Among countless other disruptions, COVID-19 has raised important questions about the limits of data collection and highlighted the shortcomings of both the European Union’s General Data Protection Regulation (“GDPR”) and the California Consumer Privacy Act (“CCPA”). The pandemic has proven to be a black swan for which neither law nor its enforcement bodies are prepared—and which carries privacy-law implications that will persist long after the health crisis ends. Consequently, governments and businesses must work without meaningful existing guidance to strike a delicate balance between gathering the critical information needed to manage the virus and honoring the GDPR’s and CCPA’s stringent requirements.

Data Collection in Europe

The European Data Protection Board’s general guidance on how to collect data, in the context of COVID-19, leaves much room for interpretation. GDPR Articles 6 and 9 permit data collection without consent if the processing is necessary for the performance of a task carried out in the public interest. Although combating COVID-19 qualifies as a public interest need, it is unclear whether the collection methods employed, which vary by country, qualify as “necessary” under GDPR, or whether or to what extent those processes can be sustained after the pandemic without violating the law. Each member state decides for itself how much intrusion is necessary, which invites comparisons to determine how far is far enough when gathering data in the public interest.
Continue Reading The Crisis Beyond the Crisis: How Data Tracking for COVID-19 Creates Privacy Issues That Will Persist Once the Pandemic Is Over

The California Consumer Protection Act (“CCPA”) was in effect for just over three months when the American economy stopped cold in the face of the COVID-19 global pandemic. Much effort was expended in the months before the January 1, 2020 effective date to ensure compliance with the CCPA which, like its European cousin, the General Data Protection Regulation (“GDPR”), aspires to protect data and personal information. But also like the GDPR, many anticipated enforcement by the California attorney general (scheduled to begin on July 1, 2020) to provide guidance on how the CCPA would be interpreted and applied. Then the world came to a halt. Literally. Notwithstanding, as discussed in our earlier post, the California Attorney General has signaled that businesses subject to the CCPA should not expect any delays in enforcement.

To be clear, privacy concerns did not cease to exist because of the pandemic. These concerns simply took a back seat as the world focused on defeating the virus. But privacy rights may be moving to the forefront again with the advent of COVID-19 tracking applications under consideration by governments seeking to use this technology to contain the spread of the virus. Most recently, on April 10, 2020, Google and Apple announced a joint endeavor to use Bluetooth technology in conjunction with apps from public health authorities to allow contact tracing of those individuals affected with COVID-19. The system is supposed to ensure users’ privacy and operate only with valid consent. See also our recent blog post on Locating COVID-19 Without the Location Data.

Although tracking technology is not new–other iterations were used to track other diseases such as the seasonal flu–its use here would be one of the first in the CCPA era. And arguably, the need to comply with the CCPA–passed by referendum in one state–has affected the usefulness of contact tracing solutions in every state.

The Apple-Google solution, for example, covers the vast majority of mobile devices and is likely to be the only solution agreed upon by these two companies. It skirts the need to handle geolocation data, reducing the regulatory footprint under the CCPA, but the very lack of geolocation data degrades the usefulness of this system to local governments for finding and locking down hotspots–and to users in avoiding them. Few, if any, privacy professionals envisioned that preparation for CCPA compliance needed to include protocols for responding to governmental requests for data in combatting a public health crisis. But here we are.
Continue Reading Will COVID-19 Finally Prompt a Federal Privacy Law?

Recently, Apple and Google–two of the world’s biggest tech firms–jointly devised a system of contact tracing for COVID-19. This contact tracing does not involve analyzing centralized data stores of personal data. Rather, it leverages a proximity technology most often seen in retail stores and shopping centers plus a peer-to-peer (P2P) communications concept that parallels methods explored for connected vehicles. The Apple-Google design is a fascinating departure from the conventional model of central collection and processing of personal data.

Coincidence… or Bluetooth?

You may have encountered mobile applications that have asked for Bluetooth access. Or you may have received what seems like a strangely coincidental promotional email as you have walked through the door of a store. This is not a coincidence; retailers frequently use Bluetooth, among other methods, to determine where a customer is standing in a store and to trigger promotions. This is not regulated in most of the United States. We normally think of Bluetooth as a way that a “master” device (a computer, car, or audio source, typically) can communicate with an “accessory” such as keyboards, mice, headphones, hands-free sets, etc. As most users encounter the technology, it is a matter of “pairing” one device with another. But Bluetooth can run under numerous profiles that transmit a variety of data types. GPS-free location tracking was largely enabled by Bluetooth LE, which allows the radio technology to run on a mobile device without creating an excessive battery drain. This eliminated a major inconvenience of prior versions of Bluetooth, and the practical effect is that it can remain “on” all the time. Many implementations of Bluetooth 4.0/LE allow range-finding between a transmitter and receiver. A store, for example, can determine where a customer is standing by measuring the distances from the visitor’s phone to sensors in the store.
Continue Reading Locating COVID-19 Without the Location Data

Last week, a coalition of over sixty trade associations and businesses representing almost every business sector authored a joint letter to the California Attorney General requesting that the Attorney General defer enforcement of the CCPA in light of the COVID-19 pandemic.  Although the CCPA has been in effect since January 1, 2020, the Attorney General is not set to commence enforcement actions under CCPA until July 1, 2020.  The basis for the request to defer enforcement of the CCPA centered on two grounds: (1) the significant challenges associated with implementing compliance with a new law when the majority of businesses are either closed or operating remotely and (2) the lack of final regulations providing critical guidance about interpreting the CCPA from the Attorney General.
Continue Reading CCPA: July 1, 2020 Attorney General Enforcement Start Date Looms Despite COVID-19

The California Consumer Privacy Act (“CCPA”), Cal. Civ. Code 1798.100-199, presents some interesting questions for mobility businesses and service providers that handle data developed or transmitted by vehicles. Although the CCPA was passed with an effective date of January 1, 2020, the regulations implementing it are still in flux—and are on their second iteration. But whether final regulations are in place or not, enforcement by the California Attorney General’s office could start as early as July 1, 2020.  Because the CCPA provided only limited exemptions for information collected by the automotive industry—information collected under the Driver’s Privacy Protection Act of 1994 and certain information developed and exchanged by new auto dealers and vehicle manufacturers in connection with warranty work or vehicle/part recalls—significant questions remain as to how the CCPA will be applied to the mobility industry.

