
What Businesses Need to Know if Voters Pass Proposition 24 (California Privacy Rights Act of 2020, “CPRA”)

Hot on the heels of the California Consumer Privacy Act (CCPA), California residents this November will vote on Proposition 24. A majority yes vote on Prop 24 would pass the California Privacy Rights Act (CPRA). The CPRA proposes several amendments to the CCPA, such as granting new rights to consumers, imposing greater penalties on businesses for certain violations, and creating a new state enforcement agency, the California Privacy Protection Agency (CPPA).

1. Right to Restrict Use of Sensitive Data

Under the newly added Section 1798.121, consumers now have the right to direct businesses to limit the use of “sensitive personal information.”

As defined in CPRA, sensitive personal information appears to combine the conventional definition of “personally identifiable information” from state breach notification laws with the definition of “special category data” under the GDPR. Accordingly, sensitive personal information is data that may include a Social Security Number, driver’s license number, account log-in/debit/credit card information in combination with password or PIN. It may also include a consumer’s precise geolocation, the contents of their e-mails or texts to others, and racial, religious, biometric, or health data.

If directed to do so, businesses must limit the use of sensitive personal information to only those purposes that are necessary to provide a consumer’s requested services or goods.

To facilitate consumer exercise of this right, businesses may be required to add another link, “Limit the Use of my Sensitive Personal Information,” to their websites, in addition to any existing “Do Not Sell My Personal Information” link.

2. Right to Opt-Out of Cross-Context Behavioral Advertising

The CPRA requires a right of opt-out for “cross-context behavioral advertising” regardless of whether it constitutes a “sale” of personal information or not.

Currently, the CCPA is ambiguous as to whether cross-context behavioral advertising—that is, the collection of a consumer’s activities across different websites or even different devices for the purposes of personalized and targeted advertising—constitutes a sale of personal information. Some affiliates, such as Google, have categorized themselves as a service provider providing marketing and advertising services to the business in order to fall out of the definition of sale. Some other affiliates have put forth the position that they never “sold” personal information, because they only allow advertisers to target broad categories of demographics without identifying a specific individual to the advertiser.

The CPRA is quite clear that such activity requires an opt-out regardless of whether it is a sale of information or not. Should CPRA come into effect, businesses should expect to present consumers with three opt-out choices in total (subject to further clarification from the Attorney General):

  1. A global opt-out from sale and sharing of personal information
  2. A choice to “Limit the Use of My Sensitive Personal Information”
  3. A choice for “Do Not Sell/Do Not Share/Do Not Share my Personal Information for Cross-Context Behavioral Advertising”

3. Employee and Business-to-Business (B2B) Data

Both employee and B2B data are currently exempted from general CCPA coverage, although these exemptions are set to expire January 1, 2021. Under the CPRA, these exemptions would be extended until January 1, 2023.

However, this does not mean that businesses do not have any obligations with respect to employee data under CCPA (and under CPRA). For data belonging to job applicants, employees, and independent contractors, businesses must disclose the categories of personal information that were collected and what purposes the information was collected for, typically within a separate employee privacy notice. CPRA also extends anti-discrimination rights to employees who exercise their rights and then face retaliatory action from their employer.

4. Children’s Data

Children’s privacy and data collection is a particularly sensitive area of regulation. TikTok is commonly scrutinized due to its predominantly younger userbase, and settled with the FTC for $5.7 million in 2019 over allegations that it collected children’s data without parental consent.

Under CPRA, fines may be tripled for violations involving children’s information. Currently, businesses are fined $2,500 for each violation and $7,500 for intentional violations under CCPA. Per the amended Section 1798.155 in CPRA, businesses would be fined $2,500 for each violation and $7,500 for intentional and children’s data violations. Given that violations can potentially involve hundreds of thousands of records for medium-sized enterprises and millions for large companies, the fines can be staggering when multiplied.

5. Removal of Notice-and-Cure

Previously, under CCPA, businesses were allowed a thirty (30) day period to cure violations following notice by the California Attorney General’s office. CPRA has quietly removed this notice-and-cure provision through its changes to Section 1798.155. The notice-and-cure is often criticized as a “get-out-of-jail-free” card that prevents any real enforcement of CCPA outside of a consumer’s private right of action. If CPRA passes, the removal of this provision means that businesses will need to be more vigilant about getting privacy compliance and privacy implementation correct on the first try.

6. CPPA: New State Enforcement Agency

CPRA will allocate $10 million per year to a new state agency, the CPPA, to investigate and enforce against violations of consumer privacy laws, similar to European data protection authorities. Some portion of this cost will be offset by the proceeds of enforcement actions.

Currently, the California Office of the Attorney General (OAG) enforces the CCPA as part of the office’s functions for protecting consumer rights and prosecuting consumer crimes, amid a host of other duties.

The CPPA being an agency dedicated solely to privacy regulation would relieve much of the strain of enforcement previously on the OAG. If CPRA passes, expect to see more enforcement actions.

Likelihood of Prop 24 Passing

Prop 24 is divided in its support among reputable consumer and civil rights organizations, which can make it harder to gauge how likely Prop 24 is to pass. Democratic Presidential candidate Andrew Yang as well as the NAACP have come out in support of Prop 24. However, the ACLU has opposed Prop 24 in official election materials. Other organizations remain neutral, such as the Electronic Frontier Foundation, which has come out as neither endorsing nor opposing Prop 24.

