Updates: California Privacy Rights Act (“CPRA”)

Last month, we reported on the California Privacy Protection Agency’s (“CPPA”) engagement of an Executive Director and its proposal for a rulemaking framework. The CPPA’s efforts are assisted by provisions of Assembly Bill 694 (“AB 694”), which California Governor Gavin Newsom signed last month. AB 694 includes changes to California’s consumer privacy law and clarifies the CPPA’s rulemaking process. You can find the changes here.

Registration is open for a series of upcoming not-to-be-missed webinars covering key areas for companies seeking to navigate the global compliance landscape. Register below for insights from CPW’s Alan Friel, Marisol Mork, Eric Troutman and others.

Webinar Series: Advertising, Media and Brands – Global Compliance Challenges

2021 has provided unique challenges for businesses operating across the advertising, media and brands industry. Aside from the impact of the pandemic, we are seeing a changing and challenging landscape due to increasing economic, consumer, regulatory and compliance pressures.

With increased exposure as a result of these pressures, Squire Patton Boggs and BDO will be hosting four webinars to support the advertising, media and brands industry in navigating these challenges:

  • November 11, 2021 – Global Data, Technology and Tax
  • November 30, 2021 – M&A Landscape, Post-COVID-19 Transaction Trends and Tips, and Top Five Due Diligence Risks
  • January 12, 2022 – Global Anti-counterfeiting and Brand Protection Trends, and Top Five AMB Hot Topics
  • February 2, 2022 – The Rise of ESG and Global Workplace Challenges

Hosted by Squire Patton Boggs and BDO

Click here to register.

Conference: ANA/BAA Marketing Law Conference (In-Person and Virtual)

Nov. 15-17, 2021: San Diego

Session: California Privacy: What Direction Next From CCPA and CPRA?

Alan Friel (Squire Patton Boggs) will review California’s privacy laws with representatives from the California Privacy Protection Agency and the OAG.

Session: State and Local Attorney General Enforcement updates by Marisol Mork (Squire Patton Boggs)

Session: TCPA updates by Eric Troutman (Squire Patton Boggs)

Hosted by ANA.

Click here to register.

As Ann LaFrance, Alan Friel, Elliot Golding, Kyle Fath, Glenn Brown, Kyle Dull, Niloufar Massachi, and Gicel Tomimbang explain in a comprehensive expert analysis, recent changes in US consumer privacy laws will require most US businesses to make material changes to their privacy compliance and information governance programs by January 1, 2023 (July 1, 2023, in the case of Colorado). The analysis includes infographics that compare and contrast the applicable laws. Besides discussing these changes, the authors make recommendations on what to do during the remainder of 2021 and throughout 2022 to ensure business readiness by 2023.

You can read their breakdown here or below.

CPRA/CDPA/CPA Unpacked: Develop a Preparedness Plan Now

Just this week Virginia joined California as being one of the few states where consumers have a “right to delete” under applicable state privacy laws.  This loosely follows the approach in the EU General Data Protection Regulation (“GDPR”) that also contains a right to delete which is quite broad (“right to obtain . . . erasure of personal data concerning him or her”), though subject to a number of exceptions.  State approaches to consumers’ “right to delete” are not uniform, however, which makes understanding the nuance in the California Consumer Privacy Act (the “CCPA”), the California Privacy Rights Act, which amends and will essentially replace the CCPA on January 1, 2023 (the “CPRA”), and the Virginia Consumer Data Protection Act (the “VCDPA”) all the more important.

CPW’s Glenn Brown has prepared a detailed analysis that is a must-read in light of the VCDPA’s passage that compares the “right to delete” under the CCPA, CPRA and VCDPA.  As he explains, the CCPA, CPRA and VCDPA each provide that a consumer has the right to request that a business delete their personal information, but they differ in certain respects, including their scope. The CCPA provides that consumers “… have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer.”  (emphasis added).  Notably, the CPRA does not amend the wording of this right.  By comparison, the VCDPA provides that consumers “… have the right to delete personal data provided by or obtained about the consumer.”  (emphasis added).  The VCDPA’s deletion right is therefore broader than that provided by the CCPA and CPRA, in that it applies to personal information that a business has collected from a consumer or that the business has collected about a consumer from another source.

