On May 19th, the Montana Governor Greg Gianforte signed the Montana Consumer Data Privacy Act (“Montana CDPA”). The Montana CDPA was chaptered into Montana law on May 22nd. Montana is the fifth state to pass a comprehensive privacy law this year, following Iowa, Indiana, Tennessee and Florida, and the tenth state overall, following the “first five” states of California, Colorado, Connecticut, Utah and Virginia (described here).

Following are some FAQs about the Montana CDPA:

When is the Montana CDPA in effect?

The Montana CDPA is in force as of October 1, 2024. It is effective before the new privacy law in Iowa, which is effective January 1, 2025, Indiana, which is effective January 1, 2026 and Tennessee which is effective July 1, 2025.   Only Florida’s new privacy law is effective earlier, on July 1, 2024.

Who are “consumers” in the Montana CDPA?

A consumer is a Montana resident acting in an individual capacity.

Consumers are not Montana residents acting in a commercial or employment context, or otherwise in a business-to-business or government agency context, e.g., employee, owner, director, officer, or contractor.

What organizations are subject to the Montana CDPA?

Montana CDPA applies to any “person” (which means a natural person or legal entity, subject to the exceptions described below) that:

  • conducts business in Montana or produce products or services that are targeted to consumers and
  • either (i) controls or processes the personal data of 50,000 or more consumers (but excluding personal data processed solely for completing a payment transaction) or (ii) processes the personal data of at least 25,000 consumers and derives 25% or more of gross revenue from the sale of personal data.

The Montana CDPA follows the same role-based processing model as the other state privacy laws; a controller determines the purpose and means of processing personal data; processors to assist controllers in meeting their obligations; and a controller must have a contract with its processors.

What organizations are not subject to the Montana CDPA?

The Montana CDPA does not apply to non-profit organizations, financial institutions regulated by the Gramm-Leach-Bliley Act, national securities associations under the Securities Exchange Act, or to HIPAA covered entities and protected health information (among other exclusions).

What rights are available for consumers under the Montana CDPA?

The Montana CDPA grants the following rights to consumers:

  • Right to confirm processing and access personal data
  • Right to correct inaccuracies in the consumer’s personal data
  • Right to delete personal data about the consumer
  • Right to obtain a copy of the personal data previously provided by the consumer
  • Right to opt-out of the processing of the consumer’s personal data for the purposes of:
    • targeted advertising
    • sale
    • profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer

Consumers can designate an authorized agent to exercise the rights of the consumer to opt out of targeted advertising, sale, and profiling.

What obligations apply to businesses under the Montana CDPA?

Responding to Consumer Rights.  A covered business acting as a controller:

  • must respond to a consumer rights request within 45-days after receipt of the request, subject to a 45-day extension when “reasonably necessary”
  • establish a process for a consumer to appeal the controller’s refusal to act on a consumer rights request
  • within sixty days after receipt of the appeal, the controller must inform the consumer in writing of any action taken or not taken, including an explanation of the reasons for that decision. If the appeal is denied, the controller must provide the consumer with an online mechanism, if available, or another method through which the consumer can contact the Montana Attorney General to submit a complaint.

Special Requirements for Opt-out Requests relating to Targeted Advertising and Personal Data Sale: by January 1, 2025 (three months after Montana DCPA is in force), a controller must allow consumers to opt out of targeted advertising or sale of their personal data through an opt-out preference signal. The consumer’s chosen opt-out preference signal must be easy to use, not unfairly disadvantage another controller, require the consumer to make an affirmative choice to opt out (i.e., not a default setting), and allow the controller to accurately determine whether the consumer is a Montana resident.

Data Minimization: A controller must limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which it is processed.

Revocation of Consent: Controllers must provide a mechanism for consumers to revoke their consent that is as easy to use as the mechanism by which the consumer provided their consent. Within 45 days of the revocation, the controller must cease processing the consumer’s personal data.

Privacy Notice: A controller must make available a privacy policy that includes the categories of personal data processed by the controller, the purpose for processing personal data, the categories of personal data that the controller shares with third parties, the categories of third parties with which the controller shares personal data, the controller’s contact information, and how consumers may exercise their rights, including one or more reliable means to submit a request, and appeal a controller’s decision regarding the request.

Sensitive Data Processing: Controller cannot process sensitive data concerning a consumer without obtaining the consumer’s consent.

Minors: Controllers may not process the personal data of a consumer for the purposes of targeted advertising or sale without the consumer’s consent when a controller has actual knowledge that the consumer is at least age 13 but younger than age 16.

Data Protection Assessments: A controller is obligated to conduct and document a data protection assessment for each of the controller’s processing activities created or generated after January 1, 2025 that present a heightened risk of harm to a consumer, including (1) processing personal data for targeted advertising, (2) selling personal data, (3) processing sensitive data, and (4) processing personal data for profiling that presents a reasonably foreseeable risk of unfair or deceptive treatment, financial, physical or reputational injury to consumers, intrusion on the solitude or seclusion or the private affairs of consumers, or other substantial injury. Data protection assessments generally must identify and weigh the benefits and risks of the processing, as mitigated by safeguards that the controller may be employ. These requirements generally track the data protection requirements in Virginia’s, Connecticut’s, and Indiana’s consumer privacy laws.

What are the consequences of not complying with the Montana CDPA?

Montana CDPA does not have a private right of action and is enforceable only by the Montana Attorney General. The Montana AG may bring an action if, after notice of a violation, the controller fails to cure the violation within a sixty-day cure period. The cure period expires on April 1, 2026.

Are regulations forthcoming under the Montana CDPA?

The Montana CDPA does not provide for future rulemaking.

