyalty program was required to provide a notice of financial incentives, but did not do so.

In response to the California AG, companies have taken corrective action to cure alleged violations. Here are examples of steps that companies have taken:

  • Classification of Service Providers: Companies cured alleged violations relating to service provider classifications by taking the following actions:
    • Amending service provider contracts to include CCPA-specific addendums.
    • Redrafting service provider contracts to contain the necessary restrictions on the use of personal information.
    • In the case of a company that acted both as a service provider and as a business, updating the company’s privacy policies to include disclosures required of businesses.
  • Inadequate Disclosures: In response to concerns that privacy policies or other required notices were inadequate, companies took steps to cure by:
    • Updating privacy policies to include notice of CCPA consumer rights and how to exercise those rights.
    • Addressing whether the business “sells” personal information.
    • Amending privacy policies with instructions on how authorized agents may submit CCPA requests on behalf of consumers.
    • Implementing notice at collection for personal information received, regardless of whether information was collected online or in-person.
    • Updating privacy policies to clarify that the business cannot charge a fee for processing a consumer’s privacy request.
  • Do Not Sell My Personal Information Link: Companies addressed concerns with the DNSMPI link by:
    • Adding the Do Not Sell My Personal Information link to the homepage.
      • In one example, the California AG initiated an inquiry focused on the business’s failure to respond to an opt out request via global privacy control signal, but the AG ultimately accepted a cure where the company worked with its third party privacy vendor to effectuate consumer opt-out requests.
    • Changing the “Do Not Sell My Personal Information” link to ensure it functioned properly.
    • Discontinuing requiring government identification and a bill showing the consumer’s address before honoring requests to opt-out of the sale of personal information.
  • CCPA Request Procedures: Companies modified CCPA response procedures by:
    • Responding more quickly to CCPA requests.

These examples signal that the California AG’s CCPA enforcement is active and ongoing. Prioritizing privacy compliance and confirming appropriate controls are in place (including those that take account of these types of updates) can help reduce the risk of receiving a letter of noncompliance. If you have questions about compliance with the CCPA, please contact attorneys in the Information Privacy and Data Security practice group at Kelley Drye.
Privacy Law Update: Colorado Privacy Bill Becomes Law: How Does it Stack Up Against California and Virginia? https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/privacy-law-update-colorado-privacy-bill-becomes-law-how-does-it-stack-up-against-california-and-virginia https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/privacy-law-update-colorado-privacy-bill-becomes-law-how-does-it-stack-up-against-california-and-virginia Thu, 08 Jul 2021 23:50:13 -0400 The Colorado Legislature recently passed the Colorado Privacy Act (“ColoPA”), joining Virginia and California as states with comprehensive privacy legislation. Colorado Governor Jared Polis signed the bill (SB 21-190) into law on July 7, and ColoPA will go into effect on July 1, 2023.

How does the measure stack up against the VCDPA and the CCPA (as amended by CPRA)? The good news is that, in broad terms, ColoPA generally does not impose significant new requirements that aren’t addressed under the CCPA or VCDPA, but there are a few distinctions to note.

  • Establishing consumer rights. As with the VCDPA and the CCPA, ColoPA provides rights for access, deletion, correction, portability, and opt out for targeted advertising, sales, and certain profiling decisions that have legal or similar effects. Unlike CCPA, which permits an authorized agent to submit any consumer requests, under ColoPA, authorized agents can only submit sale opt-out requests.
  • Universal opt-out requests. ColoPA also requires the Attorney General to establish technical specifications for a universal targeted advertising and sale opt-out (e.g., global privacy control) by July 1, 2023, which controllers must honor starting July 1, 2024. Note there also will be CPRA regulations on this point with compliance likely due by January 1, 2023. Unlike CPRA, which makes the global privacy control optional, controllers must comply with the universal opt-out under ColoPA.
  • Appealing consumer rights decisions. Like Virginia, ColoPA requires controllers to set up mechanisms permitting consumers to appeal a controller’s decision not to comply with a consumer’s request. The controller must then inform the consumer of its reasons for rejecting the request and also inform the consumer of his or her ability to contact the Attorney General “if the consumer has concerns about the result of the appeal.”
  • Requiring data protection assessments. Similar to GDPR, and consistent with the VCDPA, ColoPA requires data protection assessments (“DPAs”) for certain processing activities, namely, targeted advertising, sales, certain profiling, and processing of sensitive personal data. As with Virginia, the Colorado Attorney General has the right to request copies of a controller’s DPAs.
  • Consent for certain processing. Again following Virginia’s lead, ColoPA requires opt-in consent for the processing of sensitive personal information, which covers categories such as racial or ethnic origin, religious beliefs, citizenship, or genetic or biometric data used for uniquely identifying an individual. ColoPA also requires consent for processing children’s data, with a “child” being any individual under the age of 13. Unlike the VCDPA, ColoPA does not require COPPA-compliant consent for such processing, but ColoPA does exempt from the law personal data that is processed consistent with COPPA requirements.
  • Right to cure. ColoPA allows controllers to cure violations and is unique by establishing the longest right to cure, at 60 days, and also because the statute repeals the provision on January 1, 2025. By this date, the Attorney General may have established rules to issue opinion letters and guidance that businesses can rely on in good faith to defend an action that would otherwise violate the law. Such rules must go into effect by July 1, 2025.
  • Establishing controller duties. ColoPA establishes certain duties for controllers, including the duties of transparency, purpose specification, data minimization, care, avoiding unlawful discrimination, and duties regarding sensitive data. These duties create related obligations, such as providing a privacy policy, establishing security practices to secure personal data, and obtaining consent prior to processing sensitive data or children’s data.
  • Consent for secondary use. ColoPA also establishes a “duty to avoid secondary use.” This duty requires consent to process personal data for purposes “not reasonably necessary or compatible with” the original purposes for collection. This requirement suggests that businesses need to keep detailed records of the personal data that they are collecting, the purposes for initially collecting such personal data, confirm such purposes are consistent with disclosures made to consumers, and track the scope of consent in connection with such data uses.

| | ColoPA | VCDPA | CCPA |
|---|---|---|---|
| Thresholds to Applicability | Conduct business in CO or produce products or services targeted to CO and (a) control or process personal data of at least 100,000 consumers; or (b) derive revenue or receive a discount on the price of goods or services from selling personal data or control personal data of at least 25,000 consumers | Conduct business in or produce products or services targeted to VA and (a) control or process personal data of at least 100,000 consumers; or (b) derive over 50% of gross revenue from the sale of personal data and process or control personal data of at least 25,000 consumers | Conduct business in CA and collect personal information of CA residents and: (a) has $25 million or more in annual revenue for the preceding calendar year as of Jan. 1 of the calendar year; (b) annually buys, sells, or shares personal data of more than 100,000 consumers or households; or (c) earns more than 50% of its annual revenue from selling or sharing consumer personal information |
| Consent | Requires opt-in consent for processing sensitive personal data, including children’s data, and certain secondary processing | Requires opt-in consent for processing sensitive personal data, and COPPA-compliant consent for processing children’s data | Requires opt-in consent for sharing PI for cross-context behavioral advertising for children under 16, including parental consent for children under 13 |
| Opt-Out | Required for targeted advertising, sales, and profiling for legal or similarly significant effects | Required for targeted advertising, sales, and profiling for legal or similarly significant effects | Required for profiling, cross-contextual advertising, and sale; right to limit use and disclosure of sensitive personal information |
| Other Consumer Rights | Access, Deletion, Correction, Portability | Access, Deletion, Correction, Portability | Access, Deletion, Correction, Portability |
| Authorized Agents | Permitted for opt-out requests | N/A | Permitted for all requests |
| Appeals | Must create process for consumers to appeal refusal to act on consumer rights | Must create process for consumers to appeal refusal to act on consumer rights | N/A |
| Private Cause of Action | No | No | Yes, related to security breaches |
| Cure Period? | 60 days, until the provision expires on Jan. 1, 2025 | 30 days | No |
| Data Protection Assessments | Required for targeted advertising, sale, sensitive data, certain profiling | Required for targeted advertising, sale, sensitive data, certain profiling | Annual cybersecurity audit and risk assessment requirements to be determined through regulations |

Given the significant overlap among the three privacy laws, companies subject to ColoPA should be able to leverage their VCDPA and CCPA implementation efforts for ColoPA compliance. If ColoPA is any indication, other state privacy efforts may not veer far from the paths VCDPA and CCPA have forged. The key will be to closely monitor how the California Privacy Protection Agency (CPPA) and the Colorado Attorney General address the forthcoming regulations and whether they introduce distinct approaches for each state. Check back on our blog for more privacy law updates.

