California Consumer Privacy Act

Keypoint: The thirteen new enforcement case examples – released just a few months before the CCPA’s right to cure sunsets – provide further insight into the Attorney General’s enforcement priorities.

As we previously reported, last week the California Attorney General’s Office announced its first public settlement for alleged non-compliance with the California Consumer Privacy Act (CCPA), consisting of a $1.2 million penalty as well as injunctive relief. Although much of the discussion since the announcement has been appropriately focused on the contours of the settlement agreement, the Office contemporaneously published thirteen new CCPA enforcement case examples. The new examples add to the twenty-seven examples the Office published in July 2021.

Because the Office does not generally release information to the public about its investigations, the new case examples provide a rare glimpse into the Office’s past year of CCPA enforcement activities. With the CCPA’s thirty day right to cure sunsetting on January 1, 2023, businesses should review these case examples as part of their ongoing compliance efforts.

Below is an overview of the new enforcement case examples.Continue Reading CCPA Update: Cal. AG Releases Thirteen New Enforcement Case Examples

Keypoint: The Attorney General’s announcement of a $1.2 million penalty sends a “strong message” to companies to come into compliance.

On August 24, 2022, California Attorney General Bonta announced the first public enforcement action under the California Consumer Privacy Act (CCPA) as well as a new round of investigative sweeps and more enforcement case examples.

During an online press conference, Attorney General Bonta announced a $1.2 million settlement with a company over allegations it illegally sold data in violation of the CCPA. Bonta stated the enforcement action should send a “strong message” to companies to comply with the CCPA. The enforcement action arose out of a prior investigative sweep in which the Attorney General’s office sent over one-hundred (100) notices of violation.Continue Reading California Attorney General Announces First Public CCPA Enforcement Action

Keypoint: Organizations that collect personal data from children under 16 will need to ensure compliance with additional requirements once the laws go into effect.

This is the ninth post in our ten-part weekly series comparing key provisions of the California Privacy Rights Act (CPRA), Colorado Privacy Act (CPA), and Virginia Consumer Data Protection Act (VCDPA). With the operative dates of these laws drawing near, we are exploring important distinctions between them. If you are not already subscribed to our blog, consider subscribing now to stay updated.

In this article, we examine how the three laws treat children’s personal data. The CPRA divides children into two groups, children under 13 and children the ages of 13-15. While both groups require consent to sell or share information, the latter may do so without a parent or guardian. In comparison, the VCDPA and CPA handle children’s data similar to each other by both defining a child as under 13 years old and including personal data of a child under the definition of sensitive data (for which consent is required to process). The VCDPA and CPA do not address the treatment of data for children ages 13-15.

In addition to these three state laws, California recently introduced a bill that would further regulate children’s personal data by creating additional obligations for companies collecting data of consumers under the age of 18. Momentum is also gathering for federal legislation that further regulates children’s online personal data, with several bills aiming to update the Children’s Online Privacy Protection Act (COPPA). In March, President Joe Biden addressed the importance of protecting children’s data in his State of the Union address. We provide an overview of these new bills in this article as well.Continue Reading How do the CPRA, VCDPA & CPA treat children’s data?

Keypoint: In its first CCPA interpretive opinion, the Attorney General’s office confirmed that businesses responding to requests to know must disclose internally generated inferences they hold about a consumer from either internal or external information sources.

On March 10, 2022, the California Attorney General’s office issued a first-of-its-kind interpretive opinion on the California Consumer Privacy Act’s (CCPA) application.

The Opinion states that, unless an exception applies, a consumer “has the right to know internally generated inferences about that consumer” held by the business from either external or internal sources. The Office reached this Opinion based on a plain reading of the CCPA’s text. A few questions result, including whether inferences based on otherwise exempt information must be disclosed.

Below is a further analysis of the Opinion.Continue Reading CCPA Update: California Attorney General Issues Opinion on Disclosure of Inferences

Keypoint: With the CCPA’s “right to cure” violations expiring at the end of the year, businesses should take note of the AG’s recent enforcement efforts and, to the extent necessary, provide the requisite notice of financial incentive if the business offers discounts, free items, loyalty programs, or other rewards, in exchange for personal information.

