Privacy regulators in California and Colorado recently made announcements regarding rulemaking for their respective state privacy laws. Last week, the California Privacy Protection Agency (“CPPA”) announced that it will hold its next public meeting this Thursday, February 17, during which it will discuss updates on the rulemaking process, including a timeline. On January 28, Colorado Attorney General Phil Weiser publicly announced the intent of the Colorado Office of the Attorney General (“COAG”) to carry out rulemaking activities to implement the Colorado Privacy Act (“CPA”), providing an indication of focus areas and a rough timeline. We discuss each of these developments in further detail below.

2021 was another record-setting year for the California Consumer Privacy Act (“CCPA”).  Read on for CPW’s highlights of the year’s most significant events concerning CCPA litigation, as well as our predictions for what 2022 may bring.

2020 Recap: The CCPA Comes Into Effect

The CCPA went into effect on January 1, 2020.  It regulates any “business” that “does business in California,” even those without a physical presence in the state, and determines the means and purposes of the processing of “personal information”.

As a recap, what entities qualify as a “business” subject to the CCPA? The statute defines a “business” as a for-profit, private entity that (1) collects “personal information”, (2) determines the means of processing that personal information, (3) does business in California, and (4) meets one of the following criteria:

  • Has annual gross revenues exceeding $25 million;
  • Annually sells/buys or receives/shares for commercial purposes the personal information of 50,000 or more California consumers; or
  • Derives 50% or more of its annual revenue from selling personal information.

Generally, the CCPA covers all information so long as it relates to a California resident or California household.  Aligning with the GDPR, the CCPA defines “personal information” to include “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”  Cal. Civ. Code § 1798.140(o).

The CCPA requires compliance with its notification and transparency notices.  First, the CCPA expects businesses to present up to four notices, to be determined by that business’s practices.  Second, businesses must also inform consumers of their rights under the CCPA including their: (1) right to know, (2) right to delete, (3) right to opt out, (4) right to not be discriminated against for exercising their CCPA rights.

Section 1798.150(a)(1) of the CCPA provides a private right of action to “[a]ny consumer whose nonencrypted and nonredacted personal information … is subject to an unauthorized access and exfiltration, theft, or disclosure” due to a business failing to satisfy “the duty to implement and maintain reasonable security procedures and practices….” (emphasis supplied).  Damages available for a private right of action under Section 1798.150(a)(1) include a statutory amount of between $100 and $750 “per consumer per incident or actual damages, whichever is greater”, as well as injunctive or declaratory relief and “any other relief the court deems proper” (emphasis supplied).

The first CCPA lawsuit, Fuentes v. Sunshine Behavioral Health Group, LLC, No. 8:20-cv-00487 (C.D. Cal.), appeared on March 10, 2020, only three months after the law went into effect.  Others soon followed.

Overview of 2021 CCPA Litigations: What Do the Numbers Show?

To date, over 125 cases asserting CCPA claims have been filed this year, with the vast majority (91.2%) filed in federal courts.  Each quarter of 2021 has seen roughly the same number of cases filed (about 30-35 cases).  Not surprisingly, about 60% of all federal cases were filed in California’s federal courts, with the largest number of cases filed in the Northern and Southern Districts of California.  Outside of California, the Western District of Washington had the largest number of CCPA cases filed with ten total cases filed to date.  A handful of cases have also been filed in district courts in each of the Second, Third, Fourth, Fifth, Sixth, Seventh, Eighth, and Eleventh Circuits.  Ten of the eleven state court cases filed have been filed in California Superior Courts.

Interestingly, nearly 40% of all CCPA cases filed this year either concerned the T-Mobile data event or alternatively, another data event involving a financial services company following account hacks on the California Employment Development Department’s (“EDD”) prepaid debit cards.  As such, the largest number of cases filed this year were concentrated in the communications and financial services industries.  The remaining CCPA cases, however, span a wide range of industries—including technology, healthcare, insurance, and hospitality.  Even a hair transplant company had a CCPA lawsuit brought against it this year.

And while cyber theft remains on the rise, plaintiffs (and plaintiffs’ attorneys) have not lost sight of other data use implications mandated by the CCPA.  For example, Flo Health Inc., an ovulation-tracking app, has been hit with a number of class action lawsuits alleging the app “secretly collected” (i.e., without consent) personal information of users—including whether women were trying to get pregnant—and shared that data with third-party data collectors and advertisers.  The lawsuits follow the FTC’s investigation into related concerns.  Some of the complaints against Flo Health reference the CCPA as supporting other claims raised by plaintiffs, such as violation of California’s Unfair Competition Law (Cal. Bus. & Prof. Code §§ 17200, et seq.), without asserting a direct CCPA claim.

2021 Developments in CCPA Case Law

This year has seen a number of developments in CCPA litigation case law.  We highlight a few of those developments here.

