CCPA Amendments Signed into Law by California Governor

On Friday, October 11, 2019, California’s governor signed into law each of the six CCPA amendment bills passed by the legislature, bringing some finality and clarity to the scope of the CCPA (at least with respect to details which will not be affected by the attorney general’s regulations). In addition to signing into law A.B. 25, A.B. 874, AB 1146, A.B. 1202, A.B. 1355 and A.B. 1564, on which we previously reported in detail here, the governor signed into law A.B. 1130, which expands the definition of personal information under California’s data breach statute to include passports and biometric information.

The governor’s signing of these amendments comes on the heels of California’s attorney general releasing draft regulations along with details on a public comment period, which we detail here.

CCPA Regs: “This is the meat on the bones….”

“Data is today’s gold. Everyone is rushing to mine data. Here in California, we are not unfamiliar with gold rushes… [in fact,][w]e are better than Captain Kirk and the Enterprise. We are going [with the CCPA regulations] to where no one has gone before! [A]nd it’s going to be a great series, maybe they will even make a movie about it.” With this lofty introduction, livestreamed on YouTube (see it here) from a press conference in San Francisco at 10:30 a.m. on Oct. 10, California Attorney General Xavier Becerra released advance copies of the much-awaited proposed implementation regulations to the California Consumer Privacy Protection Act (CCPA) and announced public hearings on the regs across the Golden State, to take place Dec. 2 through 5. The deadline for written comments is Dec. 6. There will be a second public comment period following revisions to the draft regulations of either 15 or 45 days depending on the extent of changes in response to the first public comment period. The AG’s office will not entertain private meetings, in order to further a transparent process.

The AG indicated that the time for getting to final published regulations would likely result in an enforcement delay to close to the July 1, 2020, deadline set by the legislature in AB 1121 last year. However, he warned businesses that the law goes into effect Jan. 1, 2020. When asked whether the enforcement delay is a safe harbor, AG Becerra responded with a question of his own: “If someone is murdered and it takes us six months to arrest whoever did it, does that mean that they should go free?” He then answered both questions by saying, “Look, I don’t think so. The law is the law.” This is consistent with comments he has made in the past warning companies not to rely on either the enforcement delay of the CCPA’s notice or the 30-day opportunity to cure. Regarding the cure provision of the CCPA, the AG has previously stated that he is not sure how it is possible to cure a violation of a consumer’s rights that has already happened.

The draft regulations, which number 24 pages, provide more detail on what notices are required to be given to consumers and how notice is delivered (Article 20); how to handle consumer rights requests (Article 3); requirements for verification of consumers making requests (Article 4); special rules for minors (Article 5); and standards for applying the CCPA’s nondiscrimination mandate (Article 6). Also of interest to covered businesses, the Office of the AG issued 47 pages of guidance and explanation titled “Initial Statement of Reasons.” Researchers and trade groups will find the accompanying 48-page economic impact report of interest.

And while we’re on the topic of Star Trek quotes, I leave you with some of my favorites:

  • “Highly illogical.” – Spock
  • “Make it so.” – Capt. Picard
  • “Nuclear wessels.” – Mr. Chekov
  • “Resistance is futile.” – Robotic alien in Star Trek TNG “Best of Both Worlds” episode 1
  • “Change is the essential process of all existence.” – Spock

And I’ll leave you with this: “There is a way out of every box, a solution to every puzzle; it’s just a matter of finding it.” – Capt. Jean-Luc Picard

The U.S. Consumer Privacy Compliance Team at BakerHostetler can help you address your CCPA quandaries and come to see that “things are only impossible until they’re not.” (Capt. Jean-Luc Picard). Venture forward, and “live long and prosper!”

The draft regulations and related filings, which will be officially filed Oct. 11, 2019, are here:

Notice of Proposed Rulemaking Action (NOPA), pdf

Text of Proposed Regulations, pdf

Initial Statement of Reasons (ISOR), includes Appendices A, B, pdf

STD 399 – Economic and Fiscal Impact Statement, pdf

STD 400 (Part A), pdf

See also for more information on the CCPA rulemaking process and how to participate and receive alerts.