2024 and 2025 promise to be busy years for privacy professionals with five new privacy laws coming into effect and likely more on the way. Businesses that already have built compliance programs for one of more of the “first five” state privacy laws will, however, have a much lighter lift.

Privacy World will continue to cover updates in Montana, as well as other state and federal privacy legislation. Please contact the authors or your relationship partner at SPB for more information.

Disclaimer: While every effort has been made to ensure that the information contained in this article is accurate, neither its authors nor Squire Patton Boggs accepts responsibility for any errors or omissions. The content of this article is for general information only, and is not intended to constitute or be relied upon as legal advice.

This year has widened the landscape of consumer privacy protections, with dozens of comprehensive privacy bills moving through state legislatures and becoming enacted. So far in 2023, Iowa’s Act Relating to Consumer Data Protection (“Iowa Privacy Law”) and Indiana’s Consumer Data Protection Act (“ICDPA”) were signed into law. These two laws join the Virginia Consumer Data Protection Act (“VCDPA”), California Privacy Rights Act (“CPRA”), Colorado Privacy Rights Act (“CPA”), Connecticut’s Public Act No. 22-15 (“CTPA”), and Utah Consumer Privacy Act (“UCPA”) in the state comprehensive consumer privacy law framework. The Iowa Privacy Law becomes effective on January 1, 2025, and the ICDPA becomes effective on July 1, 2026. The VCDPA and CPRA (amending the California Consumer Privacy Act or “CCPA”) went into effect on January 1, 2023, while the CPA and CTPA go into effect on July 1, 2023. The UCPA will go into effect December 31, 2023. Continue Reading Data Protection Impact Assessments: Are You Ready?

On March 29, 2023, the California Office of Administrative Law (OAL) approved the regulations implementing the California Consumer Privacy Act (CCPA). The regulations were approved by the California Privacy Protection Agency (CPPA) during its February 3rd meeting (see our report here) and filed with the OAL on February 14, 2023. The regulations are effective as of March 29, 2023. As soon as they are processed through the OAL, the CPPA will post the officially final regulations here.

The March 29th regulations are the first substantive regulations produced by the CPPA but are not complete. On February 10, 2023, the CPPA invited comments from the public on Cybersecurity Audits, Risk Assessments, and Automated Decision making as required by CCPA (Cal Civ Code § 1798.185(a)(15)-(16)). Comments were due on March 27. (See Privacy World’s discussion of these topics here, here and here.)

Meanwhile, on March 30th, the California Chamber of Commerce filed a lawsuit in Sacramento Superior Court against the CPPA and the California Attorney General. The CalChamber wants complete and final regulations and prohibitions on any civil or administrative CCPA enforcement until 12 months after regulations are adopted. The CalChamber asserts that California voters provided a one-year period for businesses to comply with CCPA, noting that the regulations approved on March 29th are an “incomplete set of regulations”. The CalChamber wants the court to order the CCPA to “adopt final regulations and abide by the timelines for enforcement that were approved by the voters.” No doubt businesses covered by CCPA would welcome the clarity of final regulations and assurance that CCPA enforcement will be delayed. Stay tuned for more on the next round of rule-making.

With much less hoopla, Iowa Governor Kim Reynolds signed Iowa’s comprehensive privacy law on March 28, 2023, noting that Iowa is the sixth US state to enact a general privacy law. Click here for our prior coverage on what we dubbed the Iowa Privacy Law, which goes into effect on January 1, 2025.

A busy end to March, indeed.

On January 1st of this year, the Virginia Consumer Data Protection Act (“VCDPA”) and amendments to the California Consumer Privacy Act (“CCPA”) went into effect. Later this year, the Colorado Privacy Act (“CPA”), Connecticut’s Public Act No. 22-15 (known as the “Connecticut Privacy Act” or “CTPA”), and the Utah Consumer Privacy Act (“UCPA”) will go into effect as well. Aside from the UCPA, these laws will obligate covered entities to document and assess certain processing activities in formal data protection assessments, which will be available to regulators. The purpose is to require companies to look critically at high-risk data processing activities and avoid unjustifiable risks and negative impacts on data subjects. Assessments can also serve the purpose of maintaining current data inventories and retention schedules and ensuring that processing is not inconsistent with the notified purposes at the time of collection. Continue Reading 2023 State Privacy Laws and Regulations Bring Extensive Data Protection Assessment Requirements

On March 15, 2023, after five public input sessions, a rulemaking hearing, and over 130 written comments, the Colorado Privacy Act (“CPA”) rules were officially finalized when the Colorado Attorney General’s Office completed its review and submitted them to the Secretary of State. The final rules will be published later this month and go into effect on the same day as the statute, July 1, 2023. Continue Reading Colorado Privacy Act Rules Finalized; To Be in Effect July 1

Part 1 of How to Approach DPAs in view of Final CCPA Regs: A Series

This is the first in our series of blog posts on top considerations for approaching data processing terms required under the state privacy laws that have, or will, come into effect this year, namely the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CPRA”) (collectively the “CCPA”), the Colorado Privacy Act (“CPA”), the Virginia Consumer Data Protection Act (“VCDPA”), the Utah Consumer Privacy Act (“UCPA”), and Connecticut’s Act Concerning Personal Data Privacy and Online Monitoring (“CTPA”), which we collectively refer to throughout as “U.S. Privacy Laws.” This post will focus on the statutory and regulatory requirements on provisions that must be in contracts with data recipients (notably, we use “recipient” for ease of reference, although recipients may, in fact, collect directly from a consumer). For a handy list and chart summarizing the required provisions, see Appendix A. We will publish additional blog posts as part of this series, including with a focus on customer-specific considerations for DPAs, as well as one on vendor-specific considerations.

