On September 30, 2022, the Colorado Attorney General’s Office (“Colorado AG”) issued its proposed draft Colorado Privacy Act (“CPA”) Rules (the “CPA Rules” or “Rules”). The draft Rules, which add significant complexity and obligations on businesses, go far beyond what was expected of the Colorado AG and, despite the repeated insistence for interoperability with other state laws, veer sharply away from the approaches being taken in California in many respects.

Rulemaking Process Timeline 

The Colorado AG will hold three virtual stakeholder meetings on November 10, 15, and 17, 2022. The stakeholder meetings are a forum for the AG to gather feedback from a broad range of stakeholders and aid in the development and finalization of the Rules to implement the CPA. Written comments for stakeholder meetings must be submitted by November 7, 2022.

In addition, the AG may host additional opportunities for public input beyond those listed above if it determines doing so is prudent or necessary to revise the Rules and incorporate stakeholder input. The dates and times of these additional sessions will be announced via the CPA rulemaking mailing list and on the AG’s website.

On February 1, 2023, the AG will hold a public hearing at 10:00 am CST. The hearing will be conducted both in person and by video conference. All interested parties must register to attend the public hearing, which can be done through the AG’s website. Interested parties can also testify at the rulemaking hearing and/or submit written comments through the online CPA rulemaking comment portal.

The February 2023 hearing date marks the end of the public comment period (unless the AG makes substantial modifications to the Rules that would require the rulemaking process to be completed a second time). After the hearing, the AG will have 180 days to file adopted Rules with the Colorado Secretary of State for publication in the Colorado Register. The Rules will then take effect twenty days after publication. The CPA itself goes into effect on July 1 of next year.

Content Highlights

The draft Rules are organized into nine parts: (1) general applicability; (2) definitions; (3) consumer disclosures; (4) consumer personal data rights; (5) universal opt-out mechanism (“UOOM”); (6) controller duties; (7) consent; (8) data protection assessments (“DPAs”); and (9) profiling.

While we will be posting a more in-depth analysis of the draft Rules shortly, a few of the more notable aspects of the Rules that jump out immediately are:

  • Privacy Notice Content Requirements: The draft Rules set forth granular requirements as to the content that will be required in CPA-compliant privacy notices. Interestingly, while the Colorado AG has repeatedly emphasized interoperability with other state laws, such as California, the privacy notice requirements encompassed within the draft Rules are tied to processing purposes, rather than categories of personal information, representing a markedly different approach than the current California Consumer Privacy Act (“CCPA”) and proposed draft California Privacy Rights Act (“CPRA”) regulations. Pursuant to the Rules, each processing purpose must be described “in a level of detail that gives Consumers a meaningful understanding of how their Personal Data is used and why their Personal Data is reasonably necessary for the Processing Purpose.”
  • UOOM Specifications: The draft Rules introduce detailed technical and other specifications regarding the UOOM, Colorado’s version of the global privacy control (“GPC”) concept, which includes requirements for browser/device-based opt-outs, along with a publicly available “Do Not Sell” list akin to the “Do Not Call” list maintained by the FCC.
  • Profiling: The draft Rules prescribe detailed provisions regarding profiling in furtherance of decisions that produce legal or similarly significant effects. We do not yet have CPRA regulations on this topic.
  • Sensitive Data Inferences Duty: The draft Rules create a new category of sensitive data known as “Sensitive Data Inferences,” which means “inferences made by a Controller based on Personal Data, alone or in combination with other data, which individuate an individual’s racial or ethnic origin, religious beliefs; mental or physical health condition or diagnosis; sex life or sexual orientation; or citizenship or citizenship status.” Under the Rules, controllers are limited to processing such inferences only under certain circumstances and must ensure that any inferences of this nature are deleted within 12 hours of collection.
  • Explicit Data Retention Schedule Requirement: The draft Rules also provide that in order to ensure that personal data is “not kept longer than necessary, adequate, or relevant, Controllers shall set specific time limits for erasure or to conduct a periodic review.” In practice, this means that companies subject to compliance with the CPA will need to create data retention and destruction schedules if they do not already have one in place.