Glenn provides a fantastic breakdown discussing the relevant exceptions to the “right to delete” under each of these laws, including a chart describing the various uses of personal information that will allow a business to retain the relevant personal information subject to these laws, even when a consumer has requested the business to delete it.

*The CCPA and CPRA provide that the exception is available only if: (a) deletion of the information is likely to render impossible or seriously impair the ability to complete such research; and (b) the consumer has provided informed consent.

**The VCDPA requires that the research be approved, monitored, and governed by an institutional review board, or similar independent oversight entities, that determine whether: (i) the deletion of the information is likely to provide substantial benefits that do not exclusively accrue to the controller; (ii) the expected benefits of the research outweigh the privacy risks; and (iii) the controller has implemented reasonable safeguards to mitigate privacy risks associated with research, including any risks associated with reidentification.

The CPRA also requires that such uses be compatible with the context in which the consumer provided the information in order to qualify for the exception.

Be sure to check out Glenn’s complete analysis here.

In a recent blog post we reported that the advocacy group behind CPRA, Californians for Consumer Privacy, was going to court in an effort to prevent their plans to put the California Privacy Rights Act (“CPRA”) to a referendum vote in November from being derailed by a delay in the reporting of signature counts. A Writ of Mandate that was filed by the advocacy group led to a hearing before the Sacramento Superior Court, which took place on Friday, June 19, 2020.

On Monday, May 4, 2020, Californians for Consumer Privacy – the organization behind the ballot initiative that was the genesis of the California Consumer Privacy Act of 2018 (CCPA) – announced that it is submitting signatures to qualify the California Privacy Rights Act (CPRA) for the November 2020 ballot. According to the announcement, “well over 900,000 signatures” will be submitted in counties across the state over the next several days.

On December 9, 2021, Alan Friel, Co-Chair of the SPB Global Data Privacy, Cybersecurity & Digital Assets Practice, led a fireside chat between U.S. Congresswoman Suzan DelBene and Alastair Mactaggart, as part of the session on Privacy, Security, Data Protection and Trust at the International Institute of Communications’ (“IIC”) Washington DC Telecommunications & Media Forum (“TMF”).  A recording of the discussion is available here.

Congresswoman DelBene serves as the Vice Chair of the powerful House Ways and Means Committee, is the co-chair of the Women’s High-Tech Coalition, and has introduced federal consumer privacy legislation, the Information Transparency & Personal Data Control Act (“H.R. 1816”). Mr. Mactaggart is the force behind California’s privacy laws and is the Board Chair and Founder of Californians for Consumer Privacy, the organization that sponsored Proposition 24 (the California Privacy Rights Act or the “CPRA”) and the California Consumer Privacy Act of 2018 (“CCPA”).

The panelists discussed recently enacted U.S. state privacy laws and Congresswoman DelBene’s privacy bill, H.R. 1816, which was referred to the Subcommittee on Consumer Protection and Commerce in March 2021.  While the two policymakers agreed on the importance of consumer privacy legislation, their points of view on what that should mean for consumers and businesses diverged, and a spirited debate ensued.  Highlights are as follows:

A National Privacy Standard?

The panelists agreed it would be valuable to have a national privacy standard for safeguarding consumers’ personal data.  Congresswoman DelBene explained that a national privacy standard would:

  • curtail consumer confusion by making it so that consumers’ privacy rights do not change as much as they currently do when consumers travel from state to state;
  • alleviate the burden on businesses, especially small businesses, who may have to use considerable resources to comply with the requirements of each state privacy law; and
  • help to establish the U.S. as a key player in shaping global privacy policy—the Congressperson expressed that it is challenging for the U.S. to weigh in on international privacy issues when we lack a unified national standard.

Mr. Mactaggart agreed, explaining that a national privacy standard would grant privacy protections to people around the country. However, he pointed out that H.R. 1816 in its current form would preempt state privacy laws by prohibiting states from adopting, enforcing (or continuing to enforce) laws and regulations related to data privacy, with exceptions. Mr. Mactaggart recommended that a national privacy standard “should be a floor, not a ceiling,” and should not preempt stricter, non-conflicting state laws, so that states have an opportunity to strengthen privacy protections to meet the needs of their constituents. He pointed to the Health Insurance Portability and Accountability Act (“HIPAA”) and Sarbanes-Oxley Act of 2002 as examples of federal laws that have created legal baselines by establishing minimum consumer protection requirements while also allowing states to strengthen protections for their constituents.

