Last week, California Attorney General Rob Bonta announced a new enforcement focus on streaming apps’ failure to comply with the California Consumer Privacy Act (CCPA). This investigation will examine whether streaming services are complying with the opt-out requirements for businesses that sell or share consumers’ personal information as required by the CCPA. Specifically, the agency will examine those services that do not offer an easy mechanism for consumers to exercise this opt-out right.

Attorney General Bonta said that he “urge[s] consumers to learn about and exercise their rights under the [CCPA], especially the right to tell these businesses to stop selling their personal information.” He also warned that the agency will be “taking a close look at how these streaming services are complying with requirements that have been in place since 2020.”

Under the CCPA’s right to opt-out, companies that sell or share personal information for targeted advertising purposes are required to provide consumers with the right to opt-out of such sales or sharing. Not only must the opt-out be available, but the ability to exercise the right must be easy and involve minimal steps. The agency provided an example: on your SmartTV, you should be able to enable a “Do Not Sell My Personal Information” setting in a streaming service’s app. Further, you should not have to opt-out on different devices if you are logged into your account once the opt-out request has been submitted. Lastly, a streaming service’s privacy policy should also be easily accessible to the consumer and include details on individual CCPA rights. Letters of non-compliance are forthcoming.

The California Privacy Protection Agency (CPPA) recently met to discuss automated decision-making technology, privacy risk assessments and cybersecurity audits under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). However, the CPPA also decided to step outside the anticipated agenda and discuss additional revisions to the existing regulations. Once again. changes are on the horizon. What kind of changes? Here are the key things that would change under the CCPA for your organization’s online privacy policy:

  • “Meaningful Understanding” of Sources and Sales/Sharing with Third Parties: the draft revisions would add a requirement for privacy policies to provide “meaningful understanding” of the sources that the business uses to collect personal information and the categories of third parties to which the business shares or sells personal information.
  • Clarifying Disclosures to Service Providers and Contractors: the draft revisions would remove an ambiguity related to the definition of a “third party” and require businesses to explicitly identify the categories of personal information disclosed to a service provider or contractor in the last 12 months.
  • Privacy Policy Links for Mobile Applications: the draft revisions would require mobile apps to include a link to their privacy policies in the settings menu of the app. This link would be in addition to the link on the website homepage and the app store download page.

After the CPPA finalizes the draft revisions, the proposed rule changes will be published for a 45-day public comment period. However, the CPPA did not provide an anticipated start date for that comment period yet.

On September 8, 2023, the California Privacy Protection Agency (CPPA) will discuss the two new sets of proposed California Privacy Protection Act (CCPA) regulations. Here is a breakdown of the two new proposed regulations and issues up for discussion:

Auditing Requirements: If a business processes data that poses a “significant risk to consumers’ security” then the business must complete an annual cybersecurity audit using an independent auditing professional and file a statement of compliance with the CPPA. The auditor(s) may be internal but the findings must be reporting to the board. Further, these audits must take into account multifactor authentication, encryption and zero-trust architecture. The CPPA will discuss the “significant risk” standard at its upcoming meeting.

AI and Automated Decision-Making Risk Assessments: If businesses use AI systems to make decisions, it must conduct regular and thorough risk assessments considering potential negative impacts to consumers as a result of using such technology. The negative impacts could range from economic harm to reputational and psychological harm. Businesses that do any of the following would be subject to the CCPA:

  • Selling or sharing personal information
  • Processing sensitive personal information
  • Using automated decision-making technology in furtherance of a decision that results in the provision or denial of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment or contracting opportunities or compensation, healthcare services, or access to essential goods, services, or opportunities
  • Processing the personal information of consumers that the business has actual knowledge are less than 16 years of age
  • Processing the personal information of consumers who are employees, independent contractors, job applicants, or students using technology to monitor employees, independent contractors, job applicants, or students.
  • Processing the personal information of consumers in publicly accessible places using technology to monitor consumers’ behavior, location, movements, or actions.
  • Processing the personal information of consumers to train AI or automated decision-making technology

If your business is subject to the CCPA and it processes data as set forth in the proposed regulations, you should track these changes closely. If your business has not yet assessed its applicability, now is the time to do so. We will monitor these new regulations closely.

Earlier this month, the Commissioner of Data Protection of the Dubai International Financial Centre (DIFC), a financial free-zone in the United Arab Emirates (UAE), issued the first adequacy decision regarding the California Consumer Privacy Act (CCPA), which recognizes the CCPA as an equivalent to the DIFC Data Protection Law (DIFC Law No. 5 of 2020, as amended the DIFC DPL).