According to recent polling conducted by Redfield & Wilton Strategies, 60% of respondents indicated that they would vote ‘Yes’ on Prop 24, with 17% opposing and 23% undecided. Even if Prop 24 fails to pass, businesses should not breathe a sigh of relief and assume that the trendlines are moving toward deregulation. In fact, the greatest opposition to CPRA is centered on the fact that the law is not protective enough of consumer privacy and has too many loopholes that cater to big tech companies collecting large amounts of data. The pattern is moving toward greater privacy regulation, and CPRA is an experiment in seeing how far the boundary can be pushed.


Website Accessibility for Privacy Policies – California Consumer Privacy Act Regulations

Image Credit: Gordon Johnson from Pixabay

On October 10, the California Attorney General released proposed guidelines to implement the California Consumer Privacy Act (CCPA), which goes into effect in January 2020. One of the provisions that surprised many was a new requirement that privacy notices given to consumers “[b]e accessible to consumers with disabilities” and “[a]t a minimum, provide information on how a consumer with a disability may access the notice in an alternative format.” [Note: the AG’s regulations are not final, and interested parties may submit comments about them before December 6, 2019 at a series of public hearings, by mail, or by email.]

The requirement to provide the privacy notice in a format that is accessible to people with disabilities is consistent with recent trends towards website compliance with the Americans with Disabilities Act (ADA). Whether out of a desire to advance equity or to comply with the spirit or letter of accessibility laws, we see more businesses and website operators making earnest attempts to make their websites accessible to the broadest audience possible.

Unfortunately, the AG did not provide very much guidance on how businesses could make their privacy notice or websites more accessible. Luckily, several organizations doing work in this area, including the W3 Web Accessibility Initiative, Stanford Online Accessibility Program and Berkeley WebAccess, have put resources online for designers, developers and content creators.

While not exhaustive, the following is a list of fairly straightforward best practices distilled from other lists that businesses and website operators can implement to make their websites accessible to people with disabilities:

  1. Use headings correctly to organize the structure of your content
  2. Pay attention to color contrast
  3. Images should include alternate text in the markup/code; complex images should have more extensive descriptions near the image
  4. Provide transcripts for podcasts
  5. Websites with videos should provide visual access to the audio information through in-sync captioning
  6. Sites should consider using skiplinks

Millions of internet users have special needs, disabilities and impairments that make certain websites difficult or impossible to access and use. By designing your website with these challenges in mind, you can ensure that it is welcoming to as many users as possible.


Privacy Rights in Class Action Lawsuits – Should Putative Class Members Opt-In Before Their Personal Information Is Disclosed in California Consumer Privacy Act Litigation?

[Originally published in Orange County Lawyer Magazine, May 2019, Vol. 61 No. 5, by Lily Li and Matthew Wegner; Image Credit: kmicican from pixabay.com]

In 2020, the nation’s toughest data privacy law will take effect in California. The California Consumer Privacy Act of 2018 (CCPA) imposes harsh restrictions on companies seeking to sell consumers’ data, including statutory penalties for any breaches of data. This legislation was spurred by public outrage against the Facebook-Cambridge Analytica scandal and Equifax, Target, and Yahoo data hacks, and reflects a growing trend to protect consumer data privacy.

As with so many legislative and judicial movements in California—for example, the Save-On decision, which ushered in a wave of wage-and-hour class actions in the early 2000s, or Business & Professions Code section 17200, which before Proposition 64 was tacked-on to countless consumer class actions—the CCPA is likely to usher in a host of new class action litigation as plaintiffs (and their attorneys) seek to recover statutory damages for data privacy violations.


Privacy Law Forecast for 2019

Image Credit: ID 23689850 © Steve Ball | Dreamstime.com

This past year was quite a whirlwind for privacy and cybersecurity watchers. Just to sum up a few of the top events of last year:

  • Facebook’s Cambridge Analytica scandal rocked political headlines
  • Europe introduced the GDPR, the most comprehensive data protection legislation to date in the world
  • California enacted the California Consumer Privacy Act, becoming the first US state to create GDPR-style rules
  • Google came under fire for allowing app developers to read your email, and track your location (even with location tracking off!)
  • Marriott’s guest reservation system was hacked, exposing the personal information of up to 500 million guests, including passport numbers and payment numbers for some of those hacked

What will happen in 2019? Here are our top 5 predictions:



California Consumer Privacy Act vs GDPR – How to Maximize Your Privacy Compliance Program

California’s recent passage of the Consumer Privacy Act of 2018 now places the world’s fifth-largest economy under European style data protection rules. Given the new law, US businesses that were previously hesitant to implement GDPR are now reconsidering their position.

Luckily, the GDPR and the California Consumer Privacy Act (CCPA or CaCPA) share some similarities. Both provide for consumer-facing privacy notices, data access rights, and data portability. As businesses automate their GDPR compliance processes, they should also leverage those same processes under the CaCPA to save significant time and expense.

Below, we have listed five common operational steps that all businesses should take in their GDPR and CaCPA privacy compliance programs:
