On October 10, 2019, the California Attorney General’s office published its long-awaited proposed CCPA regulations. Members of Husch Blackwell’s privacy and data security practice group will host a webinar on Tuesday, October 15, from 12:00-1:30 p.m. CT, to analyze the proposed regulations. Click here to register.
Keypoint: The long-awaited proposed AG regulations are here, and while they provide some much-needed clarity, they will leave businesses wanting more.
On October 10, 2019, the California Attorney General’s office published its long-awaited proposed CCPA regulations. The AG’s office also announced that it will hold public hearings on the regulations on December 2, 3, 4 and 5, 2019, and that the written comment period will end on December 6, 2019, at 5:00 p.m.
In the following blog post, we will analyze and discuss many of these proposed regulations. In addition, members of Husch Blackwell’s privacy and data security practice group will host a webinar on Tuesday, October 15, from 12:00-1:30 p.m. CT, to analyze the proposed regulations. Click here to register.
We previously posted that Alastair Mactaggart, one of the co-authors of the California Consumer Privacy Act (CCPA), intended to submit a new ballot initiative to strengthen the privacy rights that already exist in the CCPA. The full text of the ballot measure – which is entitled the California Consumer Privacy Rights and Enforcement Act of 2020 – is now available on the California Attorney General’s website. There also is an annotated version of the initiative available here.
While Mactaggart’s press release identified a few of the proposed changes, our initial review of the initiative is that it would bring about a substantial rewrite of the CCPA. While there is a lot to unpack in this initiative, here are our initial highlights:
Alastair Mactaggart, Founder & Chair of Californians for Consumer Privacy, announced that he intends to file a ballot initiative – the California Privacy Enforcement Act – to appear on the November 2020 ballot. According to his press release, the new law would:
- Create new rights around the use and sale of sensitive personal information, such as health and financial information, racial or ethnic origin, and precise geolocation;
- Triple the CCPA’s fines for violating the law’s requirements governing the collection and sale of children’s private information and require opt-in consent to collect data from consumers under the age of 16;
- Require transparency around automated decision-making and profiling;
- Establish a new authority to protect the privacy rights;
- Amend election disclosure laws to require corporations to disclose whether, and how, they use personal information to influence elections; and
- Require that future amendments be in furtherance of the law.
According to the San Francisco Chronicle, Mactaggart intends to spend as much as $3 million collecting over 600,000 signatures to qualify the measure for the November 2020 ballot. Those familiar with the CCPA’s history will know that Mactaggart’s initial ballot initiative drove the ultimate passage of the CCPA legislation in June 2018. The fact that he is once-again pursuing a ballot initiative is not to be taken lightly.
Keypoint: The California Attorney General’s office is on track to publish draft CCPA regulations in October and final regulations by year end. Although the exact contours of the regulations are yet to be determined, businesses subject to the CCPA will need to understand the regulations and integrate their requirements into their CCPA compliance efforts.
The final piece of the CCPA puzzle should be in place by year end. According to Bloomberg Law, the California Attorney General’s office is on track to publish draft CCPA regulations in October and final regulations by the CCPA’s January 1, 2020, effective date. That report is in line with prior expectations that the AG’s office would publish draft regulations shortly after the California Governor’s October 13 deadline to sign the CCPA amendments that passed the legislature on September 13.
Although the CCPA becomes effective on January 1, 2020, the AG’s office cannot bring an enforcement action “until six months after the publication of final regulations . . . or July 1, 2020, whichever is sooner.” Therefore, it appears the AG’s office could potentially be poised to start enforcement actions prior to July 1, 2020.
Key Point: The FTC’s fine is the largest for any COPPA-related incident; however, two issues of first impression alleged in the Complaint could have a more significant impact over the long term.