Transparency and Enabling Choice Regarding Use

H.R. 1816, as currently drafted, does not include an express right of access (other than with respect to sensitive information), transportable copies, or rights of correction or deletion. The Congressperson explained that her intent was to propose a bill focused on fundamental policy and consumer rights that sets a solid foundation on which federal legislators can continue building. Mr. Mactaggart expressed that although he understands the Congressperson’s goal, the effect of H.R. 1816 (which, in its current form, preempts state laws) would be to deprive consumers in states with existing privacy laws (e.g., California) of rights they currently enjoy. For example, according to Mr. Mactaggart, passing H.R. 1816 as currently drafted would deprive Californians of their rights to see, delete, or correct their information, among other things. He recommended that a national privacy standard not remove existing privacy protections granted to consumers under state laws.

Scope of Rulemaking

The panelists agreed that an independent agency should be granted rulemaking authority. H.R. 1816, if passed, would grant rulemaking authority to the Federal Trade Commission (FTC) for privacy issues.  In California, the California Privacy Protection Agency (CPPA) has rulemaking authority for privacy.

Enforcement Authorities and Penalties for Non-Compliance

The panelists agreed that the FTC is the most qualified federal agency to lead privacy enforcement.  H.R. 1816, if passed, would be enforceable by both the FTC, a federal agency that has experience and expertise to lead meaningful privacy enforcement, and state attorneys general (but only if the FTC has not acted).  In California, the CPPA has administrative enforcement authority to enforce the CCPA/CPRA.

Private Right of Action

The panelists agreed that granting a private right of action creates challenges for covered businesses.  The Congressperson explained that H.R. 1816 does not have a private right of action because the threat of litigation can be very costly, especially for small businesses.  Mr. Mactaggart agreed and clarified that although there is a private right of action under the CCPA, the right is limited to a specific subset of personal information, and only for instances where a business is negligent in its data security practices.

Public Policy Balance Between Transparency and Choice in Digital Advertising

The panelists agreed that advertising is an important tool in commerce, but that it should be balanced with consumer protection considerations.

  • Mr. Mactaggart advised that privacy laws should contemplate including a distinction between contextual advertising and behavioral advertising, which he believes to be a more invasive form of advertising.
  • The Congressperson added that consumers should have the ability to opt in to and opt out of information sharing depending on the context of their relationship and interaction with a business, and consumers should be provided with tools to help them understand their privacy rights, such as privacy notices that are easy to understand.

Sensitive Personal Information

The panelists agreed that certain types of information are more sensitive, and therefore, should be subjected to a heightened protection standard.

  • The Congressperson explained that companies should be required to obtain affirmative express consent before they can collect and share sensitive personal information (e.g., financial information, health or genetic information, information about children, citizenship or immigration status, gender, religious beliefs, etc.).
  • Mr. Mactaggart added that in California, the new category of “sensitive information” was added to balance giving consumers meaningful privacy rights with the need to enable businesses to utilize data to provide services to consumers.

Where to go from here?

Interestingly, the Congressperson expressed an openness to learn more and noted that her bill was merely a first draft to get the legislative process moving and welcomed input from stakeholders.  Mr. Mactaggart offered to sit down with her staff.  Where this will go next is unclear, but it appears that the discussion will continue.  A recording of the discussion is available here.  The IIC/TMF also covered international privacy issues.  A blog post on that is available here.

On December 9, 2021, Ann LaFrance, SPB Senior Partner and Vice President of the International Institute of Communications (“IIC”), moderated a panel discussion involving U.S. and international stakeholders’ perspectives on privacy and data protection trends and the value of interoperability in cross-border data transfers at the IIC’s (virtual) annual Telecommunications & Media Forum (“TMF”) in Washington DC.

