Amendments to the Implementing Regulations
The original regulations governing compliance with the CCPA went into effect on August 14, 2020. The California attorney general issued several amendments to the regulations that were effective on March 15, 2021 (“2021 Amendments”).
The 2021 Amendments require that businesses that sell a consumer’s personal information provide the consumer an offline method with which to exercise their right to opt out and clear instructions on how to submit an opt-out request. The amendments provide that if personal information is collected from a consumer in a brick-and-mortar store, the business may inform consumers of their right to opt out on the paper forms that collect the personal information or by posting signs where the personal information is collected. Similarly, if the personal information is collected over the telephone, consumers may be orally informed of their rights during the call. Finally, the amendments created an opt-out icon for use by businesses.
The 2021 Amendments require businesses to make it easy for consumers to opt out, and the opt-out method may not be designed to subvert or impair a consumer’s choice to opt out. The amended regulations permit a business to verify an authorized agent’s authority to act on behalf of a consumer and require that a consumer verify the authorized agent’s ability to act. The 2021 Amendments also provide disclosures to be given to consumers under age sixteen.
The CPRA requires the CPPA to adopt, amend, and rescind regulations on twenty-two specified topics by July 1, 2022. The CPPA has not proposed regulations as of this writing.
The California Department of Justice (“DOJ”) began enforcing the CCPA on July 1, 2020. In July 2021, the California attorney general held a press conference “announcing successful enforcement efforts [under the CCPA] and urged more Californians to take advantage” of their CCPA rights. He also announced that 75 percent of businesses that had received a notice of an alleged CCPA violation cured the violation and became compliant within the thirty-day cure period provided under the CCPA. The other 25 percent were still within the cure period or were under “active investigation” by the DOJ. The attorney general stated that since CCPA enforcement began, the DOJ has issued cure notices to a wide range of entities, including “data brokers, marketing companies, businesses handling children’s information, media outlets, and online retailers.”
The CCPA limited the ability of consumers to bring civil actions under the act to cases in which there was “an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.” The legislature also restricted the ability for a violation of the CCPA to form a basis for a claim under California’s Unfair Competition Law by providing that “[n]othing in this title shall be interpreted to serve as the basis for a private right of action under any other law.” Accordingly, courts have quickly dismissed non-data breach claims.
For example, in one class action lawsuit alleging violations of various privacy laws, the court dismissed the claims arising under the CCPA, stating that “the CCPA has no private right of action and on its face states that consumers may not use the CCPA as a basis for a private right of action under any statute.” Similarly, the court granted a motion to dismiss a CCPA claim where there were no allegations of a security breach. However, the CCPA claim survived a pleading challenge in a case in which the plaintiff alleged a data breach.
Privacy Legislation in Other States
Two other states enacted comprehensive privacy legislation during the past year: the Virginia Consumer Data Protection Act (“VCDPA”) in March 2021 and the Colorado Privacy Act (“CPA”) in July 2021.
Virginia Consumer Data Protection Act
The VCDPA provides consumers with personal data rights, and it imposes responsibilities and duties on businesses that use consumers’ personal information. The law becomes effective on January 1, 2023. The VCDPA applies to persons that conduct business in Virginia or that produce products or services targeted to residents of Virginia and that during a calendar year, either control or process personal data of at least 100,000 consumers, or control or process personal data of at least 25,000 consumers and derive over 50 percent of their gross revenue from the sale of personal data.
The term “consumer” means “a natural person who is a resident of the Commonwealth [of Virginia] acting only in an individual or household context,” but does not include “a natural person acting in a commercial or employment context.”
The VCDPA regulates businesses acting as “controllers” and “processors,” both in collecting data and in interacting with consumers, and the relationship between controllers and processors. A “controller” means “the natural or legal person that, alone or jointly with others, determines the purpose and means of processing personal data,” while a “processor” means “a natural or legal entity that processes personal data on behalf of a controller.” The VCDPA defines “process” or “processing” as any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.
Consumer Personal Data Rights
The VCDPA creates the following rights for consumers: (a) the right to confirm whether a controller is processing the consumer’s personal data and the right to access the data; (b) the right to correct inaccuracies in personal data; (c) the right to delete personal data; (d) the right to obtain a copy of the consumer’s personal data in a portable and usable format; and (e) the right to opt out of the processing of personal data for targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or other significant effects concerning the consumer. A consumer, or the parent or guardian of a child under age thirteen, may invoke one of these rights at any time by submitting a request to the data controller.
The controller must respond to a consumer request without “undue delay” and within forty-five days, unless the controller provides a notice to the consumer to extend the time period. If the controller declines to take action based on a request, the controller must inform the consumer within forty-five days, along with justification for declining to take action and with instructions for how to appeal the decision. The controller must also establish an appeal process. However, if a controller is unable to authenticate a request using commercially reasonable means, the controller is not required to comply with a request and may request additional information from the consumer needed to authenticate the request.
Duties of Controllers
The VCDPA imposes several duties on controllers of personal data, including: (a) a duty to limit data collection to what is adequate, relevant, and reasonably necessary for the disclosed purposes; (b) a duty to establish and maintain data security practices; (c) a duty not to violate anti-discrimination laws; and (d) a duty not to process sensitive data concerning a consumer without obtaining the consumer’s consent, or to process the data of a child contrary to the federal Children’s Online Privacy Protection Act (“COPPA”).
