Alston & Bird Consumer Finance Blog

Privacy and Cybersecurity

California Department of Justice Releases Post-Finalization Modifications to CCPA Regulations

On October 12, 2020, the California Department of Justice (“Department”) released its first set of proposed post-finalization modifications to the California Consumer Privacy Act Regulations (the “CCPA Regulations”).

As many businesses know, the CCPA Regulations were finalized on August 14, 2020.  The Department styled these new modifications as a “Third Set of Proposed Modifications” to the CCPA Regulations, suggesting that it sees them as related to the two rounds of modifications it proposed before the Regulations were finalized.  (You can read our summaries of the key impacts of these prior modifications here (first round of modifications) and here (second round of modifications)).

While the Department’s new proposed modifications are modest in volume, they could have significant impacts for businesses.  If adopted in their current form, the modifications would change the CCPA Regulations as follows:

(1) Required Offline Opt-Out Notices Would Return: Pre-finalization drafts of the Regulations required businesses that “substantially interact[] with consumers offline” to provide an offline notice to consumers about their right to opt-out of data sales.  However, this requirement was deleted as the Regulations were finalized during review by California’s Office of Administrative Law.

  • The Department’s new proposed modifications would reintroduce the requirement to provide offline opt-out notices whenever a “business … collects personal information in the course of interactions with consumers offline.”
  • As illustrations of how this required offline notice can be provided, the modifications state that “brick-and-mortar store[s]” may provide notice by (a) “printing the notice on the paper forms that collect the personal information” or by (b) posting signage in “the area where the personal information is collected.” Likewise, businesses that collect personal information over the phone may provide notice orally “during the phone call where such personal information is collected.”

(2) The Requirement for “Easy” Opt-Outs Would Return – with Specified Prohibited Practices: Pre-finalization drafts of the Regulations required businesses’ methods for enabling consumers to make opt-out requests to be “easy for consumers to execute and [] require minimal steps.” Again, however, this requirement was deleted as the Regulations were finalized during review by California’s Office of Administrative Law.

  • The Department’s new proposed modifications would reintroduce verbatim the requirements that (a) “[a] business’s methods for submitting requests to opt-out shall be easy for consumers to execute and shall require minimal steps,” and (b) opt-out submission methods cannot “subvert[] or substantially impair[]” consumers’ choice to opt-out.
  • The new proposed modifications contain a list of prohibited opt-out practices, potentially derived from the California Attorney General’s initial experience enforcing the CCPA. For example, businesses cannot:
    • Use confusing double-negative language (e.g., “Don’t Not Sell My Personal Information”);
    • Require consumers to click through or listen to reasons why they should not submit an opt-out request;
    • Require consumers to provide personal information not necessary for the opt-out request; or
    • If a consumer has already clicked on “Do Not Sell My Personal Information,” require the consumer to scroll through a Privacy Policy to locate the opt-out submission form.

(3) Businesses Could Ask Authorized Agents for Proof of their Authority (and Would Not Need to Go to the Consumer): The new proposed modifications would clarify that, when businesses receive a CCPA request from an individual purporting to act as a consumer’s authorized agent, they can require the authorized agent to provide proof it has written permission to act for the consumer. Under the current Regulations, businesses would have to go to the consumer to obtain this proof.

(4) All Notices to Consumers Under 16 Years of Age Would Require Additional Disclosures: The modifications would clarify that any privacy policy directed towards individuals under the age of 16 must meet the CCPA Regulations’ additional information requirements.  Currently, the Regulations imply that these additional information requirements apply only to privacy policies directed at children who are both under 13 (regulated under § 999.330 of the Regulations) and age 13-15 (regulated under § 999.331).  The modifications would clarify that any privacy policy directed at any individual under 16 – whether under 13 or age 13-15 – must contain the additional content required under the CCPA Regulations.

A redline showing the proposed changes based on the currently effective regulations is available here.  The proposed modifications are open for public comment until Wednesday, October 28, 2020.

California Passes Bill Extending Exemptions for Employment and Business-to-Business Information Under the CCPA

On Friday, August 28, the California state legislature passed Assembly Bill 1281 (“AB 1281”), potentially extending until January 1, 2022 the partial exemptions for employment and business-to-business data under the California Consumer Privacy Act (the “CCPA”).  AB 1281 only takes effect if the California Privacy Rights Act of 2020 (the “CPRA”), an initiative to amend the CCPA, is not approved in the statewide general election on November 3.  If the CPRA is not approved, the exemptions will expire on January 1, 2022.  If the CPRA is approved, the exemptions will expire on January 1, 2023.

Before the passage of AB 1281, there was more uncertainty regarding when businesses would have to fully incorporate employment and business-to-business data into their CCPA compliance programs.  The exemptions were previously set to expire on January 1 of the coming year unless the CPRA were to pass in November.  Businesses now have until at least January 1, 2022 to fully incorporate employment and business-to-business information into their CCPA compliance programs.

For more information on AB 1281 and its impact on a business’s decision to fully extend its compliance program to employment and business-to-business data, please visit our previous blog post here.  A summary of the CPRA’s key business impacts may be found here.

California Privacy Rights Act (CPRA) Will be on November Ballot

The California Secretary of State has announced that the California Privacy Rights Act (CPRA) will be on California’s November 3, 2020 ballot.  If approved by California voters, the CPRA would significantly update and amend the California Consumer Privacy Act (CCPA) that went into effect at the beginning of this year.  The organization that submitted the CPRA for inclusion on the ballot has stated its polling shows 88% of Californians would support a ballot measure expanding privacy protections.