Stay Tuned For More

Please stay tuned for further analysis on these and other provisions in the draft Colorado regs.

On August 24, 2022, California Attorney General Rob Bonta issued a press release announcing the first public settlement by the Office of the Attorney General (OAG) involving alleged violations of the CCPA. The settlement involves a judicial judgment, civil penalties and ongoing monitoring and reporting. The use of noncompliance letters to cajole companies into compliance over many months now appears to be a closed chapter in the CCPA saga. Season 2 promises more drama, more action and more money. Entertaining unless you are the next target!

Continue Reading The Cookie Crumbles – Lessons from First California Consumer Privacy Act (CCPA) Monetary Settlement

Privacy regulators in California and Colorado recently made announcements regarding rulemaking for their respective state privacy laws. Last week, the California Privacy Protection Agency (“CPPA”) announced that it will hold its next public meeting this Thursday, February 17, during which it will discuss updates on the rulemaking process, including a timeline. On January 28, Colorado Attorney General Phil Weiser publicly announced the intent of the Colorado Office of the Attorney General (“COAG”) to carry out rulemaking activities to implement the Colorado Privacy Act (“CPA”), providing an indication of focus areas and a rough timeline. We discuss each of these developments in further detail below. Continue Reading California and Colorado Privacy Regulators Provide Updates on Rulemaking

2021 was another record setting year for the California Consumer Privacy Act (“CCPA”).  Read on for CPW’s highlights of the year’s most significant events concerning CCPA litigation, as well as our predictions for what 2022 may bring.

2020 Recap: The CCPA Comes Into Effect

The CCPA went into effect on January 1, 2020.  It regulates any “business” that “does business in California,” even those without a physical presence in the state, and determines the means and purposes of the processing of “personal information”.

As a recap, what entities qualify as a “business” subject to the CCPA? The statute defines a “business” as a for-profit, private entity that (1) collects “personal information”, (2) determines the means of processing that personal information, (3) does business in California, and (4) meets one of the following criteria:

  • Has annual gross revenues exceeding $25 million;
  • Annually sells/buys or receives/shares for commercial purposes the personal information of 50,000 or more California consumers; or
  • Derives 50% or more of its annual revenue from selling personal information.

Generally, the CCPA covers all information so long as it relates to a California resident or California household.  Aligning with the GDPR, the CCPA defines “personal information” to include “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”  Cal. Civ. Code § 1798.140(o).

The CCPA requires compliance with its notification and transparency notices.  First, the CCPA expects businesses to present up to four notices, to be determined by that business’s practices.  Second, businesses must also inform consumers of their rights under the CCPA, including their: (1) right to know, (2) right to delete, (3) right to opt out, and (4) right to not be discriminated against for exercising their CCPA rights.

Section 1798.150(a)(1) of the CCPA provides a private right of action to “[a]ny consumer whose nonencrypted and nonredacted personal information … is subject to an unauthorized access and exfiltration, theft, or disclosure” due to a business failing to satisfy “the duty to implement and maintain reasonable security procedures and practices….” (emphasis supplied).  Damages available for a private right of action under Section 1798.150(a)(1) include a statutory amount of between $100 and $750 “per consumer per incident or actual damages, whichever is greater”, as well as injunctive or declaratory relief and “any other relief the court deems proper” (emphasis supplied).

The first CCPA lawsuit, Fuentes v. Sunshine Behavioral Health Group, LLC, No. 8:20-cv-00487 (C.D. Cal.), appeared on March 10, 2020, only three months after the law went into effect.  Others soon followed.

Overview of 2021 CCPA Litigations: What Do the Numbers Show?

To date, over 125 cases asserting CCPA claims have been filed this year, with the vast majority (91.2%) filed in federal courts.  Each quarter of 2021 has seen roughly the same number of cases filed (about 30-35 cases).  Not surprisingly, about 60% of all federal cases were filed in California’s federal courts, with the largest number of cases filed in the Northern and Southern Districts of California.  Outside of California, the Western District of Washington had the largest number of CCPA cases filed with ten total cases filed to date.  A handful of cases have also been filed in district courts in each of the Second, Third, Fourth, Fifth, Sixth, Seventh, Eighth, and Eleventh Circuits.  Ten of the eleven state court cases filed have been filed in California Superior Courts.