Note: Where we use a defined term from one of the U.S. Privacy Laws, we will put it in quotation marks in the first instance it is used. We use “personal information” and “PI” to refer to both “personal information” and “personal data” interchangeably. As indicated above, reference to the CCPA is as amended by the CPRA unless stated otherwise. Certainly, the required contractual provisions do not necessarily need to be included in data processing addenda or agreements (“DPAs”) that are separate from a master services or other agreement, but we have drafted this post under the assumption that many companies will approach contracting requirements in that manner, and in many instances companies will have to incorporate these requirements into their DPA templates that already address existing privacy and related requirements, such as under the CCPA (pre-CPRA amendments) and global privacy laws such as the EU and UK GDPR (referred to collectively here as GDPR).

Entering into appropriate data processing terms is one of the most challenging aspects of a privacy compliance program. A number of factors affect a company’s ability to enter into compliant DPAs, including the sheer number of existing processor agreements that pre-date the requirements of new U.S. Privacy Laws, bargaining power as between the parties, timing (e.g., contract renewals and regulatory deadlines), and which states’ laws apply, among others. In addition, different companies and their counsel have different interpretations of, levels of sophistication with regard to, and understanding of, the U.S. Privacy Laws generally, the prescriptive requirements that exist across them, and the parties’ roles in processing data.

Despite having at least draft CCPA Regulations (also referred to as “Regs”) for the CPRA’s updates for about nine months now, some vendors have been reluctant over the last year or so to update their MSAs or DPAs to include certain required provisions. Both vendors and customers have correspondingly been reluctant to commit the substantial resources required to amend or enter into DPAs with to-be-required language in view of the regulatory uncertainty and prospect of it changing as the regulations change. Now that we have some regulatory certainty, given that the California Privacy Protection Agency (“CPPA”) has submitted final Regs to the Office of Administrative Law for administrative approval, this will likely – or rather, it should – spur companies into action to address the contracting requirements under the CCPA and other state privacy laws by July 1, when the CPRA’s amendments become enforceable and the Colorado and Connecticut laws become effective and enforceable. As many are aware, contracting requirements are among many others on the compliance checklist to be completed by July 1.

While there are a number of issues and considerations to address with respect to DPAs, one of the foundational issues is meeting the prescriptive contracting requirements, which is particularly important under the CCPA. This is because failure to have a compliant contract in place results in the data transfer being deemed a “sale” and/or “sharing.” Yet, at least in our experience, this is an area where both vendors and customers struggle to agree. Below, we provide some practical guidance on this topic, starting with understanding the roles of the parties involved and key provisions that are required to be in DPAs.

High Level Takeaways

  • The CCPA’s terms are arguably the most important. Tracking the CCPA’s required provisions closely, and making sure they are in your contracts, is of utmost importance because they are required to avoid the consequence of sale and/or sharing. This continues to be an area of focus of enforcement by the Office of the Attorney General of California (“OAG”), as indicated in enforcement summaries issued by the OAG, and will almost certainly be one of the CPPA, which will share enforcement responsibility of the CCPA with the OAG.
  • C2C terms are only required under CCPA. So-called controller-to-controller terms, or C2C terms, are only required in California (in certain situations). “Businesses” must have contracts in place with certain “third party” recipients where sale or sharing is implicated, but “controllers” under the other U.S. Privacy Laws do not have a corresponding or similar requirement.
  • GDPR-like schedules will become commonplace. The non-CA states require the types of personal information processed by a “processor” to be disclosed, which effectively necessitates a GDPR-style schedule in your DPA templates that sets forth various details of processing. Similarly, CA’s requirement of specifying business purposes for processing more specifically than referring to the services or the underlying agreement also makes boilerplate DPAs technically deficient.
  • Going beyond the bare minimum requirements will assist with broader compliance. Given the complexity of operationalizing consumer requests, the need for considering how vendors and data recipients’ processing is implicated, and requirements under U.S. Privacy Laws, contracts between vendors and their customers necessitate addressing specifics on how the parties will address these issues.
  • An interim approach? Assuming existing DPAs provide that the processor must process the business’ PI pursuant to its instructions, as provided from time-to-time (which is a typical provision found in many DPAs), a short-term solution to shoring up existing DPAs may be to provide written directions that confirm the new obligations and restrictions. While this remains untested, for some businesses it may be the only practical path to addressing multitudes of existing agreements.

Service Providers/Processors, Contractors, and Third Parties

To implement data processing terms required by U.S. Privacy Laws into DPAs, it is important to first understand the roles of the parties involved. The U.S. Privacy Laws require certain language to be included in DPAs depending on the parties involved, data use, and data sharing.

While the determination of a party’s role under the U.S. Privacy Laws can be nuanced at times (which we do not discuss in detail in this blog post), a quintessential service provider/processor relationship is a traditional vendor relationship where the vendor processes PI on behalf of a customer (the business/controller). There are not many factual situations that align with the “contractor” designation under CCPA, though there are limited situations (such as auditors) where the business simply “makes available” PI to the counterparty that may be appropriate. The third party designation under CCPA is appropriate where the recipient cannot qualify as a service provider, such as where it processes for purposes that disqualify it as such (for example, using its customer’s PI to provide services to another customer), where the services are processing of PI for cross-contextual behavioral advertising, or where a sale is clearly implicated (e.g., selling a list of email addresses to a recipient for the recipient’s purposes for cash). The requirements to enter into contracts under the CCPA are even further nuanced; by way of example, though a data recipient may qualify as a third party, a contract is not required if a business makes available data to the third party under an available exception that would avoid a sale/sharing from occurring (such as an “intentional interaction”). (Contracts with non-processor recipients are not required under the non-CA laws.) You should certainly consider all of these nuances in your vendor and third-party management program to classify data recipients appropriately. 

