Refine CCPA Compliance Plan with the Regulations in Mind

We previously announced the publication of the first set of proposed regulations that will implement the California Consumer Privacy Act (CCPA), which goes into effect January 1, 2020. Partner Alan Friel has authored an article published by OneTrust DataGuidance that details how the proposed regulations – and a half dozen amendments to the CCPA that recently became law – impact CCPA compliance. A copy of the article is available here. The proposed regulations are available here and an initial statement of reasons that explain the thinking behind the proposed regulations is available here.

The attorney general is currently taking written comments on the proposed regulations until December 6. BakerHostetler is preparing comments to file for specific clients, as well as a set of aggregate comments that reflect our clients’ concerns more generally. If you would like to contribute comments or would like assistance in crafting custom comments, contact the author.


Children’s Privacy Law Updates: Tricks or Treats?

It’s finally here! Halloween, the day every kid dreams of for months. It’s a scary time in the world of children’s privacy law – what with the California Consumer Privacy Act (CCPA) lurking around the corner and the specter of FTC enforcement still lingering in the air. But this year, you’ve planned. You know exactly which houses offer full-size candy bars and where to go to avoid neighborhood bullies.

You approach the first house: old man COPPA. Many of the other kids are afraid of Mr. COPPA, but you know better. With updates on the horizon, there’s never been a better time to visit.

The FTC’s Workshop on the Future of COPPA

On October 7, the Federal Trade Commission (FTC) hosted a workshop to discuss updates to the regulations promulgated under the Children’s Online Privacy Protection Act (COPPA). Broadly speaking, the FTC’s COPPA Rule requires that web services, including mobile apps, provide notice and obtain parental consent to collect, use, or disclose personal information from children under age 13. Continue Reading

IAB Releases Draft CCPA Compliance Framework for Digital Advertising Industry

The Interactive Advertising Bureau (IAB) publicly released its draft CCPA Compliance Framework for Publishers and Technology Companies (“Framework”) on Oct. 22, 2019. As we reported here, the Framework is being developed by the IAB and the IAB Tech Lab to address the challenges of the CCPA’s Do Not Sell obligation as it relates to interest-based advertising and related activities.

Along with the draft Framework, the IAB Tech Lab released the Framework’s technical specifications, which are to be used by an organization’s product and engineering teams to technically implement and operationalize the Framework.

The IAB will be accepting public comments on the Framework through Nov. 5, 2019. If you would like more information on the Framework, what it means for your organization or how to file comments, contact the author at

A Balancing Act: A Brief Overview of California Privacy Laws

The California Consumer Privacy Act (“CCPA”) takes effect on January 1, 2020. The CCPA aims to provide consumers with an unprecedented array of rights concerning the control of their personal information and, correspondingly, imposes an unprecedented array of obligations upon businesses concerning consumers’ personal information.

These obligations are not without limitation, however; the CCPA strives to balance the privacy rights it confers onto consumers and the corresponding obligations these rights impose upon businesses. For instance, the CCPA requires businesses that collect a consumer’s personal information to — at or before the point of collection — inform consumers of the categories of personal information to be collected and the purposes for which the categories shall be used. [Cal. Civ. Code § 1798.100(b)]. A business, however, need not disclose the categories and specific pieces of personal information it has collected unless and until a consumer makes a verifiable request for that information. [Cal. Civ. Code § 1798.100(a)].

Similarly, the CCPA empowers consumers to direct businesses not to sell their personal information to third parties. [Cal. Civ. Code § 1798.120]. While businesses must not discriminate against consumers for exercising this right, businesses may charge consumers that do exercise it differently, if that difference reasonably relates to the value provided by those consumers’ data. [Cal. Civ. Code § 1798.125(a)(2)]. Businesses may also offer financial incentives, including payments to consumers as compensation for the collection of personal information, if the consumer provides prior opt-in consent to allow his or her information to be sold to third parties. [Cal. Civ. Code § 1798.125(b)(3)]. Continue Reading

Just When You Thought It Was Safe to Go Back into the Water – CCPA 2, the Sequel

If you’ve been feeling encouraged about your company’s preparation for the California Consumer Privacy Act’s (CCPA) launch on January 1, 2020, you may not want to breathe a sigh of relief just yet. Alastair Mactaggart, the founder and board chair of Californians for Consumer Privacy (one of the coauthors of the CCPA), is hoping that a new initiative that he announced is put on the November 2020 ballot in California. Mactaggart filed the 51-page ballot initiative with the California Attorney General on Sept. 25, 2019, with minor modifications made in an updated filing on Oct. 2, 2019.

