On February 1, 2023, the California Privacy Protection Agency (CPPA) released a final draft of the regulations for enforcing the California Privacy Rights Act (CPRA). These regulations provide stricter restrictions on the collection of personal information. Of note is that collection practices must be “consistent with the reasonable expectations of the consumers.” According to 11 C.C.R. § 7002(b), expected to become final this year, “reasonable expectations” hinge on factors such as the relationship between the business and its consumers, the source of personal information, and the methods employed by the business collecting the data, and the involvement of other entities and third parties. If CPPA takes an expansive enforcement position on Section 7002, several types of automotive businesses could be impacted by this “consumer expectation” test.Continue Reading CPRA Regulation 7002: Detour for Automotive Businesses?

Effective January 1, 2023, companies subject to the California Consumer Privacy Act (“CCPA”) will face heightened compliance requirements when collecting personal information about their workers, business partners, and job applicants. The partial moratoriums in the CCPA that had applied to these data sets are set to expire, meaning that the CCPA will now apply with full force come the new year. Further, the California Privacy Rights Act (“CPRA”), which amends and reenacts the CCPA, becomes fully effective on January 1, 2023, and enforced beginning July 1, 2023, with a look-back period to January 1, 2022. The CPRA provides additional obligations and consumer data rights that will further complicate covered businesses’ compliance efforts with regard to the personal information of their employees and business contacts.

What were the partial exemptions?

Continue Reading CCPA/CPRA Set To Cover Employee, Job Applicant, and Business Personal Information: A Trap for the Unwary?

Just over eight months after the effective date of the California Consumer Privacy Act (CCPA), the California Office of Administrative Law (OAL) approved the final California Attorney General’s CCPA regulations on June 1, 2020. The regulations are effective immediately.

In conjunction with the release of the final version of the regulations, the AG released an Addendum to Final Statement of Reasons explaining that it had (1) withdrawn certain provisions for additional consideration and (2) any changes to the text of the June 1, 2020 regulations were “non-substantive” and for “accuracy, consistency, and clarity.” The AG defined “non-substantive” as those changes that “clarify without materially altering the requirements, rights, responsibilities, conditions or prescriptions contained in the original text.”
Continue Reading CCPA Regulations Are Now Final

The Genesis of Three Competing Federal Bills

In 2018, there were numerous congressional and industry proposals aimed at addressing privacy on the federal level. Although none ever crystalized as federal law, the sheer number of lawmakers introducing proposals and getting involved in the debate made clear that privacy would be a focus in 2019. As 2019 began, there was hope that the various state privacy statutes being enacted and debated were putting even more pressure on the federal government to enact bipartisan federal privacy legislation. The California Consumer Privacy Act’s (CCPA) January 1, 2020 go-live date also seemed to be increasing pressure on Congress to act. Nowhere was the combination of hope and pressure more pronounced than in the Senate Committee on Commerce, Science, and Transportation. Throughout 2019, bipartisan discussions on federal privacy legislation seemed to be progressing. Those talks ultimately broke down towards the end of 2019 and resulted in three separate, rival legislative proposals: COPRA, CDPA, and CDPSA.
Continue Reading Federal Privacy Legislation: Where Are We and Where Are We Going?

Among countless other disruptions, COVID-19 has raised important questions about the limits of data collection and highlighted the shortcomings of both the European Union’s General Data Protection Regulation (“GDPR”) and the California Consumer Privacy Act (“CCPA”). The pandemic has proven to be a black swan for which neither law nor its enforcement bodies are prepared—and which carries privacy-law implications that will persist long after the health crisis ends. Consequently, governments and businesses must work without meaningful existing guidance to strike a delicate balance between gathering the critical information needed to manage the virus and honoring the GDPR’s and CCPA’s stringent requirements.

