This is the time of year for thought pieces reflecting on the past year or so to speculate on the hot topics for next year. I began to wonder about California Consumer Privacy Act (CCPA) enforcement actions over the past year as this was something that we speculated about not that long ago. The California Attorney General’s office has been busy and has even posted a list on its website of 27 examples of recent California Consumer Privacy Act enforcement actions.

The most common violation on the list is that a company’s privacy policy was non-compliant with CCPA requirements. Of the 27 cases cited, at least 16 had some form of privacy policy violation. Some of the privacy policies failed to provide consumers with the required CCPA rights, failed to state whether the company sold personal information, or failed to provide a method for consumers to submit requests about their data. Other violations included failure to provide notice to consumers of opt-out processes and the failure to include a “Do Not Sell My Personal Information” link. One company even tried to charge consumers for making CCPA requests.

All the cases cited appear to have begun with consumer complaints that resulted in a notice of alleged non-compliance. That notice provided the companies the opportunity to correct their deficiencies. In one privacy policy violation, the company updated its privacy policy in response to a complaint that it failed to provide notice of the required CCPA consumer rights and also failed to state whether it had sold personal information within the past 12 months. The company updated its privacy policy, however it was “not easy to read or understandable to the average consumer, e.g. contained unnecessary legal jargon.” The company received a second notice of non-compliance and then revised its privacy policy accordingly.

Enforcement actions will no doubt continue in 2022, but the lesson learned from 2021 is that for companies that must comply with CCPA, having a CCPA-compliant privacy policy will be a great way to start the new year.

Blackbaud, which suffered a data breach of its customers’ data in a ransomware attack in 2020, in which it admitted paying the ransom in a double extortion attack [view related posts], is facing multiple class action cases following the attack. The cases have been consolidated in multi-district litigation and now comprise 29 cases.

The federal judge overseeing the cases has refused to dismiss all of the claims that the plaintiffs alleged against Blackbaud, and ruled that Blackbaud must face claims of violation of the California Consumer Privacy Act (CCPA), deceptive and unfair trade practice allegations made by Florida and New York plaintiffs, and a separate claim by a California plaintiff alleging the compromise of medical information.

The judge declared that the plaintiffs had sufficiently alleged that Blackbaud was a “business” as that term is defined in CCPA partly because Blackbaud was a registered data broker in the state of California.

The judge did dismiss several state statutory claims that had been made by the plaintiffs. We will continue to watch this case and Blackbaud’s defenses to the CCPA claims.

The California Attorney General recently approved modified regulations under the California Consumer Privacy Act (CCPA). One part of the modified regulations bans “dark patterns” on a website. What are dark patterns? Public comments to the proposed regulations describe dark patterns as deliberate attempts to subvert or impair a consumer’s choice to opt-out on a website. Dark patterns could be used on a website to confuse or distract a consumer into granting knowing consent instead of choosing the opt-out option.

The modified regulations therefore ban the use of dark patterns that:

  • Use an opt-out request process that requires more steps than the process for a consumer to opt back into the sale of personal information after previously opting out;
  • Use confusing language (e.g., double-negatives, “Don’t Not Sell My Personal Information”);
  • Require consumers to click through or listen to unnecessary reasons why they should not submit a request to opt-out before confirming their request;
  • Require a consumer to provide personal information that is unnecessary to implement an opt-out request; or
  • Require a consumer to search or scroll through the text of a website or privacy policy to submit the opt-out request after clicking the “Do Not Sell My Personal Information” link (but before actually choosing the option).

If your website uses any such dark patterns you may wish to revise those mechanisms and implement clearer, more transparent methods for your website’s users to opt-out.

Gardiner v. Walmart provided some guidance as to the specificity required to state a claim under the California Consumer Privacy Act (CCPA) and the types of damages that may be recoverable for breaches of California consumer data. On July 10, 2020, Lavarious Gardiner filed a proposed class action against Walmart, alleging that unauthorized individuals accessed his personal information through Walmart’s website. Although Walmart never disclosed the alleged breach or provided any formal notification to consumers (and maintains that no breach occurred), Gardiner claimed that he discovered his personal information on the dark web and was told by hackers that the information came from his Walmart online account. He also claims that by using cybersecurity scan software he discovered many vulnerabilities on Walmart’s website.