CPRA Update: What is a “Contractor?”
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/cpra-update-what-is-a-contractor
Thu, 03 Jun 2021 09:32:11 -0400

The California Privacy Rights Act (CPRA), effective January 1, 2023, adds “contractors” to the list of entities that a business may entrust with customer data. So what is a “contractor?” And how are “contractors” different from other entities described by California privacy law, such as “service providers” or “third parties?”

As it turns out, the answer is surprising. Contractors are nearly identical to service providers, with just two differences: contractors do not process personal information on behalf of the business, and contractors must certify compliance with the contractual restrictions in their CCPA contracts. Moreover, contractors are not even new entities; they were already described in existing California privacy law.

Origins of “Contractors” in CCPA

To help explain the origins of the new contractor classification, we start with the California Consumer Privacy Act (CCPA). Under the CCPA, now in effect, each disclosure of personal information from a covered business to another entity is regulated, either via consumer opt out preferences or via contractual restrictions. Altogether, there are three potential data flows described in the CCPA: business to third party, business to service provider, and business to a person who is not a third party. We describe each in turn:

  • Business to Third Party: First, when a business discloses personal information to a third party, this constitutes the “sale” of personal information (unless an exception applies, such as where the consumer directs the business to disclose the information or intentionally interacts with the third party). The CCPA grants consumers the right to opt out of such sales of their personal information to prevent these data flows.
As an example, selling a marketing list to a third party or sharing profile information with an adtech partner in most cases would be considered a sale of personal information to a third party.
  • Business to Service Provider: Second, when a business discloses personal information to a service provider, no “sale” occurs and there is no right of consumers to opt out. The requirements for the recipient to be a service provider are that (1) the service provider processes personal information on behalf of the business, and (2) the service provider agrees to retain, use, or disclose the personal information only for business purposes specified in a written contract.
Service providers provide technical, professional, and other business support to the business. For example, a service provider might offer various services such as cloud-based servers or software, consulting, or e-commerce fulfillment services.
  • Business to a Person Who Is Not a Third Party: Finally, there is a rarely discussed third option in the CCPA. The CCPA states that any recipient of personal information that agrees to certain enhanced contractual terms is not a third party. This third category requires that the recipient agree to contractual terms that mirror service provider contractual terms, along with three additional terms: (1) to refrain from selling the personal information, (2) to refrain from retaining, using, or disclosing the information outside the direct business relationship between the recipient and the business, and (3) to certify that the recipient understands the above contractual restrictions.
This third option is significant to avoid the “sale” of personal information. If the recipient is not a third party, then a sale can only occur if the recipient is a “business” under CCPA. In many cases, the recipient will not be a business either, typically because the recipient does not determine the purposes and means of processing the personal information.

As an example, if an authorized reseller furnishes a manufacturer with a list of new orders for fulfillment, and the manufacturer agrees to use the list only to fulfill orders, the manufacturer is not a third party. Because the manufacturer does not determine the purposes and means of processing the personal information it receives, the manufacturer is not acting as a “business.” No sale occurs.

Similarly, if an identity verification service sends personal information to a company to assist that company with confirming the identity of an applicant for service, and the company agrees contractually to limit its use and disclosure of the information for business purposes, the recipient is not a third party or business and no sale occurs from the identity verification service to the business.

Here’s a summary of the entities that may receive personal information under the CCPA:

Third Party (1798.140(w))
  • Sale? Yes.
  • Processor terms: N/A.
  • Contractual terms: N/A.

Service Provider (1798.140(v))
  • Sale? No.
  • Processor terms: The service provider processes personal information on behalf of the business.
  • Contractual terms: Retain, use, or disclose personal information only for business purposes.

Person Who Is Not a Third Party (1798.140(w)(2))
  • Sale? No, unless the recipient is a “business.”
  • Processor terms: N/A.
  • Contractual terms: (1) Retain, use, or disclose personal information only for business purposes; (2) refrain from selling the personal information; (3) refrain from retaining, using, or disclosing the information outside of the direct business relationship between the person and the business; and (4) certify understanding of and compliance with the above restrictions.