This decision allows businesses to transfer data between the DIFC and companies located in California, in accordance with the DIFC DPL, without any additional contractual measures. In the DIFC Commissioner’s public statement about this decision, he said, “The importance of additional safeguards for imported personal data is evidenced by the factors set out in published adequacy protocols as well as the DIFC Ethical Data Management Risk Index (EDMRI) and due diligence tool. In evaluating California’s privacy law and regulations, together with implementation, enforcement, and other holistic factors, it became clear that in large part, California importers will treat personal data from DIFC ethically and fairly.” This decision will also likely serve as precedent for the DIFC to establish a similar relationship with other U.S. states. As of today, there are only 49 establishments and/or locations (countries, jurisdictions, and organizations) subject to an adequacy decision by the DIFC.

The decision comes as a result of an assessment by the DIFC commissioner of the grounds for lawful and fair processing of data under the CCPA, the existence of data protection principles and data subjects’ rights, international and onward data transfer restrictions, measures regarding security of processing, and breach reporting and accountability. To read the full decision, click here.  

However, since the CCPA does not have a provision related to the transfer of personal information outside of California or the U.S., DIFC exporters that send personal information to a California-based importer under the decision would still need to ensure that the onward transfer of such personal information is safeguarded. Additionally, this decision will be reviewed annually by the DIFC Commissioner to ensure that the CCPA’s protections still meet expectations.

The California Attorney General recently announced an initiative to investigate employers’ non-compliance with the California Consumer Privacy Act/California Privacy Rights Act (collectively the CCPA).

At the beginning of this year, the CCPA’s disclosure requirements and consumer rights provisions became applicable to job applicants, employees (and their beneficiaries), and independent contractors. Now, the California AG’s office has started to send out inquiry letters to California employers requesting information about their CCPA compliance. This is a big step forward for enforcement under the CCPA and this initiative focuses on employee data. The initial set of inquiry letters has gone out to large California employers, but this should be a reminder for ALL businesses to confirm they are in compliance with the CCPA if it applies to their business.

Businesses that have implemented CCPA compliance programs should evaluate whether they have met certain requirements, such as:

  • Issuing or updating privacy notices to job applicants and employees, and addressing applicant and HR data;
  • Updating any procedures or policies related to consumer requests to be sure that employees are included, and training HR professionals regarding the handling of those requests;
  • Review and potentially revise data deletion and retention policies given broad access rights for employees and associated compliance costs and risks; and
  • Conducting assessments pertaining to the business’ use of “sensitive personal information” (as defined by the CCPA) to support reliance on exceptions and offering opt-out rights to employees where required.

Note that the CCPA applies to for-profit entities that do business in California and have annual gross revenues over $25 million. If you have not yet assessed the applicability of the CCPA and issued an employee notice of collection, now is the time.

A plan for an enforcement program under the California Consumer Privacy Act (CCPA)/California Privacy Rights Act (CPRA) (collectively CCPA) is on its way from the California Privacy Protection Agency (CPPA). Despite a recent court ruling that the enforcement of some of the amendments under the CPRA cannot begin until March 2024, last week the CPPA revealed three key areas of its enforcement focus. While the CPPA is still in the process of building and hiring the enforcement team, the agency indicated that despite the court ruling it will still begin enforcing the underlying statute and previous regulations this year. The CPPA Deputy Director of Enforcement, Michael Macko, said, “There’s no vacation here from enforcement. When we find violations, we will take aggressive action to protect the public.”

The CPPA will focus its efforts on three areas of enforcement:

  1. privacy notices and policies;
  2. consumers’ right to delete personal information; and
  3. the handling and implementation of consumer requests.

Deputy Director Macko also said, “We expect vigorous enforcement over the coming year, and by March 2024, we would expect to see robust compliance with the entire set of regulations.” The CPPA will be reviewing companies’ privacy policies to see if what they say they are doing matches with what they are actually doing. The agency sees non-compliance with a company’s own privacy policy to likely lead to other issues of non-compliance such as not respecting consumers’ privacy rights. Since the consumer right to delete their data is “well-established” and “long-standing” this will be a focus for enforcement. Another area under scrutiny includes proper notification of a consumers’ right to opt-out of the sale of their data. Deputy Director Macko added in his statement that companies that implement smooth experiences for consumers exercising their rights will more likely be found in compliance.

The CPPA will consider many factors in determining which violations to pursue such as the severity of the harm to consumers, good-faith efforts to comply, and the company’s size and resources. However, incidents that involve children, older adults, marginalized communities, and other vulnerable populations will receive special scrutiny and focus.