The CCPA has three categories of recipients of personal information — (1) service providers, (2) contractors, and (3) third parties. The CCPA requires particular contract terms to be in place with each type of recipient, and the language that is required differs across the three, which we touch on below. Also very notable is that the CCPA prohibits third parties from receiving PI from a business without the proper contractual provisions in place with the business. As a result, the CCPA imposes direct contracting obligations on third party recipients as well.

Virginia, Colorado, Utah, and Connecticut require both “controllers” and “processors” to enter into contract terms that govern the processing of PI. These laws all generally follow the same blueprint in terms of their required contractual provisions, although there are some variations between the states regarding the specific language or provisions that must be included in these contracts. The non-CA laws do include the concept of a “third party” but, unlike the CCPA, they do not require controllers to impose contractual requirements on recipients of data that qualify as third parties, nor do they require third parties to have certain terms in place with controllers to receive PI. The failure of the required contract in the non-CA states is a statutory violation, but it does not convert the transfer into a “sale” as does the CCPA.

What data processing terms should be included in contracts between businesses/controllers and service providers/processors?

For the remainder of this blog post, we will focus on the provisions that are required to be in place between a business/controller and its service providers/processors under the U.S. Privacy Laws. You will note (as you likely have already) that there is overlap between a number of the provisions required in the CCPA and in the other U.S. Privacy Laws, as well as under the GDPR. As a result, in many instances, having a DPA which amalgamates the states’ requirements (and where applicable, the GDPR and other jurisdictions) is likely a sound approach. That said, such an approach may not be appropriate or desirable for certain parties that, for example, have the technical ability to apply differential requirements to California PI vs. PI of consumers from other states or jurisdictions, or that are not subject to the laws of certain jurisdictions. Details on third party transfers and agreements will be addressed in a future blog post. However, in Appendix A, we provide a handy chart that compares the requirements across the various U.S. Privacy Laws and the GDPR, and includes the CCPA’s requirements for contracts with third parties.

Below is a summary of provisions that are required under the CCPA to be in contracts with service providers (in some instances, we have paraphrased for sake of efficiency):

  • Identifying the specific business purposes (and not by mere reference to the services or underlying agreement) and specifying that such purposes are the only purposes for which the business is disclosing the PI to the service provider;
  • Setting forth prescriptive prohibitions on the service provider’s data processing (e.g., cannot sell/share; cannot retain, use, or disclose except for certain, limited purposes; cannot use outside of direct relationship with the business; cannot combine with other PI it has)
  • Requiring the service provider to comply with the CCPA and to provide the same level of privacy protection required by CCPA businesses (examples provided in the Regs include assisting with compliance with consumer requests and implementing reasonable security);
  • Requiring the service provider to enable the business to comply with consumer requests made pursuant to the CCPA or requiring the service provider to comply with a request upon a business informing it of one;
  • Requiring notice by the service provider if the service provider can no longer meet its legal obligations;
  • Granting the business the right to stop & remediate unauthorized use of PI;
  • Granting the business the right to take reasonable and appropriate steps to ensure that the service provider uses the PI consistent with the business’ obligations under the CCPA (e.g., through annual audits);
  • Requiring the service provider to enter into written contract with subcontractors to comply with the CCPA (i.e., effectively mirroring these obligations); and
  • If the business makes available deidentified data to the service provider, incorporating the specific requirements from the CCPA that apply to deidentified data (not having this provision will not prevent the service provider designation from being in place).

The CCPA requires the same for contracts with contractors, with the addition of a certification made by the contractor that it understands the restrictions set forth in the contract and will comply with them.

The following is a summary of what the non-CA U.S. Privacy Laws (the CPA, VCDPA, UCPA, and CTPA) require contracts between controllers and processors to include:

  • Instructions for processing, including the nature & purpose of processing (specific to the transaction and services);
  • Types of PI being processed (specific to the transaction and services);
  • Duration of processing (specific to the transaction and services);
  • Rights and obligations of the parties;
  • Provisions requiring the processor to:
  • Enter into a written contract with its subcontractors;
  • Provide the controller an opportunity to object to subcontractor engagement (arguably implied contractual requirement under certain of the non-CA U.S. Privacy Laws);
  • Require all persons processing PI to be subject to duty of confidentiality;
  • Delete/return PI (required by all non-CA U.S. Privacy Laws except UCPA);
  • Allow, and cooperate with/contributes to, reasonable assessments/audits (required by all non-CA U.S. Privacy Laws except UCPA); and
  • Make info available to demonstrate compliance (only for certain of the non-CA U.S. Privacy Laws).

A table summarizing and comparing the required data processing terms is provided in Appendix A.

Though not required, it may be desirable in many instances to include provisions that address processors’ statutory obligations and other issues and risks, such as:

  • Details regarding how the parties will operationalize the passing through of deletion and other requests or how the service provider/processor will assist with access requests;
  • Limitations on processing of sensitive PI (e.g., so as to avoid the CCPA’s right to limit from being invoked);
  • Specifics and/or limitations with respect to audits;
  • Specific information regarding protecting PI and security obligations;
  • Restrictions and obligations with respect to the use of tracking technologies by the recipient, or access to the business’/controller’s IT systems;
  • Provisions requiring data breach notification and assistance with investigation, remediation, etc., by the recipient;
  • Shifting of liability for losses related to data processing (e.g., indemnity), and reimbursement of costs and expenses arising out of a data breach; and
  • Intellectual property and other non-data privacy related considerations on use of data.