“Contractors” in CPRA

When CPRA becomes effective on January 1, 2023, the new law will incorporate these same classifications of entities that receive personal information.

  • Third Party: A third party continues to be a recipient of sales of personal information. A third party that offers cross-context behavioral advertising can now be the recipient of “sharing” of personal information as well.
  • Service Providers: Service providers remain entities that process personal information on behalf of a business pursuant to a written contract. CPRA clarifies, however, that a service provider may receive the personal information either directly from or on behalf of the business.
Service providers now inherit terms that only applied to a person who is not a third party in the CCPA. These terms require service providers to agree to (1) refrain from selling personal information and (2) refrain from retaining, using, or disclosing the information outside the direct business relationship between the service provider and the business.
  • Contractors: The new term “contractor” refers to a person to whom the business makes available a consumer’s personal information for a business purpose and pursuant to a written contract. This classification largely mirrors CCPA’s classification of a person who is not a third party. In particular, similar to CCPA, contractors are still required to certify their understanding and compliance with contractual restrictions.
One key difference, however, is that CPRA makes clear that a contractor is never the recipient of a “sale” or “sharing” of personal information under CPRA. Classification as a contractor means there is not a “sale” of personal information.

Additionally, for both service providers and contractors, CPRA adds three new contractual terms:

  • Combination of Personal Information: CPRA adds new contractual restrictions that limit how personal information from a business may be combined with personal information received from other businesses or directly from consumers. Further guidance on this issue is expected as part of the CPRA rulemaking process.
  • Contract Compliance Monitoring: CPRA adds an obligation on businesses to monitor contractors and service providers for compliance with CPRA contract terms.
  • Sub-processor Obligations: CPRA indicates that service providers and contractors must enter into similar CPRA contracts with any sub-processors that handle personal information, and provide notice to the business of each sub-processor.
The following chart summarizes these obligations, with comparisons to CCPA:

CCPA Service Provider (1798.140(v))
  • Sale? No.
  • Processor terms: The service provider processes personal information on behalf of the business.
  • Common contractual terms (CCPA & CPRA): Retain, use, or disclose personal information only for business purposes.
  • New CPRA contractual terms: N/A.

CPRA Service Provider (1798.140(ag))
  • Sale? No.
  • Processor terms: The service provider processes personal information on behalf of the business.
  • Common contractual terms (CCPA & CPRA): (1) Retain, use, or disclose personal information only for business purposes; (2) refrain from selling the personal information; and (3) refrain from retaining, using, or disclosing the information outside of the direct business relationship between the service provider and the business.
  • New CPRA contractual terms: (1) Restriction on combination of personal information; (2) duty to monitor compliance; and (3) sub-processor obligations.

CCPA Person Who Is Not a Third Party (1798.140(w)(2))
  • Sale? No, unless the recipient is a business.
  • Processor terms: N/A.
  • Common contractual terms (CCPA & CPRA): (1) Retain, use, or disclose personal information only for business purposes; (2) refrain from selling the personal information; (3) refrain from retaining, using, or disclosing the information outside of the direct business relationship between the person and the business; and (4) certify understanding of and compliance with the above restrictions.
  • New CPRA contractual terms: N/A.

CPRA Contractor (1798.140(j))
  • Sale? No.
  • Processor terms: N/A.
  • Common contractual terms (CCPA & CPRA): (1) Retain, use, or disclose personal information only for business purposes; (2) refrain from selling the personal information; (3) refrain from retaining, using, or disclosing the information outside of the direct business relationship between the contractor and the business; and (4) certify understanding of and compliance with the above restrictions.
  • New CPRA contractual terms: (1) Restriction on combination of personal information; (2) duty to monitor compliance; and (3) sub-processor obligations.

As reflected above, the contractor classification is not new or significantly different from the service provider classification. When compared with a service provider, the only differences are that contractors (1) do not process data on behalf of the business, and (2) certify compliance with contractual restrictions.

Accordingly, in determining which types of contract terms to have in place in various data flow scenarios, it is possible that contractor terms will be used in a more limited way where the recipient of data is not processing personal information on behalf of a data owner.

