A February 2020 Surprise: California Attorney General Proposes Significant Revisions to CCPA Regulations
Just as companies were starting to recover from their exertions to put in place California Consumer Privacy Act (“CCPA”) compliance programs before the law’s January 1, 2020 entry into force, the California Attorney General (“AG”) provided an early February surprise. CCPA watchers long expected that the AG would revise the CCPA regulations he initially proposed on October 10, 2019. But when the AG actually released his proposed regulations on February 7 – a proposal he subsequently modified slightly on February 10 – both the timing and breadth of the revisions were surprising. In short, the revisions were both sooner and more significant than expected.
California Department of Business Oversight December 2019 Actions
The California Department of Business Oversight (CDBO) recently concluded that the point of sale consumer financing programs offered by Sezzle, Inc., and another, unnamed party constituted making loans for purposes of the California Financing Law (CFL). A number of payment providers and technology companies have been developing innovative payment options, including consumer financing options, that are facilitated by advances in technology and mobile connectivity. Some market participants have structured their products such that a license should generally not be required under state law. The CDBO’s actions, however, may require companies to revisit that analysis and consider their licensing obligations.
Oregon Requires Vendors to Report Data Breaches
While much of the New Year attention has been focused on California due to the effective date of the California Consumer Privacy Act, a new Oregon law also went into effect on January 1, 2020 complicating compliance with data breach obligations. The law is unique among state data breach notification laws in that it imposes a direct obligation on vendors to provide regulatory notice to the state. It also requires vendors to provide notice to the data owner within 10 days. This new regulatory notice requirement may take some control away from data “owners” that typically manage (and often contractually demand sole control over) initial regulator communications with regard to incidents impacting their data. However, the new requirement may also incentivize service providers to take more responsibility for incident response.
Examining Legislative Proposals to Protect Consumer Data Privacy
On December 4, 2019, the Senate Commerce Committee addressed data privacy in a hearing titled, “Examining Legislative Proposals to Protect Consumer Data Privacy.” The hearing focused on the two leading privacy proposals that were put forward in the week leading up to the hearing, the Consumer Online Privacy Rights Act (COPRA), introduced by Sen. Maria Cantwell, D-Wash., ranking member on the Committee, and a Staff Discussion Draft of the United States Consumer Data Privacy Act of 2019 (CDPA), introduced by Sen. Roger Wicker, R-Miss., Chairman of the Committee. The competing proposals share many similarities, including their scope of covered data and entities, as well as their approaches to consumer transparency and access. However, as witness testimony during the hearing revealed, the proposals diverge on a few critical issues.
CCPA 2.0 Moves to Next Critical Stage of Referendum Process
In the evening of December 17, 2019, Californians for Consumer Privacy, the consumer privacy rights organization led by Alastair Mactaggart that propelled California towards the U.S.’s first comprehensive privacy legislation, tweeted the Attorney General’s release of the title and summary for Initiative 19-0021. This Initiative would substantively amend and essentially replace the California Consumer Privacy Act (“CCPA”) with the proposed Consumer Privacy Rights Act of 2020—also known colloquially as CCPA 2.0. (more…)
Federal and State Authorities Increase Scrutiny and Enforcement of Children’s Privacy; Google, YouTube Agree to Pay a Record $170 Million Fine
This fall, scrutiny has increased on children’s privacy with the FTC and New York Attorney General’s announcement of the largest fine ever for violations of the Children’s Online Privacy Protection Act (“COPPA”), followed by FTC public workshops on updating the COPPA Rule. Combined with increased requirements for the sale of teen personal information under the California Consumer Privacy Act (“CCPA”), and calls for triple fines for children’s privacy violations under a potential CCPA 2.0 referendum for 2020, children’s privacy has come to the forefront of privacy risks.
The Final Countdown: What You Need to Know About the CCPA and its Draft Regulations Before January 1
Companies doing business in California or with Californians must be ready to comply with the California Consumer Privacy Act (CCPA) by January 1, 2020 – less than three months away. However, as businesses were putting the finishing touches on their compliance efforts, the California legislature amended the law and the Attorney General proposed a round of very significant regulatory requirements. Now businesses find themselves making last-minute adjustments as the deadline approaches.