For the past hundred or so years, most vehicles did not have the electronic brains to require a CCPA “gut check.” When electronics made their debut in automobiles, tools like OBD allowed vehicles to store diagnostic codes, and eventually event recorders (now regulated by the Driver Privacy Act of 2015) recorded pre-accident conditions. Telematics began to change the picture in the late 1990s, with automobiles transmitting information to central locations using cellular (and now wireless) technology. Modern connected vehicles can collect vast amounts of data when driven—and they can pass large amounts of it to manufacturers and service providers. And even when they are not actively transmitting this information, such information can be extracted from vehicles by service personnel. SAE Level 4 and Level 5 autonomous vehicles will necessarily be more dependent on connectivity both to central data sources and to each other—and can be expected to drive an explosion in data transmitted and analyzed on a central basis. Some of this will be regulated by data privacy laws, such as the CCPA, despite the above noted exceptions for automotive information.
Continue Reading CCPA: Keeping the Wheels on the Road

Cookies are the subject of much discussion in data regulation. If you visited a website that complies with the European General Data Protection Regulation (GDPR), you have seen the usual cookies popup. Maybe you wondered why this is necessary. At a basic level, the use of cookies is regulated by GDPR and the California Consumer Privacy Act (“CCPA”), and concerned site owners. Conventional knowledge (and in many cases practice) is that cookies should be disclosed—and that non-essential cookies, particularly those involved in advertising, require consent.

What exactly are cookies?

The “what” is known. The “why” is rarely discussed. The term “cookies” has its roots in magic cookies—identification tokens—in UNIX. Web cookies made their appearance in 1994 with Netscape Navigator 0.9 beta—in other words, the beta of the first commercialized web browser. This technology, which was once patented(!), involves data that is placed on a user’s computer in response to a user action. That information can then be read by the site later. It was first designed for use in shopping carts—so that a commercial website would not have to create an ID and store shopping selections unless and until a user decided to buy. Cookies were recognized by Internet Explorer 2 by 1995, they hit the media in 1996 in the Financial Times, and in the same year, the Federal Trade Commission began public hearings on them. Just as they have always been a part of the internet landscape, so have they been controversial.
Continue Reading Understanding Regulation of Cookies

As businesses and privacy professionals were holding their breath awaiting the California Governor’s signature on pending amendments to the much anticipated California Consumer Privacy Act (“CCPA”), California’s Attorney General took the spotlight yesterday by releasing the similarly anticipated CCPA Regulations, Cal. Code Regs. tit. 11, §999.300, et seq. (“Regulations”). Since the passage of the CCPA in June 2018, the regulations to accompany the CCPA have been touted as “guidance” on how to comply with the CCPA. Although only in draft form, some may argue that the newly released regulations increase the CCPA compliance burden, while others may argue the Regulations merely provide much needed detail on how to comply with the CCPA.

On October 10, 2019, California’s Office of the Attorney General released a notice of proposed rulemaking action, text of the proposed regulations, initial statement of reasons, and economic impact statement. The deadline to provide comments is December 6, 2019. 
Continue Reading The Regs are In! California’s Attorney General Releases the Long Awaited CCPA Regulations

After a busy year of legislative activity that brought forth many proposed amendments to the California Consumer Privacy Act (CCPA), Governor Gavin Newsom will be presented with six bills that will alter and/or clarify the scope of the CCPA. He is expected to sign all of them into law in October.

Employee Data:  The original version of the CCPA did not contain an exemption for employees’ personal information. Assembly Bill 25 brings needed clarity to the question of whether employee data will fall under the CCPA. This is a critical issue, given that certain personal information is necessarily used on a daily basis for business. Under AB 25, employees and prospective employees are excluded from most of the CCPA’s protections, which include: the right to request deletion of personal information; the right to inquire about what personal information is collected; the right to inquire about the sources of personal information; the right to inquire about the purpose for collecting or selling personal information; and the right to inquire about the categories of third parties with whom the employer or prospective employer shares their personal information. 
Continue Reading California Legislative Sessions Closes and Brings Finality to CCPA Amendments for Now

This blog post is the third in a series of Q&A posts following Dykema’s February 27, 2019 webinar on the California Consumer Privacy Act (“CCPA”). The statute takes effect on January 1, 2020–which is less than six months away. Please feel free to reach out to us if you have a unique question or would like to discuss in detail how the CCPA may apply to you.

You may see our first and second posts here and here.

Thanks for reading!


Continue Reading February 27, 2019, CCPA Webinar Q&As: Private Claims Under the CCPA

April was another busy month for legislative activity on the California Consumer Privacy Act (CCPA), following a very busy February [see our prior post here]. A proposed sweeping revision to the CCPA, AB 1760, was withdrawn, while three key amendments, AB 25, AB 873, and AB 874, are up for a floor vote. Meanwhile, SB 561, which greatly expands the private right of action under the CCPA, is now in the Senate Appropriations Committee’s Suspense File awaiting a May 17, 2019 deadline for a vote as to whether it makes it out of the Suspense File. 
Continue Reading CCPA Watch: Proposed Sweeping Overhaul Withdrawn, Three Amendments Providing Key Clarifications Remain Pending