Here are some examples:

  • Sharing customer identifiers in certain product fulfillment use cases.
  • Agreements involving joint operations on data.
  • Integration agreements to enable independently-performed services on behalf of a common customer.
  • Data services offered to a business with restrictions on use of the data for limited business purposes.
In these scenarios, the parties to the transaction may be able to leverage the “contractor” classification to avoid a “sale” of personal information.

If you have questions about the benefits or drawbacks of the contractor classification under CPRA, please contact attorneys in the Information Privacy and Data Security practice group at Kelley Drye.

* * *

Kelley Drye's Ad Law Access Blog - adlawaccess.com

Subscribe here to Kelley Drye’s Ad Law Access blog and here for our Ad Law News and Views newsletter. Visit the Advertising and Privacy Law Resource Center for update information on key legal topics relevant to advertising and marketing, privacy, data security, and consumer product safety and labeling.

Kelley Drye attorneys and industry experts provide timely insights on legal and regulatory issues that impact your business. Our thought leaders keep you updated through advisories and articles, blogs, newsletters, podcasts and resource centers. Sign up here to receive our email communications tailored to your interests.

Follow us on LinkedIn and Twitter for the latest updates.

Key Developments in CCPA Litigation for Q1 2021
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/key-developments-in-ccpa-litigation-for-q1-2021
Tue, 04 May 2021 16:20:37 -0400

As we move deeper into the second year of CCPA litigation, the substantive issues continue to develop and we remain focused on the patterns and implications of recent filings and rulings. In this post, we highlight notable developments in three cases that occurred in the first quarter of 2021. These cases raise significant issues regarding judicial interpretation of the private right of action in the CCPA, the definition of a “data breach,” and CCPA plaintiffs’ ability to access pre-complaint discovery.

CCPA Claim Dismissed For Lack Of Data Breach Allegations

On August 5, 2020, Plaintiff filed a class action complaint against Defendants Alphabet, Inc. and Google, LLC in the Northern District of California. Plaintiff alleged that Defendants monitored and collected Android smartphone users’ sensitive personal data without those users’ consent when they interacted with non-Google applications on their smartphones. Plaintiff’s CCPA cause of action was based on Defendants’ failure to disclose these activities in violation of Cal. Civ. Code § 1798.100(b). Plaintiff’s proposed class definition included “All Android Smartphone users from at least as early as January 1, 2014 through the present.”

On September 30, 2020, Defendants moved to dismiss the CCPA claim, arguing that (1) Plaintiff failed to allege that his information was subject to a data breach; and (2) Plaintiff, as a New York resident, had no standing under the CCPA, which only provides relief to California residents.

On February 2, 2021, the court dismissed the CCPA claim with prejudice, finding that the complaint did not allege that any personal information was subject to unauthorized access as a result of a security breach. The court reasoned that the CCPA only conferred “a private right of action” for violations related to “personal information security breaches,” and that Plaintiff was therefore unable to state a claim. The court also observed that Civil Code § 1798.150(c) explicitly states that “[n]othing in this title shall be interpreted to serve as the basis for a private right of action under any other law.” McCoy v. Alphabet, Inc., No. 20-CV-05427-SVK, 2021 WL 405816 (N.D. Cal. Feb. 2, 2021).

On February 16, 2021, Plaintiff filed an Amended Complaint that alleges a violation of California’s Unfair Competition Law (“UCL”) using the alleged CCPA violation as a predicate. It will be relevant to follow how the court addresses Plaintiff’s attempt to transform his dismissed CCPA claim into a UCL claim, in light of the court’s observation that the CCPA does not provide a basis for a private right of action under other laws.

McCoy v. Alphabet, Inc. et al., 5:20-cv-05427 (N.D. Cal.).

Plaintiffs Allege Numerous, Individualized “Data Breaches”

On April 1, 2021, Plaintiffs filed a Consolidated Class Action Complaint against Bank of America in the Northern District of California. Plaintiffs allege that Bank of America issued Visa debit cards containing public benefit disbursements to recipients, including Plaintiffs and other members of the class, that were purportedly prone to breaches because the cards used outdated magnetic stripe technology rather than the EMV chips that have allegedly become the industry standard due to improved security features. (A magnetic stripe stores static track data that a skimmer can copy onto a counterfeit card, whereas an EMV chip authenticates each transaction with a cryptogram computed from a key that does not leave the chip, so skimmed chip data cannot simply be replayed at a chip-reading terminal.) Plaintiffs’ CCPA cause of action alleges that as a result of the inadequate security safeguards, the cardholders suffered unauthorized access and disclosure of their personal information that resulted in their funds being stolen through unauthorized transactions.