Conclusion

Implementing appropriate data processing terms is a vital aspect of complying with U.S. Privacy Laws. Coming into compliance requires a number of considerations including identifying the roles of the parties involved and whether the roles require a contract to be in place. Most importantly, it requires assessing which terms are required and keeping in mind that the bargaining power between the parties may weigh on where they land in terms of the specifics of data processing terms, such as the parameters of required audits, assistance with consumer rights, and so on. Now that there is some regulatory certainty in California, companies should, if they have not already, prioritize addressing data processing contracting requirements under the U.S. Privacy Laws.

We have a number of DPA forms and detailed vendor/third-party management guidance documents available for fixed fees plus customization charges. Forms available include service provider/processor, third party/C2C terms, and hybrid service provider/processor and third party/C2C terms, crafted for a range of scenarios (e.g., short form, long form, pro-service provider/processor, pro-business/controller). Forms include US only as well as a variety of global DPAs that also include requirements under the laws of a variety of other nations, including UK/EU, Canada, Mexico, Australia and China. Contact one of the authors or your SPB relationship attorney for more information.

2022 saw cases continue to be filed under the California Consumer Privacy Act (“CCPA”), although perhaps reflecting the increasing reliance of the plaintiffs’ bar on negligence and tort-based privacy claims concerning a defendant’s alleged failure to maintain “reasonable security,” the number of cases of CCPA based claims declined. Read on for Privacy World’s highlights of the year’s most significant events concerning the CCPA, as well as our predictions for what 2023 may bring.

Background

The CCPA went into effect on January 1, 2020, with the vast majority of its provisions applying to entities that qualify as “businesses.”

As a recap, what entities qualify as a business under the CCPA? The statute defines a business as a for-profit, private entity that (1) collects “personal information”, (2) determines the purposes and means of processing that personal information, (3) does business in California, and (4) meets certain revenue thresholds (>$25 million global gross revenue annually) and/or data collection/selling/sharing thresholds.

In addition to imposing numerous compliance obligations* on businesses, CCPA covered businesses are also subject to the law’s limited private right of action for certain security breaches.

*While the majority of this post focuses on the private right of action and enforcement-related issues, for those interested in the CCPA’s compliance obligations, effectiveness of the California Privacy Rights Act (“CPRA,”* which substantially amends the CCPA and became effective as of Jan. 1 this year), applicability of the CCPA to human resources and business-to-business data, and information on other state privacy laws, please see our recent post Are You Ready for the 2023 Privacy Laws? *References to CPRA in the remainder of this article mean the CCPA as amended by the CPRA, unless otherwise indicated.

Back to the private right of action, Section 1798.150(a)(1) of the CCPA provides a private right of action to “[a]ny consumer whose nonencrypted and nonredacted personal information … is subject to an unauthorized access and exfiltration, theft, or disclosure” due to a business failing to satisfy “the duty to implement and maintain reasonable security procedures and practices….” (emphasis supplied).

Damages available for a private right of action under Section 1798.150(a)(1) include a statutory amount of between $100 and $750 “per consumer per incident or actual damages, whichever is greater”, as well as injunctive or declaratory relief and “any other relief the court deems proper” (emphasis supplied).

CCPA Litigation Activity in 2022

Since the CCPA came into effect, nearly 300 cases have been filed by plaintiffs alleging violations of the statute.  The majority of these have been filed in California federal court (Northern and Central Districts of California being the most favored jurisdiction for such filings), with some also being brought in California state court and in other jurisdictions.

Although the number of CCPA filings declined from 2021, this may be due to the plaintiffs’ bar shifting towards alleging negligence and tort-based privacy claims in the wake of a data event.  This can be explained in part that such claims typically (although not always) are less burdensome to plead for them to survive past the motion to dismiss stage.  By contrast, it appears that based on at least rulings thus far courts have attempted to narrowly construe the CCPA’s limited private right of action.

Courts have consistently dismissed CCPA claims when it is clear from the face of the complaint that Plaintiff’s allegations do not concern a security breach as required to plead a civil cause of action under the CCPA.  Additional rulings this year reinforced the temporal requirements of the statute (that it must involve conduct arising as of the CCPA’s date of enactment, not before) and that the CCPA could not be relied upon by a defendant as a basis for refusing to comply with its discovery obligations in litigation.  Although many CCPA litigations involve software based claims and the tech industry in the wake of a data breach, healthcare and financial services entities, among others, have also been targeted.

CCPA Claims, Article III standing and Settlement Activity

As longtime readers of the blog are aware, Article III standing in the context of data privacy cases is in a constant state of flux—particularly in the Ninth Circuit.

When a CCPA claim is asserted in federal court, it must meet that “irreducible minimum,” as it is frequently described.  Article III standing consists of 1) suffering some actual or threatened injury; 2) fairly traceable to the defendant; which 3) is likely to be redressed by a favorable decision.  The injury must be concrete, rather than abstract, and particularized, meaning that it affects the plaintiff in a personal and individual way.  Spokeo, Inc. v. Robins, 578 U.S. 330, 339 (2016).  But as the Supreme Court held in 2021, “an injury in law is not an injury in fact,” and a plaintiff must do more than show a bare statutory violation for a claim to exist. TransUnion LLC v. Ramirez, 141 S. Ct. 2190, 2205 (2021).

In Kirsten, 2022 WL 16894503, the Central District of California addressed a defendant’s contention that a plaintiff lacked standing to pursue a CCPA claim, among others, because they could not fairly trace instances of identity theft, fraudulent credit card charges, and inability to access online accounts to the data breach at issue.  The court rejected the defendant’s argument, holding instead that past injury from misappropriated personal information gave rise to a substantial risk of threatened injury in the future.  Particularly notable is the court’s premising standing both on the actual injuries the plaintiffs experienced and the injuries they might experience in the future.