At the beginning of this year, one federal court held that the CCPA does not limit the scope of discovery in litigation.  Will Kaupelis v. Harbor Freight Tools USA, Inc., Case No. 19-01203 (C.D. Cal.).  This case was brought as a putative class action and concerned claims that the defendant allegedly manufactured and sold chainsaws with a design defect.  After defendant’s motion to dismiss was denied, plaintiff sought discovery that included the PI of customers who had complained about the purported product defect (including individuals in California).  The defendant resisted production of this information, in reliance on the CCPA.  Specifically, the defendant argued that the CCPA expanded the privacy rights previously provided under California law.  As such, the defendant argued that the court should “protect the consumers’ PI by allowing consumers an opportunity to opt out from disclosure.”   The defendant claimed this approach was consistent with the CCPA’s notice and consent requirements.  The court, however, granted plaintiff’s motion to compel, stating that, “[n]othing in the CCPA presents a bar to civil discovery.  Notably, no other case has so held.  And the statute itself explicitly says that it is not a restriction on a business’s ability to comply with federal law.”  The court later dismissed an amended complaint on similar grounds.

In March, Walmart scored a massive win for defendants in data privacy litigation in the Lavarious Gardiner v. Walmart Inc. et al. case.  The Court adopted Walmart’s narrow interpretation of the CCPA and dismissed Plaintiff’s non-cognizable CCPA claim.  As a reminder, this case involved a plaintiff inferring, from finding his information on the dark web, that Walmart had suffered a data breach.  In response, Walmart argued first that Plaintiff’s failure to allege when the breach purportedly occurred was fatal to the Complaint because the CCPA is not retroactive.  The Court sided with Walmart and agreed that Plaintiff needed to plead a breach occurring after January 1, 2020:  “Absent allegations establishing that Walmart’s alleged violation of the CCPA occurred after it went into effect, Plaintiff’s CCPA claim is not viable.”  Second, the Court also held that Plaintiff’s CCPA claim failed for the additional reason that Plaintiff did not sufficiently allege disclosure of his personal information as defined in the CCPA.  Cal. Civ. Code § 1798.81.5.  The Court found insufficient the Complaint’s allegation that the purported breach compromised the full names, financial account information, credit card information, and other PII of Walmart customers: “[a]lthough in the Complaint Plaintiff generally refers to financial information and credit card fraud, he does not allege the disclosure of a credit or debit card or account number, and the required security or access code to access the account.”  (emphasis added).

In July 2021, the Central District of California denied a motion to compel arbitration brought by the Gap in the data breach litigation, Shadi Hayden v. Retail Equation et al., No. 20-cv-01203 (C.D. Cal. July 07, 2020).  There the court reasoned that, because the Gap was not a party to the arbitration agreement it attempted to invoke, the arbitration agreement did not apply to bar the litigation.  The Gap subsequently appealed, and the case remains pending.

In an August decision, a federal judge found that the majority of Plaintiffs’ statutory claims withstood a Rule 12(b)(6) motion to dismiss in the In re Blackbaud data privacy multi-district litigation.  MDL No. 2972 (D.S.C. Aug. 12, 2021).  Plaintiffs’ allegations that a cyberattack resulted from Blackbaud’s “deficient security program” and failure to comply with industry and regulatory standards were sufficient to withstand a motion to dismiss.  As to the CCPA, the Court found that Blackbaud was alleged to be a “business” under the CCPA, relying largely on its registration as a “data broker” under California law.  The Court notably rejected Blackbaud’s argument that its status as a “service provider” insulated it from liability under the CCPA.

In another significant ruling, in Brooks v. Thomson Reuters Corp., No. 21-cv-01418-EMC, 2021 U.S. Dist. LEXIS 154093 (N.D. Cal. Aug. 16, 2021) the Northern District of California recently denied in part a defendant’s motion to dismiss a complaint alleging violations of various consumer privacy statutes. Of note, the Court found that an affirmative defense of compliance with one privacy statute, the CCPA, did not shield defendant from liability for alleged violations of other state laws.

Finally, in December, the Northern District of California denied a motion to intervene and oppose a preliminarily approved settlement in the litigation that followed a widespread data event Accellion had suffered.  Cochran v. Accellion, Inc., 2021 U.S. Dist. LEXIS 214686 (N.D. Cal. Nov. 5, 2021).  In Cochran, one of the entities that used Accellion as a service provider agreed as part of a $5 million settlement to modify its business practices going forward.  This would include switching to a “new secure file transfer solution,” securing or destroying the personal information subject to the data event and boosting its third-party vendor risk management program.  In denying the Proposed Intervenors’ Motion to Intervene, the Court analyzed intervention as a matter of right and permissive intervention. The Court rejected the argument that the Proposed Intervenors could intervene as a matter of right because the Court heard the Proposed Intervenors’ objections to the proposed settlement on two occasions, the settlement agreement allows putative intervenors to protect their interests by opting out of the settlement class, and the Court found that the Proposed Intervenors’ interest in a preliminary settlement approval is not a “significant protectable interest.”  The Court denied permissive intervention because, among other things, the Proposed Intervenors already had the opportunity to participate in the fairness hearings.