The statutory language of the CCPA indicates that a claim must be connected to a data breach. Cal. Civ. Code § 1798.150. Unlike most cases, Plaintiffs do not allege that a single, centralized data breach occurred. Instead, Plaintiffs allege that Bank of America’s card design permitted individual data breaches of each cardholder. This theory raises questions about what qualifies as a data breach under the CCPA and whether the design of a consumer product that renders the product vulnerable to breach, followed by actual breaches, qualifies. A judicial determination of this issue could help define the scope of similar consumer actions.

Yick v. Bank of America, N.A., 3:21-cv-376 (N.D. Cal.).

Defendant Compelled To Disclose Information Related To Data Breach Investigations

On April 16, 2021, Plaintiffs filed a redacted Consolidated Class Action Complaint against Blackbaud, Inc. in the District of South Carolina. Plaintiffs allege that Blackbaud provides data security services for sensitive information, and that Plaintiffs and the class members are Blackbaud’s clients. Plaintiffs’ CCPA cause of action alleges that as a result of a data breach, cybercriminals stole the sensitive private information that Plaintiffs entrusted to Blackbaud.

Of note, the early proceedings in this case have included the compelled production of Blackbaud’s forensic report on the data breach. The report was apparently prepared independent of the litigation and, upon learning of it, the Court ordered Blackbaud to produce the report immediately and allowed Plaintiffs to use it in drafting a consolidated complaint. This is an issue that we’ve explored previously (here and here). Companies need to be vigilant and deliberate in how they structure internal investigations of data breaches where litigation could arise: who retains the forensic firm, what purpose the engagement states, and who receives the findings all bear on whether the resulting report can later be withheld, and a report generated in the ordinary course of incident response is the hardest to protect.

In re Blackbaud, Inc., Customer Data Breach Litigation, 3:20-mn-02972-JMC, MDL No. 2972 (D.S.C.).

As these and other CCPA-related cases progress through the litigation stages, we will continue to provide updates. Our prior summaries of CCPA-related litigation can be found in our CCPA Litigation Round-ups for Q1 2020, Q2 2020, and Q3 & Q4 2020. We will continue to report on relevant developments in CCPA litigation and provide updates in our CCPA Litigation Tracker.

If you have any questions about defending and/or preparing for a potential privacy consumer class action, please reach out to our team, and if you have questions on your privacy compliance strategy, please reach out to our privacy compliance team.

On the latest episode of the Ad Law Access Podcast, Kelley Drye Partner Alysa Hutnik discusses the state of privacy, tracking, compliance technology and tools, and strategies privacy lawyers and others can use to help do their jobs. As you would expect, there are some practical tips to take away. Listen here or wherever you get your podcasts.

California Privacy Protection Agency Appointments Announced
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/california-privacy-protection-agency-appointments-announced
Wed, 17 Mar 2021 21:29:25 -0400

California officials today announced their nominees to be the five inaugural members of the California Privacy Protection Agency (“CPPA”) Board. Created by the California Privacy Rights Act (“CPRA”), the CPPA will become a powerful, state-level privacy regulator long before its enforcement authority becomes effective in 2023, and today’s appointments move the CPPA one large step closer to beginning its work. This post provides an overview of the CPPA’s authority, examines the issues that might be on its agenda, and outlines a few ways companies can start to get ready for potential regulations.

Inaugural Appointees

The five inaugural nominees of the CPPA Board are:

  • Jennifer Urban, who was appointed as Chair of the CPPA by Governor Gavin Newsom. Urban is a clinical professor at UC Berkeley School of Law.
  • John Christopher Thompson, who was appointed by Governor Newsom and is Senior Vice President of Government Relations at LA 2028.
  • Angela Sierra, who was designated by California Attorney General Xavier Becerra. Sierra served in a wide range of roles in the California Department of Justice, including overseeing the Consumer Protection Section’s Privacy Unit.
  • Lydia de la Torre, who was nominated by Senate President Pro Tem Toni Atkins. De la Torre is a professor of law at Santa Clara University.
  • Vinhcent Le, who was designated by Assembly Speaker Anthony Rendon.