If you would like more information on the proposed rules, what they mean and how to file comments, contact the author at

California Bill SB-208 Tackles Pervasive Robocalls

On Sept. 11, 2019, the California State Senate approved the Consumer Call Protection Act of 2019, SB-208. The measure seeks to protect consumers from fraudulent robocalls and enact into law provisions that, despite strong support from Federal Communications Commission (FCC) Chairman Ajit Pai, have not been enacted on the federal level.[1] The bill empowers the Public Utilities Commission of California (Commission) to work with the attorney general to enforce the law, and also requires telecommunication providers to authenticate and verify caller identification for calls made using an internet protocol network.

Specifically, the bill dictates that telecom companies implement Secure Telephony Identity Revisited (STIR) and Secure Handling of Asserted information toKENs (SHAKEN) protocols (or comparable technology) that require outbound calls to be issued with a digital “token” that can be verified when received by the call recipient. If the tokens match, then the call is considered authenticated. If the tokens do not match, the recipient would be alerted to that fact.

Fraudulent Robocalls a Pervasive Problem, Expected to Worsen

Approximately 5.1 billion robocalls were made in October 2018, according to Irvine tech firm YouMail, with the average American receiving 16 robocalls per month.[2] Such calls accounted for 30% of all calls made in 2018, according to First Orion, provider of caller-ID and call-blocking services for major cell companies.[3] Some states and municipalities are harder hit than others, including California, with people in cities such as Los Angeles receiving nearly 172 million robocalls in October 2018.[4]

Fraudsters typically utilize a technique called “neighbor spoofing,” where scammers pretend to be from the same area code as the consumer in the hopes the recipient will be more likely to believe the call is personally relevant. Common schemes that utilize neighbor spoofing include scammers falsely claiming to be a local utility company threatening to levy penalties for past due electric bills or fake IRS calls claiming that the recipient’s taxes are past due.[5]

If Signed by Governor, California Bill AB-602 Will Provide Private Right of Action for Victims of Sexually Explicit ‘Deepfakes’

AB-602, passed by the California State Senate on September 12, 2019, will, if approved by the governor, create a private right of action against persons who create or disclose another’s sexually explicit content through use of “deepfake” technology. Specifically, the cause of action may be brought against a person who creates and intentionally discloses sexually explicit material where the person knows, or reasonably should know, that such creation or disclosure was not consented to by the depicted individual, or where such person did not create but intentionally discloses such material knowing that the depicted individual did not consent to its creation.

Sponsors of the bill envision it applying in two distinct scenarios: (1) where a person’s face is superimposed on another’s body in such a way as to suggest that person is engaging in a sexually explicit way, and (2) where a mainstream filmmaker digitally alters a scene to make it look as though the actor engaged in sexually explicit activity when, in fact, he or she did not.

Issues AB-602 Seeks to Resolve

Deepfake (a portmanteau of deep learning and fake)[1] is used for many purposes, including political commentary and parody.[2] However, it is often used nefariously to depict individuals engaging in sexual acts in which they did not actually engage.[3] It is these sexually explicit depictions that AB-602 seeks to prevent.[4]

Once sexually explicit deepfakes are proliferated online, a person’s reputation becomes irreparably damaged and the person may suffer deep shame, humiliation and emotional damage. Additionally, such proliferation can result in long-lasting economic harm by tainting the depicted person’s professional image to such a degree that he or she becomes unemployable.[5] Thus, AB-602 was introduced to provide victims of such deepfakes with a cause of action that provides sufficient redress.