Data Collection in Europe

The European Data Protection Board’s general guidance on how to collect data, in the context of COVID-19, leaves much room for interpretation. GDPR Articles 6 and 9 permit data collection without consent if the processing is necessary for the performance of a task carried out in the public interest. Although combating COVID-19 qualifies as a public interest need, it is unclear whether the collection methods employed, which vary by country, qualify as “necessary” under GDPR, or whether or to what extent those processes can sustain after the pandemic without violating the law. Each member state decides for itself how much intrusion is necessary, which invites comparisons to determine how far is far enough when gathering data in the public interest.
Continue Reading The Crisis Beyond the Crisis: How Data Tracking for COVID-19 Creates Privacy Issues That Will Persist Once the Pandemic Is Over

The California Consumer Protection Act (“CCPA”) was in effect for just over three months when the American economy stopped cold in the face of the COVID-19 global pandemic. Much effort was expended in the months before the January 1, 2020 effective date to ensure compliance with the CCPA which, like its European cousin, the General Data Protection Regulation (“GDPR”) aspires to protect data and personal information. But also like the GDPR, many anticipated enforcement by the California attorney general (scheduled to begin on July 1, 2020) to provide guidance on how the CCPA would be interpreted and applied. Then the world came to a halt. Literally. Notwithstanding, as discussed in our earlier post, the California Attorney General has signaled that businesses subject to the CCPA should not expect any delays in enforcement. To be clear, privacy concerns did not cease to exist because of the pandemic. These concerns simply took a back seat as the world focused on defeating the virus. But privacy rights may be moving to the forefront again with the advent of COVID-19 tracking applications under consideration by governments seeking to use this technology to contain the spread of the virus. Most recently, on April 10, 2020, Google and Apple announced a joint endeavor to use Bluetooth technology in conjunction with apps from public health authorities to allow contact tracing of those individuals affected with COVID-19. The system is supposed to ensure users’ privacy and operate only with valid consent. See also our recent blog post on Locating COVID-19 Without the Location Data. Although tracking technology is not new–other iterations were used to track other diseases such as the seasonal flu–its use here would be one of the first to be used in the CCPA era. And arguably, the need to comply with the CCPA–passed by referendum in one state–has affected the usefulness of contact tracing solutions in every state. The Apple-Google solution, for example, covers the vast majority of mobile devices and is likely to be the only solution agreed upon by these two companies. It skirts the need to handle geolocation data, reducing the regulatory footprint under the CCPA, but the very lack of geolocation data degrades the usefulness of this system to local governments for finding and locking down hotspots–and to users in avoiding them. Few, if any, privacy professionals envisioned that preparation for CCPA compliance needed to include protocols for responding to governmental requests for data in combatting a public health crisis. But here we are.
Continue Reading Will COVID-19 Finally Prompt a Federal Privacy Law?

Recently, Apple and Google – two of the world’s biggest tech firms–jointly devised a system of contact tracing for COVID-19. This contact tracing does not involve analyzing centralized data stores of personal data. Rather, it leverages a proximity technology most often seen in retail stores and shopping centers plus a peer-to-peer (P2P) communications concept that parallels methods explored for connected vehicles. The Apple-Google design is a fascinating departure from the conventional model of central collection and processing of personal data.

Coincidence… or Bluetooth?

You may have encountered mobile applications that have asked for Bluetooth access. Or you may have received what seems like a strangely coincidental promotional email as you have walked through the door of a store. This is not a coincidence; retailers frequently use Bluetooth, among other methods, to determine where a customer is standing in a store and to trigger promotions. This is not regulated in most of the United States. We normally think of Bluetooth as a way that a “master” device (a computer, car, or audio source, typically) can communicate with an “accessory” such as keyboards, mice, headphones, hands-free sets, etc. As most users encounter the technology, it is a matter of “pairing” one device with another. But Bluetooth can run under numerous profiles that transmit a variety of data types. GPS-free location tracking was largely enabled by Bluetooth LE, which allows the radio technology to run on a mobile device without creating an excessive battery drain. This eliminated a major inconvenience of prior versions of Bluetooth, and the practical effect is that it can remain “on” all the time. Many implementations of Bluetooth 4.0/LE allow range-finding between a transmitter and receiver. A store, for example, can determine where a customer is standing by measuring the distances from the visitor’s phone to sensors in the store.
Continue Reading Locating COVID-19 Without the Location Data

