On Friday, the newly created California Privacy Protection Agency (CPPA) issued its first proposed regulations under the California Privacy Rights Act (CPRA).

The proposed rules have drawn criticism for requiring companies to treat browser-based “Do Not Track” signals as consumers asserting their opt-out rights. This rule came as a surprise to many observers because, as passed, the statute would have given companies the option to honor or ignore these signals. The draft would additionally require businesses to serve their disclosures in “eye-catching” colors, another area not explicitly prescribed by the CPRA statute.

Perhaps to balance the scales, the proposal also includes a new term of art, “disproportionate effort,” describing situations in which the burden of responding to a consumer request would “significantly outweigh” the consumer’s benefit. A business claiming this exception must give the consumer a detailed explanation that includes enough facts to provide a “meaningful understanding” as to why the business cannot honor the consumer’s request. This exception may also insulate companies from consumers who might abuse the request process. A business could likely claim “disproportionate effort,” for example, if a group of protestors coordinated to overwhelm it with requests.

It seems clear that the CPPA aims to make privacy-by-default the easiest option for California companies. Companies that collect and sell minimal personal information from consumers and respect “Do Not Track” signals will find it easy to comply with these proposed regulations. On the other hand, companies that wish to engage in data brokering would need to jump through significantly more regulatory hurdles.

The CPPA will likely address other key CPRA aspects, such as dark patterns, algorithmic decision making, and child privacy in future proposals.

With the passage of the ballot initiative known as the Consumer Privacy Rights Act (CPRA or Act) in California, we are presenting several blog articles on different topics related to this new law. Last week, we wrote about the newly-added definition of sensitive information. This week we will focus on some key effective dates in the CPRA along with what it will mean to have a separate privacy rights enforcement agency.

CPRA Effective January 1, 2023

The good news is that the CPRA’s effective date is January 1, 2023, so businesses have some time to assess and get ready for the new law while the California Consumer Privacy Act (CCPA) is still in effect and enforceable. The CPRA functions like an overlay to CCPA. Once the CPRA takes effect in 2023, it will become the privacy law of the land in California.

There is one exception to the 2023 effective date and that is with respect to the right of access. The CPRA’s right to know or right of access applies to personal information collected by a business on or after January 1, 2022. The exemptions for employee information and business-to-business information remain in place until January 1, 2023. The CPRA also provides additional rulemaking authority, which may also take place prior to the effective date.

Creation of the California Privacy Protection Agency

Section 24 of the CPRA creates the California Privacy Protection Agency (CPPA or Agency), established in the state government of California. The Agency is vested with full administrative power, authority, and jurisdiction to implement and enforce the California Consumer Privacy Act. Section 1798.199.10(a) states that: “[t]he Agency shall be governed by a five-member board, including the Chair. The Chair and one member of the board shall be appointed by the Governor. The Attorney General, Senate Rules Committee, and Speaker of the Assembly shall each appoint one member. These appointments should be made from among Californians with expertise in the areas of privacy, technology, and consumer rights.” Subsection (b) states that the initial appointments to the Agency shall be made within 90 days of the effective date of the Act.

The board will have the authority to appoint an executive director and the Agency will have broad powers to protect “the fundamental privacy rights of natural persons with respect to the use of their personal information.” Section 1798.199.40 (c). The CPRA allows individuals, businesses, customers, advocacy groups and vendors to file complaints with the Agency regarding the privacy practices of a business. The Agency will have the power to investigate complaints, to hold hearings to determine if a violation has occurred, and to issue orders to cease and desist and to pay an administrative fine of up to $2,500 for each violation or up to $7,500 for each intentional violation as well as each violation involving the personal information of minor consumers. The Agency also has the power to bring a civil action in the superior court for the purpose of collecting unpaid administrative agency fines.

The Agency also is charged with providing guidance to both consumers and businesses regarding their rights and responsibilities under the CPRA. One final note is that Section 1798.199.100 states that the Agency “shall consider the good faith cooperation of the business, service provider, contractor, or other person in determining the amount of any administrative fine or civil penalty for a violation of this title.”

