March 24, 2020

California Attorney General Issues Another Round of CCPA Regulations as Class-Action Filings Filter in Amidst COVID-19

By Roy Wyman, Joelle Hupp, Colton Driver, CIPP/E

As of March 11, 2020, the California Attorney General issued another round of proposed California Consumer Privacy Act regulations. Notably, this round of regulations, beyond some formatting modifications, is far less comprehensive in scope than the draft regulations published in early February, but it does have a few substantive areas of interest.

The following are substantive revisions that appear to impact a broader scope of businesses:

  • Personal Information Definition: One area that raised concerns during the prior comment period was how the definition of ‘personal information’ used an IP address as an example. That example has now been removed. The guidance rested on the concept of a “reasonable linking” of IP addresses as a trigger for qualification as ‘personal information’. This approach was criticized as both too broad for smaller businesses and too narrow for more sophisticated actors. One commentator remarked that even the FCC currently interprets an IP address as personally identifiable information. Ambiguity remains, however, as to what may be “reasonably linked…with a particular consumer or household.”
     
  • Financial Incentive Definition & Related Regulations: Revised regulations bring the definition offered for financial incentives more in line with the current broad definition for sale of data. While previous language spoke to ‘compensation,’ the current revisions strike the term ‘compensation’ altogether. Additionally, requirements surrounding financial incentive obligations change the terms ‘disclosure’ and ‘deletion’ to ‘collection’ and ‘retention,’ which appears to recognize the value in collecting and/or retaining information, but could expand the reach of the statute.
     
  • Notice at Collection B2B: Current draft regulations clarify obligations of businesses that (i) do not collect personal information directly from consumers and (ii) do not sell consumers’ personal information. Notice at Collection need not be provided to consumers if both of these parameters are met. Any business that meets the first parameter but fails the second may be defined as a ‘Data Broker’ and would be required to register as such per California’s data broker law.  Additional information regarding the data broker registry may be found here:
  • ‘Do Not Sell’ Logo: References to the Opt-Out button or logo have been removed in their entirety. As a threshold matter, the logo was always permissive rather than mandatory under the draft regulations, and several commentators opined that the logo as currently designed may cause more confusion to consumers in actual practice.
     
  • Privacy Policies Specific to Non-Consumers: Prior revisions suggested that companies, in their Notices at Collection, may direct non-consumers such as employees and contractors to separate and distinct privacy policies apart from the general privacy policy presented to consumers. These references have been removed. The March revisions still clearly state companies are not required to provide a link to the business’ privacy policy in the Notice at Collection for employment-related information.
     
  • Non-Disclosure of Certain Identifiers: Regulations issued thus far consistently outlined certain pieces of highly sensitive information businesses should never transmit to consumers even in response to a request to know (e.g. SSNs, passport IDs, biometric data [added in February 2020]). March revisions confirm that businesses maintaining this type of information must still disclose to consumers with ‘sufficient particularity’ if this type of information is collected from a consumer.

The full draft regulations in comparison form may be found at this link. A synopsis of the draft regulations previously issued in February is available here.

CCPA Enforcement Timing

The current comment period concludes on March 27, 2020. Questions linger as to whether CCPA enforcement timing will be impacted by COVID-19. On March 17, several large trade associations and companies filed a request for temporary forbearance of CCPA enforcement until January 2021. The request letter is available at this link. However, an advisor to the Attorney General recently commented, “Right now, we’re committed to enforcing the law upon finalizing the rules or July 1, whichever comes first. We’re all mindful of the new reality created by COVID-19 and the heightened value of protecting consumers’ privacy online that comes with it. We encourage businesses to be particularly mindful of data security in this time of emergency.” Given the delay in regulation finalization, most agree the earliest possible enforcement date remains July 1, 2020, based on the statute as written. With the Attorney General’s office only anticipating resources for a handful of CCPA enforcement actions per year, the most likely targets for enforcement actions remain companies evidencing “flagrant violations”.

Class Actions Claiming CCPA Violations

A private right of action under CCPA, as opposed to enforcement through the Attorney General, is only available where personal information of a consumer was compromised under the data breach provisions of the CCPA; however, the retroactivity of this provision remains unclear. Both Barnes v. Hanna Andersson, LLC (filed February 3, 2020) and Fuentes v. Sunshine Behavioral Health Group, LLC (filed March 10, 2020) claim violations of CCPA data breach provisions. Both cases likely face an uphill battle for survival of the CCPA claims as the circumstances giving rise to the alleged breaches occurred prior to CCPA’s effective date. Burke v. Clearview AI, Inc. (filed on February 27, 2020) claims general violation of the CCPA on account of alleged ‘scraping’ and selling of biometric data without proper advance notice and consent. Enforcement of the notice and consumer request provisions of the CCPA lies within the purview of the Attorney General and not private citizens. Complainants in Clearview AI look to avoid this conundrum by casting violation of the CCPA as a violation of the California Unfair Competition Law (“UCL”). Unfortunately for the viability of the CCPA claims in Clearview AI, the CCPA already explicitly precludes interpreting the CCPA “to serve as a basis for a private right of action under any other law.”