Please join us for a discussion that highlights the key takeaways from the recent CCPA amendments and proposed regulations, identifies the steps companies should be taking to meet these new obligations, and provides benchmarks for how companies are addressing key issues surrounding the CCPA.
CCPA In-Depth Series: Draft Attorney General Regulations on Consumer Requests
This post is the second in a three part series taking a deep dive into the five key articles of the Attorney General’s CCPA draft regulations: Article 2 on Notice to Consumers; Article 3 on Business Practices for Handling Consumer Requests; Article 4 on Verification of Requests; Article 5 on Special Rules Regarding Minors; and Article 6 on Non-Discrimination. Today we look at consumer requests. Check back daily for the next installment, or visit the CCPA Monitor for a collection of all our CCPA insights.
Intro and Background. In the summer of 2018, the California Legislature drafted and passed the California Consumer Privacy Act (CCPA) in record time. Facing a procedural deadline for a ballot initiative, the Legislature acted with dispatch, as it did not want to add to the State Constitution, with its super-majority amendment requirements, many of the provisions that ultimately found their way into the CCPA. This abbreviated legislative process produced a bill with numerous gaps and anomalies, however. Businesses, consumer advocates, and privacy watchers have thus been eagerly waiting for over a year for the Attorney General to propose the regulations the CCPA requires him to promulgate.
On October 10, 2019, this wait finally ended. As laid out below, the nature and breadth of the Attorney General’s proposed regulations explain why they took so long to produce. Put simply, the proposed regulations are significant and will have substantial implications on businesses’ ongoing efforts to comply with the CCPA with less than three months left to go before the effective date. Indeed, even if they do not resolve all of the Law’s many ambiguities, they do provide helpful implementation guidance – along with surprising new requirements, some of which may questionably extend beyond the CCPA itself.
CCPA In-Depth Series: Draft Attorney General Regulations on Consumer Notice
This post is the first in a three part series taking a deep dive into the five key articles of the Attorney General’s CCPA draft regulations: Article 2 on Notice to Consumers; Article 3 on Business Practices for Handling Consumer Requests; Article 4 on Verification of Requests; Article 5 on Special Rules Regarding Minors; and Article 6 on Non-Discrimination. Today we look at consumer notice. Check back daily for the next installment, or visit the CCPA Monitor for a collection of all our CCPA insights.
Intro and Background. In the summer of 2018, the California Legislature drafted and passed the California Consumer Privacy Act (CCPA) in record time. Facing a procedural deadline for a ballot initiative, the Legislature acted with dispatch, as it did not want to add to the State Constitution, with its super-majority amendment requirements, many of the provisions that ultimately found their way into the CCPA. This abbreviated legislative process produced a bill with numerous gaps and anomalies, however. Businesses, consumer advocates, and privacy watchers thus have been eagerly waiting for over a year for the Attorney General to propose the regulations the CCPA requires him to promulgate.
On October 10, 2019, this wait finally ended. As laid out below, the nature and breadth of the Attorney General’s proposed regulations explain why they took so long to produce. Put simply, the proposed regulations are significant and will have substantial implications on businesses’ ongoing efforts to comply with the CCPA with less than three months left to go before the effective date. Indeed, even if they do not resolve all of the Law’s many ambiguities, they do provide helpful implementation guidance – along with surprising new requirements, some of which may questionably extend beyond the CCPA itself.
California Attorney General Releases Proposed CCPA Regulations
Earlier today, the California Attorney General ended months of anticipation by releasing the text of his proposed California Consumer Privacy Act (CCPA) regulations. Comments on the proposed regulations are due by December 6, 2019, and the Attorney General’s office will hold public hearings on the regulations on December 2 (Sacramento), December 3 (Los Angeles), December 4 (San Francisco), and December 5 (Fresno).