Gardiner claimed Walmart violated the CCPA and California’s Unfair Competition Law. In response, Walmart filed a motion to dismiss, which was granted on March 5, 2021 (of note – with leave to amend). While Gardiner has now amended his complaint, the court’s ruling on Walmart’s motion to dismiss addresses some important points related to data breach class actions, including:

  • The compliant MUST state when the alleged breach occurred. Gardiner had only alleged that his information was on the dark web, not when the breach actually occurred. The court also stated that for purposes of a CCPA claim, the relevant conduct is the actual data breach resulting from a “failure to implement and maintain reasonable security procedures and practices.” This means that the breach must have occurred on or after January 1, 2020, the effective date of the CCPA.
  • The complaint must sufficiently allege disclosure of personal information. Gardiner had only alleged that his credit card number was disclosed, but had not alleged that his 3-digit access code was affected.
  • Plaintiff’s damages arising from a data breach MUST not be speculative -this is common across courts that dismiss class action data breach suits. Here, Gardiner had not alleged that he incurred any fraudulent charges or suffered any identity theft or other harm.

The court also dismissed Gardiner’s unfair competition claims that were based on a benefit of the bargain theory.

The court also addressed the disclaimers in Walmart’s privacy policy.; Walmart argued that Gardiner’s contract-based claims were barred by the its website Terms of Use, which included a warranty disclaimer and limitation of liability for data breaches. The court said that the limitation of liability was clear and emphasized with capitalization, which put Gardiner on notice of its contents. This is an important part of the decision for ANY company with online presence -a company’s website Privacy Policy and Terms of Use could be the final line of defense.

Gardiner has since his complaint. Whether the amendments will avoid another motion to dismiss is unknown. Still, this decision provides valuable insight for claims made under the CCPA and important lessons about website Privacy Policies and Terms of Use.

California Attorney General Xavier Becerra announced this week that the Office of Administrative Law approved additional California Consumer Privacy Act (CCPA) regulations, which became effective March 15, 2021.

The additional changes to the regulations primarily affect businesses that sell the personal information of California residents. The changes include a uniform Opt-Out Icon for the purpose of promoting consumer awareness of the right to opt-out of the sale of personal information, guidance to businesses regarding opt-out requests, including what not to do, and changes regarding the proof that a business may require for authorized agents and consumer verifications.

New sections of the regulations include a requirement that a business that sells personal information it collects from consumers offline shall also inform consumers by an offline method of their right to opt-out and provide instructions on how to submit a request to opt-out. The new regulations state that the Opt-Out Icon may be used in addition to posting the notice of the right to opt-out, but not in lieu of any requirement to post the notice of right to opt-out or a “Do Not Sell My Personal Information” link. (A link to download the Opt-Out Icon can be found here.)

With respect to authorized agents, a business may require that the consumer authorized agent provide proof that the consumer gave the agent signed permission to submit the request. The business may also require the consumer to do either of the following: (1) verify their own identity directly with the business or (2) directly confirm with the business that it provided the authorized agent permission to submit the request.

Other new sections of the regulations state that a business’s methods for submitting requests to opt-out should be easy for consumers to execute and shall require minimal steps to allow the consumer to opt-out. Examples of methods that businesses should not use are specified in the regulations and include:

  • The process for opting out shall not require more steps than the business process for opting in to the sale of personal information;
  • The business should not use confusing language such as double negatives (Don’t Not Sell My Personal Information);
  • The business shall not require consumers to click through or to listen to reasons they should not submit a request to opt-out before confirming their request;
  • The business cannot require the process for submitting a request to opt-out to require the consumer to provide personal information that is not necessary to implement the request; and
  • Upon clicking the “Do Not Sell My Personal Information” link, the business shall not require the consumer to search or scroll through the text of a privacy policy or similar document or webpage to locate the mechanism for submitting a request to opt-out.

The bottom line for these additional changes to the CCPA regulations is that the overriding principles remain the same: inform consumers of their right to opt-out of the sale of their personal information and present this information to consumers in a way that is easy to read and understand.

