BakerHostetler Comments on Draft CCPA Regulations

The California attorney general (the AG) has concluded the first round of public comments on the proposed regulations that would serve to interpret and implement California’s sweeping new privacy law, the California Consumer Privacy Act (the CCPA).

After just under two months since the release of the proposed regulations (the Regs) by the AG and a series of four public hearings across the state in the past week, the final deadline to submit written comments in response to the Regs came and went on Friday, Dec. 6. Now that the first public comment period has ended, there will be revisions to the Regs followed by another wait period, which can be either 15 or 45 days, depending on the extent of changes in response to the first public comment period. In effect, this means that the Regs are subject to further changes, even post-Jan. 1, 2020.

This public comment period provided interested parties with the opportunity to submit written comments regarding the proposed CCPA Regs (set forth at §§ 999.300-999.341 of Title 11, Division 1, Chapter 20 of the California Code of Regulations). While many of our clients sought to convey their comments through their respective trade organizations, more than a dozen other clients asked us to supplement those efforts with a set of aggregate comments, which we filed and which are available here. A summary of our comments is below. Continue Reading

Record-Keeping and Training Requirements in the Proposed Regulations for the CCPA

The California Consumer Privacy Act (CCPA), California Civil Code §1798.100 and following, does not in itself outline specific training and record-keeping requirements that demonstrate business compliance with consumer requests. However, in October 2019, the California attorney general proposed additional CCPA Regulations intended to guide the application of the CCPA, and Section 999.317 of the proposed Regulations aims to detail what additional behaviors (such as training) and records are required under the CCPA for consumer requests.

Specifically, the proposed Regulations require that people who handle inquiries related to a business’s privacy practice or CCPA compliance be trained in all aspects of the CCPA, including the proposed Regulations. This expands a lesser requirement in the CCPA that originally required these individuals to understand only certain applicable portions of the CCPA. The proposed Regulations also require training that includes explanations to consumers of how they can exercise their CCPA rights (which would in turn incorporate the rights in the proposed Regulations). To accomplish this, businesses would therefore be required to develop, document and comply with a CCPA training policy. Continue Reading

Refine CCPA Compliance Plan with the Regulations in Mind

We previously announced the publication of the first set of proposed regulations that will implement the California Consumer Privacy Act (CCPA), which goes into effect January 1, 2020. Partner Alan Friel has authored an article published by OneTrust DataGuidance that details how the proposed regulations – and a half dozen amendments to the CCPA that recently became law – impact CCPA compliance. A copy of the article is available here. The proposed regulations are available here and an initial statement of reasons that explain the thinking behind the proposed regulations is available here.

The attorney general is currently taking written comments on the proposed regulations until December 6. BakerHostetler is preparing comments to file for specific clients, as well as a set of aggregate comments that reflect our clients’ concerns more generally. If you would like to contribute comments or would like assistance in crafting custom comments, contact the author.


Children’s Privacy Law Updates: Tricks or Treats?

It’s finally here! Halloween, the day every kid dreams of for months. It’s a scary time in the world of children’s privacy law – what with the California Consumer Privacy Act (CCPA) lurking around the corner and the specter of FTC enforcement still lingering in the air. But this year, you’ve planned. You know exactly which houses offer full-size candy bars and where to go to avoid neighborhood bullies.

You approach the first house: old man COPPA. Many of the other kids are afraid of Mr. COPPA, but you know better. With updates on the horizon, there’s never been a better time to visit.

The FTC’s Workshop on the Future of COPPA

On October 7, the Federal Trade Commission (FTC) hosted a workshop to discuss updates to the regulations promulgated under the Children’s Online Privacy Protection Act (COPPA). Broadly speaking, the FTC’s COPPA Rule requires that web services, including mobile apps, provide notice and obtain parental consent to collect, use, or disclose personal information from children under age 13. Continue Reading

IAB Releases Draft CCPA Compliance Framework for Digital Advertising Industry

The Interactive Advertising Bureau (IAB) publicly released its draft CCPA Compliance Framework for Publishers and Technology Companies (“Framework”) on Oct. 22, 2019. As we reported here, the Framework is being developed by the IAB and the IAB Tech Lab to address the challenges of the CCPA’s Do Not Sell obligation as it relates to interest-based advertising and related activities.

Along with the draft Framework, the IAB Tech Lab released the Framework’s technical specifications, which are to be used by an organization’s product and engineering teams to technically implement and operationalize the Framework.

The IAB will be accepting public comments on the Framework through Nov. 5, 2019. If you would like more information on the Framework, what it means for your organization or how to file comments, contact the author at

A Balancing Act: A Brief Overview of California Privacy Laws

The California Consumer Privacy Act (“CCPA”) takes effect on January 1, 2020. The CCPA aims to provide consumers with an unprecedented array of rights concerning the control of their personal information and, correspondingly, imposes an unprecedented array of obligations upon businesses concerning consumers’ personal information.

These obligations are not without limitation, however; the CCPA strives to balance the privacy rights it confers onto consumers and the corresponding obligations these rights impose upon businesses. For instance, the CCPA requires businesses that collect a consumer’s personal information to — at or before the point of collection — inform consumers of the categories of personal information to be collected and the purposes for which the categories shall be used. [Cal. Civ. Code § 1798.100(b)]. A business, however, need not disclose the categories and specific pieces of personal information it has collected unless and until a consumer makes a verifiable request for that information. [Cal. Civ. Code § 1798.100(a)].