We published a summary of the CPRA’s key business impacts here.  The most recent version of the CPRA can be downloaded here.

As a ballot initiative, the CPRA could only be placed on California’s November ballot if a sufficient number of signatures of registered voters were collected and validated.  Until last night, the California Secretary of State was still working with California counties to determine whether Alastair Mactaggart’s organization – which submitted the CPRA for placement on the ballot – had collected sufficient qualifying signatures.  As we reported, Mactaggart had petitioned California courts to compel the placement of the CPRA on this year’s California ballots.  The Secretary of State’s announcement confirms the CPRA will be voted on this year.

Proposed Federal Privacy Legislation Tackles COVID-19 Data

Data collection and analysis are becoming key weapons in the fight against COVID-19, both here in the United States and around the globe.  But as governments and tech companies roll out a variety of applications and contact tracing tools, legislators from both sides of the political aisle are questioning how to handle the data being collected, analyzed, and shared. The following is a short summary of two recently proposed pieces of federal legislation.

The COVID-19 Consumer Data Protection Act

On May 7, 2020, a group of Republicans introduced the COVID–19 Consumer Data Protection Act of 2020 (“CCDPA”).  Assigned to the Senate Committee on Commerce, Science, and Transportation, the CCDPA has several key features.

What The CCDPA Covers:
  • It covers a wide range of organizations, including businesses under the Federal Trade Commission’s jurisdiction as well as non-profits and common carriers (“covered entities”).
  • It covers a variety of types of data, including geolocation data, proximity data, persistent identifiers such as IP addresses or device IDs, and personal health information (“covered data”).
  • It covers certain purposes or use cases, including the collection, processing, or transfer of covered data to (1) track the spread, symptoms, or signs of COVID-19; (2) measure compliance with social distancing guidelines; and (3) conduct contact tracing (“covered purposes”).
  • It does not cover, among other things, data that is already protected by HIPAA and data collected by employers to determine whether employees may enter a physical location.

What The CCDPA Requires:

It makes it unlawful for a covered entity to collect, use, or transfer covered data for a covered purpose unless three requirements are met:

  1. Individuals receive notice prior to collection, use, or transfer of the data;
  2. Individuals give affirmative express consent; and
  3. The covered entity publicly commits not to collect, use, or transfer the data for any purpose other than a covered purpose.

The CCDPA also requires covered entities to update their privacy policies, to use reasonable security to protect the covered data, to use principles of data minimization, to provide an opt-out mechanism for individuals who previously consented, and to delete the data when it is no longer needed for the covered purposes.

Who Enforces The CCDPA:

The CCDPA does not include a private right of action and would be enforced by either the Federal Trade Commission or state attorneys general.

The Public Health Emergency Privacy Act

On May 14, 2020, members of the House and Senate introduced the Public Health Emergency Privacy Act (“PHEPA”).  PHEPA has been referred to the House Energy and Commerce Committee as well as the Senate Health, Education, Labor and Pensions Committee.

What The PHEPA Covers:

Generally speaking, PHEPA would apply to certain entities that collect “emergency health data” (“EHD”).  Importantly, “EHD” means (in brief) data that concerns the COVID-19 public health emergency, which means the “outbreak and public health response pertaining to [COVID-19], associated with the emergency declared” by HHS in January of 2020, and “any renewals” or “subsequent declarations…related to the coronavirus.”

What The PHEPA Requires:

The PHEPA imposes restrictions and compliance obligations similar to those set forth in the CCDPA.  It limits the permissible purposes for collecting, using, and disclosing EHD and requires reasonable safeguards to prevent unlawful discrimination based on EHD; requires reasonable security to protect EHD; requires reasonable measures to ensure EHD accuracy and a mechanism to correct inaccuracies; requires certain privacy policy disclosures and, if an organization has collected data of at least 100,000 individuals, certain additional disclosures every 90 days; and requires deletion of EHD upon the occurrence of specified events.  The PHEPA generally also requires affirmative express consent prior to the collection, use, or disclosure of EHD (subject to limited exceptions) and requires a mechanism for individuals to revoke consent.

Who Enforces the PHEPA:

PHEPA would not preempt or supersede any requirements or authorizations under applicable federal or state laws and contemplates rulemaking by the FTC regarding EHD collected prior to the law’s enactment.  PHEPA expressly does not apply to a covered entity or business associate under HIPAA, though PHEPA directs HHS to promulgate guidance on the applicability of similar requirements.

In addition to rulemaking authority, the FTC would have the authority to enforce the law, along with state attorneys general.

Unlike the CCDPA, the PHEPA provides a private right of action for violations that constitute a concrete and particularized injury in fact to the individual.

The PHEPA Applies To The Government, Not Just Private Entities

Unlike the CCDPA, the PHEPA is not limited to private entities and would also regulate some governmental use, collection, and disclosure of EHD.

PHEPA also includes provisions focused on protecting voters’ rights.  It prohibits government entities from denying, restricting, or interfering with (or attempting to deny, restrict, or interfere with) an individual’s ability to vote in an election, or retaliating against an individual for voting, on the basis of EHD, the individual’s medical condition, or participation or non-participation in a program to collect EHD.  PHEPA also prohibits covered organizations from knowingly facilitating such activities.