We previously reported that the Federal Trade Commission (“FTC”) entered into a settlement agreement with Facebook, Inc., which included a record-breaking $5 billion fine for repeat violations of consumers’ privacy rights. The FTC recently announced that it had entered into a settlement with Google, LLC (“Google”) and its subsidiary YouTube, LLC (“YouTube”), in which those entities will pay a $170 million fine for violating the Children’s Online Privacy Protection Act (“COPPA”) Rule. The $170 million fine is the largest the FTC has issued in a COPPA case since Congress enacted the law in 1998.
September 13 was the final day for the California legislature to pass bills amending the California Consumer Privacy Act (CCPA) prior to its January 1, 2020, effective date. After months of speculation and anticipation, we finally have clarity (subject to the Governor’s approval) on the CCPA’s provisions.
Although there were changes – and both business and privacy advocates are claiming victories – the CCPA did not undergo a dramatic change. For businesses, the most notable changes are the addition of limited exemptions for the personal information of employees and business to business contacts as well as changes to the definition of personal information. On the other hand, privacy advocates will point to what did not change, namely, the CCPA retained its core privacy rights.
Below we discuss the changes.
Key Point: If signed by the Governor, the legislation will expand the types of personal information covered by the CCPA’s provision authorizing private litigants to seek statutory damages of between $100 and $750, per consumer per incident, for data breaches.
On September 6, the California legislature passed amendments to the state’s data breach notification statutes (Cal. Civ. Code §§ 1798.29 & 1798.82) and information security statute (Cal. Civ. Code § 1798.81.5). The bill was enrolled and presented to the Governor on September 11.
If signed by the Governor, the legislation will expand the types of personal information that are covered under those statutes to include (1) tax identification numbers, passport numbers, military identification numbers, or other unique identification numbers issued on a government document commonly used to verify the identity of a specific individual and (2) unique biometric data generated from measurements or technical analysis of human body characteristics, such as a fingerprint, retina, or iris image, used to authenticate a specific individual. Unique biometric data does not include a physical or digital photograph, unless stored for facial recognition purposes.
This is the first CCPA-related bill to pass the California legislature prior to the September 13 deadline. Husch Blackwell will be hosting a webinar on September 16 to analyze what bills did and did not pass. For more information, click here.
The passage of this legislation implicates the CCPA through § 1798.150 of the CCPA, which provides that any “consumer whose nonencrypted or nonredacted personal information, as defined in [Cal Civ. Code § 1798.81.5(d)(1)(A)], is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of a business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action” to recover damages of between $100 and $750 per consumer per incident. By expanding the types of personal information included in Cal Civ. Code § 1798.81.5(d)(1)(A), the legislation expands the types of personal information subject to the CCPA’s statutory penalties.
It goes without saying that businesses that are operating in California and collecting these additional types of personal information should take steps to ensure that they are properly protected, including the use of encryption and redaction.
Friday, September 13 is the final day for the California legislature to pass bills amending the California Consumer Privacy Act (CCPA). Join us on Monday, September 16 for a first look at what bills passed and how any amendments will impact your CCPA compliance efforts. During this webinar, we will review and discuss the fate of numerous assembly bills (AB), including:
- AB 25: employee information carve-out
- AB 846: customer loyalty program carve-out
- AB 873 and 874: changes to the definitions of “deidentified” and “personal information”
- AB 1564: changes to methods for receiving verifiable consumer requests
- AB 1130 and 1035: changes to California’s data breach notification statute
This is a must-attend webinar for anyone with organizational responsibility for CCPA compliance.
Click here for more information and to register.
Notably, a close read of the legislation shows that operators must provide an opt-out right even if they are not currently selling information. Specifically, the legislation states that, after receiving a verified request, operators “shall not make any sale of any covered information the operator has collected or will collect about the consumer.” Therefore, operators cannot rely on the fact that they do not presently sell covered information and will need to take steps to log these requests in case anything changes in the future.
To comply with these changes, entities subject to the statute should revise their online privacy policies by the October 1, 2019, deadline.
Our detailed examination of Nevada’s existing statutory requirements and the changes effective October 1 is available here.