Congress is considering omnibus privacy legislation, and it reportedly has bipartisan support. If passed, this would be a massive shake-up for American consumer privacy, which has been left to the states up to this point. So, how does the American Data Privacy and Protection Act (ADPPA) stack up against existing privacy legislation such as the California Consumer Privacy Act and the Virginia Consumer Data Protection Act?

The ADPPA includes a much broader definition of sensitive data than we’ve seen in state-level laws. Some notable inclusions are income level, voicemails and text messages, calendar information, data relating to a known child under the age of 17, and depictions of an individual’s “undergarment-clad” private area. These enumerated categories go much further than recent state laws, which tend to focus on health and demographic information. One asterisk though – unlike other state laws, the ADPPA only considers sexual orientation information to be sensitive when it is “inconsistent with the individual’s reasonable expectation” of disclosure. It’s unclear at this point, for example, if a member of the LGBTQ+ community who is out to friends would have a “reasonable expectation” not to be outed to their employer.

Like the European Union’s General Data Protection Regulation, the ADPPA includes a duty of data minimization on covered entities (the ADPPA borrows the term “covered entity” from HIPAA). There is a laundry list of exceptions to this rule, including one for using data collected prior to passage “to conduct internal research.” Companies used to kitchen-sink analytics practices may appreciate this savings clause as they adjust to making do with less access to consumer data.

Another innovation is a tiered applicability, in which all commercial entities are “covered entities,” but “large data holders” – those making over $250,000,000 gross revenue and that process either 5,000,000 individuals’ data or 200,000 individuals’ sensitive data – are subject to additional requirements and limitations, while “small businesses” enjoy additional exemptions. Until now, state consumer privacy laws have made applicability an all-or-nothing proposition. All covered entities, though, would be required to comply with browser opt-out signals, following a trend started by the California Privacy Protection Agency’s recent draft regulations. Additionally, individuals have a private right of action against covered entities to seek monetary and injunctive relief.

Finally, and controversially, the ADPPA explicitly preempts all state privacy laws. It makes sense – the globalized nature of the internet means that any less-stringent state law would become the exception that kills the rule. Still, companies that only recently finalized CCPA- and CPRA-compliance programs won’t appreciate being sent back to the drawing board.


Connecticut Governor Ned Lamont signed the Personal Data Privacy and Online Monitoring Act (CPDPA) into law on May 10, 2022, making Connecticut the most recent state to pass its own privacy law in the absence of comprehensive federal privacy legislation. Connecticut follows in the steps of Nevada, California, Virginia, Colorado and Utah in enacting its own comprehensive privacy legislation, with more pending in various state legislatures.

The Connecticut law goes into effect on July 1, 2023, giving companies just over a year to determine whether it applies, and if so to take steps to comply. Luckily, many organizations have already put compliance programs in place for the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), so adding some nuances from other state laws, including Connecticut, will not be as daunting as the first go-round with California’s law.

The CPDPA is designed to establish a framework for controlling and processing personal data. It:

  1. sets responsibilities and privacy protection standards for data controllers;
  2. gives consumers the right to access, correct, delete, and obtain a copy of personal data and to opt out of the processing of personal data for certain purposes (e.g., targeted advertising);
  3. requires controllers to conduct data protection assessments;
  4. authorizes the state attorney general to bring an action to enforce the bill’s requirements; and
  5. deems violations to be Connecticut Unfair Trade Practices Act violations (text of the act: https://cga.ct.gov/2022/ACT/PA/PDF/2022PA-00015-R00SB-00006-PA.PDF).

The CPDPA applies to individuals and entities that conduct business in the state of Connecticut or target products or services to Connecticut residents and either: control or process personal data of at least 100,000 Connecticut consumers (except if the data is processed solely for completing a payment transaction) or control or process the personal data of at least 25,000 Connecticut consumers and derive more than 25 percent of their gross revenue from the sale of personal data. The application of the law is not tied to an actual gross revenue figure like the CCPA is ($25 million), which is an important distinction that may narrow its applicability to organizations.

The law does not apply to nonprofits, state and local governments, higher education institutions, or national securities associations registered under the Securities Exchange Act. Consistent with other state data privacy laws, it also exempts financial institutions and data subject to the Gramm-Leach-Bliley Act and covered entities and business associates subject to the Health Insurance Portability and Accountability Act (HIPAA).

