Tag: California

Posted on by Duane Morris

Proposed Modifications to CCPA Regulations – Definitions and Consumer Notice Requirements

Note: This blog post is the first of three expanding on the information contained in an Alert on the Duane Morris LLP website.

On February 10, 2020, California’s Office of the Attorney General proposed a modified version of the California Consumer Privacy Act (CCPA) regulations first published on October 11, 2019. The initial proposed regulations were summarized in our previous Alert. The deadline for providing comments on the modified proposed regulations is February 25, 2020.

The proposed changes to the definitions, notices, and privacy policies in the modified regulations are summarized below.

Section 999.301 – Definitions

  • The definition of “categories of sources” now requires businesses to provide descriptions of the sources with enough “particularity to provide consumers with a meaningful understanding of the type of person or entity.” The same particularity requirement applies to categories of third parties.
    • CCPA Example: Categories may include advertising networks, internet service providers, data analytics providers, government entities, operating systems and platforms, social networks and data brokers.
  • COPPA is now explicitly defined as the “Children’s Online Privacy Protection Act, 15 U.S.C. sections 6501 to 6508 and 16 Code of Federal Regulations part 312.5.”
  • “Employment benefits” and “employment related information” are now defined terms.
  • The definition of “household” is clarified and narrowed. Under the prior version of the proposed regulations, this was defined as anyone occupying a single dwelling. Now, household includes those individuals who not only live at the same address, but who must also share a common device or service and be identified by the business as sharing the same account or unique identifier.

Section 999.302 – Definitional Guidance

  • Adds a new section titled “Guidance Regarding the Interpretation of CCPA Definitions.” This guidance clarifies that what is considered “personal information” depends on the manner in which the information is maintained by a business.
    • CCPA Example: If a business collects the IP addresses of visitors to its website but does not link the IP address to any particular consumer or household, and could not reasonably link the IP address with a particular consumer or household, then the IP address would not be personal information.

Section 999.304 – General Notice Requirements

  • Adds an explicit overview of what notices are required for businesses subject to the CCPA, including the requirements that a business provide consumers with a privacy policy, notice at collection of personal information, notice of right to opt-out of the sale of personal information, if applicable, and notice of financial incentive, if applicable.

Section 999.305 – “At Collection” Notices

  • Requires businesses to following generally recognized industry standards to ensure that the “at collection” notices are reasonably accessible to consumers with disabilities. Also clarifies that the notice must be provided in the languages in which the business generally provides information to consumers in California.
  • Clarifies and provides additional illustrative examples of notice considered readily available at or before the point of collection of any personal information.
    • CCPA Example: When collecting personal information online, providing a conspicuous link to the notice on a business’ introductory page of its website and on all webpages where personal information is collected.
    • CCPA Example: When collecting personal information through a mobile app, providing a link to the notice on the mobile application’s download page and within the application, such as through the application’s settings menu.
    • CCPA Example: When personal information is collected in person or via phone, providing the notice orally.
  • Adds a “just-in-time” notice requirement for personal information collected from a mobile device that a consumer would not “reasonably expect” to be collected in connection with an app. The notice must include a summary of the categories of personal information being collected and a link to the full notice at collection.
    • CCPA Example: If the business offers a flashlight app and the app collects geolocation information, the business shall provide a just-in-time notice, such as through a pop-up window when the consumer opens the app, which contains the required information.
  • Clarifies that a business may not use a consumer’s personal information for any purpose “materially different” from the purpose disclosed at the point of collection, unless the business obtains explicit consent from the consumer for the materially different purpose.
  • For a data broker registered with the Office of the Attorney General, the “at collection” notice is not needed if the registration includes a link to its privacy policy that includes instructions on how to submit a request to opt out. The data broker is no longer required to contact the consumer or the source of personal information directly.
  • Clarifies that for requirements effective January 1, 2021, a “do not sell” link will not be necessary for employment-related information, and the notice at collection for employment-related information may include a link to, or a paper copy of, a business’ privacy policies for job applicants, employees, or contractors as opposed to the privacy policy for consumers.

Section 999.306 – “Do Not Sell” Opt-Out Notices

  • No longer requires a business that “may sell” personal information in the future to provide an opt-out notice if that business is not presently selling personal information.
  • Requires businesses to follow generally recognized industry standards to ensure that the opt-out notices are reasonably accessible to consumers with disabilities. Also clarifies that the notice must be provided in the languages in which the business generally provides information to consumers in California.
  • Clarifies that a business that collects personal information through a mobile app may provide the opt-out notice within the app, such as through the app’s settings menu.
  • Requires an affirmative authorization for the sale of personal information collected when the business does not have a notice of right to opt-out posted.
  • Includes an example opt out button that, if used, must (1) be in addition to, not in lieu of, the posting of a notice of the right to opt-out, (2) appear to the left of the “Do Not Sell My Personal Information” or “Do Not Sell My Info” link, and (3) be approximately the same size as the other buttons on a business’ web page.
  • CCPA Example:

Section 999.307 – Financial Incentive Notices

  • Requires businesses to follow generally recognized industry standards to ensure that the notice of financial incentives is reasonably accessible to consumers with disabilities. Also clarifies that the notice must be provided in the languages in which the business generally provides information to consumers in California and to be readily available where consumers will encounter it before opting into a financial incentive or price or service difference.
  • The notice must explain how the financial incentive or price or service difference is reasonably related to the value of the consumer’s data.

Section 999.308 – Privacy Policies

  • Requires businesses to follow generally recognized industry standards to ensure that the privacy policy is reasonably accessible to consumers with disabilities. Also clarifies that the notice must be provided in the languages in which the business generally provides information to consumers in California.
  • Clarifies that a mobile app may include a link to the privacy policy in the app’s settings menu.
  • Clarifies that the categories of third parties to whom information is disclosed or sold must be provided for each category of personal information identified.
  • Clarifies that the privacy policy must state whether the business has “actual knowledge” that it sells personal information of minors under 16 years of age.
  • Clarifies that the privacy policy should provide instructions on how an authorized agent can make a request on a consumer’s behalf, as opposed to explaining how a consumer can designate an authorized agent.
Posted on by Duane Morris

Employee Rights Rolled Into California’s New Consumer Privacy Act – What Employers Should Know

California has enacted the California Consumer Privacy Act of 2018, establishing the strictest data privacy law in the United States. Recent amendments provide a one-year partial exemption for personal information that is collected from job applicants, employees, business owners, directors, officers, medical staff or contractors. However, qualifying employers are still required to provide certain disclosures and are still liable for statutory damages if unencrypted, sensitive employee data is breached as a result of a failure to implement reasonable security measures.

The following is a CCPA checklist for employers:

·      Determine whether the CCPA applies to your business.

·      Inform key decision-makers about the CCPA and appoint privacy compliance manager.

·      Conduct data mapping of employee personal information.

·      Draft an employee-specific disclosure document.

·      Ensure that the employee disclosure is provided at or prior to the collection of employee personal information (including all applicants).

·      Ensure that all contracts with service providers with access to employee personal information include robust information security and privacy provisions.

·      Ensure compliance with other privacy, security and data protection and disposal laws.

For more detailed information on this topic, please see our Alert.

Posted on by Duane Morris

CCPA Update: Proposed Regulations Published by Attorney General

The Office of the Attorney General has released the long-anticipated proposed CCPA regulations. The proposed regulations outline procedures intended to facilitate consumers’ new rights under the CCPA and provide compliance guidance to businesses regarding:

  1. Notices businesses must provide to consumers under the CCPA;
  2. Handling consumer requests made pursuant to the CCPA;
  3. Verifying the identity of the consumer making those requests;
  4. Personal information of minors; and
  5. Nondiscrimination and offering of financial incentives.

Please see our Alert for a detailed discussion of the proposed regulations.

Posted on by Duane Morris

CCPA Amendments Signed by Gov. Newsom

Governor Gavin Newsom signed five CCPA amendment bills into law on Friday, October 11, 2019.  He also signed an amendment broadening the California breach notification law and a new law which creates a data broker registry for the sale of certain personal information.  The event marked the culmination of the California Legislature’s efforts this year to clarify the terms and scope of the CCPA, which takes effect on January 1, 2020.

A summary of these laws and their impact may be found in our previous Alert.