Similarly, the CCPA empowers consumers to direct businesses not to sell their personal information to third parties. [Cal. Civ. Code § 1798.120]. While businesses must not discriminate against consumers for exercising this right, businesses may charge consumers that do exercise it differently, if that difference reasonably relates to the value provided by those consumers’ data. [Cal. Civ. Code § 1798.125(a)(2)]. Businesses may also offer financial incentives, including payments to consumers as compensation for the collection of personal information, if the consumer provides prior opt-in consent to allow his or her information to be sold to third parties. [Cal. Civ. Code § 1798.125(b)(3)]. Continue Reading

Just When You Thought It Was Safe to Go Back into the Water – CCPA 2, the Sequel

If you’ve been feeling encouraged about your company’s preparation for the California Consumer Privacy Act’s (CCPA) launch on January 1, 2020, you may not want to breathe a sigh of relief just yet. Alastair Mactaggart, the founder and board chair of Californians for Consumer Privacy (one of the coauthors of the CCPA), is hoping that a new initiative that he announced is put on the November 2020 ballot in California. Mactaggart filed the 51-page ballot initiative with the California Attorney General on Sept. 25, 2019, with minor modifications made in an updated filing on Oct. 2, 2019.

Officially titled the California Privacy Rights and Enforcement Act (CPREA), the initiative has gained the moniker “CCPA 2.0” because it would make significant changes to the original version of the CCPA enacted last year. Californians for Consumer Privacy has published an annotated version of the CPREA on its website, explaining many of the proposed changes. By June 2020, 623,212 signatures are needed in order for the initiative to qualify for the ballot. By comparison, the CCPA garnered 629,000 signatures in June of 2018. Continue Reading

CCPA Amendments Signed into Law by California Governor

On Friday, October 11, 2019, California’s governor signed into law each of the six CCPA amendment bills passed by the legislature, bringing some finality and clarity to the scope of the CCPA (at least with respect to details which will not be affected by the attorney general’s regulations). In addition to signing into law A.B. 25A.B. 874AB 1146A.B. 1202A.B. 1355 and A.B. 1564, on which we previously reported in detail here, the governor signed into law A.B. 1130, which expands the definition of personal information under California’s data breach statute to include passports and biometric information.

The governor’s signing of these amendments comes on the heels of California’s attorney general releasing draft regulations along with details on a public comment period, which we detail here.

CCPA Regs: “This is the meat on the bones….”

“Data is today’s gold. Everyone is rushing to mine data. Here in California, we are not unfamiliar with gold rushes… [in fact,][w]e are better than Captain Kirk and the Enterprise. We are going [with the CCPA regulations] to where no one has gone before! [A]nd it’s going to be a great series, maybe they will even make a movie about it.” With this lofty introduction, livestreamed on YouTube (see it at here) from a press conference in San Francisco at 10:30 a.m. on Oct. 10, California Attorney General Xavier Becerra released advance copies of the much awaited proposed implementation regulations to the California Consumer Privacy Protection Act (CCPA) and announced public hearings on the regs across the Golden State, to take place Dec. 2 through 5. The deadline for written comments is Dec. 6. There will be a second public comment period following revisions to the draft regulations of either 15 or 45 days depending on the extent of changes in response to the first public comment period. The AG’s office will not entertain private meetings, in order to further a transparent process.

The AG indicated that the time for getting to final published regulations would likely result in an enforcement delay to close to the July 1, 2020, deadline set by the legislature in AB 1121 last year. However, he warned businesses that the law goes into effect Jan. 1, 2020. When asked whether the enforcement delay is a safe harbor, AG Becerra responded with a question of his own: “If someone is murdered and it takes us six months to arrest whoever did it, does that mean that they should go free?” He then answered both questions by saying, “Look, I don’t think so. The law is the law.” This is consistent with comments he has made in the past warning companies not to rely on either the enforcement delay of the CCPA’s notice or the 30-day opportunity to cure. Regarding the cure provision of the CCPA, the AG has previously stated that he is not sure how it is possible to cure a violation of a consumer’s rights that has already happened. Continue Reading

California Bill SB-208 Tackles Pervasive Robocalls

On Sept. 11, 2019, the California State Senate approved the Consumer Call Protection Act of 2019, SB-208. The measure seeks to protect consumers from fraudulent robocalls and enact into law provisions that, despite strong support from Federal Communications Commission (FCC) Chairman Ajit Pai, have not been enacted on the federal level.[1] The bill empowers the Public Utilities Commission of California (Commission) to work with the attorney general to enforce the law, and also requires telecommunication providers to authenticate and verify caller identification for calls made using an internet protocol network.

Specifically, the bill dictates that telecom companies implement Secure Telephony Identity Revisited (STIR) and Secure Handling of Asserted information toKENs (SHAKEN) protocols (or comparable technology) that require outbound calls to be issued with a digital “token” that can be verified when received by the call recipient. If the tokens match, then the call is considered authenticated. If the tokens do not match, the recipient would be alerted to that fact.

Fraudulent Robocalls a Pervasive Problem, Expected to Worsen

Approximately 5.1 billion robocalls were made in October 2018, according to Irvine tech firm YouMail, with the average American receiving 16 robocalls per month.[2] Such calls accounted for 30% of all calls made in 2018, according to First Orion, provider of caller-ID and call-blocking services for major cell companies.[3] Some states and municipalities are harder hit than others, including California, with people in cities such as Los Angeles receiving nearly 172 million robocalls in October 2018.[4]

Fraudsters typically utilize a technique called “neighbor spoofing,” where scammers pretend to be from the same area code as the consumer in the hopes the recipient will be more likely to believe the call is personally relevant. Common schemes that utilize neighbor spoofing include scammers falsely claiming to be a local utility company threatening to levy penalties for past due electric bills or fake IRS calls claiming that the recipient’s taxes are past due.[5] Continue Reading