AB-1790 Seeks to Add Transparency to the Marketplace/Marketplace Seller Relationship

Seeking to increase transparency and, consequently, fairness in the marketplace/marketplace seller commercial relationship, the California State Senate approved AB-1790 Marketplaces: marketplace seller on Sept. 12, 2019. AB-1790 aims to achieve this transparency by imposing certain obligations on a marketplace. These obligations will in turn provide a marketplace seller with more insight into the terms and conditions of its commercial relationship with that marketplace. AB-1790 defines “marketplace” as a physical or electronic place that sells or offers for sale services or personal property for delivery in California and has an agreement with the marketplace seller to make such sales through the marketplace. Commonly known marketplaces include Amazon, eBay, and online destinations of brick-and-mortar stores like Walmart and Target. A “marketplace seller” under AB-1790 is a person residing in California who has an agreement with a marketplace and makes sales through the marketplace. The governor has until Oct. 13, 2019, to sign or veto AB-1790.

Marketplace Requirements

AB-1790 requires a marketplace to ensure that its terms and conditions regarding its commercial relationships with marketplace sellers (1) are plainly and intelligibly drafted; (2) are easily available online for marketplace sellers at all stages of their commercial relationship, including at the relationship’s outset; and (3) identify the dispute resolution process and grounds for terminating the marketplace/marketplace seller commercial relationship.

AB-1790 also requires the marketplace to describe the possibilities and effects of a marketplace seller paying the marketplace to influence search results or otherwise obtain preferential placements within the marketplace. While AB-1790 does not require the marketplace to disclose the price of that ranking or preferential treatment, it must describe how a marketplace seller may obtain a written price.

AB-1130 Expands the Definition of Personal Information for Data Breaches

In what appears to be a yearly tradition, the California State Senate has again amended its Data Breach Notification Law. [Civ. Code § 1798.29.] On Sept. 11, 2019, the California State Senate voted in favor of AB-1130 Personal information: data breaches, which expands the existing definition of “personal information” under California’s Data Breach Notification Law. Assuming the governor signs AB-1130 before the Oct. 13, 2019 deadline, personal information under California’s Data Breach Notification Law will now include (1) unique biometric data, and (2) government-issued identification numbers, such as passport numbers.

Closing a Gap

AB-1130 seeks to close openings within California’s Data Breach Notification Law. The current law requires any agency, person, or business that owns or licenses computerized data that includes personal information to disclose a breach of the security of the system to any California resident whose unencrypted personal information was or is reasonably believed to have been acquired by an unauthorized person. [Civ. Code. §§ 1798.29(a), (c); 1798.82(a), (c).] The current definition of “personal information” does not extend to passport numbers or unique biometric data, a gap that was highlighted in the wake of several high-profile data breaches.

IAB Previews Solution for Interest-Based Advertising and CCPA ‘Do Not Sell’ Right

On September 17, 2019, numerous stakeholders in the digital advertising industry, including publishers, advertisers/brands, AdTech companies, and law firms (including numerous representatives from BakerHostetler) convened at the Interactive Advertising Bureau’s (IAB) headquarters in New York for a preview of its CCPA Industry Compliance Framework.

Throughout the course of 2019, IAB has solicited input from a broad swath of digital advertising industry stakeholders to develop the industry’s approach to addressing consumer Do Not Sell requests arising out of the multiparty, downstream sharing of consumer behavioral data to effectuate interest-based advertising. IAB’s efforts began by addressing what level of industry cooperation is required in ad buying transactions to cause compliance with the CCPA, and developing policy parameters around a technical solution to pass “signals” relating to the sale of personal information (or restrictions thereof).

The downstream sharing of this behavioral data involved in digital advertising is implicated by Section 1798.115(d) of the CCPA, which requires that a third party cannot onward sell (i.e., sell data that has been sold to it) unless the consumer has received explicit notice and is provided the opportunity to opt-out pursuant to Section 1798.120. In short, the IAB framework addresses the fact that various participants in the interest-based advertising ecosystem must onward sell personal information, but do not have the ability to obtain the explicit notice required by .115(b), which is only afforded to website and mobile application publishers (a website operator with advertising on its site or app).