In Hayden v. Retail Equation, Inc., 2022 WL 2254461 (reconsidered and vacated in part on other grounds), the Central District of California addressed the specific requirements necessary to give rise to an injury under the CCPA.  Plaintiffs, retail consumers, sued a variety of retailers for their use of a “risk scoring” system that collected and shared individualized personal data with a vendor in order to assess the risk of fraud when a consumer attempted a product return or exchange.

Plaintiffs sued under Cal. Civ. Code § 1798.150(a), which required them to show that “nonencrypted and nonredacted personal information” was “subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.”  The Court found that Plaintiffs had not asserted a claim under the CCPA because the disclosure of their information was not the result of a failure to implement and maintain reasonable security procedures and practices; rather, it was “a business decision to combat retail fraud.”  Plaintiffs’ failure to allege a violation of specific duties under the CCPA, as opposed to a more generalized complaint about the misuse of their data, could not support their claim.  The Hayden court also found that non-California residents lacked standing to bring suit under the CCPA.

The most significant CCPA settlement of 2022 was the $350 million T-Mobile settlement to resolve multidistrict litigation brought by T-Mobile customers whose data was allegedly exposed in a 2021 data breach.  In August 2021, T-Mobile disclosed that it had been the victim of a cyberattack that resulted in the compromise of some current, former and prospective customers’ SSN, name, address, date of birth and driver’s license/ID information the “Data Event”).  By T-Mobile’s account, no “customer financial information, credit card information, debit or other payment information” was exposed in the attack.  Nevertheless, over 40 putative class action claims were filed seeking damages for the improper disclosure of Plaintiffs’ personal information.

On July 22, 2022, Plaintiffs in the T-Mobile case filed an unopposed motion for preliminary approval of a proposed settlement to the class.  As part of the settlement, T-Mobile agreed to fund a non-reversionary $350 million settlement fund to pay class claims for out-of-pocket losses or charges incurred as a result of identity theft or fraud, falsified tax returns, or other alleged misuse of a class member’s personal information.  The settlement fund will then make payments to class members on a claims-made basis with a $25,000 aggregate claims cap per class member.  The proposed settlement also contemplates attorneys’ fees of no more than 30% of the settlement fund, approximately $105 million, and $2,500 individual service awards to class representatives.

2022: Continued Enforcement Activity by California OAG

As we predicted at the end of last year, 2022 saw continued enforcement activity at the state level. Headlines were ablaze in August with California’s Office of the Attorney General announcing its first settlement of a CCPA enforcement action.

Readers of the blog will know that the CA OAG’s CCPA enforcement efforts started in July 2020. While numerous cookie DNS and GPC cases were initially (and quietly) settled by the OAG without monetary penalty or public settlements, that all changed in August 2022 with the OAG announcing its required payment of $1.2 million from a retailer to settle claims of alleged CCPA violations.

The settlement marks a new era of CCPA enforcement in which real repercussions, including monetary penalties, may be imposed. In addition to the settlement, the OAG released “illustrative examples” of other non-public enforcement cases, including the types of violations, remediation activities carried out by the alleged violators, and the alleged violators’ type of business/industry (which included a number of industries that surprised many who thought they were perhaps not on the OAG’s radar for CCPA compliance, such as B2B-focused businesses and companies that are largely (but not fully) exempt from the CCPA, such as healthcare businesses and financial and insurance businesses.  For detailed analysis of the OAG’s settlement, see our blog post here.

Litigation and Enforcement in 2023 and Beyond

Litigation

The CPRA’s amendments to the CCPA brought some changes to the private right of action for certain security breaches, namely an expansion of the private right of action where a breach involves data in the form of an email address in combination with a password or security question and an answer that would permit access to an account. In addition, the CPRA’s amendments provide that that remediation of vulnerabilities post-breach are an insufficient cure to preclude statutory damages.

There is not otherwise a private right of action for non-security breach related violations under the CPRA; however, the CPRA opens the possibility of enforcement by all California county district attorneys and the four largest city district attorneys (though that is up for debate). In addition, despite the clarity that the private right of action is limited to certain types of security incidents, it is conceivable that an incomplete or inaccurate response to a consumer request might also give rise to an independent deception claim, and plaintiffs’ lawyers are expected to otherwise test the scope of the limitation on private consumer and class action relief. There is no private right of action for violations of the Virginia Consumer Data Protection Act (“VCDPA”), Colorado Privacy Act (“CPA”), Utah Consumer Privacy Act (“UCPA”), or Connecticut Act Concerning Personal Data Privacy and Online Monitoring (referred to as the “CTPA” herein). Put another way, this means there is not a private right of action for security breaches or security-breach related violations under those laws.

Enforcement

The enforcement risk will certainly increase under the CPRA in 2023 with the California Privacy Protection Agency, or CPPA, enforcing the CPRA alongside the OAG starting on July 1, 2023. In addition to California, Virginia’s privacy law came into effect and was enforceable as of January 1, and privacy laws in Colorado, Connecticut, and Utah will become effective throughout the year (see chart below).

  CPRA VCDPA CPA UCPA CTPA
Effective Date Jan. 1, 2023 Jan. 1, 2023 July 1, 2023 Dec. 31, 2023 July 1, 2023
Enforcement Date July 1, 2023 Jan. 1, 2023 July 1, 2023 Dec. 31, 2023 July 1, 2023
Enforcement Details 30-Day Notice and Cure Provision will remain in effect indefinitely for security breach violations only. 30-Day Notice and Cure Provision will remain in effect indefinitely. 60-Day Notice and Cure Provision will remain in effect until January 1, 2025 30-Day Notice and Cure Provision will remain in effect indefinitely. 30-Day Notice and Cure Provision will remain in effect until December 31, 2024.