Predictions for CCPA Litigation in 2022

So what is on the horizon for 2022? Certainly an expansion of consumer privacy laws that follow California’s lead.  This past year saw Virginia and Colorado launch privacy legislation and that trend will continue in 2022.  While claims invoking the consumer privacy law of other states may be kept at bay during 2022, the lessons learned from CCPA litigation will come into play in 2023 as those new laws, particularly those with a private right of action, start going into effect.

In the meantime, we can expect that the lawsuits making their way through the courts will continue shaping the contours of CCPA litigation.  Of particular interest will be the impact of the Ramirez v. TransUnion decision upon class action litigation, including CCPA claims arising from a data incident.  As previously noted, while commentators worried that Ramirez might preclude data breach litigations from being brought in federal courts, those concerns have not materialized, with CCPA claims remaining just as at home in federal court as in state court.

We can also expect to see continued enforcement activity at the state level.  In July 2021, California’s Attorney General Bonta issued a press release summarizing its first year of CCPA enforcement and reinforcing its commitment to CCPA enforcement.  The pressure will remain on companies to annually update their California privacy notices to avoid finding themselves the target of enforcement activities.

2022 is going to remain busy for CCPA litigation and enforcement.  Not to worry, CPW will be there to keep you in the loop.  Stay tuned.

As Ann LaFrance, Alan Friel, Elliot Golding, Kyle Fath, Glenn Brown, Kyle Dull, Niloufar Massachi, and Gicel Tomimbang explain in a comprehensive expert analysis, recent changes in US consumer privacy laws will require most US businesses to make material changes to their privacy compliance and information governance programs by January 1, 2023 (July 1, 2023, in the case of Colorado).  The analysis includes infographics that compare and contrast the applicable laws.  Besides discussing these changes, the authors make recommendations on what to do during the remainder of 2021 and throughout 2022 to ensure business readiness by 2023.

You can read their breakdown here or below.

CPRA/CDPA/CPA Unpacked: Develop a Preparedness Plan Now

On July 19, the Office of the Attorney General of California (OAG) issued a press release summarizing its first year of CCPA enforcement. Seventy-five percent of companies receiving a notice to cure are said to have come into compliance within the 30-day cure period, with 25% reportedly still within that period or under ongoing investigation. The OAG also published summaries of 27 resolved exemplary cases. The OAG was careful to note that the summaries do not constitute advice and do not include all of the facts, however they do offer some insights. Disappointingly, however, the summaries often lack enough detail to allow readers to surmise the enforcement posture that was taken by the OAG, the exact nature of the alleged violations, or the specific actions taken by the company that satisfied the OAG’s inquiry.

As Alan Friel, Glenn Brown, Ann LaFrance, Kyle Fath, Elliot Golding, Niloufar Massachi and Kyle Dull explain in a comprehensive, 16-page analysis here, on June 8, 2021, the Colorado legislature passed SB 21-190, known as the Colorado Privacy Act (CPA or CO Act), which the governor signed into law on July 7, 2021.  The CO Act is a mishmash of concepts from other jurisdictions. It is in large part modeled on the March 2021 Virginia Consumer Data Protection Act (CDPA), but with California influences, such as a broader definition of “sale” and requiring companies to look for and honor global privacy signals. Both the California consumer privacy regime, and even more so the CDPA, were inspired by Europe’s General Data Protection Regulation (GDPR), but depart from it in many material ways.

In their must-read analysis, they break down the similarities and differences of the three US state consumer privacy regimes.

With the stroke of his pen on July 7, Governor Jared Polis (D) signed the Colorado Privacy Act (CPA or Act) into law, making the Centennial State the third U.S. state to pass comprehensive consumer privacy legislation.  The Act, passed by the legislature on June 8, is a combination of elements of California and Virginia consumer privacy laws, possibly creating a harmonization model for other states to follow.  For a comprehensive comparison of the three states’ laws click here.   The CPA will be enforceable as of July 1, 2023.

Colorado’s SB 21-190 has passed both chambers and if not vetoed will become the 3rd omnibus state privacy law enforceable 7/1/23.  It has no private right of action, but includes the right to object to processing for purposes of targeted advertising, the sale of personal data, or profiling, including via means of an online global privacy control, as well as the rights to access, correct and/or delete personal data, or obtain a portable copy of it.  It does not apply to employee data.  It specifies how controllers must fulfill duties regarding consumers’ assertion of their rights, transparency, purpose specification, data minimization, avoiding secondary use, avoiding unlawful discrimination and sensitive data, and requires risk assessments for certain “high risk” processing activities.  The law is closer to Virginia’s CDPA than California’s CCPA/CPRA, but there are material differences.  Look for a post next week that compares and contrasts the three states’ laws and the EU’s GDPR, which inspired this growing state trend.