The law excludes 16 different categories of data from its purview, including protected health information under HIPAA, information subject to the Fair Credit Reporting Act, employee and job applicant data, and information protected by the Family Educational Rights and Privacy Act.

A “consumer” is defined as a Connecticut resident, and excludes individuals “acting in a commercial or employment context,” also known as a business-to-business exception, which is consistent with other state privacy laws.

Connecticut consumers will have the right to opt out of the processing of their personal data for targeted advertising, the sale of their data, or profiling for automated decisions that produce legal or significant effects on the consumer. Entities subject to the law will have to provide “clear and conspicuous” links on their websites giving consumers the choice to opt out of that type of processing and provide a universal opt-out preference signal by January 1, 2025. Consistent with other state privacy laws, the CPDPA contains an anti-discrimination clause. These requirements, along with those of the other state laws that go into effect in 2023, warrant another look at companies’ websites to see if they need to be updated.

The CPDPA requires controllers to:

  • limit collection of personal data to the minimum amount necessary for the purpose of the collection;
  • limit use of the personal data to only the purpose of the collection or as the consumer has authorized;
  • establish and implement data security practices to protect the data; and
  • obtain consent before processing sensitive data, including data of any individual under the age of 13, and follow the provisions of the Children’s Online Privacy Protection Act.

Controllers will be required to update their website and other privacy notices to be transparent about the categories of data collected, the purpose of the collection, how consumers can exercise their rights under the law, including an active email address at which to contact the controller, what information is shared with third parties, and the categories of third parties with which the controller shares the information. In addition, a controller must disclose that it is selling personal data for targeted advertising and provide consumers with information on how they can opt out of the sale of their information.

Also consistent with the other state data privacy laws, the CPDPA requires that data controllers enter into a written contract with data processors prior to disclosing the personal data, outlining specific instructions for the data processing and data security requirements for the protection of the personal data. This requires organizations to review third-party contracts to determine whether they are disclosing personal data to third parties, whether CPDPA applies and to amend contracts with those third parties, as appropriate.

Violation of the CPDPA may land companies in an enforcement action by the Connecticut Attorney General (AG), who can levy fines and penalties under the Connecticut Unfair Trade Practices Act. However, there is a grace period for enforcement actions until December 31, 2024, for the AG to provide organizations an opportunity to cure any alleged violations. Beginning on January 1, 2025, the AG has discretion to provide companies with that opportunity to cure and can look at the conduct of the organization during the cure period to determine fines and penalties.

Significantly, consistent with Colorado, Virginia, and Utah, but tacking away from California, the CPDPA is clear that the law does not provide a private right of action for consumers to seek damages against organizations for violation of the law. Jurisdiction for violations is solely with the AG.

2023 will be a busy compliance year for state data privacy laws as laws in Virginia, Colorado, Utah, and now Connecticut will all go into effect. Now is the time to determine whether these new privacy laws apply to your organization and to start planning compliance obligations.

We all know businesses collect our data. But did you know that businesses can draw inferences from those data to determine whether a consumer is married, or is a homeowner, or is a likely voter? Recently, the question arose whether those inferences constitute personal information under the California Consumer Privacy Act of 2018 (CCPA or the Act) and whether consumers in California have a right to know about those inferences.

Attorney General Rob Bonta recently issued an opinion on a question of law to answer that very question. See Opinion of Rob Bonta, California Attorney General, No. 20-203, March 10, 2022. The question presented under the CCPA was: “Does a consumer’s right to know the specific pieces of personal information that a business has collected about that consumer apply to internally generated inferences the business holds about the consumer from either internal or external information sources?”

The answer is yes, California consumers have a right to know internally-generated inferences unless a business can demonstrate that a statutory exception to the Act applies. The opinion begins by tracing the history of privacy laws over the past twenty years, which ultimately resulted in the enactment of the CCPA. The opinion discusses relevant provisions of the CCPA, including the duties, responsibilities, and enforcement authority of the Attorney General. The recently-enacted amendment to the CCPA, the California Privacy Rights Act (CPRA), set to take effect January 1, 2023, is also discussed as CPRA expands consumer rights, thereby making the law more consistent with European Union rules. The opinion indicates that the CPRA’s enactment does not change the analysis with respect to the opinion regarding inferences.