Controllers are required to provide consumers with a privacy notice that includes specified content and information. Controllers must conduct and document a data protection assessment for certain enumerated types of processing activities involving personal data. In addition, other specified requirements apply to a controller when processing de-identified data.
The VCDPA exempts the following entities from the act: any government authority, agency, or political subdivision of Virginia; financial institutions or data subject to Title V of the Gramm-Leach-Bliley Act (“GLBA”); nonprofit organizations; and institutions of higher education.
The VCDPA also exempts certain types of information, including, among others: health information protected by the Health Insurance Portability and Accountability Act (“HIPAA”); certain types of personal information that are collected, maintained, disclosed, sold, communicated, or used pursuant to the Fair Credit Reporting Act (“FCRA”); personal data regulated by the Family Educational Rights and Privacy Act (“FERPA”); and data processed or maintained: (i) in the course of a person employed by or acting as an agent for a controller, processor, or third party; (ii) as emergency contact information, when used for that purpose; or (iii) that is necessary to retain to administer benefits for an individual in certain contexts.
The Virginia attorney general has exclusive authority to enforce the VCDPA and the act has no private right of action. Before initiating an action under the VCDPA, the attorney general must provide controllers or processors thirty days’ notice identifying the alleged violations and allowing them to cure the violation. If they cure the violation within thirty days, the attorney general will not take action. If an entity fails to cure the violation, the attorney general may seek an injunction and up to $7,500 in civil penalties for each violation.
Colorado Privacy Act
Like the VCDPA, the CPA creates new privacy rights for Colorado consumers and places duties and restrictions on entities that act as controllers and processors. Most of the provisions of the CPA become effective on July 1, 2023. The CPA applies to and distinguishes between controllers and processors of personal data. The CPA applies to a “controller” that conducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted to residents of Colorado, and either controls or processes the personal data of 100,000 Colorado consumers or more during a calendar year, or derives revenue or receives a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of 25,000 consumers or more.
The CPA defines a “controller” as a person that, alone or jointly with others, determines the purposes for and means of processing personal data. A “processor” means a person that processes personal data on behalf of a controller. “Process” or “processing” means the collection, use, sale, storage, disclosure, analysis, deletion, or modification of personal data and includes the actions of a controller directing a processor to process personal data.
Consumer Personal Data Rights
Like the CCPA and the VCDPA, the CPA creates new personal data rights for Colorado consumers. These include: (a) the right to opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or certain profiling that produces legal or other significant effects; (b) the right of access to confirm whether a controller is processing personal data concerning the consumer and to access the consumer’s personal data; (c) the right to correct inaccuracies in personal data; (d) the right to delete personal information; and (e) the right to data portability.
Consumers may exercise these rights by submitting a request to a controller at any time specifying which rights the consumer wants to exercise. The controller must inform the consumer of the action taken on a request without “undue delay,” and notification requirements are substantially similar to those of the VCDPA.
Duties of Controllers
The CPA provides a list of specific duties applicable to controllers, including: (a) a duty of transparency, including the requirement to provide a specific privacy notice; (b) a duty to specify why the personal data is collected and processed; (c) a duty of data minimization, meaning that a controller’s collection of personal data must be adequate, relevant, and limited to what is reasonably necessary; (d) a duty to avoid secondary use; (e) a duty of care, meaning that a controller must take reasonable measures to secure personal data from unauthorized acquisition during both storage and use; (f) a duty to avoid unlawful discrimination against consumers; and (g) a duty regarding sensitive data, meaning that a controller must not process a consumer’s sensitive data without first obtaining the consumer’s consent, or without the parent’s or guardian’s consent in the case of a child under age thirteen.
Other duties under the CPA apply to controllers when they conduct “processing that presents a heightened risk of harm to the consumer.” In such circumstances, controllers must conduct and document a data protection assessment for each of their processing activities that involves a heightened risk of harm. Additional duties and provisions apply when controllers process de-identified data.
The CPA provides a list of exempt persons and information. The list is extensive, but includes: (a) health information protected by HIPAA; (b) certain de-identified information; (c) certain activities regulated by the FCRA done by a consumer reporting agency, furnisher of consumer report information, or a user of a consumer report; (d) data collected, processed, sold, or disclosed pursuant to the GLBA; (e) data regulated by COPPA; (f) data regulated by FERPA; (g) data maintained for employment record purposes; (h) data maintained by a financial institution or an affiliate as defined by the GLBA; and (i) other data and entities enumerated under the CPA. The CPA also provides limitations on processing data pursuant to an exemption.
The CPA provides that the Colorado attorney general and district attorneys have exclusive authority to enforce the CPA by bringing an action on behalf of the state or on behalf of persons residing in Colorado. There is no private right of action.
Before bringing an enforcement action, the attorney general or a district attorney must issue a notice of violation to the controller and give a sixty-day opportunity to cure, if a cure is deemed possible. In addition, for purposes only of enforcement by the attorney general or a district attorney, any violation of the CPA is considered a deceptive trade practice under Colorado law.