Officially titled the California Privacy Rights and Enforcement Act (CPREA), the initiative has gained the moniker “CCPA 2.0” because it would make significant changes to the original version of the CCPA enacted last year. Californians for Consumer Privacy has published an annotated version of the CPREA on its website, explaining many of the proposed changes. By June 2020, 623,212 signatures are needed in order for the initiative to qualify for the ballot. By comparison, the CCPA garnered 629,000 signatures in June of 2018. Continue Reading

CCPA Amendments Signed into Law by California Governor

On Friday, October 11, 2019, California’s governor signed into law each of the six CCPA amendment bills passed by the legislature, bringing some finality and clarity to the scope of the CCPA (at least with respect to details which will not be affected by the attorney general’s regulations). In addition to signing into law A.B. 25A.B. 874AB 1146A.B. 1202A.B. 1355 and A.B. 1564, on which we previously reported in detail here, the governor signed into law A.B. 1130, which expands the definition of personal information under California’s data breach statute to include passports and biometric information.

The governor’s signing of these amendments comes on the heels of California’s attorney general releasing draft regulations along with details on a public comment period, which we detail here.

CCPA Regs: “This is the meat on the bones….”

“Data is today’s gold. Everyone is rushing to mine data. Here in California, we are not unfamiliar with gold rushes… [in fact,][w]e are better than Captain Kirk and the Enterprise. We are going [with the CCPA regulations] to where no one has gone before! [A]nd it’s going to be a great series, maybe they will even make a movie about it.” With this lofty introduction, livestreamed on YouTube (see it at here) from a press conference in San Francisco at 10:30 a.m. on Oct. 10, California Attorney General Xavier Becerra released advance copies of the much awaited proposed implementation regulations to the California Consumer Privacy Protection Act (CCPA) and announced public hearings on the regs across the Golden State, to take place Dec. 2 through 5. The deadline for written comments is Dec. 6. There will be a second public comment period following revisions to the draft regulations of either 15 or 45 days depending on the extent of changes in response to the first public comment period. The AG’s office will not entertain private meetings, in order to further a transparent process.

The AG indicated that the time for getting to final published regulations would likely result in an enforcement delay to close to the July 1, 2020, deadline set by the legislature in AB 1121 last year. However, he warned businesses that the law goes into effect Jan. 1, 2020. When asked whether the enforcement delay is a safe harbor, AG Becerra responded with a question of his own: “If someone is murdered and it takes us six months to arrest whoever did it, does that mean that they should go free?” He then answered both questions by saying, “Look, I don’t think so. The law is the law.” This is consistent with comments he has made in the past warning companies not to rely on either the enforcement delay of the CCPA’s notice or the 30-day opportunity to cure. Regarding the cure provision of the CCPA, the AG has previously stated that he is not sure how it is possible to cure a violation of a consumer’s rights that has already happened. Continue Reading

California Bill SB-208 Tackles Pervasive Robocalls

On Sept. 11, 2019, the California State Senate approved the Consumer Call Protection Act of 2019, SB-208. The measure seeks to protect consumers from fraudulent robocalls and enact into law provisions that, despite strong support from Federal Communications Commission (FCC) Chairman Ajit Pai, have not been enacted on the federal level.[1] The bill empowers the Public Utilities Commission of California (Commission) to work with the attorney general to enforce the law, and also requires telecommunication providers to authenticate and verify caller identification for calls made using an internet protocol network.

Specifically, the bill dictates that telecom companies implement Secure Telephony Identity Revisited (STIR) and Secure Handling of Asserted information toKENs (SHAKEN) protocols (or comparable technology) that require outbound calls to be issued with a digital “token” that can be verified when received by the call recipient. If the tokens match, then the call is considered authenticated. If the tokens do not match, the recipient would be alerted to that fact.