One of the ways in which the CPPA will find potential violations will be through its new consumer complaint system. So far, 13 complaints have been submitted via this system. While this statement from the CPPA is certainly helpful guidance for companies struggling with CCPA compliance issues, there are still some unanswered questions. Companies still do not know how fines per number of violations will be calculated or the process for the agency to coordinate with the state attorney general to request an injunction against a business. Next steps for your business: get ready and make sure you are in compliance.

The Office of the California Attorney General recently announced that it will initiate an investigative sweep and will start sending letters to businesses about their mobile apps for failure to comply with the California Consumer Privacy Act (CCPA). There is also a new online tool that allows consumers to directly notify a business of an alleged CCPA violation, so we may see an influx of direct-from-consumer complaints.

The Attorney General’s office will focus its investigation on popular apps in the retail, travel, and food services industries. The goal is to determine whether these apps are complying with consumer opt-out requests and do not sell or share requests under the CCPA. The investigation will also focus on the apps’ failures to process consumer requests submitted through an authorized agent under the CCPA. For example, Consumer Reports’ app, Permission Slip, acts as an authorized agent for consumers to submit requests under the CCPA such as opt-outs and deletion requests.

Attorney General Rob Bonta said in the office’s recent press release, “[B]usinesses must honor Californians’ right to opt out and delete personal information, including when those requests are made through an authorized agent. [The] sweep also focuses on mobile app compliance with the CCPA, particularly given the wide array of sensitive information that these apps can access from our phones and other mobile devices. I urge the tech industry to innovate for good — including developing and adopting user-enabled global privacy controls for mobile operating systems that allow consumers to stop apps from selling their data.” Businesses that are subject to the CCPA – and the newly effective amendments under the California Privacy Rights Act (CPRA) – should continue to update and implement their policies, procedures, and processes to ensure compliance with the requirements of these regulations and to hopefully avoid being caught up in this investigative sweep.

A class action lawsuit, Seirafi et al v. Samsung Electronics America, Inc., Case 4:22-cv-05176-KAW, filed recently in the Northern District of California, alleges that Samsung’s unnecessary personal information collection, and failure to secure that information, violate the California Consumer Privacy Act (CCPA). This lawsuit was inspired by two recent data breaches that allegedly included personal data of American users. The plaintiffs go beyond the facts of the breaches, though, to allege that Samsung should never have collected that information in the first place.

The California Consumer Privacy Act provides: “A business’ collection, use, retention, and sharing of a consumer’s personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes.” According to the plaintiffs, Samsung acted unreasonably by requiring them to register accounts to use smart televisions and other devices. If this theory succeeds, tech companies could find that locking devices behind online registration is more risk than it’s worth.

In the first of its kind under the California Consumer Privacy Act (CCPA), Sephora settled an enforcement action with the California Attorney General for violation of the CCPA. Sephora must pay $1.2 million in penalties and implement a CCPA compliance program. The enforcement action alleged that Sephora permitted third parties to create customer profiles that included details related to the brand of their laptops or concealer and eyeliner to use for targeted advertising without consumer knowledge or consent.  

Sephora must inform customers in California that it sells their personal data, including their location and items in their online shopping cart, and let them opt out of a sale of that information if they choose to do so.

Attorney General Rob Bonta said in the office’s public statement, “I hope today’s settlement sends a strong message to businesses that are still failing to comply with California’s consumer privacy law. . . My office is watching, and we will hold you accountable.” This should be a reminder for companies to determine if the CCPA applies to them and get their processes in place before the AG’s office comes knocking on their door, too.

California Attorney General Rob Bonta is serious about compliance with the California Consumer Privacy Act (CCPA). So serious, that on January 28, 2022, also known as Data Privacy Day, he announced that his office was commencing an investigative “sweep” of “businesses operating loyalty programs in California” and sent notices of noncompliance to businesses requiring them to cure within thirty days.

According to the AG’s press release, “Under the CCPA, businesses that offer financial incentives, such as discounts, free items, or other rewards, in exchange for personal information must provide consumers with a notice of financial incentive. This notice must clearly describe the material terms of the financial incentive program to the consumer before they opt into the program.” Although the AG did not reveal how many letters were issued, he did say that letters were sent “to major corporations in the retail, home improvement, travel, and food services industries.”

The timing of the issuance of the letters appears to be no coincidence. The AG stated, “On Data Privacy Day, we’re issuing notices to business that operate loyalty programs and use personal information in violation of California’s data privacy law. I urge all businesses in California to take note and be transparent about how you’re using your customer’s data. My office continues to fight to protect consumer privacy, and we will enforce the law.”

Warnings from a regulator are words to follow closely. If you offer a loyalty program, these words from the enforcer of the CCPA are clear and strong. If you haven’t implemented a CCPA compliance program, there is no better time than now.