The announcement indicates that Urban’s and Thompson’s appointments do not require Senate confirmation.

The CPPA’s Next Milestones

Although the CPPA’s administrative enforcement authority does not become effective until July 1, 2023, the agency is poised in the meantime to become a powerful regulatory and supervisory authority, akin to a European data protection authority. Key dates in the near term are:

  • July 1, 2021: CPPA takes over rulemaking authority from the California Attorney General.
  • July 1, 2022: Deadline for the CPPA to adopt final regulations required by CPRA.

Which Regulations Does CPRA Require the CPPA to Issue?

Section 21 of CPRA (codified in Civil Code section 1798.185) adds fifteen areas of CCPA implementation to be spelled out in regulations to the seven areas that were defined under the initial CCPA. (CPRA also amends existing areas of rulemaking authority. For example, it grants more specific authority to prescribe standards for opt-out mechanisms.)

Although CPRA requires the CPPA to adopt final regulations in these areas by July 1, 2022, it would not be surprising to see the agency set priorities, as the Attorney General’s Office did initially under the CCPA. These priorities could include fundamental elements of the CCPA:

  • Opt-Outs for Sale, Sharing, and Profiling, and Limiting Use of Personal Information: CPRA grants the CPPA the authority to adopt regulations that further define consumers’ opt-out rights. Specifically, the agency is directed to adopt regulations that define “intentional interactions,” which in turn define the scope of exceptions to “sale” and “sharing.” The CPPA is also charged with issuing rules about “profiling” opt-out rights, and this area is worth watching closely because it is not aligned with Virginia’s new privacy law or the current text of the Washington Privacy Act. CPRA defines “profiling” as the “automated processing of personal information, . . . to evaluate certain personal aspects relating to a natural person and in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.” A profiling opt-out under CPRA could apply to any first-party data use that meets this definition. The profiling opt-out right under the Virginia Consumer Data Protection Act is narrower: it is limited to profiling in “furtherance of decisions that produce legal or similarly significant effects concerning the consumer.” (The profiling opt-out proposed in the Washington Privacy Act is substantively identical to Virginia’s.) Other aspects of opt-out rights that could be initial rulemaking targets include (a) the definition of “technical specifications” for a global platform- or browser-based opt-out mechanism, potentially including a feature to indicate that the user is under the age of 13 or between 13 and 15 years old; (b) standards for consent to sell or share personal information, or to use or disclose sensitive personal information, for businesses that respond to opt-out signals; and (c) “harmonizing” CCPA rules governing privacy notices, opt-out mechanisms, and “other operational mechanisms” to “promote clarity and functionality . . . for consumers.”
  • Access Requests: CPRA directs the CPPA to define the scope of responses to consumer requests for specific pieces of personal information. CPRA suggests that these regulations may exclude system log and other information that “would not be useful to the consumer,” as well as define authentication standards for access to sensitive personal information.
  • Business Purposes: Finally, it is possible that the CPPA will focus initially on “further defining” business purposes for which contractors and service providers may combine personal information from multiple businesses.

Defining CPPA’s Supervisory Authority

The CPPA will also have considerable supervisory authority. Section 1798.185(a)(15) authorizes the CPPA to issue regulations defining audit and risk assessment requirements for businesses “whose processing of consumers’ personal information presents significant risk to consumers’ privacy or security.”

Separately, the CPPA must appoint a Chief Privacy Auditor to audit businesses’ compliance with the CCPA. The Auditor’s role will be defined almost entirely through regulations, and the statutory guidance on these regulations is scant: The CPPA will define the “scope and process of the agency’s audit authority,” establish criteria for selecting audit targets, and establish protections against disclosure for the information the auditor collects.

As with other areas of CPPA rulemaking, it is unclear when the agency will turn to establishing the Chief Privacy Auditor’s authority. However, it is worth noting now that the Auditor’s authority is potentially sweeping, as well as considering how a CCPA compliance program will look when it is under the Auditor’s microscope.

Today’s appointments are an important milestone in the development of a new breed of U.S. privacy regulator. We will keep a close watch on further developments with the Board and the CPPA’s activities.