The California Privacy Protection Agency (“CPPA” or “Agency”) hosted its first public meeting yesterday following publication of the first draft of proposed regulations (“Regs”) (on May 27) and the initial statement of reasons (“ISOR”) on June 3. Immediately below, we summarize highlights of the meeting held by the CPPA, including taking a further step towards formal rulemaking. Further below, we provide our initial but detailed insights on the first draft of proposed regulations (initially published here last week), including, among other things, on the controversial opt-out preference signal (“OOPS”).

June 8, 2022 Meeting Highlights

Not a Surprise, the CPPA and OAG Co-Wrote the Regs. During the meeting, representatives from the California Department of Justice, Office of the Attorney General (“OAG”) provided a high-level summary of the proposed Regs, confirming that the CPPA worked closely with the OAG to draft the proposed Regs. This is not surprising given that prior to the CPPA’s formation, the OAG was responsible for adopting and publishing the initial set of the California Consumer Privacy Act’s (“CCPA”) regulations. Rulemaking authority under the CCPA, as amended by the California Privacy Rights Act (“CPRA”), formally transferred to the CPPA on April 21, 2022. The California Office of Administrative Law (“OAL”) approved the transfer on May 5, 2022. The text of the current CCPA regulations (the “Regs”) is now available at Title 11, new Division 6, beginning with section 7000 of the California Code of Regulations. Although this formal transfer marks a step in the CPPA’s rulemaking, it is important to note that the CPPA has not begun formal rulemaking activities. The OAG emphasized that the proposed Regs do the following: (1) update the CCPA regs to harmonize requirements with the CPRA amendments and to address any confusion; (2) operationalize new rights and concepts introduced by the CPRA amendments, including, among others, requirements for and limits on the use of sensitive personal information; and (3) reorganize and restate the requirements of the law, where appropriate, to maximize readability and understanding of legal obligations.

Global Opt-Out, Not Optional. The OAG confirmed its position that it interprets the provisions of the CCPA regarding opt-out preference signals (aka Global Privacy Controls) (see Section 1798.135(b)(3) of the statute (“A business that complies with subdivision (a) [i.e., by including opt-out links] … is not required to comply with subdivision (b) [i.e., honoring OOPS]”) and Section 1798.185(a)(20) (referring to an election to comply with (b))) as mandatory.  Thus, if the Regs are approved, businesses must develop a process for honoring such signals.

One Step Closer to Commencing Formal Rulemaking. The CPPA approved a motion to delegate authority to Ashkan Soltani, Executive Director of the CPPA, for rulemaking functions. Again, the CPPA has not commenced formal rulemaking activities yet. They are currently in the staff production phase of the pre-rulemaking stage, whereby staff prepares the rulemaking file. The CPPA will then approve the rulemaking file and file a Notice of Proposed Rulemaking Action (“NOPA”) together with the rulemaking file to the OAL. The NOPA will be posted on the CPPA’s website and published in the California Regulatory Notice Register. This will mark the first day of formal rulemaking.  Afterwards, a 45-day public comment period begins. The CPPA will also hold a public hearing during this time as scheduled or by request. At the conclusion of the public comment period, the CPPA must address public comments and may notice changes. A subsequent 15-day comment period will open if the CPPA proposes material changes to the Regs following the initial comment period. This process may be repeated. The CPPA is required to summarize and respond to every public comment in its Final Statement of Reasons (“FSOR”). Once the CPPA finalizes the regulations, it will submit the final version together with the FSOR in a final rule package to the OAL. Once approved, the Agency will formally adopt the regulations and the rulemaking record will close.

Stakeholders Continue to Press for Transparency and Compliance Timeline Extension. During the public comment portion of the meeting, representatives from business organizations, including the California Hispanic Chambers of Commerce, opined that there is much concern over the uncertainty of privacy regulations and potential consequences of the same on the business community, especially among small businesses. The representatives collectively expressed that the lack of complete regulations and uncertainty over the scope and timing of compliance and enforcement pursuant to the same create hardships for businesses that are concerned about the cost and timing of compliance. The representatives requested greater transparency from the CPPA and at least a 6-month extension of the current compliance deadline, reasoning that an extension is fair in light of the delay in regulations.

OOPS! And Other Takeaways from the First Draft of CPRA Regulations

While the draft Regs do provide an indication of what the Agency’s priorities may be, they certainly are incomplete. The document purposely omits regulations on key topics, including automated decision-making and profiling, cybersecurity audits, and risk assessments (which the Agency announced would not be included in the first draft during its May 26 meeting), so we can expect the Regs to expand far beyond their current 66-page length.