The substance of the analysis begins with the definition of “personal information” under the CCPA. The opinion notes that the definition of personal information under the CCPA is very broad, with numerous subparts; however, the most relevant language is as follows:

(o)(1) . . . Personal information includes, but is not limited to, the following if it identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household: [. . .]

(K) Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. Cal. Civ. Code 1798.140 (o)(1)(A)-(K).

The opinion is clear that inferences constitute “personal information” under the CCPA. According to the analysis, if an inference is drawn from any of the personal information collected by a business that is subject to the CCPA, and that information is used to create a profile about a consumer, the inference must be disclosed to the consumer. This leads to the questions: what is an inference and why is this important?

The opinion states that an “inference” means “the derivation of information, data, assumptions, or conclusions from facts, evidence, or another source of information or data. An inference is essentially a characteristic deduced about a consumer (such as “married,” “homeowner,” “online shopper,” or “likely voter”) that is based on other information a business has collected (such as online transactions, social network posts, or public records).” This opinion is clear that the statutory definition of personal information includes inferences, and therefore, consumers are not only entitled to know what specific data points a business collects about them, but also the inferences that those data points create.

Finally, the opinion concludes that businesses are not required to disclose their trade secrets or the proprietary means they may use to create those inferences. The caveat, however, is that a business that “withholds inferences on the ground that they are protected trade secrets bears the ultimate burden of demonstrating that such inferences are indeed trade secrets under the applicable law.”

California is the gold standard for state privacy laws, having recently enacted the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). Virginia and Colorado also have enacted comprehensive privacy laws, which will take effect in 2023. Recently, the International Association of Privacy Professionals (IAPP) released its state privacy legislation tracker. The IAPP offers a map of the states that shows all the states and the status of any privacy legislation. The map shows the various stages of any privacy legislation, from bills introduced all the way through bills signed.

In addition, IAPP has compiled a handy chart of pending comprehensive privacy legislation that provides the name of the bill, a link to the bill, and whether the bill provides various consumer rights, business obligations, and a private right of action, similar to the consumer privacy laws passed in California, Virginia, and Colorado.

At the current time, the IAPP Westin Research Center is tracking comprehensive consumer privacy bills in 22 states. Many states, including Alaska, Hawaii, Massachusetts, New York, Pennsylvania, Washington, Wisconsin, and New Jersey, have multiple privacy bills pending. Most of the bills listed in the chart are described as “in committee,” and two states (Indiana and Oklahoma) have bills in cross-committee status. According to the IAPP, the focus of the bills selected for the tracker is on bills that provide legislative approaches “governing the use of personal information in a state.”

It remains to be seen whether other states will pass similar consumer privacy legislation. Lawmakers are paying close attention to privacy issues and consumers seem to be more aware that they can have some control over their data.

For those that still hold out hope of a federal privacy bill, the IAPP also has a federal privacy legislation tracker.

California Governor Gavin Newsom, along with Attorney General Xavier Becerra, Senate President pro Tempore Toni G. Atkins (D-San Diego), and Assembly Speaker Anthony Rendon (D-Lakewood), announced the appointment of the five-member inaugural board for the California Privacy Protection Agency (CPPA) this week.

The Board was established by the California Consumer Privacy Rights Act (CPRA) and will oversee the rulemaking process for various topics relating to the CPRA, including privacy audits, consumer opt-out rights, and compliance relating to the protection of the privacy rights of consumers with regard to their personal information.

According to Attorney General Xavier Becerra, “The California Privacy Protection Agency marks a historic new chapter in data privacy by establishing the first agency in the country dedicated to protecting forty million Californians’ fundamental privacy rights. The CPPA Board will help California residents understand and control their data privacy while holding online businesses accountable.”

The Board members will select an Executive Director and may serve for no more than eight years.

With the passage of the Consumer Privacy Rights Act (CPRA), we are presenting several blog articles on different topics related to the new law. We previously wrote about key effective dates and the newly-added definition of sensitive information. This week, we will focus on consumer opt-out rights and data profiling.