Enforcement of the CPRA is delayed until July 1, 2023 and, unlike the CCPA between its effective and enforcement dates, there is an explicit grace period between January 1 and July 1, 2023. However, the CCPA’s provisions (without the CPRA’s amendments) will remain effective and enforceable between January 1 and July 1, and the required 30-day cure period no longer exists. Importantly, this means that the full scope of the CCPA also currently applies to HR and B2B data, and there is no delay in enforcement with respect to the same.

Under the CPRA, both agencies can seek civil penalties of $2,500 for each violation or $7,500 for each intentional violation or violations involving the data of minors. Violations may be potentially calculated based on each applicable piece of data or consumer, and, thus, exposure could be substantial. The existing requirement in the CCPA to provide notice of violation and give a 30-day cure period before bringing an enforcement action is eliminated by the CPRA, but the law permits the agencies to consider good faith cooperation efforts by the business when calculating the fine, and prosecutorial discretion is not limited. Further, CPPA actions are subject to a probable cause hearing prior to commencement of an administrative enforcement proceeding.

In Virginia, Utah, and Connecticut, the Attorney General has exclusive enforcement authority. The Virginia Attorney General may seek injunctive relief and civil penalties of $7,500 per violation. In Colorado, the state Attorney General or District Attorneys may bring an action for injunctive relief and civil penalties under the Colorado Consumer Protection Act, which provides for civil penalties of $500 per violation, actual damages, or three times actual damages if bad faith is shown. In Utah, the Attorney General may bring an action for actual damages to consumers and civil penalties of up to $7,500 per violation. In Connecticut, the Attorney General may treat a violation of CTPA as an unfair trade practice under the Connecticut Unfair Trade Practices Act (“CUTPA”); however, the private right of action and class action provisions of CUTPA dot not extend to violations of the CTPA. Nevertheless, remedies available for violations of CUTPA include restraining orders; actual and punitive damages, costs, and reasonable attorneys’ fees; and civil penalties of up to $5,000 for willful violations and $25,000 for restraining order violations.

However, like the CCPA (but unlike the CPRA), the respective Attorneys General of Virginia and Utah must provide a controller or processor with 30 days’ written notice of any violation of the VCDPA/UCPA, specifying the provisions that the Attorney General alleges have been violated. In Virginia and Utah, a controller or processor can avoid statutory damages if, within this 30-day cure period, it cures the noticed violation and provides the Attorney General with an express written statement that the alleged violations have been cured and that no further violations will occur. Under Connecticut and Colorado’s laws, their respective AGs must provide violators with notice of alleged violations and an opportunity to cure any such violations within a 60-day period following delivery of the notice. The requirement to allow for a cure period in Colorado sunsets on January 1, 2025 (though, the AG would almost certainly have prosecutorial discretion to allow for a cure). In Connecticut, the cure requirement becomes discretionary on January 1, 2025, as well.

Check back often for our continued updates on privacy litigation and enforcement trends and updates.  Privacy World will be there to keep you in the loop.

2022 was another year of high activity and significant developments in the realm of artificial intelligence (“AI”) and biometric privacy related matters, including in regard to issues arising under the Illinois Biometric Information Privacy Act (“BIPA”) and others.  This continues to be one of the most frequently litigated areas of privacy law, with several notable rulings and emerging patterns of new activity by the plaintiffs’ bar.  Following up on Privacy World’s Q2 and Q3 2022 Artificial Intelligence & Biometric Privacy Quarterly Newsletters, be sure to read on for a recap of key developments and insight as to where 2023 may be headed.

Continue Reading Privacy World 2022 Year in Review: Biometrics and AI

Last week, a federal court in California dismissed a complaint concerning allegations that Otonomo, a data broker that partnered with car manufacturers, “used electronic devices in [drivers’] cars to send real-time GPS location data directly to [defendant],” allowing Otonomo to track drivers’ location in real-time.  Read on to learn more about what this means for limiting CIPA litigation exposure for geolocation tracking going forward.

Plaintiff in the case was a resident of California who alleged that her data was being “tracked and exploited by Otonomo.”  The core allegations in the Complaint concern Plaintiff’s contention that Otonomo “is a data broker that secretly collects and sells real-time GPS location information from more than 50 million cars throughout the world, including from tens of thousands in California.”  More specifically, Plaintiff asserted that Otonomo collaborates with its clients, who are automobile manufacturers that install electronic devices in the vehicles they manufacture.  Plaintiff alleged that Otonomo partnered with car manufacturers “to use electronic devices in their cars to send real-time GPS location data directly to Otonomo through a secret ‘always on’ cellular data connection.”

Plaintiff asserted that “[b]y secretly tracking the locations of consumers in their cars, Otonomo has violated and continues to violate the California Invasion of Privacy Act (‘CIPA’), which specifically prohibits the use of an “electronic tracking device to determine the location or movement of a person” without consent.”  The Complaint pled a single claim under CIPA for violation of Section 637.7.  Plaintiff sought to represent a putative class comprised of “[a]ll California residents who own or lease a vehicle and whose GPS data has been collected by Otonomo”.

By way of reference, Section 637.7 provides that:

(a) No person or entity in this state shall use an electronic tracking device to determine the location or movement of a person.

(b) This section shall not apply when the registered owner, lessor, or lessee of a vehicle has consented to the use of the electronic tracking device with respect to that vehicle.

(c) This section shall not apply to the lawful use of an electronic tracking device by a law enforcement agency.

(d) As used in this section, “electronic tracking device” means any device attached to a vehicle or other movable thing that reveals its location or movement by the transmission of electronic signals.