A federal District Court in California recently dismissed a lawsuit against Walmart that arose from an alleged data breach. (Gardiner v. Walmart, Inc., 20-cv-04618-JSW (N.D. Cal., March 5, 2021). Among other things, the court determined that California’s Consumer Privacy Act (CCPA) does not apply retroactively, dismissing the CCPA claim because the plaintiff had not specified the date of the alleged breach.

According to the allegations of the complaint, the plaintiff had provided certain personal identifying information (PII) to Walmart, including credit card information, when he created an online account. Plaintiff claimed that Walmart has been targeted numerous times by individuals who have hacked its website and its customers’ computers, and that the hackers posted stolen account information—including his—on the dark web. As a result, plaintiff asserted that he and others faced an imminent threat of identity theft and fraud, had to spend time and resources to mitigate the effects of the data breach, and suffered economic damages. The complaint alleged violations of the CCPA and also California’s Unfair Competition Law, along with common law claims such as negligence and breach of contract.

Walmart, which disputed that there was any breach of its network, moved to dismiss the complaint. The court granted the motion. As to the CCPA claim, the court concluded that CCPA only applies to breaches occurring on or after January 1, 2020, and does not apply retroactively. Plaintiff therefore had to allege that Walmart’s purported violation of its duty to implement reasonable security procedures to prevent the breach occurred on or after that date. Because plaintiff did not allege a specific date of the alleged breach, he did not have a viable CCPA claim. The court held that the CCPA claim also failed because the complaint did not sufficiently allege disclosure of plaintiff’s PII, such as disclosure of his credit card number and security code.

In addition, the court dismissed all of plaintiff’s remaining claims for negligence, contract, and unfair competition on the grounds that plaintiff had failed to plead a cognizable injury. In doing so, the court found that, without factual allegations identifying what PII was stolen, plaintiff’s bare assertion that his PII had economic value was insufficient to support his claims. The court also determined, among other things, that conclusory allegations of an increased risk of identity theft were insufficient to establish injury. The decision may not end the litigation, however, as the court granted plaintiff leave to amend his complaint to cure the identified deficiencies. It remains to be seen if he will do so.

Marriott recently won dismissal of a proposed class action data breach lawsuit alleging several violations, including a violation of the California Consumer Privacy Act (CCPA). The case, Arifur Rahman v. Marriott International, Inc. et al., Case No.: 8:20-cv-00654, was dismissed in an Order by U.S. District Court Judge David O. Carter on January 12, 2021.

The Plaintiff in the lawsuit alleged that he was a member of a “class that were victims of a cybersecurity breach at Marriott when to employees of a Marriott franchise in Russia accessed class members’ names, addresses, phone numbers, email addresses, genders, birth dates, and loyalty account numbers without authorization.” Marriott admitted there was a breach, sent letters to affected individuals, and confirmed that no sensitive information, such as social security numbers, credit card information, or passwords, was compromised.

The matter was dismissed, as the Court found that it lacked subject matter jurisdiction as the Plaintiff lacked standing to sue. The Court was clear that in the 9th Circuit, the sensitivity of the personal information, combined with its theft, are prerequisites to finding that plaintiffs alleged injury in fact. Injury in fact is one of the three elements necessary to support Article III standing.

The data breach in this case affected approximately 5.2 million Marriott customers, but the information accessed by hackers was not “sensitive information,” which was a required element to be able to continue the lawsuit.

On December 11, 2020, California Attorney General Xavier Becerra released the fourth set of proposed modifications to the regulations of the California Consumer Privacy Act of 2018 (CCPA). This fourth set of proposed modifications is in response to comments received to the third set of modifications that were released on October 12, 2020. According to the update released with the proposed text, the changes include:

Revisions to section 999.306, subd. (b)(3), to clarify that a business selling personal information collected from consumers in the course of interacting with them offline shall inform consumers of their right to opt-out of the sale of their personal information by an offline method; and

Proposed section 999.315, subd. (f), regarding a uniform button to promote consumer awareness of the opportunity to opt-out of the sale of personal information.

The text of the proposed modifications can be found here. Probably the biggest news for the opt-out option is the proposal to include an opt-out button, which may be used in addition to posting the right to opt-out, but not in lieu of any requirement to post a “Do Not Sell My Personal Information” link. The proposed regulations state that if a business posts the “Do Not Sell My Personal Information” link, then the opt-out button shall be added to the left of the text as follows:    The proposed modifications also add language that states that submitting requests to opt-out shall be easy for consumers to execute and shall require minimal steps to allow the consumer to opt-out. Businesses are not to use confusing language for opt-out requests or to require consumers to click through or listen to reasons why they should not submit a request to opt out. Businesses may not require consumers to provide personal information that is not necessary to implement the request, nor can a business require the consumer to search or scroll through the text of a privacy policy to locate the mechanism to opt out. In short, the proposed modifications appear to  strive for a simple process with minimal steps for consumers to opt out of the sale of their personal information.

The Attorney General’s Office will accept written comments on the proposed changes to the regulations until 5:00 p.m. on December 28, 2020. Comments may be sent by email to PrivacyRegulations@doj.ca.gov or by mail at the address contained in the notice of the fourth set of proposed modifications.

The California Consumer Privacy Act (CCPA) requires businesses covered by the CCPA to notify their employees of the categories of personal information the business collects about employees and the purposes for which the categories of personal information are used. The categories of personal information are broadly defined in the CCPA and include personal information such as medical information, geolocation data, biometric information, and sensory data.

As a result of the COVID-19 pandemic, many businesses are conducting screenings of employees for COVID symptoms. In many states, it is either required or recommended that businesses conduct such screenings of employees prior to entering the workplace. These employee screenings vary across the country but many include documenting an employee’s temperature, whether they have any COVID-related symptoms or exposure to individuals with COVID-19, or documenting travel out of state or out of the country. States vary too, in the method of collection of this information, with employees completing a written questionnaire via email, text, or mobile application. COVID-19 screening and temperature data is recorded and kept daily to demonstrate compliance with state and local public health requirements.

So, what does this mean for CCPA compliance? None of us could have predicted a year ago that employers would be collecting temperature data, lists of symptoms, and travel information from our employees. If you drafted your CCPA employee notice prior to the start of the pandemic, you may want to review the categories of personal information you now collect in light of these COVID-19 data collection requirements and recommendations. For example, depending upon the type of temperature check, this data could be considered biometric information or sensory data. Your employee notice may also need to disclose how such categories of personal information are used by the business, such as to comply with state and local public health requirements.

While the CCPA requires notice to employees of the categories of data collected, in light of the pandemic, businesses may wish to review their employee notice to determine if it needs to be updated to accurately reflect any additional categories of personal information collected and how the business is using that personal information.

Proposition 24 is known as the California Privacy Rights Act of 2020 (CPRA). It is on the ballot in California on November 3, and if it passes it will amend and expand certain provisions of the California Consumer Privacy Act (CCPA). Some say it’s CCPA 2.0, however, there are some provisions that make the CPRA look more like the General Data Protection Regulation (GDPR) – the European data regulation that reshaped privacy rights in the European Union. Two provisions in particular are very GDPR-like; specifically, the creation of the California Privacy Protection Agency (CPPA), which will become the regulator charged with implementing and enforcing both the CCPA and CPRA, and the expanded definition of sensitive personal information. CPRA would become effective Jan. 1, 2023, with an enforcement date of July 1, 2023. Here are some key highlights of Proposition 24.

What’s new for California consumers in CPRA? CPRA creates a new category of data, similar to GDPR, for sensitive personal information. CPRA also adds several new rights for consumers:

  • to restrict the use of sensitive personal information;
  • to correct inaccurate personal information;
  • to prevent businesses from storing data longer than necessary;
  • to limit businesses from collecting more data than necessary;
  • to know what personal information is sold or shared and to whom, and to opt out of that sale or sharing of personal information;
  • CPRA expands the non-discrimination provision to prevent retaliation against an employee, applicant for employment, or independent contractor for exercising their privacy rights.