Consumer Opt-Out Rights

The CPRA created several new rights for consumers – one of which is the right to opt out of the sale or the sharing of their personal information. In order to understand this new opt-out right, we need to review the new definition of sharing personal information in the CPRA.

The CPRA differentiates between the sale of personal information and the sharing of personal information. Sharing personal information means disclosing it to third parties for “cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged.” Section 1798.140 (a)(h)(1).

What is cross-contextual behavioral advertising? Think about advertising targeted to the consumer based on their internet behavior. Contextual advertising might be an ad shown specifically to a consumer for a product related to that consumer’s internet search. If you are a California resident, the CPRA will give you the right to opt out of the sharing of your personal information in this way. How will a consumer exercise this right? The CPRA states that a consumer shall have the right, at any time, “to direct a business that sells or shares personal information about the consumer to third parties not to sell or share the consumer’s personal information.” Section 1798.120(a).

Data Profiling – What is it?

Another consumer right related to the consumer opt-out rights found in the CPRA pertains to data profiling. Profiling is defined in the CPRA as the automated processing of personal information “to evaluate certain personal aspects relating to a natural person, and in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.” Section 1798.140 (z). One bright note is that Section 1798.185 (a)(16) states that regulations will need to be developed “governing access and opt-out rights with respect to businesses’ use of automated decision-making technology, including profiling and requiring businesses’ response to access requests to include meaningful information about the logic involved in such decision-making processes, as well as a description of the likely outcome of the process with respect to the consumer.”

We will be following these opt-out rights closely – both from a consumer privacy standpoint and for businesses that use such targeted advertising technologies, including automated processing of personal information – to see how the regulations will address the logic involved in the decision-making process and its impact on consumers.

The California Privacy Rights Act (CPRA) expands the definition of personal information as it currently exists in the California Consumer Privacy Act (CCPA). The CPRA adds “sensitive personal information” as a defined term, which means:

(1) personal information that reveals:

(A) a consumer’s social security, driver’s license, state identification card, or passport number;

(B) a consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account;

(C) a consumer’s precise geolocation;

(D) a consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership;

(E) the contents of a consumer’s mail, email and text messages, unless the business is the intended recipient of the communication;

(F) a consumer’s genetic data; and

(2) (A) the processing of biometric information for the purpose of uniquely identifying a consumer;

(B) personal information collected and analyzed concerning a consumer’s health; or

(C) personal information collected and analyzed concerning a consumer’s sex life or sexual orientation.

This is perhaps the broadest definition of personal information in the country, as it now includes entirely new classes of personal information such as racial or ethnic origin, religious or philosophical beliefs, union membership, the contents of a consumer’s mail, email and text messages, genetic data, biometric data, and data collected and analyzed concerning a consumer’s health, sex life, or sexual orientation.

What does this mean for a business that is covered by the CPRA? In a previous post, we provided a detailed overview of the CPRA, but suffice it to say that if the business had to comply with CCPA, it also will likely be covered by CPRA. Given this new definition of sensitive personal information, one of the first steps in thinking about CPRA compliance will be to think about data mapping to determine whether the business collects any of these new categories of sensitive personal information. The CPRA is still very much a consumer-focused law with the goal of expanding consumer knowledge about the types of personal information businesses collect about consumers and how that personal information is used, sold, or shared. It will be a critical first step for businesses to understand the data and personal information they collect about consumers and whether they collect any sensitive personal information under this new definition.

According to the Los Angeles Times and other media outlets, Californians passed Proposition 24, also known as the California Privacy Rights Act of 2020 (CPRA). With 71.61 percent of precincts reporting, the measure passed with 56.1 percent of the vote. We wrote about the CPRA last week, and we provided an overview of this new privacy law in California that expands on the California Consumer Privacy Act (CCPA).

The CPRA has some new privacy provisions that pull from other privacy laws. Of particular interest in the CPRA are provisions to expand the restrictions on the sale of personal information to include the sharing of personal information, the regulation of automated decision making, the requirement of additional security and risk assessments for certain businesses, additional requirements for third parties, and the creation of a new regulatory agency for enforcement actions.

We will continue to review the CPRA and will provide more details soon regarding this new California privacy law and what it means for businesses.