Alston & Bird Consumer Finance Blog

California

California Privacy Rights Act (CPRA) Will be on November Ballot

By

The California Secretary of State has announced that the California Privacy Rights Act (CPRA) will be on California’s November 3, 2020 ballot.  If approved by California voters, the CPRA would significantly update and amend the California Consumer Privacy Act (CCPA) that went into effect at the beginning of this year.  The organization that submitted the CPRA for inclusion on the ballot has stated its polling shows 88% of Californians would support a ballot measure expanding privacy protections.

We published a summary of the CPRA’s key business impacts here.  The most recent version of the CPRA can be view downloaded here.

As a ballot initiative, the CPRA could only be placed on California’s November ballot if a sufficient number of signatures of registered voters were collected and validated.  Until last night, the California Secretary of State was still working with California counties to determine whether Alastair Mactaggart’s organization – which submitted the CPRA for placement on the ballot – had collected sufficient qualifying signatures.  As we reported, Mactaggart had petitioned California courts to compel the placement of the CPRA on this year’s California ballots.  The Secretary of State’s announcement confirms the CPRA will be voted on this year.

The Updated CCPA Regulations: Alston & Bird Detail the 30 Key Business Impacts

By

On February 7, California Attorney General Xavier Becerra released updated regulations to the California Consumer Privacy Act (CCPA).  The updates contain a number of material modifications to the initial CCPA regulations that AG Becerra’s office released in October 2019.

Alston & Bird has compiled a privacy briefing summarizing the 30 key modifications to the Regulations that potentially impact businesses. These include modifications to rules regarding:

  • Notices companies must provide (there are new types!);
  • How companies must intake and process consumer requests to access or delete data;
  • “Do Not Sell My Info” requests;
  • How B2B service providers can use customer data; and
  • Data-mediated financial incentive programs.

To read the full Privacy Briefing on the Updated Regulations, click here.

For further information, contact Kathleen BenwayDavid KeatingAmy Mushahwar, or Daniel Felz.

California Governor Moves to Strengthen State Consumer Protection Enforcement in 2020

By

A&B ABstract:

On January 10, 2020, California Governor Gavin Newsom released his budget summary for 2020 to 2021. Fearing that the Trump administration will further roll back consumer financial protections, Gov. Newsom proposed the California Consumer Financial Protection Law, which would provide the state’s primary financial services regulator with additional authority to enforce consumer protection laws.

Discussion

In his budget summary for 2020 to 2021 (“Budget”), Gov. Newsom expressed concern that “[t]he federal government’s rollback of the [Consumer Financial Protection Bureau (“CFPB”)] leaves Californians vulnerable to predatory businesses and leaves companies without the clarity they need to innovate.” Seeking to protect Californians from the effects of such rollbacks, Gov. Newsom proposed that state funds be allocated to enact and administer the California Consumer Financial Protection Law (“CCFPL”).

A draft of the CCFPL is not yet available.  However, as described in the Budget, the CCFPL would expand the authority and capacity of the state’s primary financial services regulator, the Department of Business Oversight (“DBO”), “to protect [California] consumers and foster the responsible development of new financial products.”

Change in Regulatory Structure

The DBO, which would be re-named the Department of Financial Protection and Innovation (“DFPI”), would be responsible for:

  • Offering services to empower and educate consumers, especially older Americans, students, military service members, and recent immigrants;
  • Licensing and examining new industries that are currently under-regulated [including, but not limited to, debt collectors, credit reporting agencies, and financial technology companies];
  • Analyzing patterns and developments in the market to inform evidence-based policies and enforcement;
  • Protecting consumers through enforcement against unfair, deceptive, and abusive practices;
  • Establishing a new Financial Technology Innovation Office that will proactively cultivate the responsible development of new consumer financial products;
  • Offering legal support for the administration of the new law; and
  • Expanding existing administrative and information technology staff to support the DFPI’s increased regulatory responsibilities.

The statements on the DFPI indicate that it will be another “mini-CFPB” (i.e. a state version of the CFPB) that will protect California consumers in a way that Gov. Newsom believes the CFPB cannot. Former CFPB Director Richard Cordray is reportedly working with California to develop the DFPI.

DFPI Funding and Staffing

The Budget includes a $10.2 million Financial Protection Fund and the creation of 44 new positions at the DFPI between 2020 and 2021. This will grow to $19.3 million and 90 new positions at the DFPI between 2022 and 2023, to establish and administer the CCFPL. According to the Budget, initial costs for the DFPI and the CCFPL “will be covered by available settlement proceeds in the State Corporations and Financial Institutions Funds, with future costs covered by fees on any newly-covered industries and increased fees on existing licensees.”

Takeaway

Gov. Newsom’s comments in the Budget suggest that California will be more active in investigating regulated financial services entities and enforcing California’s existing consumer protection laws. Additional regulations may be passed as part of this initiative. Action by California is consistent with a growing trend among the states to be more active in their oversight of regulated industries in response to a less active CFPB. Industry participants should be mindful of this trend, assessing their compliance programs to manage oversight from multiple entities under multiple regulatory schemes.

Alston & Bird Details 21 Potentially Significant Impacts from Draft CCPA Regulations

By

Late last week, the California Attorney General published much-anticipated proposed Regulations under the California Consumer Privacy Act (“CCPA”). The Regulations are extensive and contain a number of potentially material business impacts.

To help companies work through the Regulations, Alston & Bird’s Privacy & Data Security team published a client advisory outlining “21 Potentially Significant Business Impacts” from the proposed CCPA Regulations. View the full advisory here.

This advisory tackles a number of issues likely of interest to companies attempting to get ready for CCPA, including:

  • Why posting a CCPA privacy policy on your website may not be enough to satisfy your CCPA notice obligations – instead you may need additional “just in time” notices at every specific point where you collect data (or lose the right to collect it);
  • Why you may hear discussions about a potential return of Do Not Track in the online context, this time as a “Do Not Sell My Info” request;
  • Why brick-and-mortar interactions with consumers may require companies to facilitate “offline” CCPA rights requests; and
  • Why companies that take a position as vendor or service provider may need to examine any aspect of their business that involves pooling customer data for regulatory risk.

Alston & Bird is closely following the development of the CCPA and its Regulations. For more information, contact Jim HarveyDavid KeatingAmy MushahwarKaren Sanzaro, or Daniel Felz.