Alston & Bird Consumer Finance Blog

Privacy and Cybersecurity

New Virginia Privacy Law Promises Big Impacts

Virginia became the second state after California to pass a comprehensive privacy law when the governor signed the Consumer Data Protection Act, which contains many elements found in the California Consumer Privacy Act and other proposed privacy frameworks, as well as a number of new requirements for businesses.

In a client advisory, our Privacy, Cyber & Data Strategy Team pinpoints critical steps companies should take to ensure compliance.

  • How is it different from California’s CCPA and the EU’s GDPR?
  • What is its scope and how will it be enforced?
  • How extensive are consumers’ opt-out and other rights?

Virginia Ready to Pass First State Privacy Statute after CCPA

Both houses of Virginia’s legislature recently passed the Virginia Consumer Data Protection Act (S.B. 1392H.B. 2307) (VCDPA). If approved by the state governor, the VCDPA would become the United States’ second comprehensive state privacy law behind the California Consumer Privacy Act (CCPA).  For a comparison of the VCDPA to the CCPA and the European Union’s General Data Protection Regulation, see the Alston & Bird Privacy, Cyber and Data Strategy Blog.

California AG Proposes Regulatory Changes to CCPA

Cyber attack

On December 10, the California Attorney General’s office provided “Notice of Fourth Set of Modifications” to regulations under the California Consumer Privacy Act. The new proposed regulatory text would modify the current regulations which took effect in August. The latest proposal responds to comments on a prior draft and primarily addresses the presentation of the right to opt out of sales of personal data. The California AG has provided a web page with full details on this latest rulemaking effort.

Alston & Bird Analyzes New California Privacy Rights Act in Client Alert

Cyber attack

On November 3, California voters approved a ballot initiative containing the California Privacy Rights Act of 2020. The ballot initiative significantly revises the existing California Consumer Privacy Act to create arguably the most comprehensive state privacy law in the United States.

Alston & Bird has now issued a client alert explaining key impacts of this law. The client alert outlines essential steps for compliance, explains impacts on existing law, and outlines the operation of a dedicated new privacy regulator and enforcement authority, the California Privacy Protection Agency. You can read the client alert here.

California Department of Justice Releases Post-Finalization Modifications to CCPA Regulations

On October 12, 2020, the California Department of Justice (“Department”) released its first set of proposed post-finalization modifications to the California Consumer Privacy Act Regulations (the “CCPA Regulations”).

As many businesses know, the CCPA Regulations were finalized on August 14, 2020.  The Department styled these new modifications as a “Third Set of Proposed Modifications” to the CCPA Regulations, suggesting that it sees them as related to the two rounds of modifications it proposed before the Regulations were finalized.  (You can read our summaries of the key impacts of these prior modifications here (first round of modification) and here (second round of modifications)).

While the Department’s new proposed modifications are modest in volume, they contain potentially significant impacts for businesses.  If passed in their current form, the modifications would modify the CCPA Regulations as follows:

(1) Required Offline Opt-Out Notices Would Return: Pre-finalization drafts of the Regulations required businesses that “substantially interact[] with consumers offline” to provide an offline notice to consumers about their right to opt-out of data sales.  However, this requirement was deleted as the Regulations were finalized during review by California’s Office of Administrative Law.

  • The Department’s new proposed modifications would reintroduce the requirement to provide offline opt-out notices whenever a “business … collects personal information in the course of interactions with consumers offline.”
  • As illustrations of how this required offline notice can be provided, the modifications state that “brick-and-mortar store[s]” may provide notice by (a) “printing the notice on the paper forms that collect the personal information” or by (b) posting signage in “the area where the personal information is collected.” Likewise, businesses that collect personal information over the phone may provide notice orally “during the phone call where such personal information is collected.”

(2) The Requirement for “Easy” Opt-Outs Would Return – with Specified Prohibited Practices: Pre-finalization draft of the Regulations required businesses’ methods enabling consumer to make Opt-Out requests to be “easy for consumers to execute and [] require minimal steps.” Again, however, this requirement was deleted as the Regulations were finalized during review by California’s Office of Administrative Law.

  • The Department’s new proposed modifications would reintroduce verbatim the requirements that (a) “[a] business’s methods for submitting requests to opt-out shall be easy for consumers to execute and shall require minimal steps,” and (b) opt-out submission methods cannot “subvert[] or substantially impair[]” consumers’ choice to opt-out.
  • The new proposed modifications contain a list of prohibited opt-out practices, potentially derived from the California Attorney General’s initial experience enforcing the CCPA. For example, businesses cannot:
    • Use confusing double-negative language (e.g., “Don’t Not Sell My Personal Information”),
    • Require consumers to click through or listen to reasons why they should not submit an opt-out request;
    • Require consumers to provide personal information not necessary for the opt-out request; or
    • If a consumer has already clicked on “Do Not Sell My Personal Information,” require the consumer to scroll through a Privacy Policy to locate the opt-out submission form.

(3) Businesses Could Ask Authorized Agents for Proof of their Authority (and Would Not Need to Go to the Consumer): The new proposed modifications would clarify that, when businesses receive a CCPA request from an individual purporting to act as a consumer’s authorized agent, they can require the authorized agent to provide proof it has written permission to act for the consumer. Under the current Regulations, businesses would have to go to the consumer to obtain this proof.

(4) All Notices to Consumers Under 16 Years of Age Would Require Additional Disclosures: The modifications would clarify that any privacy policy directed towards individuals under the age of 16 must meet the CCPA Regulations’ additional information requirements.  Currently, the Regulations imply that these additional information requirements only apply to privacy policies directed at children that are both under 13 (regulated under § 999.330 Regulations) as well as age 13-15 (regulated under § 999.331).  The modifications would clarify that any privacy policy that is directed at any individual under 16 – irrespective of under 13 or age 13-15 – must contain the additional content required under the CCPA Regulations.

A redline showing the proposed changes based on the currently effective regulations is available here.  The proposed modifications are open for public comment until Wednesday, October 28, 2020.