CCPA Exceptions: What Qualifies as Activity ‘Wholly Outside’ of California?

Much has been said about the scope of the California Consumer Privacy Act (CCPA) and the far-reaching implications the law will have on businesses throughout the United States. Although it is true that the territorial reach of the law is broad, it is not without limits. The CCPA explicitly includes a geographic exception that may be important in determining the applicability of the law to personal information processed by businesses that do not have a physical presence (including employees) in California.

CCPA Section 1798.145(a)(6) states that the obligations imposed by the law “shall not restrict a business’s ability to … [c]ollect or sell a consumer’s personal information if every aspect of that commercial conduct takes place wholly outside of California.” The statute provides that commercial conduct will be considered “wholly outside of California” where:

  1. The business collects information while the consumer is outside of California;
  2. No part of the sale of the consumer’s “personal information” occurs in California; and
  3. No “personal information” collected while the consumer is in California is sold.

The exception includes a provision to prevent a potential “traveling Californian” loophole: Businesses may not store personal information about a California resident while the consumer is in California (such as on their mobile device), and then later “collect” that personal information when the consumer and stored personal information are outside of California.

CCPA Amendments – Where They Stand Today

A little more than 100 days prior to the effective date of the California Consumer Privacy Act (CCPA), six amendments (A.B. 25, A.B. 874, AB 1146, A.B. 1202, A.B. 1355 and A.B. 1564) to the act were approved by California lawmakers at the close of the legislative session, which ended on Friday, Sept. 13. The governor must sign or veto these bills by Oct. 13. Most notably, if they become law, the bills would delay implementation of most of the CCPA’s data subject rights to human resources data and business-to-business transaction communications data for one year. A bill that would have clarified that certain data collection and use in connection with loyalty programs was permissible (A.B. 846) was pulled by the author, but may be brought back up in the next legislative session if the regulations implementing the act, a first draft of which is expected from the California Attorney General’s (Cal AG) office in late September or early October, do not address the issue. The proposed amendments also would require a business that collects and sells consumer personal information (PI), but does not have a direct relationship with those consumers, to register with the state as a data broker. In addition, the bills address the scope of personal information that is covered by the act, the meaning of certain consumer rights and how those rights are to be administered, and what training is required of personnel that will handle privacy inquiries and requests.

Data Broker Registry

AB 1202 would require “businesses” that knowingly collect and sell consumer personal information, that lack a direct relationship with those consumers, to register with the Cal AG, whose office would then publish the names and contact information of the registrants on the Cal AG’s website. A prior version of the bill would have also required data brokers to give consumers certain precollection notice of the categories of personal information collected and the purposes for the collection, which could have been satisfied by posting such notice on the data broker’s website, but those provisions were struck prior to passage. The intent of the law is to give consumers a way to identify businesses that may be collecting and selling their information, and that they may not otherwise know how to contact, so they can determine whether those businesses have collected their personal information and exercise their do-not-sell and other consumer privacy rights (e.g., to obtain a copy of the personal information and/or request its deletion).

Just How Far Does California’s New IoT Security Law Reach?

On January 1, 2020, California’s new Internet of Things (IoT) Security Law goes into effect. The law is the first IoT-specific security law in the United States and, simply put, requires all IoT devices sold in California to be equipped with reasonable security measures.

There has been a significant amount of discussion regarding exactly what types of devices are covered by the new regulations and what “reasonable security measures” entail.

Who is covered?

Any “manufacturers” of connected devices that sell their products in California will be required to incorporate reasonable security features into their devices. It does not matter where the product is made. It is also important to note that “manufacturers” include not only those companies that perform the manufacturing themselves, but also companies that “contract with” others to manufacture devices on their behalf. The law does contain several exclusions, including security vulnerabilities caused by user installation of third-party software and devices already regulated by certain healthcare statutes. However, since the interconnectivity of third-party software may be the source of a security breach, the question arises whether to consider how a covered device interacts with such third-party software.