Stay tuned to the Duane Morris TechLaw Blog for developments regarding the CCPA and its implementation.

Posted on by Duane Morris

Amendments to the CCPA Ready for Governor’s Signature

By:  Michelle Hon Donovan, Brandi Taylor and Angelica Zabanal

Last Friday, September 13, 2019, marked the final day for the California Legislature to vote to pass amendments intended to clarify the terms and scope of the California Consumer Privacy Act (CCPA), which takes effect on January 1, 2020. The bills are now on Governor Gavin Newsom’s desk for approval, and the Governor will have until October 13, 2019, to sign or veto them.

Of the CCPA amendment bills that were in consideration, the following were passed:

  • AB 25, regarding employee exemption
  • AB 874, regarding the definition of PI (personal information)
  • AB 1146, regarding warranty and vehicle repairs
  • AB 1355, regarding the B2B exemption and other clarifying amendments
  • AB 1564, regarding toll-free telephone number exception

Also of note, AB 1130 – a bill that does not specifically amend CCPA – also passed. This bill expands the categories of PI covered by California’s data breach notification laws, which will now include tax identification numbers, passport numbers, military identification numbers and unique identification numbers issued on a government document, as well as certain types of specified unique biometric data. This expansion is anticipated to impact liability under the CCPA’s private right of action

While not an exhaustive list of the bills that stalled during the legislative process, the following bills of note failed to be passed by the legislature:

  • AB 873, regarding the definition of de-identified
  • AB 846, regarding customer loyalty programs
  • AB 981, regarding exemption for certain insurance transactions

While the approved amendments did not significantly overhaul the CCPA, several notable changes were made. Please see our Alert for a detailed discussion of these changes.

Posted on by Eric J. Sinrod

California Net Neutrality Law Put On Hold Pending Federal Litigation

California recently passed what some argue to be the most robust net neutrality state law in the United States. That law has not yet gone into effect.

The very same day that California Governor Jerry Brown signed the net neutrality bill into law, the US Department of Justice was quick to filed a federal lawsuit, among other goals, to block implementation of the law. And last week, the Department of Justice and California Attorney General Xavier Becerra entered into an agreement to further postpone implementation of the California net neutrality law until the federal lawsuit is concluded.

So, what is at stake here? Continue reading “California Net Neutrality Law Put On Hold Pending Federal Litigation”

Posted on by Eric J. Sinrod

New California Law Seeks to Lead the U.S. in Online Privacy Protection

Privacy is like oxygen. It generally is not noticed by a consumer until it is gone. California lawmakers, however, are quite aware of privacy and have recently passed perhaps the most strict privacy law in the United States.

Only days ago, the California Consumer Privacy Act of 2018 (“the Act”) was signed into law by Governor Jerry Brown after it had been approved on a unanimous basis by the California State Assembly and the California Senate. The Act does not become operative until 2020, but when it goes it to effect, it will pack a punch. Indeed, the Act will provide great control to consumers with respect to their own personal data.  Continue reading “New California Law Seeks to Lead the U.S. in Online Privacy Protection”

Posted on by Eric J. Sinrod

Revenge Porn Website Creator Faces 31 Criminal Charges

The other shoe has dropped — a recently enacted revenge porn law has reached the point of criminal prosecution in California.

Indeed, a San Diego man has just been charged with operating a Web site that allows users to post sexual images of others so that he then allegedly could extort large sums of money from the victims whose images had been posted.

Continue reading “Revenge Porn Website Creator Faces 31 Criminal Charges”

Posted on by Eric J. Sinrod

California Criminalizes “Revenge Porn”

In my most recent blog, I reported on the phenomenon of “revenge porn,” the unfortunate practice by former lovers, boyfriends, and husbands of posting nude and sexual photos and videos of women with whom they had been intimate.

Now, according to Reuters, California Gov. Jerry Brown has just signed a unique state law that criminalizes revenge porn.

Continue reading “California Criminalizes “Revenge Porn””

© 2009- Duane Morris LLP. Duane Morris is a registered service mark of Duane Morris LLP.

The opinions expressed on this blog are those of the author and are not to be construed as legal advice.

Proudly powered by WordPress