Interestingly, nearly 40% of all CCPA cases filed this year either concerned the T-Mobile data event or alternatively, another data event involving a financial services company following account hacks on the California Employment Development Department’s (“EDD”) prepaid debit cards.  As such, the largest number of cases filed this year were concentrated in the communications and financial services industries.  The remaining CCPA cases, however, span a wide range of industries—including technology, healthcare, insurance, and hospitality.  Even a hair transplant company had a CCPA lawsuit brought against it this year.

And while cyber theft remains on the rise, plaintiffs (and plaintiffs’ attorneys) have not lost sight of other data use implications mandated by the CCPA.  For example, Flo Health Inc., an ovulation-tracking app, has been hit with a number of class action lawsuits alleging the app “secretly collected” (i.e., without consent) personal information of users—including whether women were trying to get pregnant—and shared that data with third-party data collectors and advertisers.  The lawsuits follow the FTC’s investigation into related concerns.  Some of the complaints against Flo Health reference the CCPA as supporting other claims raised by plaintiffs, such as violation of California’s Unfair Competition Law (Cal. Bus. & Prof. Code §§ 17200, et seq.), without asserting a direct CCPA claim.

2021 Developments in CCPA Case Law

This year has seen a number of developments in CCPA litigation case law.  We highlight a few of those developments here.

At the beginning of this year, one federal court held that the CCPA does not limit the scope of discovery in litigation.  Will Kaupelis v. Harbor Freight Tools USA, Inc., Case No. 19-01203 (C.D. Cal.).  This case was brought as a putative class action and concerned claims that the defendant allegedly manufactured and sold chainsaws with a design defect.  After defendant’s motion to dismiss was denied, plaintiff sought discovery that included the PI of customers who had complained about the purported product defect (including individuals in California).  The defendant resisted production of this information, in reliance on the CCPA.  Specifically, the defendant argued that the CCPA expanded the privacy rights previously provided under California law.  As such, the defendant argued that the court should “protect the consumers’ PI by allowing consumers an opportunity to opt out from disclosure.”   The defendant claimed this approach was consistent with the CCPA’s notice and consent requirements.  The court, however, granted plaintiff’s motion to compel, stating that, “[n]othing in the CCPA presents a bar to civil discovery.  Notably, no other case has so held.  And the statute itself explicitly says that it is not a restriction on a business’s ability to comply with federal law.”  The court later dismissed an amended complaint on similar grounds.

In March, Walmart scored a massive win for defendants in data privacy litigation in the Lavarious Gardiner v. Walmart Inc. et al. case.  The Court adopted Walmart’s narrow interpretation of the CCPA and dismissed Plaintiff’s non-cognizable CCPA claim.  As a reminder, this case involved a plaintiff inferring, from finding his information on the dark web, that Walmart had suffered a data breach.  In response, Walmart argued first that Plaintiff’s failure to allege when the breach purportedly occurred was fatal to the Complaint because the CCPA is not retroactive.  The Court sided with Walmart and agreed that Plaintiff needed to plead a breach occurring after January 1, 2020:  “Absent allegations establishing that Walmart’s alleged violation of the CCPA occurred after it went into effect, Plaintiff’s CCPA claim is not viable.”  Second, the Court also held that Plaintiff’s CCPA claim failed for the additional reason that Plaintiff did not sufficiently allege disclosure of his personal information as defined in the CCPA.  Cal. Civ. Code § 1798.81.5.  The Court found insufficient the Complaint’s allegation that the purported breach compromised the full names, financial account information, credit card information, and other PII of Walmart customers: “[a]lthough in the Complaint Plaintiff generally refers to financial information and credit card fraud, he does not allege the disclosure of a credit or debit card or account number, and the required security or access code to access the account.”  (emphasis added).