The panel participants represented a diverse cross-section of international stakeholders, including: Maureen Mahoney, Senior Policy Analyst for Consumer Reports; Sam Schofield, Trade Policy Advisor – Global Data Policy, International Trade Administration (“ITA”); Vitelio Ruiz Bernal, Director General of Investigation and Verification of the Private Sector, Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (“INAI”); and Christopher Calabrese, Senior Director, Privacy Policy, Microsoft.

The panelists discussed a wide range of topics, including the prospects for interoperability between and among national data privacy and protection regimes, data localization, emerging international frameworks, enforcement challenges and consumer trust.  A summary of the major themes covered by the panelists is provided below.

Global Interoperability

Stakeholders in the U.S. and abroad recognize the importance of facilitating cross-border transfers of personal data, and are advocating for interoperable privacy laws, including agreement on a new framework to replace the EU-US Privacy Shield (“Privacy Shield”), which the European Court of Justice concluded was invalid from an EU law perspective in 2020.

One emerging framework to facilitate the free flow of personal data is the Asia-Pacific Economic Cooperation (“APEC”) Cross-Border Privacy Rules (“CBPR”) System, which currently has nine participating countries, including the United States and Mexico.  The panelists discussed the conditions for an effective cross-border interoperability regime, including the following principles:

  1. Be transparent so that it is not difficult to comprehend what companies are doing with an individual’s data;
  2. Empower individuals by giving them rights over their own data;
  3. Promote corporate responsibility among companies that collect personal information;
  4. Have a strong enforcement mechanism to ensure that if consumers are granted rights they also have adequate remedies;
  5. Respect national sovereignty but limit data localization where necessary for national governments to protect legitimate state interests; and
  6. Be sufficiently flexible to allow for the evolution of technology and evolving regulatory requirements.

Although there is a consensus on the value of interoperable privacy regimes, there is also a recognition that there are different perspectives on what the critical elements of “interoperability” should consist of, how they should be implemented and what enforcement mechanisms should apply.

Data Localization

Data localization laws place restrictions on where personal information may be stored and processed. The panelists discussed the impact of data localization laws, including:

  1. The obstacles data localization laws create for businesses seeking to serve customers both globally and locally (e.g., significant operational costs), which affects cross-border commerce;
  2. Governments’ national security and law enforcement interests; and
  3. The need to balance the benefits of enabling data to flow freely across borders with the legitimate interests of governments to protect their citizens.

Emerging International Frameworks

Two models of interoperability were the focus of discussion: the APEC CBPR System, and the EU “adequacy” test established under the EU General Data Protection Regulation (the “GDPR”).  The panelists discussed the benefits and challenges of both models and observed that, although the GDPR is generally considered a more stringent regime, the two models are not incompatible and there are countries that participate in both (e.g., Japan, Canada).

Enforcement Challenges

The panelists agreed that establishing a global privacy standard is challenging because privacy is culturally rooted, and each country may have a different understanding of human rights and civil liberties.  Thus, what may be considered “private” in one country may not be so in another, which could affect the enforcement mechanisms included in each country’s privacy regime.  The panelists also identified additional challenges in privacy enforcement, including the:

  1. Importance of allocating sufficient resources and enforcement powers to data protection authorities so they can promote accountability and secure redress for consumers;
  2. Privacy considerations in public and private sectors, which may sometimes be divergent; and
  3. Importance of developing legally enforceable mechanisms that evolve alongside changing technology.

Consumer Trust

From the consumer perspective, ensuring trust in online transactions is an imperative that will require laws designed to protect consumer privacy by default, including strong data minimization requirements, as well as effective opt-out mechanisms, such as global privacy controls that can be activated through browser settings.

There was a general consensus that we are now approaching an inflection point, with new and divergent privacy laws coming into force around the world, such as the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados Pessoais or LGPD), China’s Personal Information Protection Law (“PIPL”), California’s CCPA/CPRA and a number of other privacy laws at the state level in the U.S. The panelists agreed that the next five years will be critical to the development of a global consensus on the minimum interoperability requirements to legitimize cross-border data flows in a world that is ever more reliant on the global internet.

A recording of this discussion is available here. The IIC/TMF also hosted a panel on U.S. privacy law developments.  A blog post on that is available here.