On June 3, 2025, the California Senate unanimously passed Senate Bill 690 (SB 690) in a 35-0 vote, a strong show of support for reining in a flood of lawsuits that have taken many companies by surprise over the last few years. The bill now heads to the California Assembly, where it will face further scrutiny. If ultimately signed into law, SB 690 could reshape how privacy law is enforced in the digital space, offering much-needed clarity (and relief) for businesses across the country.

What is SB 690 All About?

SB 690 is aimed squarely at modernizing how California’s Invasion of Privacy Act (CIPA) is applied in today’s online economy. Originally passed in 1967 to address concerns around wiretapping and old-school eavesdropping, CIPA has recently been used in a very different context: against websites and online tools that track users’ behavior and their use of a website.

In the last few years, plaintiffs’ lawyers have filed a wave of lawsuits alleging that everyday digital tools, such as cookies, chatbots, and analytics software, violate CIPA. Some lawsuits even treat these technologies as illegal surveillance devices under the law. The result? A growing number of businesses, from major retailers to small e-commerce shops, have been hit with expensive and time-consuming legal threats.

Many of these cases are class actions, often pushing businesses to settle rather than fight it out in court. Critics have called this a form of legal “gotcha”: using a decades-old law to penalize routine online practices that are otherwise regulated by California’s more recent privacy laws.

What SB 690 Would Change

SB 690 seeks to fix this problem by updating CIPA to reflect how digital communication and data collection actually work today. The bill would:

  • Exempt businesses from CIPA liability when they record or intercept online communications for a “commercial business purpose.”
  • Clarify that tools like session replay software, chat logs, or web tracking pixels are not “wiretaps” or surveillance devices when used in standard business operations.
  • Prevent private lawsuits (i.e., lawsuits brought by consumers, not the government) related to these practices, as long as the company is using the data for a valid business reason.

Importantly, SB 690 defines “commercial business purpose” by borrowing language from California’s existing privacy laws—the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA). That means businesses following those laws’ rules around data collection, marketing, analytics, and consumer opt-outs would be protected under SB 690.

What About Current Lawsuits?

Originally, SB 690 was written to apply retroactively, which would have wiped out many of the CIPA lawsuits already in progress. But that retroactive provision faced resistance and was removed just before the Senate vote. As it stands now, the bill would only apply to future cases, so businesses already facing CIPA lawsuits won’t receive immediate relief, and websites that track users before obtaining consent (particularly in California) could still face these demands and lawsuits in the meantime.

Why This Matters

Supporters of SB 690 argue that it restores legal balance. California already has some of the toughest privacy laws in the country. The CCPA and CPRA give consumers strong rights, including the ability to opt out of having their data sold or shared. But CIPA, which wasn’t designed for the internet era, has created an overlapping (and often conflicting) patchwork of rules.

The business community has been calling for reform, arguing that the CIPA lawsuits are stifling innovation and creating a “tax” on companies just for using standard tools to understand their customers or secure their platforms.

What’s Next?

SB 690 now moves to the California Assembly, where it will go through committee hearings and floor votes. If it passes the Assembly without changes, it will head to Governor Newsom’s desk. If amended, it may need to go back to the Senate for a final vote.

If SB 690 becomes law, businesses that use standard online tools for legitimate purposes (marketing, security, customer service, etc.) and comply with CCPA/CPRA rules will be far less likely to face CIPA lawsuits. That could mean fewer legal headaches, fewer settlements, and more certainty in how businesses can operate online.

But until the bill is fully enacted, the current legal risks under CIPA remain, so businesses should stay alert and ensure compliance with existing privacy laws. The battle over online privacy enforcement in California is far from over, but SB 690 could mark a turning point.

The California Privacy Protection Agency (CPPA), the agency responsible for implementing and enforcing the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) (collectively the CCPA), protecting consumer privacy, and ensuring compliance with data privacy regulations, has announced an investigative sweep into companies’ collection of sensitive location data. The CPPA has already sent out inquiries to “advertising networks, mobile app providers, and data brokers that appear to be in violation” of the CCPA.

California Attorney General Rob Bonta said, “Every day, we give off a steady stream of data that broadcasts not only who we are, but where we go. This location data is deeply personal, can let anyone know if you visit a health clinic or hospital, and can identify your everyday habits and movements.” The CPPA is concerned that this sensitive location data will be used to target vulnerable populations. The CPPA urges businesses to take responsibility as stewards of this sensitive data seriously and affirmatively protect location data.

The CPPA’s investigation will focus on how companies are informing consumers about their right to opt out of the sale and sharing of their data (as required under the CCPA), including geolocation data and other types of personal information collected by businesses. Additionally, the CPPA will investigate how companies actually apply this opt-out requirement when a consumer asserts that right.

If your company hasn’t assessed its opt-out processes and procedures lately, now is the time to confirm that consumers are clearly notified of this right and that they can readily opt out of such tracking and collection and the subsequent sale and/or sharing of that data with third parties.

The California Privacy Protection Agency (CPPA) recently met to discuss automated decision-making technology, privacy risk assessments and cybersecurity audits under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). However, the CPPA also decided to step outside the anticipated agenda and discuss additional revisions to the existing regulations. Once again, changes are on the horizon. What kind of changes? Here are the key things that would change under the CCPA for your organization’s online privacy policy:

  • “Meaningful Understanding” of Sources and Sales/Sharing with Third Parties: the draft revisions would add a requirement for privacy policies to provide “meaningful understanding” of the sources that the business uses to collect personal information and the categories of third parties to which the business shares or sells personal information.
  • Clarifying Disclosures to Service Providers and Contractors: the draft revisions would remove an ambiguity related to the definition of a “third party” and require businesses to explicitly identify the categories of personal information disclosed to a service provider or contractor in the last 12 months.
  • Privacy Policy Links for Mobile Applications: the draft revisions would require mobile apps to include a link to their privacy policies in the settings menu of the app. This link would be in addition to the link on the website homepage and the app store download page.

After the CPPA finalizes the draft revisions, the proposed rule changes will be published for a 45-day public comment period. However, the CPPA did not provide an anticipated start date for that comment period yet.

The rise of AI technology has prompted regulatory agencies to take action and protect consumers’ rights, as evidenced by the recent efforts of the Federal Trade Commission (FTC) and the California Privacy Protection Agency (CPPA).

On November 16, 2023, the FTC approved a resolution that authorizes its staff to issue civil investigative demands (CIDs) in cases involving AI or generative AI products and services. CIDs are legal requests for information or documents that the FTC uses to investigate potential consumer protection or antitrust law violations. The resolution aims to enhance the FTC’s ability to monitor and enforce compliance with existing laws and regulations that apply to AI, such as the Fair Credit Reporting Act, the Children’s Online Privacy Protection Act, and the FTC Act.

The resolution also signals the FTC’s interest in addressing emerging issues related to AI, such as bias, discrimination, privacy, security, and transparency. The FTC has previously issued guidance and reports on these topics and brought enforcement actions against companies that misused or misrepresented their AI capabilities. The resolution indicates that the FTC will continue scrutinizing AI practices and hold companies accountable for any harm they cause to consumers or competition.

On November 22, 2023, the CPPA released the first draft of its rulemaking on automated decision-making technology, which includes systems that use AI, machine learning, or data processing to help humans make decisions or profile individuals. The CPPA is a new agency created by the California Privacy Rights Act (CPRA), which was passed by voters in November 2020 and took effect on January 1, 2023. The CPRA expands and strengthens the 2018 California Consumer Privacy Act, which is one of the most comprehensive privacy laws in the country.

The draft rules aim to implement and clarify some of the CPRA provisions related to automated decision-making technology. Specifically, the draft rules address the following areas:

– Notice and opt-out rights: The draft rules require businesses that use personal information in their automated decision-making systems to provide clear notice to consumers about how the information is used, their rights to opt out of it, and how to access more information. Some exceptions exist for security, fraud prevention, consumer safety, or business necessity reasons.

– Access and appeal rights: The draft rules also allow consumers to ask businesses what automated decision-making technology is used for and how decisions affecting them were made. Companies must provide details on the system’s logic, the possible outcomes, and the extent of human involvement. Consumers can appeal the denial of access requests to the CPPA and the attorney general’s office.

– Children and profiling: The draft rules address the issue of profiling children under 16, requiring parental consent for children under 13, and providing opt-out rights for children between 13 and 16. Businesses operating in public places which profile consumers using wi-fi or facial recognition must also offer opt-out options.

The draft rules are open for public comment until December 27, 2023. The CPPA will review the comments and issue final regulations by July 1, 2024. Regulators recognize AI’s potential benefits and risks and try to safeguard consumers’ rights and interests. Accordingly, businesses involved in the development or use of AI will want to take note of these regulatory changes and be prepared to comply with them.

A plan for an enforcement program under the California Consumer Privacy Act (CCPA)/California Privacy Rights Act (CPRA) (collectively CCPA) is on its way from the California Privacy Protection Agency (CPPA). Despite a recent court ruling that the enforcement of some of the amendments under the CPRA cannot begin until March 2024, last week the CPPA revealed three key areas of its enforcement focus. While the CPPA is still in the process of building and hiring the enforcement team, the agency indicated that despite the court ruling it will still begin enforcing the underlying statute and previous regulations this year. The CPPA Deputy Director of Enforcement, Michael Macko, said, “There’s no vacation here from enforcement. When we find violations, we will take aggressive action to protect the public.”

The CPPA will focus its efforts on three areas of enforcement:

  1. privacy notices and policies;
  2. consumers’ right to delete personal information; and
  3. the handling and implementation of consumer requests.

Deputy Director Macko also said, “We expect vigorous enforcement over the coming year, and by March 2024, we would expect to see robust compliance with the entire set of regulations.” The CPPA will be reviewing companies’ privacy policies to see if what they say they are doing matches what they are actually doing. The agency sees non-compliance with a company’s own privacy policy as likely to lead to other issues of non-compliance, such as not respecting consumers’ privacy rights. Since the consumer right to delete their data is “well-established” and “long-standing,” this will be a focus for enforcement. Another area under scrutiny is proper notification of consumers’ right to opt out of the sale of their data. Deputy Director Macko added in his statement that companies that implement smooth experiences for consumers exercising their rights will more likely be found in compliance.

The CPPA will consider many factors in determining which violations to pursue such as the severity of the harm to consumers, good-faith efforts to comply, and the company’s size and resources. However, incidents that involve children, older adults, marginalized communities, and other vulnerable populations will receive special scrutiny and focus.

One of the ways in which the CPPA will find potential violations will be through its new consumer complaint system. So far, 13 complaints have been submitted via this system. While this statement from the CPPA is certainly helpful guidance for companies struggling with CCPA compliance issues, there are still some unanswered questions. Companies still do not know how fines per number of violations will be calculated or the process for the agency to coordinate with the state attorney general to request an injunction against a business. Next steps for your business: get ready and make sure you are in compliance.

The Office of the California Attorney General recently announced that it will initiate an investigative sweep and will start sending letters to businesses about their mobile apps for failure to comply with the California Consumer Privacy Act (CCPA). There is also a new online tool that allows consumers to directly notify a business of an alleged CCPA violation, so we may see an influx of direct-from-consumer complaints.

The Attorney General’s office will focus its investigation on popular apps in the retail, travel, and food services industries. The goal is to determine whether these apps are complying with consumer opt-out and do-not-sell-or-share requests under the CCPA. The investigation will also focus on the apps’ failures to process consumer requests submitted through an authorized agent under the CCPA. For example, Consumer Reports’ app, Permission Slip, acts as an authorized agent for consumers to submit requests under the CCPA such as opt-outs and deletion requests.

Attorney General Rob Bonta said in the office’s recent press release, “[B]usinesses must honor Californians’ right to opt out and delete personal information, including when those requests are made through an authorized agent. [The] sweep also focuses on mobile app compliance with the CCPA, particularly given the wide array of sensitive information that these apps can access from our phones and other mobile devices. I urge the tech industry to innovate for good — including developing and adopting user-enabled global privacy controls for mobile operating systems that allow consumers to stop apps from selling their data.” Businesses that are subject to the CCPA – and the newly effective amendments under the California Privacy Rights Act (CPRA) – should continue to update and implement their policies, procedures, and processes to ensure compliance with the requirements of these regulations and to hopefully avoid being caught up in this investigative sweep.

Effective Date: January 1, 2023 

Your Rights and Choices

The California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively the “CCPA”) provides California residents with specific rights regarding their personal information. In addition to our Privacy Policy, https://www.rc.com/california-privacy-rights, this webpage further describes your CCPA rights and explains how to exercise

Since the California Privacy Protection Agency (CPPA) released its draft regulations pursuant to the California Privacy Rights Act (CPRA), the biggest gripe from businesses has been the website tracking opt-out requirements. Recognition of opt-out requests from consumers could potentially cost companies some significant dollars.

The CPRA amends the California Consumer Privacy Act of 2020 and goes into effect on January 1, 2023. One of the amendments included a new consumer right to opt out of cross-context behavioral advertising (i.e., the ability to request that a website not track the user across time or across websites). There are many ways in which a consumer can opt out of this sharing of data. One way could be to click on an opt-out button or link on a specific website. Another way could be to download an app or use a specific browser or platform (such as Global Privacy Control (GPC)) to automatically emit opt-out signals for every website visited. However, if a consumer uses GPC but does not turn off the universal opt-out signal, and then visits a website where the consumer actively and knowingly participates in an opt-in rewards program, it remains unclear how a business should proceed in response to that signal.

Without more clarity under the CPRA regulations on how companies should respond on a TECHNICAL LEVEL, it may be difficult to achieve full compliance with consumers’ opt-out choices. This means that the potential for a violation and subsequent liability will increase beginning in the new year.

The CPPA has not wavered on its ‘do not track’ requirement, saying that a plain reading of the CPRA indicates flexibility for site-specific opt-out links. As currently written, the draft regulations would not require businesses to add opt-out links on their websites if they in fact do process opt-out signals from external apps in a “frictionless” manner. A “frictionless” manner means that the business does not:

  1.  Charge a fee for recognizing an opt-out signal
  2.  Change the consumer experience with the product or service
  3.  Display pop-ups, notifications, graphics, etc., in response to the signal

Businesses that must include opt-out links on their websites are those that process external ‘do not track’ signals in a “non-frictionless” manner, which means that the signal is processed in a way that could change the user experience. Even the use of “non-frictionless” (which essentially means “with friction”) convolutes the issue and creates confusion among companies that are trying to comply before the end of the year. We will continue to watch for updates on the final regulations and further technical guidance on ‘do not track’ signals and consumer choice when it comes to the same.
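As an added illustration (not code from the original post), the following Python sketch shows one way a server could honor a GPC opt-out signal in the “frictionless” manner described above: the signal is recognized and sharing is switched off without any pop-up or change to the page. The header name and value come from the GPC specification; the decision type, helper names, and the precedence rule (including the conservative default for the opt-in rewards scenario the regulations leave open) are assumptions of this example.

```python
"""Frictionless handling of a Global Privacy Control (GPC) opt-out signal.

Added example, not from the original post. It assumes request headers
arrive as a dict and that the business already stores a per-visitor
opt-out flag; PrivacyDecision and the helper names are hypothetical.
"""
from dataclasses import dataclass

# The GPC specification defines this request header; the value "1" means
# the user has asked not to have their data sold or shared.
GPC_HEADER = "Sec-GPC"


@dataclass(frozen=True)
class PrivacyDecision:
    share_allowed: bool        # may sale/sharing happen on this request?
    source: str                # which rule decided, for the audit log
    show_notice: bool = False  # frictionless: no pop-up in response to the signal


def gpc_signal_present(headers: dict) -> bool:
    """Return True only when the request carries the exact opt-out value."""
    # Header names are case-insensitive; any value other than "1" is not an opt-out.
    for name, value in headers.items():
        if name.lower() == GPC_HEADER.lower():
            return value.strip() == "1"
    return False


def decide_sharing(headers: dict, stored_opt_out: bool,
                   site_opt_in: bool = False) -> PrivacyDecision:
    """Combine the GPC signal with what the business already recorded.

    Precedence (a design assumption of this example, not a reading of the regs):
      1. a previously recorded opt-out always holds;
      2. a GPC signal is honored as an opt-out, with no change to the response;
      3. otherwise fall back to the site-specific choice the visitor made.
    """
    if stored_opt_out:
        return PrivacyDecision(share_allowed=False, source="stored-opt-out")
    if gpc_signal_present(headers):
        # The post notes the draft regulations do not settle how a GPC signal
        # interacts with a knowing site-specific opt-in (e.g. a rewards program);
        # this example errs toward honoring the signal.
        return PrivacyDecision(share_allowed=False, source="gpc-signal")
    return PrivacyDecision(share_allowed=site_opt_in, source="site-preference")
```

Because `show_notice` is always False, the decision can be applied server-side to the tracking and sharing logic without altering anything the visitor sees, which is the point of the “frictionless” criteria.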

California law will soon require businesses to treat their employees and business partners as consumers under the California Consumer Privacy Act (CCPA). The CCPA and its successor legislation, the California Privacy Rights Act (CPRA), grant California consumers dignitary rights over their personal information collected and processed by commercial entities that do business in California. The CCPA applies to such entities that do business in California and collect California consumers’ personal data, have annual gross revenues over $25 million, possess the personal information of 100,000 or more consumers, or earn more than half of their yearly income from brokering data.

Employee, Job Applicant and 1099 Contractor Data

Previously, the CCPA excluded employee data; however, this exemption is set to expire on December 31, 2022. The California State Legislature defied expectations by ending the 2022 legislative session without passing an extension. While the legislature may pass a new exemption in its next legislative session, businesses subject to the CCPA should prepare to process employee CCPA requests as of January 1, 2023.

Fortunately, most businesses already have HR processes to allow employees to access and correct their personal data. Existing OSHA and EEOC record-retention requirements will also cover most employee data, meaning that it will likely be exempt from deletion requests under the CCPA (i.e., the data cannot be deleted in order to “comply with a legal obligation”). However, companies must now also allow job applicants to know, view, delete, and correct personal information, and EEOC regulations require businesses to retain applicant records for one year. Businesses must keep close track of when that obligation ends and allow applicants to delete their data as soon as that is legally permissible.

B2B Data

The CCPA also included an exemption for business-to-business (B2B) data collected from agents or representatives of other businesses. However, this exemption also is set to expire on December 31, 2022. As of January 1, 2023, California B2B contacts have the right to know, view, correct, and delete personal information. Some personal information may be exempted as necessary to “complete the transaction for which the personal information was collected, fulfill the terms of a written warranty or product recall conducted in accordance with federal law, provide a good or service requested by the consumer, or reasonably anticipated by the consumer within the context of a business’s ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer.” However, companies will need to think outside the box when responding to these requests. Unlike employee and general consumer data, which companies typically collect in a centralized system, B2B data might be scattered across systems tracking emails, contracts, accounts payable, and countless other business processes.

How Can You Prepare?

  • Inventory Your Employee + B2B Data: Businesses should review employee and applicant information (as well as 1099 contractors) to confirm that their privacy notice correctly describes the categories of personal information they collect and process in order to identify “sensitive personal information” subject to the new CPRA right. Businesses should pay special attention to B2B data and clearly document which categories of personal data are stored and on which systems.
  • Enter into Data Processing Agreements with Service Providers: Businesses that use third-party HR software such as Workday and ServiceNow should add data processing addendums that include specific required terms to their contracts. The CCPA requires these agreements with all service providers, including providers that process employees’ personal information.
  • B2B Portals or Websites: If your business collects B2B contact information via a portal or website, you may need to update your privacy policy and include specific provisions required under the CCPA/CPRA.

These are just basic steps. However, if you haven’t assessed whether the CCPA applies to your business, now is the time. And, after that assessment is done, it could mean implementation of a compliance program to avoid fines and penalties and private actions against your business.

Congress is considering omnibus privacy legislation, and it reportedly has bipartisan support. If passed, this would be a massive shake-up for American consumer privacy, which has been left to the states up to this point. So, how does the American Data Privacy and Protection Act (ADPPA) stack up against existing privacy legislation such as the California Consumer Privacy Act and the Virginia Consumer Data Protection Act?

The ADPPA includes a much broader definition of sensitive data than we’ve seen in state-level laws. Some notable inclusions are income level, voicemails and text messages, calendar information, data relating to a known child under the age of 17, and depictions of an individual’s “undergarment-clad” private area. These enumerated categories go much further than recent state laws, which tend to focus on health and demographic information. One asterisk though – unlike other state laws, the ADPPA only considers sexual orientation information to be sensitive when it is “inconsistent with the individual’s reasonable expectation” of disclosure. It’s unclear at this point, for example, if a member of the LGBTQ+ community who is out to friends would have a “reasonable expectation” not to be outed to their employer.

Like the European Union’s General Data Protection Regulation, the ADPPA includes a duty of data minimization on covered entities (the ADPPA borrows the term “covered entity” from HIPAA). There is a laundry list of exceptions to this rule, including one for using data collected prior to passage “to conduct internal research.” Companies used to kitchen-sink analytics practices may appreciate this savings clause as they adjust to making do with less access to consumer data.

Another innovation is a tiered applicability, in which all commercial entities are “covered entities,” but “large data holders” – those making over $250,000,000 gross revenue and that process either 5,000,000 individuals’ data or 200,000 individuals’ sensitive data – are subject to additional requirements and limitations, while “small businesses” enjoy additional exemptions. Until now, state consumer privacy laws have made applicability an all-or-nothing proposition. All covered entities, though, would be required to comply with browser opt-out signals, following a trend started by the California Privacy Protection Agency’s recent draft regulations. Additionally, individuals have a private right of action against covered entities to seek monetary and injunctive relief.

Finally, and controversially, the ADPPA explicitly preempts all state privacy laws. It makes sense – the globalized nature of the internet means that any less-stringent state law would become the exception that kills the rule. Still, companies that only recently finalized CCPA- and CPRA-compliance programs won’t appreciate being sent back to the drawing board.

Read the bill for yourself here.