BakerHostetler Comments on Draft CCPA Regulations

The California attorney general (the AG) has concluded the first round of public comments on the proposed regulations that would serve to interpret and implement California’s sweeping new privacy law, the California Consumer Privacy Act (the CCPA).

Just under two months after the AG released the proposed regulations (the Regs), and following a series of four public hearings across the state in the past week, the final deadline to submit written comments in response to the Regs came and went on Friday, Dec. 6. Now that the first public comment period has ended, the AG will revise the Regs and open another comment period of either 15 or 45 days, depending on the extent of the changes made in response to the first round of comments. In effect, this means that the Regs remain subject to change, even after Jan. 1, 2020.

This public comment period provided interested parties with the opportunity to submit written comments regarding the proposed CCPA Regs (set forth at §§ 999.300-999.341 of Title 11, Division 1, Chapter 20 of the California Code of Regulations). While many of our clients sought to convey their comments through their respective trade organizations, more than a dozen other clients asked us to supplement those efforts with a set of aggregate comments, which we filed and which are available here. A summary of our comments is below.

Safe Harbors

During the press conference on Oct. 10, at which the AG discussed the draft Regs as we reported here, the AG clearly and pointedly stated that he would not be treating the period between the effective date of the CCPA (Jan. 1, 2020) and the date on which the AG can enforce the law (July 1, 2020) as a safe harbor.

  • The period between the effective date of the CCPA (Jan. 1, 2020) and the date on which the AG can enforce the law (July 1, 2020) should be treated as a safe harbor for businesses making good faith efforts to come into compliance by July 1. It is clear that the Regs will not be final prior to Jan. 1, leaving businesses and their advisors in limbo as to consequential aspects of the law. Even for companies that have spent the past year or more preparing for the CCPA, compliance with a law whose implementing rules are not final before its effective date is impossible.
  • A business should have the opportunity to cure if it believes, in good faith, that it has achieved compliance and the AG advises otherwise. The proposed Regs leave many unanswered questions, and the legislative history provides little guidance on how to comply with the law. Many parts of the statute are ambiguous and subject to entirely reasonable but conflicting interpretations. The right to cure provided in the statute (Section 1798.155(b)) should be a real and meaningful right to prospectively cure.

Retail and Other Offline Collection

The Regs place significant, and sometimes impossible, burdens on retail businesses and other businesses that substantially interact with consumers offline.

  • The numerous in-person notices required by the Regs will only confuse consumers. Retail and other businesses that interact with consumers offline are already required under the Regs to post a link to their privacy notice via prominent, in-store signage or printed forms. Rather than providing additional notices, the privacy policy link posted pursuant to other requirements should be sufficient to meet the numerous notice requirements in the Regs. California consumers are already greeted with numerous written notices when entering a retail location (e.g., Prop. 65). Additional notices will only confuse consumers and will not further the purposes of the CCPA.
  • Retail and other offline businesses should not have to accept consumer requests (e.g., requests to delete, to know and to opt out of sale) on paper forms at in-person locations, as the proposed Regs currently require. These businesses should be able to point consumers to the privacy policy, where the information can be found, or to the toll-free number where consumers can exercise these rights. The paper-form requirement not only creates operational headaches for businesses, but also potentially exposes the personal information of requesting consumers to any number of employees at the location where the request was submitted.
  • Businesses should not be required to train retail-level and similar employees on how to field a consumer request, as would be required by the current draft of the Regs. It is not realistic to expect this of businesses, particularly where employees are often part-time or actually employees of a franchisee and not the brand.

Consumer Requests and Verification

Businesses are scrambling to operationalize and develop procedures to respond to consumer requests, and the Regs do not provide a clear picture of how to provide the rights to only California consumers. Moreover, some of the Regs conflict with the amendments to the CCPA that were signed into law a couple of days after the AG released the draft Regs (as we discussed here and here).

  • The Regs should clarify that CCPA rights apply only to California consumers, and that a business may decline to provide CCPA rights where it cannot reasonably verify residency. A close read of the Regs reveals that the focus is more on proving that a consumer is who they say they are, and not that the consumer is, in fact, a California consumer. Moreover, the Regs in multiple contexts do not allow businesses, service providers or third parties to limit the application of the CCPA to only personal information of California consumers.
  • Businesses, service providers and third parties should be able to use IP address, reference to the address on file and other reasonable methods of establishing location to determine a person’s status as a California consumer, including in the context of identity verification.
  • Online-only businesses that have a direct relationship with a consumer should be required only to provide an email address for submitting requests to know. This is consistent with amendments passed in AB 25, which we discussed in detail here.

Service Providers

The Regs put businesses and service providers in a position that will make compliance with the law impossible. As currently written, the Regs would prevent service providers from carrying out routine operational activities.

  • The AG should revise the Regs to state that a service provider retains its status as a service provider so long as the purposes for which it is permitted to process personal information under its contract with the business meet the definition of “business purpose” under the CCPA. The Regs’ proposed bright-line rule on what a service provider can and cannot do is unnecessary and does not reflect the reality of the processing activities carried out by vendors that handle personal information on behalf of their customers.

Loyalty Programs

The Regs impose restrictions on any “financial incentive,” the definition of which hinges on the collection of personal information. Many consumers want to keep their loyalty programs, which are entirely voluntary in nature. As part of a loyalty program, consumers choose to give their information to a company so that it can provide them with certain benefits, including marketing, sometimes from third parties. Loyalty programs by their nature are financial incentives that require personal information, and are prohibited unless the value received by a consumer from the financial incentive is reasonably related to the value to the business of the consumer’s data.

  • The Regs should establish that “[l]oyalty program benefits are reasonably related to the value of a consumer’s data to the business offering the program arising out of the business’ use and disclosure of that personal information as set forth in the program terms, as a condition of ongoing loyalty program participation, if the terms and benefits of the loyalty program, and the scope of the business’ potential use and disclosure of the personal information, and any related waivers of consumer rights under the Title, are clearly stated in the program terms, the consumer affirmatively accepts the program terms and the consumer can prospectively withdraw from the program and upon doing so prospectively regain the consumer’s full rights under the Title regarding that personal information (including right to know, right to delete and opt out).”

With less than a month until the CCPA becomes effective, we will continue to monitor the AG’s rule-making process. If you would like more information on the Regs and what they mean for your organization, contact the authors at kfath@bakerlaw.com and tbloom@bakerlaw.com.

For more information, see our other CCPA blog posts and visit our U.S. Consumer Privacy and the CCPA page.

Record-Keeping and Training Requirements in the Proposed Regulations for the CCPA

The California Consumer Privacy Act (CCPA), California Civil Code §1798.100 and following, does not itself set out specific training and record-keeping requirements for demonstrating that a business has complied with consumer requests. However, in October 2019, the California attorney general proposed regulations intended to guide the application of the CCPA, and Section 999.317 of the proposed Regulations details what additional conduct (such as training) and records are required under the CCPA for consumer requests.

Specifically, the proposed Regulations require that people who handle inquiries related to a business’s privacy practices or CCPA compliance be trained in all aspects of the CCPA, including the proposed Regulations. This expands a narrower requirement in the CCPA itself, which requires these individuals to be informed only of certain applicable portions of the statute. The proposed Regulations also require that the training cover how to explain to consumers the ways they can exercise their CCPA rights (which in turn incorporates the rights set out in the proposed Regulations). To accomplish this, businesses would need to develop, document and comply with a CCPA training policy.

Refine CCPA Compliance Plan with the Regulations in Mind

We previously announced the publication of the first set of proposed regulations that will implement the California Consumer Privacy Act (CCPA), which goes into effect January 1, 2020. Partner Alan Friel has authored an article published by OneTrust DataGuidance that details how the proposed regulations – and a half dozen amendments to the CCPA that recently became law – impact CCPA compliance. A copy of the article is available here. The proposed regulations are available here and an initial statement of reasons that explain the thinking behind the proposed regulations is available here.

The attorney general is currently taking written comments on the proposed regulations until December 6. BakerHostetler is preparing comments to file for specific clients, as well as a set of aggregate comments that reflect our clients’ concerns more generally. If you would like to contribute comments or would like assistance in crafting custom comments, contact the author.


Children’s Privacy Law Updates: Tricks or Treats?

It’s finally here! Halloween, the day every kid dreams of for months. It’s a scary time in the world of children’s privacy law – what with the California Consumer Privacy Act (CCPA) lurking around the corner and the specter of FTC enforcement still lingering in the air. But this year, you’ve planned. You know exactly which houses offer full-size candy bars and where to go to avoid neighborhood bullies.

You approach the first house: old man COPPA. Many of the other kids are afraid of Mr. COPPA, but you know better. With updates on the horizon, there’s never been a better time to visit.

The FTC’s Workshop on the Future of COPPA

On October 7, the Federal Trade Commission (FTC) hosted a workshop to discuss updates to the regulations promulgated under the Children’s Online Privacy Protection Act (COPPA). Broadly speaking, the FTC’s COPPA Rule requires that online services, including mobile apps, provide notice and obtain verifiable parental consent before collecting, using or disclosing personal information from children under age 13.

IAB Releases Draft CCPA Compliance Framework for Digital Advertising Industry

The Interactive Advertising Bureau (IAB) publicly released its draft CCPA Compliance Framework for Publishers and Technology Companies (“Framework”) on Oct. 22, 2019. As we reported here, the Framework is being developed by the IAB and the IAB Tech Lab to address the challenges of the CCPA’s Do Not Sell obligation as it relates to interest-based advertising and related activities.

Along with the draft Framework, the IAB Tech Lab released the Framework’s technical specifications, which are to be used by an organization’s product and engineering teams to technically implement and operationalize the Framework.

The IAB will be accepting public comments on the Framework through Nov. 5, 2019. If you would like more information on the Framework, what it means for your organization or how to file comments, contact the author at kfath@bakerlaw.com.

A Balancing Act: A Brief Overview of California Privacy Laws

The California Consumer Privacy Act (“CCPA”) takes effect on January 1, 2020. The CCPA aims to provide consumers with an unprecedented array of rights concerning the control of their personal information and, correspondingly, imposes an unprecedented array of obligations upon businesses concerning consumers’ personal information.

These obligations are not without limitation, however; the CCPA strives to balance the privacy rights it confers on consumers against the corresponding obligations these rights impose on businesses. For instance, the CCPA requires businesses that collect a consumer’s personal information to inform consumers, at or before the point of collection, of the categories of personal information to be collected and the purposes for which those categories will be used. [Cal. Civ. Code § 1798.100(b)]. A business, however, need not disclose the categories and specific pieces of personal information it has collected about a particular consumer unless and until that consumer makes a verifiable request for the information. [Cal. Civ. Code § 1798.100(a)].

Similarly, the CCPA empowers consumers to direct businesses not to sell their personal information to third parties. [Cal. Civ. Code § 1798.120]. While businesses must not discriminate against consumers for exercising this right, a business may charge a consumer who exercises it a different price or rate if the difference is reasonably related to the value provided to the business by the consumer’s data. [Cal. Civ. Code § 1798.125(a)(2)]. Businesses may also offer financial incentives, including payments to consumers as compensation for the collection of their personal information, provided the consumer gives prior opt-in consent to the incentive program, which the consumer may revoke at any time. [Cal. Civ. Code § 1798.125(b)(3)].

Just When You Thought It Was Safe to Go Back into the Water – CCPA 2, the Sequel

If you’ve been feeling encouraged about your company’s preparation for the California Consumer Privacy Act’s (CCPA) launch on January 1, 2020, you may not want to breathe a sigh of relief just yet. Alastair Mactaggart, the founder and board chair of Californians for Consumer Privacy (one of the coauthors of the CCPA), is hoping that a new initiative that he announced is put on the November 2020 ballot in California. Mactaggart filed the 51-page ballot initiative with the California Attorney General on Sept. 25, 2019, with minor modifications made in an updated filing on Oct. 2, 2019.

Officially titled the California Privacy Rights and Enforcement Act (CPREA), the initiative has gained the moniker “CCPA 2.0” because it would make significant changes to the original version of the CCPA enacted last year. Californians for Consumer Privacy has published an annotated version of the CPREA on its website, explaining many of the proposed changes. By June 2020, 623,212 valid signatures are needed for the initiative to qualify for the ballot. By comparison, the CCPA initiative garnered 629,000 signatures in June 2018.

CCPA Amendments Signed into Law by California Governor

On Friday, October 11, 2019, California’s governor signed into law each of the six CCPA amendment bills passed by the legislature, bringing some finality and clarity to the scope of the CCPA (at least with respect to details that will not be affected by the attorney general’s regulations). In addition to signing into law A.B. 25, A.B. 874, A.B. 1146, A.B. 1202, A.B. 1355 and A.B. 1564, on which we previously reported in detail here, the governor signed into law A.B. 1130, which expands the definition of personal information under California’s data breach notification statute to include passport numbers and other government-issued identification numbers as well as biometric data.

The governor’s signing of these amendments comes on the heels of California’s attorney general releasing draft regulations along with details on a public comment period, which we detail here.

CCPA Regs: “This is the meat on the bones….”

“Data is today’s gold. Everyone is rushing to mine data. Here in California, we are not unfamiliar with gold rushes… [in fact,][w]e are better than Captain Kirk and the Enterprise. We are going [with the CCPA regulations] to where no one has gone before! [A]nd it’s going to be a great series, maybe they will even make a movie about it.” With this lofty introduction, livestreamed on YouTube (see it here) from a press conference in San Francisco at 10:30 a.m. on Oct. 10, California Attorney General Xavier Becerra released advance copies of the much awaited proposed implementing regulations for the California Consumer Privacy Act (CCPA) and announced public hearings on the regs across the Golden State, to take place Dec. 2 through 5. The deadline for written comments is Dec. 6. A second public comment period of either 15 or 45 days will follow the revisions to the draft regulations, depending on the extent of the changes made in response to the first public comment period. The AG’s office will not entertain private meetings, in order to keep the process transparent.

The AG indicated that the time needed to reach final published regulations would likely push enforcement close to the July 1, 2020, deadline set by the legislature in SB 1121 last year. However, he warned businesses that the law itself takes effect Jan. 1, 2020. When asked whether the enforcement delay is a safe harbor, AG Becerra responded with a question of his own: “If someone is murdered and it takes us six months to arrest whoever did it, does that mean that they should go free?” He then answered both questions by saying, “Look, I don’t think so. The law is the law.” This is consistent with comments he has made in the past warning companies not to rely on either the CCPA’s enforcement delay or its 30-day opportunity to cure. Regarding the cure provision of the CCPA, the AG has previously stated that he is not sure how it is possible to cure a violation of a consumer’s rights that has already happened.

California Bill SB-208 Tackles Pervasive Robocalls

On Sept. 11, 2019, the California State Senate approved the Consumer Call Protection Act of 2019, SB-208. The measure seeks to protect consumers from fraudulent robocalls and enact into law provisions that, despite strong support from Federal Communications Commission (FCC) Chairman Ajit Pai, have not been enacted on the federal level.[1] The bill empowers the Public Utilities Commission of California (Commission) to work with the attorney general to enforce the law, and also requires telecommunication providers to authenticate and verify caller identification for calls made using an internet protocol network.

Specifically, the bill directs telecom companies to implement the Secure Telephone Identity Revisited (STIR) and Signature-based Handling of Asserted information using toKENs (SHAKEN) protocols (or comparable technology). Under STIR/SHAKEN, the originating provider attaches a digitally signed “token” to each outbound call that asserts the caller ID and the provider’s level of confidence in it; the terminating provider verifies the token’s signature against the originating provider’s certificate and checks that the token describes the call it has actually received. If verification succeeds, the call is considered authenticated. If it fails, the recipient would be alerted to that fact.
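The sign-then-verify exchange described above, written out as an added example (this is not code from the bill, from BakerHostetler or from any STIR/SHAKEN implementation). It builds a SHAKEN-style PASSporT as a compact ES256-signed JWS, then plays the terminating provider: it checks the signature with the carrier’s public key, rejects stale tokens, and rejects tokens whose signed caller ID does not match the caller ID presented on the call, which is exactly the neighbor-spoofing case. The phone numbers, the origid and the x5u certificate URL are constructed placeholders; no certificate is fetched and the carrier key is generated locally.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Passport holds the SHAKEN claims (RFC 8225 PASSporT plus the RFC 8588
// "attest"/"origid" extension). Struct tags give the JSON names on the wire.
type Passport struct {
	Attest string              `json:"attest"` // A, B or C attestation level
	Dest   map[string][]string `json:"dest"`   // {"tn": ["<called number>"]}
	Iat    int64               `json:"iat"`    // issued-at, Unix seconds
	Orig   map[string]string   `json:"orig"`   // {"tn": "<asserted caller ID>"}
	Origid string              `json:"origid"` // opaque per-call traceback ID
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// Sign is the originating carrier's side: serialise the claims and sign
// header.payload with ES256, yielding the compact JWS carried in the SIP
// Identity header. x5u is where the carrier's certificate would be published.
func Sign(priv *ecdsa.PrivateKey, p Passport, x5u string) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "ppt": "shaken", "typ": "passport", "x5u": x5u})
	body, err := json.Marshal(p)
	if err != nil {
		return "", err
	}
	signingInput := b64(hdr) + "." + b64(body)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 encodes r||s as two fixed 32-byte values
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64(sig), nil
}

// Verify is the terminating carrier's side: check the signature with the
// originating carrier's public key, then check that the signed claims are
// fresh and actually describe the call being delivered.
func Verify(pub *ecdsa.PublicKey, token, callerTN, calleeTN string, now time.Time) (Passport, error) {
	var p Passport
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return p, errors.New("malformed token")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return p, errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return p, errors.New("signature does not verify against carrier key")
	}
	body, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return p, err
	}
	if err := json.Unmarshal(body, &p); err != nil {
		return p, err
	}
	// Replay defence: RFC 8224 suggests rejecting tokens older than about a minute.
	if age := now.Unix() - p.Iat; age < -60 || age > 60 {
		return p, errors.New("token is stale or from the future")
	}
	// Binding: a valid token replayed on a call with a different caller ID or
	// callee is still a spoof, so both numbers must match the signed claims.
	if p.Orig["tn"] != callerTN {
		return p, fmt.Errorf("signed orig %q != presented caller ID %q", p.Orig["tn"], callerTN)
	}
	if tns := p.Dest["tn"]; len(tns) != 1 || tns[0] != calleeTN {
		return p, errors.New("dest claim does not match called number")
	}
	return p, nil
}

// Scenario runs both sides on constructed numbers: one legitimate call, one
// neighbor-spoof replay of the same token, and one token signed by a rogue key.
func Scenario() (legitOK, replayCaught, rogueKeyCaught bool, err error) {
	carrier, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	claims := Passport{Attest: "A", Dest: map[string][]string{"tn": {"12025550123"}},
		Iat: now.Unix(), Orig: map[string]string{"tn": "14155550100"}, Origid: "demo-call-1"}
	token, err := Sign(carrier, claims, "https://cert.example.invalid/carrier.pem")
	if err != nil {
		return false, false, false, err
	}
	_, verr := Verify(&carrier.PublicKey, token, "14155550100", "12025550123", now)
	legitOK = verr == nil
	// Neighbor spoofing: same token, but the INVITE now presents a local-looking caller ID.
	_, verr = Verify(&carrier.PublicKey, token, "12025550199", "12025550123", now)
	replayCaught = verr != nil
	// A scammer signing with their own key: well-formed, but not the carrier's signature.
	rogue, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	forged, _ := Sign(rogue, claims, "https://cert.example.invalid/carrier.pem")
	_, verr = Verify(&carrier.PublicKey, forged, "14155550100", "12025550123", now)
	rogueKeyCaught = verr != nil
	return legitOK, replayCaught, rogueKeyCaught, nil
}

func main() {
	ok, replay, rogue, err := Scenario()
	fmt.Println("legit verified:", ok, "| replay caught:", replay, "| rogue key caught:", rogue, "| err:", err)
}
```

In a real deployment the public key comes from the certificate at the x5u URL, which must itself chain to a certificate authority the industry trusts; the signature check alone is worthless if the verifier accepts any certificate the caller points it at.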

Fraudulent Robocalls a Pervasive Problem, Expected to Worsen

Approximately 5.1 billion robocalls were made in October 2018, according to Irvine tech firm YouMail, with the average American receiving 16 robocalls per month.[2] Such calls accounted for 30% of all calls made in 2018, according to First Orion, provider of caller-ID and call-blocking services for major cell companies.[3] Some states and municipalities are harder hit than others, including California, with people in cities such as Los Angeles receiving nearly 172 million robocalls in October 2018.[4]

Fraudsters typically use a technique called “neighbor spoofing,” in which scammers present a caller ID from the same area code as the consumer in the hope that the recipient will be more likely to believe the call is personally relevant. Common schemes that rely on neighbor spoofing include scammers falsely claiming to be a local utility company threatening penalties for past-due electric bills, or fake IRS calls claiming that the recipient’s taxes are past due.[5]