Opt-Out Preference Signal; Do Not Sell / Share. The CPRA includes a Global Privacy Control concept referred to as the “opt-out preference signal” (or “OOPS”). Though the statute makes honoring OOPS optional (see Section 1798.135(b)(3) of the statute (“A business that complies with subdivision (a) [i.e., by including opt-out links] … is not required to comply with subdivision (b) [i.e., honoring OOPS]”) and Section 1798.185(a)(20) (referring to an election to comply with (b))), the Agency has decidedly taken the position that honoring OOPS is mandatory. Section 7025(e) and 7026(a)(1). The Agency appears to be hanging its hat on its new concept of processing OOPS signals in a “frictionless manner”—i.e., if your business processes OOPS in a frictionless manner it can forgo the opt-out links and mechanism, but if it does not then it must have both the opt-out links and mechanism and have a process for honoring OOPS, though that may involve certain steps and conditions, as discussed in further detail in the next paragraph. Regs. Sections 7013(d), 7025 (but compare to Section 7026(a)(1), which requires, at minimum, two methods in conflict with Section 7013(d) and 7025(e)). This approach is certain to receive a lot of comments and, should it become final, likely judicial challenge.

WTF is a “Frictionless Manner”? To be considered to have honored an OOPS signal in a frictionless manner, the business must not: (1) Charge a fee or require any valuable consideration if the consumer uses an opt-out preference signal; (2) Change the consumer’s experience with the product or service offered by the business; or (3) Display a notification, pop-up, text, graphic, animation, sound, video, or any interstitial content in response to the opt-out preference signal (however, the business is permitted to present a pop-up or other notification asking for consent to ignore the OOPS). Therefore, for example, publishers will still have the opportunity to monetize content and present pop-ups in the way that is currently done when they detect a pop-up blocker. Section 7025(f).

The criteria for a “frictionless manner” come from what the statute tasks the Agency to determine are part of the specification for the OOPS at 1798.185(a)(20), so there is a basis for requiring the OOPS to be “frictionless.” However, that does not necessarily mean that Section 1798.135 does not permit publishers to elect between links or frictionless OOPS. In addition, to qualify under Section 7025(g) to avoid having to post the DNSale / DNShare link and mechanism, the frictionless OOPS must also act as a consumer opt-out of offline sales and sharing if the business has the ability to link the signal to offline consumer data (e.g., the website visitor is logged in and thereby tied to their profile). It is not clear what is meant by “offline” as it is not defined in the Regs or the statute. Finally, it is proposed that third party controllers (e.g., cookie operators) collecting personal information on a first party business’ website are also required to look for and honor OOPS. Section 7052(c).

What can the opt-out link(s) say? In terms of what links may be used, the Regs provide that they can either state: (1) “Do Not Sell or Share My Personal Information” and, if applicable, “Limit the Use of My Sensitive Information;” (2) Your Privacy Choices; or (3) Your California Privacy Choices; however, “this alternative opt-out link is to provide businesses the option of providing consumers with a single, clearly-labeled link that allows consumers to easily exercise both their right to opt-out of selling/sharing, and the right to limit, instead of posting the two separate [links]” (emphasis added). That begs the question: can a company that does not use or disclose sensitive personal data in a manner that is subject to limitation still take advantage of the alternative link to address sale/share? Given that some sort of conspicuous opt-out link will be required for the other 2023 state privacy laws (e.g., Colorado, Virginia), option 2 would seem to present a clean and consumer friendly way of pointing consumers to their various opt-in and opt-out options. To emphasize, however, if the proposed OOPS provision is not reworked, the processing of opt-out preference signals would still be required; it would just seemingly not have to be in a “frictionless manner.” See Sections 7013(b) and 7015(b).

Combined DNSell / DNShare Requests? The Agency appears to treat the separate opt-out from sale and sharing rights as a single, combined obligation to a business. In other words, if a business receives a “Do Not Sell” request it must also treat it as a “Do Not Share” request, and vice versa. A number of sections, including the new definition of “Opt-Out of Sale/Sharing,” indicate that the Agency is not bifurcating the concepts and will seemingly require businesses to treat one as both. See, e.g., Sections 7001(z) (“neither sell nor share”), 7025(c) and 7026, among others. While the statute speaks in terms of a combined DNSale or DNShare link, it provides that such link be “to an internet webpage that enables a consumer … to opt-out of a sale or sharing…” (emphasis added). It is conceivable that some consumers may want to opt-out of sale, but not sharing for cross-context behavioral advertising, or vice versa, and the conflation of these rights in the Regs would prevent that. This, too, is likely to receive comments, assuming the full Agency Board even votes the provision forward. Furthermore, the Regs require DNSell / DNShare opt-outs to be flowed down to third party sale / share recipients, who must honor the opt-out in the same manner as the business. Section 7052(a). There is no express authority in the statute for such a pass through of opt-outs.