Last week, a coalition of over sixty trade associations and businesses representing almost every business sector authored a joint letter to the California Attorney General requesting that the Attorney General defer enforcement of the CCPA in light of the COVID-19 pandemic.  Although the CCPA has been in effect since January 1, 2020, the Attorney General is not set to commence enforcement actions under CCPA until July 1, 2020.  The basis for the request to defer enforcement of the CCPA centered on two grounds: (1) the significant challenges associated with implementing compliance with a new law when the majority of businesses are either closed or operating remotely and (2) the lack of final regulations providing critical guidance about interpreting the CCPA from the Attorney General.
Continue Reading CCPA: July 1, 2020 Attorney General Enforcement Start Date Looms Despite COVID-19

The California Consumer Privacy Act (“CCPA”), Cal. Civ. Code 1798.100-199, presents some interesting questions for mobility businesses and service providers that handle data developed or transmitted by vehicles. Although the CCPA was passed with an effective date of January 1, 2020, the regulations implementing it are still in flux—and are on their second iteration. But whether final regulations are in place or not, enforcement by the California Attorney General’s office could start as early as July 1, 2020.  Because the CCPA provided only limited exemptions for information collected by the automotive industry—information collected under the Driver’s Privacy Protection Act of 1994 and certain information developed and exchanged by new auto dealers and vehicle manufacturers in connection with warranty work or vehicle/part recalls—significant questions remain as to how the CCPA will be applied to the mobility industry.

For the past hundred or so years, most vehicles did not have the electronic brains to require a CCPA “gut check.” When electronics made their debut in automobiles, tools like OBD allowed vehicles to store diagnostic codes, and eventually event recorders (now regulated by the Driver Privacy Act of 2015) recorded pre-accident conditions. Telematics began to change the picture in the late 1990s, with automobiles transmitting information to central locations using cellular (and now wireless) technology. Modern connected vehicles can collect vast amounts of data when driven—and they can pass large amounts of it to manufacturers and service providers. And even when they are not actively transmitting this information, such information can be extracted from vehicles by service personnel. SAE Level 4 and Level 5 autonomous vehicles will necessarily be more dependent on connectivity both to central data sources and to each other—and can be expected to drive an explosion in data transmitted and analyzed on a central basis. Some of this will be regulated by data privacy laws, such as the CCPA, despite the above noted exceptions for automotive information.
Continue Reading CCPA: Keeping the Wheels on the Road

Cookies are the subject of much discussion in data regulation. If you visited a website that complies with the European General Data Protection Regulation (GDPR), you have seen the usual cookies popup. Maybe you wondered why this is necessary. At a basic level, the use of cookies is regulated by GDPR and the California Consumer Privacy Act (“CCPA”), and concerned site owners. Conventional knowledge (and in many cases practice) is that cookies should be disclosed—and that non-essential cookies, particularly those involved in advertising, require consent.

What exactly are cookies?

The “what” is known. The “why” is rarely discussed. The term “cookies” has its roots in magic cookies—identification tokens – in UNIX. Web cookies made their appearance in 1994 with Netscape Navigator 0.9 beta—in other words, the beta of the first commercialized web browser. This technology, which was once patented(!) involves data that is placed on a user’s computer in response to a user action. That information can then be read by the site later. It was first designed for use in shopping carts—so that a commercial website would not have to create an ID and store shopping selections unless and until a user decided to buy. Cookies were recognized by Internet Explorer 2 by 1995, they hit the media in 1996 in the Financial Times, and in the same year, the Federal Trade Commission began public hearings on them. Just as they have always been a part of the internet landscape, so have they been controversial. 
Continue Reading Understanding Regulation of Cookies