In July 2021, the Central District of California denied a motion to compel arbitration brought by the Gap in the data breach litigation, Shadi Hayden v. Retail Equation et al., No. 20-cv-01203 (C.D. Cal. July 07, 2020).  There the court reasoned that, because the Gap was not a party to the arbitration agreement it attempted to invoke, the arbitration agreement did not apply to bar the litigation.  The Gap subsequently appealed, and the case remains pending.

In an August decision, a federal judge found that the majority of Plaintiffs’ statutory claims withstood a Rule 12(b)(6) motion to dismiss in the In re Blackbaud data privacy multi-district litigation.  MDL No. 2972 (D.S.C. Aug. 12, 2021).  Plaintiffs’ allegations that a cyberattack resulted from Blackbaud’s “deficient security program” and failure to comply with industry and regulatory standards were sufficient to withstand a motion to dismiss.  As to the CCPA, the Court found that Blackbaud was alleged to be a “business” under the CCPA, relying largely on its registration as a “data broker” under California law.  The Court notably rejected Blackbaud’s argument that its status as a “service provider” insulated it from liability under the CCPA.

In another significant ruling, in Brooks v. Thomson Reuters Corp., No. 21-cv-01418-EMC, 2021 U.S. Dist. LEXIS 154093 (N.D. Cal. Aug. 16, 2021) the Northern District of California recently denied in part a defendant’s motion to dismiss a complaint alleging violations of various consumer privacy statutes. Of note, the Court found that an affirmative defense of compliance with one privacy statute, the CCPA, did not shield defendant from liability for alleged violations of other state laws.

Finally, in December, the Northern District of California denied a motion to intervene and oppose a preliminarily approved settlement in the litigation that followed a widespread data event Accellion had suffered.  Cochran v. Accellion, Inc., 2021 U.S. Dist. LEXIS 214686 (N.D. Cal. Nov. 5, 2021).  In Cochran, one of the entities that used Accellion as a services provider agreed as part of a $5 million settlement to modify its business practices going forward.  This would include switching to a “new secure file transfer solution,” securing or destroying the personal information subject to the data event and boosting its third-party vendor risk management program.  In denying the Proposed Intervenors’ Motion to Intervene, the Court analyzed intervention as a matter of right and permissive intervention. The Court rejected the argument that the Proposed Intervenors could intervene as a matter of right because the Court heard the Proposed Intervenors’ objections to the proposed settlement on two occasions, the settlement agreement allows putative intervenors to protect their interests by opting out of the settlement class, and the Court found that the Proposed Intervenors’ interest in a preliminary settlement approval is not a “significant protectable interest.”  The Court denied permissive intervention because, among other things, the Proposed Intervenors already had the opportunity to participate in the fairness hearings.

Predictions for CCPA Litigation in 2022

So what is on the horizon for 2022? Certainly an expansion of consumer privacy laws that follow California’s lead.  This past year saw Virginia and Colorado launch privacy legislation and that trend will continue in 2022.  While claims invoking the consumer privacy law of other states may be kept at bay during 2022, the lessons learned from CCPA litigation will come into play in 2023 as those new laws, particularly those with a private right of action, start going into effect.

In the meantime, we can expect that the lawsuits making their way through the courts will continue shaping the contours of CCPA litigation.  Of particular interest will be the impact of the Ramirez v. TransUnion decision upon class action litigation, including CCPA claims arising from a data incident.  As previously noted, while commentators worried that Ramirez might preclude data breach litigations from being brought in federal courts, those concerns have not materialized, with CCPA claims remaining just as at home in federal court as in state court.

We can also expect to see continued enforcement activity at the state level.  In July 2021, California’s Attorney General Bonta issued a press release summarizing its first year of CCPA enforcement and reinforcing its commitment to CCPA enforcement.  The pressure will remain on companies to annually update their California privacy notices to avoid finding themselves the target of enforcement activities.

2022 is going to remain busy for CCPA litigation and enforcement.  Not to worry, CPW will be there to keep you in the loop.  Stay tuned.

