California Consumer Privacy Act

On July 31, 2023, the California Privacy Protection Agency announced a review of data privacy practices by connected vehicle (CV) manufacturers and related CV technologies. According to the Agency, “[t]hese vehicles are embedded with several features including location sharing, web-based entertainment, smartphone integration, and cameras. Data privacy considerations are critical because these vehicles often automatically

Keypoint: The Attorney General’s investigatory sweep focuses on how large California employers are handling the expiration of the CCPA’s employee data exemption.

On July 14, 2023, the California Attorney General announced a new CCPA investigatory sweep focused on employee data. The Attorney General’s Office reported that it had sent inquiry letters “to large California employers requesting information on the companies’ compliance with the California Consumer Privacy Act (CCPA) with respect to the personal information of employees and job applicants.”

Keypoint: Enforcement by the California Privacy Protection Agency of the new CCPA regulations will be delayed until March 2024, but the Agency can still enforce the CCPA statutory changes as of July 1, 2023.

As first reported by Amy Miller at mlex, on June 30, 2023, Judge Arguelles of the Superior Court of California entered an Order granting, in part, the California Chamber of Commerce’s Petition for Writ of Mandate and Compliant for Declaratory and Injunctive Relief. In so doing, the Court held that enforcement of any final regulation published by the California Privacy Protection Agency must be stayed for a period of 12 months from the date that regulation becomes final. This means the Agency cannot enforce the new California Consumer Privacy Act (CCPA) regulations finalized on March 29, 2023, until March 29, 2024. Importantly, the ruling does not prohibit the Agency or the Attorney General’s Office from enforcing the statutory changes to the CCPA that went into effect on January 1, 2023.

Keypoint: The thirteen new enforcement case examples – released just a few months before the CCPA’s right to cure sunsets – provide further insight into the Attorney General’s enforcement priorities.

As we previously reported, last week the California Attorney General’s Office announced its first public settlement for alleged non-compliance with the California Consumer Privacy Act (CCPA), consisting of a $1.2 million penalty as well as injunctive relief. Although much of the discussion since the announcement has been appropriately focused on the contours of the settlement agreement, the Office contemporaneously published thirteen new CCPA enforcement case examples. The new examples add to the twenty-seven examples the Office published in July 2021.

Because the Office does not generally release information to the public about its investigations, the new case examples provide a rare glimpse into the Office’s past year of CCPA enforcement activities. With the CCPA’s thirty day right to cure sunsetting on January 1, 2023, businesses should review these case examples as part of their ongoing compliance efforts.

Below is an overview of the new enforcement case examples.

Keypoint: The Attorney General’s announcement of a $1.2 million penalty sends a “strong message” to companies to come into compliance.

On August 24, 2022, California Attorney General Bonta announced the first public enforcement action under the California Consumer Privacy Act (CCPA) as well as a new round of investigative sweeps and more enforcement case examples.

During an online press conference, Attorney General Bonta announced a $1.2 million settlement with a company over allegations it illegally sold data in violation of the CCPA. Bonta stated the enforcement action should send a “strong message” to companies to comply with the CCPA. The enforcement action arose out of a prior investigative sweep in which the Attorney General’s office sent over one-hundred (100) notices of violation.

Keypoint: Organizations that collect personal data from children under 16 will need to ensure compliance with additional requirements once the laws go into effect.

This is the ninth post in our ten-part weekly series comparing key provisions of the California Privacy Rights Act (CPRA), Colorado Privacy Act (CPA), and Virginia Consumer Data Protection Act (VCDPA). With the operative dates of these laws drawing near, we are exploring important distinctions between them. If you are not already subscribed to our blog, consider subscribing now to stay updated.

In this article, we examine how the three laws treat children’s personal data. The CPRA divides children into two groups, children under 13 and children the ages of 13-15. While both groups require consent to sell or share information, the latter may do so without a parent or guardian. In comparison, the VCDPA and CPA handle children’s data similar to each other by both defining a child as under 13 years old and including personal data of a child under the definition of sensitive data (for which consent is required to process). The VCDPA and CPA do not address the treatment of data for children ages 13-15.

In addition to these three state laws, California recently introduced a bill that would further regulate children’s personal data by creating additional obligations for companies collecting data of consumers under the age of 18. Momentum is also gathering for federal legislation that further regulates children’s online personal data, with several bills aiming to update the Children’s Online Privacy Protection Act (COPPA). In March, President Joe Biden addressed the importance of protecting children’s data in his State of the Union address. We provide an overview of these new bills in this article as well.

Keypoint: In its first CCPA interpretive opinion, the Attorney General’s office confirmed that businesses responding to requests to know must disclose internally generated inferences they hold about a consumer from either internal or external information sources.

On March 10, 2022, the California Attorney General’s office issued a first-of-its-kind interpretive opinion on the California Consumer Privacy Act’s (CCPA) application.

The Opinion states that, unless an exception applies, a consumer “has the right to know internally generated inferences about that consumer” held by the business from either external or internal sources. The Office reached this Opinion based on a plain reading of the CCPA’s text. A few questions result, including whether inferences based on otherwise exempt information must be disclosed.

Below is a further analysis of the Opinion.

Keypoint: With the CCPA’s “right to cure” violations expiring at the end of the year, businesses should take note of the AG’s recent enforcement efforts and, to the extent necessary, provide the requisite notice of financial incentive if the business offers discounts, free items, loyalty programs, or other rewards, in exchange for personal information.

California Attorney General Rob Bonta marked Data Privacy Day (January 28) by announcing an “investigative sweep of a number of businesses operating loyalty programs in California” for allegedly failing to comply with the California Consumer Privacy Act’s (CCPA) notice of financial incentive requirement. Letters were sent on January 28 “to major corporations in retail, home improvement, travel, and food services industries.” As required under the CCPA, entities that received letters will have thirty days to cure the alleged violation.

The press release did not disclose the number of letters sent or provide details on the specific nature of the alleged violations other than stating this “sweep of notices . . . focuses on businesses that are failing to provide a notice of financial incentive to customers that opt into their loyalty program.”

For businesses that offer loyalty programs or other financial incentives, below is a discussion on the CCPA’s notice of financial incentive requirement, including what the notices must contain and how businesses should relay the notices to California residents.

CPRA Regulations: California Privacy Protection Agency Commences Preliminary Rulemaking ProcessKeypoint: The California Privacy Protection Agency initiates preliminary rulemaking activities under the California Privacy Rights Act.

On Wednesday, September 22, 2021, the California Privacy Protection Agency (Agency) issued an Invitation for Preliminary Comments on Proposed Rulemaking Under the California Privacy Rights Act of 2020.

California voters approved the California Privacy Rights Act (CPRA) in November 2020. The CPRA, which goes into effect on January 1, 2023, significantly revises the California Consumer Privacy Act (CCPA).

Keypoint: A detailed analysis of the Attorney General’s twenty-seven published examples of noncompliance notices sent during the first year of CCPA enforcement reveals key learnings for CCPA compliance efforts.

In July, the California Attorney General published twenty-seven “illustrative examples” of noncompliance notices it sent to businesses during its first year of enforcing the CCPA. The examples provide a rare glimpse into the Attorney General’s enforcement priorities.

The office sent enforcement notices to a wide range of businesses spanning a variety of industries. The alleged violations primarily concerned privacy policy disclosures, consumer requests, and opt-out of sale requirements. Other noncompliance topics included service provider contracts and “just in time” notices.

Below is an analysis of the published enforcement examples. The office emphasizes, however, that the information provided “does not include all the facts of each situation and does not constitute legal advice.”