What do businesses need to know regarding CPRA? It creates a new data protection agency with regulatory authority for enforcement of both CCPA and CPRA. Some new key provisions for businesses are:

  • the CPRA creates a Chief Auditor, who will have the authority to audit businesses data practices;
  • the CPRA also requires high risk data processors to perform regular cybersecurity audits and regular risk assessments;
  • the CPRA adds provisions regarding profiling and automated decision making;
  • the CPRA adds restrictions on transfer of personal information;
  • the CPRA requires businesses that sell or share personal information to provide notice to consumers and a separate link to the “Do Not Sell or Share My Personal Information” webpage and a separate link to the “Limit the Use of My Sensitive Personal Information” webpage or a single link to both choices;
  • the CPRA triples the fines set forth in CCPA for collecting and selling children’s private information and requires opt-in consent to sell personal information of consumers under the age of 16;
  • the CPRA expands the consumer’s private right of action to include a breach of a consumer’s email address and password/security question and answer.

The CPRA also changes the definition of “business” to more clearly define the annual period of time to determine annual gross revenues, which specifies that a business must comply with CPRA if, “as of January 1 of the calendar year,” the business had annual gross revenues in excess of twenty-five million dollars “in the preceding calendar year,” or alone or in combination annually buys or sells or shares the personal information of 100,000 or more consumers or households, or derives 50 percent or more of its annual revenues from selling or sharing consumers’ personal information.

In addition to these criteria, CPRA adds somewhat puzzling language that states that a business would also be defined in the CPRA as a person that does business in California, that is not covered by one of the criteria described above, who may voluntarily certify to the California Privacy Protection Agency that it is in compliance with and agrees to be bound by CPRA.

The CPRA adds the new term “contractor” in addition to service provider. A contractor is a person to whom the business makes available a consumer’s personal information for a business purpose pursuant to a written contract with the business. The CPRA contains specific provisions to be included in the contract terms, and the contract must include a certification that the contractor understands the restrictions and will comply with them. The CPRA adds several new definitions, including definitions for cross-context behavioral advertising, dark pattern, non-personalized advertising, and profiling, and makes some changes to the definition of personal information. The CPRA eliminates some of the CCPA language regarding the “categories” of personal information.

The CPRA also adds “sensitive personal information” as a defined term which means:

(l) personal information that reveals: (A) a consumer’s social security, driver’s license, state identification card, or passport number; (B) a consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; (C) a consumer’s precise geolocation; (D) a consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership; (E) the contents of a consumer’s mail, email and text messages, unless the business is the intended recipient of the communication; (F) a consumer’s genetic data; and (2) (A) the processing of biometric information for the purpose of uniquely identifying a consumer; (B) personal information collected and analyzed concerning a consumer’s health; or (C) personal information collected and analyzed concerning a consumer’s sex life or sexual orientation.

The CPRA retains the CCPA exemptions for medical information governed by the California Confidentiality of Medical Information Act or protected health information collected by a covered entity or business associate under HIPAA (Health Insurance Portability and Accountability Act) and HITECH (Health Information Technology for Economic and Clinical Health Act), personal information collected as part of a clinical trial or other biomedical research study, activity involving the collection of personal information bearing on a consumer’s credit worthiness, and personal information collected, processed, sold or disclosed subject to the Gramm-Leach-Bliley Act or the federal Driver’s Privacy Protection Act of 1994.

The CCPA’s limited exemptions for employment information and so-called business-to-business information are also continued in the CPRA, however these provisions shall expire on January 1, 2023.

The CPRA provides authority for the CPPA to create extensive regulations, including a requirement for regulation of businesses whose processing of consumers’ personal information presents significant risk to consumers’ privacy or security to: (A) perform a cybersecurity audit on an annual basis, including defining the scope of the audit and establishing a process to ensure that audits are thorough and independent; and (B) to submit to the CPPA on a regular basis a risk assessment with respect to the processing of personal information.

The private right of action under CPRA is expanded to include that consumers whose email address in combination with a password or security question and answer that would permit access to the account be able to institute a civil action and to recover damages or other injunctive relief. The CCPA 30-day cure period after notice of a breach is eliminated and administrative fines for violation of the CPRA increase to not more than $2,500 for each violation or $7,500 for each intentional violation or violations involving the personal information of consumers that the business has actual knowledge is under 16 years of age. The CPPA will have broad powers of investigation and enforcement for violations of the CPRA.

We will follow the progress of Proposition 24 on election day and provide an update here next week.