No OOPS Technical Details. Setting aside the controversy of the requirement (or lack thereof) of processing OOPS signals, the Agency provided no technical requirements on the opt-out preference signal or regulations touching on the statute’s requirement that the signal must be sent with a consumer’s consent, which would likely require it to be a user-enabled rather than a default setting. In addition, the Regs provide no details on how a business can and should determine residency with respect to an OOPS signal. While we need significantly more detail on this, and as the debate regarding the optional nature of OOPS rages on, a few other interesting aspects of the OOPS-related Regs worth raising include: (1) effectively requiring businesses to tie an OOPS opt-out to non-cookie and other non-online information where a consumer is signed into the business’ account online (but not if the consumer is not signed in) (Section 7025(c)(7)(A)-(B)); and (2) displaying an online message as to whether the business has “Honored” the OOPS opt-out for a particular device/consumer (Section 7025(c)(6)). In addition, the Regs not applying the OOPS to limitation of sensitive information, as the statute provides, alone arguably causes the current proposal on OOPS to fall short of the statutory requirements.

Principles Regarding Consumer Requests and Consent. In addition to the specific requirements regarding the various consumer request types discussed below, the Agency outlined several overarching requirements applicable to all types of consumer requests. Among these general requirements, businesses must:

  1. Ensure the consumer request methods and accompanying instructions are easy to understand;
  2. Offer symmetry in choice. In other words, “[t]he path for a consumer to exercise a more privacy protective option shall not be longer than the path to exercise a less privacy-protective option.”
  3. Avoid confusing language (including double negatives).
  4. “Avoid manipulative language or choice architecture.”
  5. Be easy to execute.

Section 7004(a). Failure to comply with the requirements above may be considered a “dark pattern” under the CPRA. Additionally, the Regs clarify that “[a] user interface is a dark pattern if the interface has the effect of substantially subverting or impairing user autonomy, decisionmaking [sic], or choice, regardless of a business’s intent.” Section 7004(b) and (c).

Right to Delete. The draft Regs make explicit businesses’ obligations to flow down requests to delete to service providers, contractors, and third parties. Specifically, the Regs instruct businesses to notify contractors and service providers to delete PI on request from an eligible consumer, and also require service providers and contractors to comply with those requests and pass the request down to subprocessors. Section 7022(b)(2) and (c). Additionally, third parties to whom a business has shared or sold PI must be instructed to delete the PI (Section 7022(b)(3)), and the Regs add that they must comply (Section 7052(a)). The former is required by the statute, but the latter is not explicitly stated.

Right to Correct. The Regs’ provisions regarding requests to correct primarily revolve around issues of contested data, as well as how businesses are expected to effectuate correction requests. On the former point, the Agency instructs businesses to consider the “totality of the circumstances” when determining whether to accept new PI presented by a consumer, or to reject the request. Factors to consider include:

(A) The nature of the personal information (e.g., whether it is objective, subjective, unstructured, sensitive, etc.).

(B) How the business obtained the contested information.

(C) Documentation relating to the accuracy of the information whether provided by the consumer, the business, or another source. Requirements regarding documentation are set forth in subsection (d).

Section 7023(b)(1). Helpfully, the Regs add that “[i]f the business is not the source of the personal information and has no documentation to support the accuracy of the information, the consumer’s assertion of inaccuracy may be sufficient to establish that the personal information is inaccurate.” Section 7023(b)(2).

With respect to the implementation of correction requests, the Regs advise that businesses should update the PI on existing systems, and also take measures to ensure that the information stays accurate. Essentially, the CPPA is telling businesses to make sure that corrected information is not subsequently overwritten by incorrect information. Additionally, businesses are obligated to pass along correction requests to contractors and service providers. Section 7023(c).

Limit the Use of My Sensitive Personal Information. In a regulatory scheme rife with difficult acronyms, we have to compliment the Agency here for coining the phrase “right to limit” to refer to a consumer’s right to limit the use or disclosure of sensitive personal information. As promised by the statute, the Regs provide the purposes for which a business can use or disclose sensitive PI without offering the right to limit, including performing services reasonably expected by an average consumer, fraud prevention, ensuring physical safety of natural persons, short term transient use for nonpersonalized advertising, and other routine business purposes. In addition to enumerating such business purposes, the Agency provides helpful examples within each one. See Section 7027.  The Regs also require that the privacy notice and retention schedule break out disclosure of sensitive personal information collected into the nine subcategories set forth in the statute.

Right to Know (access). The Regs follow the statute’s expansion of the lookback period for access requests beyond 12 months after January 1, 2022, but clarify that businesses may limit such requests where compliance would involve disproportionate effort, measured by a balancing test of the time and resources against the benefit to the consumer. Sections 7001(h) and 7024(h). “For example, responding to a consumer request to know may require disproportionate effort when the personal information which is the subject of the request is not in a searchable or readily-accessible format, is maintained only for legal or compliance purposes, is not sold or used for any commercial purpose, and would not impact the consumer in any material manner.” Section 7001(h) (emphasis added). However, failure to put appropriate systems in place to reasonably fulfill requests will negate a claim of disproportionate effort.  Id.

Verification. Interestingly, these regulations provide few revisions to the sections relating to verification of requests.