Fraudulent Robocalls a Pervasive Problem, Expected to Worsen

Approximately 5.1 billion robocalls were made in October 2018, according to Irvine tech firm YouMail, with the average American receiving 16 robocalls per month.[2] Such calls accounted for 30% of all calls made in 2018, according to First Orion, provider of caller-ID and call-blocking services for major cell companies.[3] Some states and municipalities are harder hit than others, including California, with people in cities such as Los Angeles receiving nearly 172 million robocalls in October 2018.[4]

Fraudsters typically utilize a technique called “neighbor spoofing,” where scammers pretend to be from the same area code as the consumer in the hopes the recipient will be more likely to believe the call is personally relevant. Common schemes that utilize neighbor spoofing include scammers falsely claiming to be a local utility company threatening to levy penalties for past due electric bills or fake IRS calls claiming that the recipient’s taxes are past due.[5] Continue Reading

If Signed by Governor, California Bill AB-602 Will Provide Private Right of Action for Victims of Sexually Explicit ‘Deepfakes’

AB-602, passed by the California State Senate on September 12, 2019, will, if approved by the governor, create a private right of action against persons who create or disclose another’s sexually explicit content through use of “deepfake” technology. Specifically, the cause of action may be brought against a person who creates and intentionally discloses sexually explicit material where the person knows, or reasonably should know, that such creation or disclosure was not consented to by the depicted individual, or where such person did not create but intentionally discloses such material knowing that the depicted individual did not consent to its creation.

Sponsors of the bill envision it applying in two distinct scenarios: (1) where a person’s face is superimposed on another’s body in such a way as to suggest that person is engaging in a sexually explicit way, and (2) where a mainstream filmmaker digitally alters a scene to make it look as though the actor engaged in sexually explicit activity when, in fact, he or she did not.

Issues AB-602 Seeks to Resolve

Deepfake (a portmanteau of deep learning and fake)[1] is used for many purposes, including political commentary and parody.[2] However, it is often used nefariously to depict individuals engaging in sexual acts in which they did not actually engage.[3] It is these sexually explicit depictions that AB-602 seeks to prevent.[4]

Once sexually explicit deepfakes are proliferated online, a person’s reputation becomes irreparably damaged and the person may suffer deep shame, humiliation and emotional damage. Additionally, such proliferation can result in long-lasting economic harm by tainting the depicted person’s professional image to such a degree that he or she becomes unemployable.[5] Thus, AB-602 was introduced to provide victims of such deepfakes with a cause of action that provides sufficient redress. Continue Reading

AB-1790 Seeks to Add Transparency to the Marketplace/Marketplace Seller Relationship

Seeking to increase transparency and, consequently, fairness in the marketplace/marketplace seller commercial relationship, the California State Senate approved AB-1790 Marketplaces: marketplace seller on Sept. 12, 2019. AB-1790 aims to achieve this transparency by imposing certain obligations on a marketplace. These obligations will in turn provide a marketplace seller with more insight into the terms and conditions of its commercial relationship with that marketplace. AB-1790 defines “marketplace” as a physical or electronic place that sells or offers for sale services or personal property for delivery in California and has an agreement with the marketplace seller to make such sales through the marketplace. Commonly known marketplaces include Amazon, eBay, and online destinations of brick-and-mortar stores like Walmart and Target. A “marketplace seller” under AB-1790 is a person residing in California who has an agreement with a marketplace and makes sales through the marketplace. The governor has until Oct. 13, 2019, to sign or veto AB-1790.

Marketplace Requirements

AB-1790 requires a marketplace to ensure that its terms and conditions regarding its commercial relationships with marketplace sellers (1) are plainly and intelligibly drafted; (2) are easily available online for marketplace sellers at all stages of their commercial relationship, including at the relationship’s outset; and (3) identify the dispute resolution process and grounds for terminating the marketplace/marketplace seller commercial relationship.

AB-1790 also requires the marketplace to describe the possibilities and effects of a marketplace seller paying the marketplace to influence search results or otherwise obtain preferential placements within the marketplace. While AB-1790 does not require the marketplace to disclose the price of that ranking or preferential treatment, it must describe how a marketplace seller may obtain a written price. Continue Reading