California Attorney General Rob Bonta marked Data Privacy Day (January 28) by announcing an “investigative sweep of a number of businesses operating loyalty programs in California” for allegedly failing to comply with the California Consumer Privacy Act’s (CCPA) notice of financial incentive requirement. Letters were sent on January 28 “to major corporations in retail, home improvement, travel, and food services industries.” As required under the CCPA, entities that received letters will have thirty days to cure the alleged violation.

The press release did not disclose the number of letters sent or provide details on the specific nature of the alleged violations other than stating this “sweep of notices . . . focuses on businesses that are failing to provide a notice of financial incentive to customers that opt into their loyalty program.”

For businesses that offer loyalty programs or other financial incentives, below is a discussion on the CCPA’s notice of financial incentive requirement, including what the notices must contain and how businesses should relay the notices to California residents.Continue Reading Analyzing the CCPA’s Notice of Financial Incentive Requirement in the Wake of the Attorney General’s Issuance of Violation Notices for Loyalty Programs

CPRA Regulations: California Privacy Protection Agency Commences Preliminary Rulemaking ProcessKeypoint: The California Privacy Protection Agency initiates preliminary rulemaking activities under the California Privacy Rights Act.

On Wednesday, September 22, 2021, the California Privacy Protection Agency (Agency) issued an Invitation for Preliminary Comments on Proposed Rulemaking Under the California Privacy Rights Act of 2020.

California voters approved the California Privacy Rights Act (CPRA) in November 2020. The CPRA, which goes into effect on January 1, 2023, significantly revises the California Consumer Privacy Act (CCPA).Continue Reading CPRA Regulations: California Privacy Protection Agency Commences Preliminary Rulemaking Process

Keypoint: A detailed analysis of the Attorney General’s twenty-seven published examples of noncompliance notices sent during the first year of CCPA enforcement reveals key learnings for CCPA compliance efforts.

In July, the California Attorney General published twenty-seven “illustrative examples” of noncompliance notices it sent to businesses during its first year of enforcing the CCPA. The examples provide a rare glimpse into the Attorney General’s enforcement priorities.

The office sent enforcement notices to a wide range of businesses spanning a variety of industries. The alleged violations primarily concerned privacy policy disclosures, consumer requests, and opt-out of sale requirements. Other noncompliance topics included service provider contracts and “just in time” notices.

Below is an analysis of the published enforcement examples. The office emphasizes, however, that the information provided “does not include all the facts of each situation and does not constitute legal advice.”Continue Reading CCPA Update: Analysis and Key Takeaways from AG’s Example Enforcement Cases

Keypoint: Businesses that sell personal information under the CCPA are now required to honor Global Privacy Control signals.

In an update to its CCPA FAQs, the California Attorney General’s office has stated that businesses that sell personal information must honor Global Privacy Control (GPC) signals.Continue Reading California AG Requires Businesses to Recognize GPC Signals for Requests to Opt Out of Sales

Keypoint: The appointment of the five California Privacy Protection Agency board members is the first significant step to the California Privacy Rights Act becoming fully operative in 2023.

On March 17, California officials announced the establishment of the five-member inaugural board for the California Privacy Protection Agency (CPPA). The CPPA was established by the California Privacy Rights Act (CPRA), which California voters approved in the November election. The CPPA will take over rulemaking duties from the California Attorney General’s office and will administratively enforce the CPRA. Given that California has the world’s fifth largest economy, the CPPA has the potential to be one of the most important data privacy authorities in the world.Continue Reading CPRA Update: Board Appointments Announced for California Privacy Protection Agency

Keypoint: Modifications to the CCPA regulation’s provisions regarding requests to opt-out and authorized agent requests are now final.

On March 15, 2021, the California Attorney General’s office announced that the Office of Administrative Law has approved the Attorney General’s proposed changes to the CCPA regulations. The new regulations make three general changes relating to the right to opt out of sales and one change to authorized agent requests. In addition, the Attorney General’s press release reaffirms that enforcement activities are proceeding.Continue Reading CCPA Update: New Regulations Approved