Cal. Penal Code § 637.7 (West 2022).  CIPA is a heavily litigated statute that has been relied upon recently by plaintiffs in privacy class actions involving a number of recent tracking-related claims and technologies.  However, Plaintiff’s application of CIPA Section 637.7 to a built-in component of a vehicle (as opposed to a standalone device) was one of first impression.

Otonomo moved to dismiss the Complaint, raising three purported fundamental deficiencies with Plaintiff’s claim.  First, Plaintiff did not allege an “electronic tracking device” “attached to” his car as the terms are used in CIPA.  Second, Plaintiff did not allege that Otonomo “determine[s] the location or movement of” Plaintiff.  And finally, Plaintiff did not allege that he did not consent to be tracked.  The Court found Otonomo’s arguments persuasive, dismissing the Complaint with prejudice.

In regard to Otonomo’s first argument, violation of CIPA Section 637.7 requires that the location or movement of a person be determined by an “electronic tracking device.”  Cal. Penal Code § 637.7(a).  Additionally, an “electronic tracking device” is defined as a device “attached to a vehicle . . . that reveals its location or movement.” Cal. Penal Code § 637.7(d).  The Court took notice of other CIPA precedent which examined the statue’s legislative history to find that “the statute governs electronic tracking devices placed on vehicles or other movable things.”  As such, the Court ruled, “that the ‘device’ must be a separate device that is attached, or placed, onto an automobile by the alleged wrongdoer.”  On this basis, Plaintiff’s CIPA claim had to be dismissed.  The Court observed that this result was consistent with concessions made by Plaintiff’s counsel at oral argument, which included that the device at issue “is a component part of Plaintiff’s vehicle that is not removable by Plaintiff, nor was the Plaintiff able to obtain his vehicle without [it].”

The Court was also persuaded by Otonomo’s argument that, at most, Otonomo merely received data about the location of vehicles.  This was insufficient under Section 637.7 of CIPA which prohibits the use of “an electronic tracking device to determine the location or movement of a person.” Cal Penal Code § 637.7(a).  This was because, the Court explained, “[t]he wording of the statute explicitly prohibits tracking the location or movement of a person, not a vehicle.”  In this instance, the complaint was devoid of allegations that Otonomo obtained personal information of the drivers of these vehicles.  Furthermore, Plaintiff did not allege that Otonomo received Plaintiff’s personal information from manufacturers, that would possess this information.  On this basis as well Plaintiff’s claim independently failed.

Finally, the Court also adopted Otonomo’s argument regarding Paintiff’s failure to allege that he did not consent to the device installed in his car being used to track him.  Notably, Section 637.7 is not violated “when the registered owner, lessor, or lessee of a vehicle has consented to the use of the electronic tracking device with respect to that vehicle.” Cal. Penal Code § 637.7(b).

In this case, the Complaint did not include an allegation that Plaintiff did not consent to being tracked by his vehicle’s manufacturer.  This was a fundamental deficiency also requiring the Complaint’s dismiss because CIPA Section 637.7 “is not violated if any consent is given to the vehicle being tracked,” (emphasis supplied).  This required that, in order to plead a cognizable claim, Plaintiff had to allege the lack of consent with respect to both Otonomo and his vehicle manufacturer—which he did not.  In so ruling, the Court dismissed Plaintiff’s contention that consent did not need to be pled, as it was an affirmative defense, ruling instead that consent was “an element of the statute.”

Because the Court found that Plaintiff could not plausibly allege other facts that the device at issue was an electronic tracking device within the meaning of CIPA, Plaintiff’s claim was dismissed with prejudice.  Had Plaintiff’s interpretation of CIPA been adopted by the Court in this case, it would have dramatically expanded the scope of the statute.  Additionally, it could have also potentially limited the services provided to drivers on a daily basis due to perceived litigation risk.

As Otonomo’s motion pointed out, “Otonomo’s receiving vehicle GPS data through its contracts with car manufacturers and fleet managers. . .[was] used for things like roadside assistance, emergency location, vehicle theft protection, real-time weather and hazard notifications, and traffic flow management.”  At bottom, Plaintiff in this case sought to create liability under CIPA for any entity that receives GPS data from car manufacturers derived from features the car manufacturers themselves built into the vehicles.  The Court was prudent in this case to reject such an expansion of CIPA.  It remains to be seen, however, how similar claims brought in future filed cases are treated and if this first ruling is adopted in other litigations.

For more on this, and the latest developments concerning privacy, security and innovation, stay tuned.  Privacy World will be there to keep you in the loop.

2022 was another eventful year in the realm of privacy, security and innovation.  Privacy World was there every step of the way, to keep you informed on key developments.  Starting next week, we will be rolling out our popular Year in Review series.  As a lead up to that, below are our ten most popular posts of 2022.

Squire Patton Boggs Named a World Leader in Data Protection by Global Data Review | Privacy World

Connecticut and Utah Latest States to Jump On Consumer Privacy Bandwagon | Privacy World

Third Time Lucky or Schrems III? The European Union Data Pact with the US Moves One Step Closer (To Be Challenged – Again) | Privacy World

New Webinar Recording: “Employee and Other HR Data Under the California Privacy Rights Act” | Privacy World

Security Breach Results in FTC Action, With Accompanying Executive Liability | Privacy World

Recent FTC Settlement Highlights Agency’s Focus on Children’s Privacy & Use of Disgorgement Remedy Including in AI Context | Privacy World

2022 Q3 Artificial Intelligence & Biometric Privacy Report | Privacy World

Congress Proposes Federal Privacy Legislation to Preempt Certain State Privacy Laws, Hearing Scheduled for Next Week | Privacy World

2021 Year in Review: Data Breach and Cybersecurity Litigations | Privacy World

2021 Year in Review: Financial Privacy Litigation and Developments Post-Ramirez | Privacy World