As Ann LaFrance, Alan Friel, Elliot Golding, Kyle Fath, Glenn Brown, Kyle Dull, Niloufar Massachi, and Gicel Tomimbang explain in a comprehensive expert analysis, recent changes in US consumer privacy laws will require most US businesses to make material changes to their privacy compliance and information governance programs by January 1, 2023 (July 1, 2023, in the case of Colorado).  The analysis includes infographics that compare and contrast the applicable laws.  Besides discussing these changes, they make recommendations on what to do during the remainder of 2021 and throughout 2022 to ensure business readiness by 2023.

You can read their breakdown here or below.

CPRA/CDPA/CPA Unpacked: Develop a Preparedness Plan Now

On July 19, the Office of the Attorney General of California (OAG) issued a press release summarizing its first year of CCPA enforcement. Seventy-five percent of companies receiving a notice to cure are said to have come into compliance within the 30-day cure period, with 25% reportedly still within that period or under ongoing investigation. The OAG also published summaries of 27 resolved exemplary cases. The OAG was careful to note that the summaries do not constitute advice and do not include all of the facts; however, they do offer some insights. Disappointingly, the summaries often lack enough detail to allow readers to surmise the enforcement posture that was taken by the OAG, the exact nature of the alleged violations, or the specific actions taken by the company that satisfied the OAG’s inquiry.

Continue Reading California AG Offers Cryptic CCPA Enforcement Summaries, and Launches Complaint Tool

As Alan Friel, Glenn Brown, Ann LaFrance, Kyle Fath, Elliot Golding, Niloufar Massachi and Kyle Dull explain in a comprehensive, 16-page analysis here, on June 8, 2021, the Colorado legislature passed SB 21-190, known as the Colorado Privacy Act (CPA or CO Act), which the governor signed into law on July 7, 2021.  The CO Act is a mishmash of concepts from other jurisdictions. It is in large part modeled on the March 2021 Virginia Consumer Data Protection Act (CDPA), but with California influences, such as a broader definition of “sale” and requiring companies to look for and honor global privacy signals. Both the California consumer privacy regime, and even more so the CDPA, were inspired by Europe’s General Data Protection Regulation (GDPR), but depart from it in many material ways.

In their must-read analysis, they break down the similarities and differences of the three US state consumer privacy regimes.

With the stroke of his pen on July 7, Governor Jared Polis (D) signed the Colorado Privacy Act (CPA or Act) into law, making the Centennial State the third U.S. state to pass comprehensive consumer privacy legislation.  The Act, passed by the legislature on June 8, is a combination of elements of California and Virginia consumer privacy laws, possibly creating a harmonization model for other states to follow.  For a comprehensive comparison of the three states’ laws click here.   The CPA will be enforceable as of July 1, 2023.

Colorado’s SB 21-190 has passed both chambers and if not vetoed will become the 3rd omnibus state privacy law enforceable 7/1/23.  It has no private right of action, but includes the right to object to processing for purposes of targeted advertising, the sale of personal data, or profiling, including via means of an online global privacy control, as well as the rights to access, correct and/or delete personal data, or obtain a portable copy of it.  It does not apply to employee data.  It specifies how controllers must fulfill duties regarding consumers’ assertion of their rights, transparency, purpose specification, data minimization, avoiding secondary use, avoiding unlawful discrimination and sensitive data, and requires risk assessments for certain “high risk” processing activities.  The law is closer to Virginia’s CDPA than California’s CCPA/CPRA, but there are material differences.  Look for a post next week that compares and contrasts the three states’ laws and the EU’s GDPR, which inspired this growing state trend.

The Interactive Advertising Bureau (IAB) and IAB Tech Lab have proposed updates to their industry-level agreements and privacy signal program to support the efforts of marketers, agencies, publishers, and ad tech companies to comply with the US state privacy laws going into effect in 2023. The comment period on the updates is open until October 27. Continue Reading Ad Industry Group Modifies Its Compliance Program to Address 2023 US State Privacy Laws