Purpose Limitation. “Reasonably Necessary and Proportionate” Defined. The Regs provide helpful guidance on the purpose limitation requirements in the statute, namely, by defining “reasonably necessary and proportionate.” The Regs provide that this limitation means that collection, use, retention, and sharing of PI must be “consistent with what an average consumer would expect when the personal information was collected” or “for other disclosed purpose(s) if they are compatible with what is reasonably expected by the average consumer.” Section 7002(a). This section also provides examples of what may or may not be reasonably necessary and proportionate. However, the examples suggest that certain advertising and marketing practices, particularly regarding geolocation and third party marketing, would not be permissible without specific notice and express consent.

Notice at Collection. Along with the statutory additions to the notice at collection requirements—most notably, retention details on a category basis (and for sensitive personal information, subcategories)—the Regs have added significant substance, particularly as it relates to third parties controlling the collection on a first party’s website or premises. See Section 7012. In particular, the Regs require, among other things:

  • The first party business to include in its notice at collection names of all such third parties, or in the alternative, information about the third parties’ business practices. Section 7012(g)(2).
  • The third party businesses that control the collection on another business’s website or physical premises, such as in a retail store or in a vehicle, must still provide a notice at collection in a conspicuous manner, though it can do so as part of the first party’s notice (e.g., the first party provides notice at collection of where the third party’s notice can be found online). Section 7012(g)(1)-(4).
  • However, these provisions explicitly do not relieve the first party of its obligations “to comply with a consumer’s right to opt-out of sale/sharing. If a consumer makes a request to opt-out of sale/sharing with the first party, both the first party and third parties controlling the collection of personal information shall comply with sections 7026, subdivision (f) (honoring opt-outs) and 7052, subdivision (a) (passing opt-outs down to the sale/share recipient).” Section 7012(g)(1)(A).

There is no discussion on how this relates to the broadening of the exemption to sale / sharing under the statute where the consumer “uses or directs the business to: (1) intentionally disclose personal information; or (2) intentionally interact with one or more third parties,” Section 1798.140(ad)(2)(A) and (ah)(2)(A), and the Regs do not provide any guidance on this type of disclosure.

Notice of Financial Incentive. While few changes and details are provided in relation to financial incentives (such as loyalty programs, discounts in exchange for email sign-ups, etc., which have been a focus of CCPA enforcement), the Regs remove the requirements of personal information valuation and explaining how that value is reasonably related to the program benefits, unless the program requires waiver of consumer rights to avoid a price or service difference. Sections 7016(d)(5), 7080 and 7081.

Human Resources. The Regs include amendments that take into account the January 1, 2023 sun-setting of the current exceptions applied to applicants, current and former employees and contractors.  They also add a specific requirement that the business include in its privacy notice a statement that the business will not retaliate against applicants, employees or contractors that exercise their CCPA rights.

Service Provider, Contractor, and Third Party Management. This first draft of the Regs perhaps hints at one of the Agency’s potentially greatest areas of focus, namely the management of data relationships. In short, the practice of papering relationships with a one size fits all template will not be sufficient in the eyes of the Agency. In addition, it is clearly focused on the “sale/share” issue on a vendor-by-vendor (or other recipient) basis.

  • New Expanded Requirements.
    • Service Providers/Contractors. The Regs require very prescriptive contractual terms to designate a data recipient as a service provider or contractor, including identification of the specific business purposes and services for which the service provider or contractor is processing information. Further, the Regs specify that “[t]he description shall be specific” and “shall not be described in generic terms.” As a result, businesses would not be able to apply generic provisions across what is sometimes thousands of vendors. On the flip side, vendors will have to be specific in contract templates about the business purposes and services involved. See Section 7051. Importantly, the Regs state that failure to meet these prescriptive requirements means that the recipient is not a service provider or contractor, and thus, a sale / sharing is occurring. Section 7051. In addition, the Regs, in keeping with the statute, require at least eleven specific contractual obligations to be valid. Beyond that, the Regs add non-contractual obligations that apply to service providers / contractors and their subprocessors.
    • Third Parties (sale or sharing recipients). The agreement with statutorily-defined third-parties must identify “the limited and specified purposes for which the personal information is sold or disclosed” and “must not be described in generic terms”, but rather “shall be specific.” The contractual requirement is very strict; any third party is restricted from collecting, using, processing, retaining, selling, or sharing personal information from a business in the absence of a compliant contract. Section 7053. In addition, although not expressly provided for under the statute, the Regs add affirmative obligations on third parties, including the obligation to honor deletion and DNSale / DNShare requests made to a first party and passed down, and to look for and honor OOPS signals to a first party website on which they operate. Section 7052.
  • Diligence and Audits of Data Recipients. The Regs certainly incentivize businesses to audit their vendors and other data recipients (a right which must be in contracts with service providers, contractors, and third parties): “[D]epending on the circumstances, a business that never enforces the terms of the contract nor exercise its rights to audit or test the [recipient’s] systems might not be able to rely on the defense that it did not have reason to believe that the [recipient] intends to use the personal information in violation of the CCPA and these regulations….” Section 7051 and 7053.
  • Notice at Collection Requirements. As discussed above, both first parties and third parties controlling the collection of personal information on a first party website or premises have notice at collection obligations with respect to the third parties’ collection.

Enforcement. The Regs contain a procedure for consumers to submit requests to the Agency, including the information that must be submitted in connection with a complaint. In its Regs, the Agency commits to notifying complainants “in writing of the action, if any, the Agency has taken or plans to take on the complaint,” as well as the Agency’s rationale for action or inaction. When the Agency initiates an enforcement action, it will issue a probable cause notice to the alleged violator. The Agency will conduct a Probable Cause Proceeding in a closed hearing (unless a public hearing is requested by the alleged violator at least 10 days prior to the proceeding), in which it will evaluate evidence presented by the alleged violator (with counsel) and the CPPA Enforcement Division. The Agency will issue a written Probable Cause Determination based on evidence presented, which will not be a public document. The decision “is final and not subject to appeal.” Section 7302. Alternatively, the Enforcement Division and the subject of the complaint may enter into a stipulated order, prior to the entry of a Probable Cause Determination, which will be a public document. Section 7303. Finally, the Regs also empower the Agency to conduct audits, “to investigate possible violations of the CCPA” and also where “the subject’s collection or processing of personal information presents significant risk to consumer privacy or security, or if the subject has a history of noncompliance with the CCPA or any other privacy protection law.” Section 7304. Presumably this means entities which have been subject to significant enforcement actions (for example, by EU supervisory authorities) may expect to be audited by the CPPA.

Notable Regs–Cookies and AdTech.

  • Non-First Party Cookies are deemed a sale or sharing if not qualified as service providers / contractors. The Regs do not specifically state that the collection of personal information by third-party cookies on a first party site constitutes a sale/sharing by the first party site. However, the statute changed the definition of third party to exclude service providers and contractors. The Regs provide that “[a] third party shall comply with a consumer’s request to delete or request to opt-out of sale/sharing forwarded to them from a business that provided, made available, or authorized the collection of the consumer’s personal information.” Section 7052(a). Further, the Regs make clear that a first party that allows third-party businesses to collect personal information is not thereby relieved from passing DNSale / DNShare opt-outs to those third parties. Combined, this implies that absent an exception from sale / share, such as an express direction / interaction (i.e., opt-in), opt-outs apply to third party controllers such as third party cookie operators.
  • Cookie Banners alone are not sufficient for Do Not Sell/Share Opt-Outs. While this point seems obvious given the growing reliance on cookieless technology and identifiers to target advertisements, it underscores a potential enforcement priority for the Agency of looking beyond facial compliance. The Agency emphasizes that cookie controls like cookie banners only address the “collection” and not the sale or sharing of personal information.
  • Turning off Cookies Will Not Be Sufficient for Honoring a Do Not Sell / Do Not Share Request. In addition to its statements regarding cookie banners, the Regs require businesses to notify sale/sharing recipients of the request, and require such sale/sharing recipients to notify other downstream recipients, Section 7026(f)(3), and require third parties to do so, Section 7052(a). In effect, the Regs require a signal-based opt-out system, much like the one that was developed by the Interactive Advertising Bureau (IAB) for the CCPA, and that such signal also trigger a downstream opt-out and not just a termination of ongoing sales / shares. It remains to be seen how organizations outside of the AdTech ecosystem will pass such signals or otherwise provide notifications in relation to DNSell / DNShare requests for more traditional types of PI.
  • Any use cases involving cross-contextual behavioral advertising will prevent a vendor from being considered a service provider or contractor. In addition, routine activities that are able to fit under the service provider role under the current CCPA, such as custom audiences or email matching for advertising purposes, are stated explicitly in the Regs to fall outside of service provider permitted purposes (and thus would constitute a sale/sharing). Section 7050(c)(1).


While the Agency kicked some of the more difficult issues down the road for further consideration, its first draft of proposed Regs is quite comprehensive with respect to the issues addressed. The authority for some of what is proposed is questionable and will likely be challenged in comments, if not judicial action if such provisions become final. Interested businesses are encouraged to submit public comments. In addition to assisting specific clients and their trade organizations in making comments, SPB plans on making comments based on unnamed clients that seek to be anonymous. While we will make it clear that such comments do not necessarily reflect the opinions or concerns of all of our clients, we found during the CCPA rulemaking that this is a useful way for clients to get their views across when they are not comfortable doing so directly and lack a trade group that they can work through to get their views in front of the regulator.

For more information, contact the authors or your SPB relationship partner.

Dark patterns are top of mind for regulators on both sides of the Atlantic. In the United States, federal and state regulators are targeting dark patterns as part of both their privacy and traditional consumer protection remits. Meanwhile, the European Data Protection Board (EDPB) is conducting a consultation on proposed Guidelines (Guidelines) for assessing and avoiding dark pattern practices that violate the EU General Data Protection Directive (GDPR) in the context of social media platforms. In practice, the Guidelines are likely to have broader application to other types of digital platforms as well.