On June 1, The California Attorney General submitted the final text of the CCPA regulations to the California Office of Administrative Law for approval. Though regulations submitted to the OAL in June ordinarily would not become effective—if approved—until October 1, the CA AG has requested an expedited review. According to the CA AG, the expedited review would allow the regulations to become effective by July 1, which still is the date his office plans to begin enforcing the CCPA according to a public statement.
On March 11, The California Attorney General released a second set of modifications to the proposed regulations implementing the California Consumer Privacy Act. These modifications update the initial draft regulations published on October 11, 2019 as well as the first set of modified draft regulations published on February 10, 2020. The second set of modifications contain a small number of impactful changes, which we summarize in this post.
On Friday, February 7, 2020, the California Attorney General released notice of changes to the California Consumer Privacy Act draft regulations. Initial draft regulations were published for public comment on October 11, 2019. Public comments on these modified draft CCPA regulations will be accepted by the CA AG until Monday, February 24, 2020, at 5 pm PST.
Alongside its flurry of CCPA amendments last term, the California legislature passed Assembly Bill 1202, the nation’s second “data broker” registration law. AB 1202 requires “data brokers” to register with and pay an annual fee to the California Attorney General. AB 1202 uses the CCPA’s definitions for key terms, so even businesses that are not traditional data brokers may need to register.
On October 22, the Interactive Advertising Bureau, a media and marketing industry trade group, released for public comment the California Consumer Privacy Act Compliance Framework for Publishers and Technology Companies and accompanying technical specifications to implement the Framework. The draft Framework is designed to help Framework participants (including publishers and intermediaries) comply with the California Consumer Privacy Act by: (1) establishing a digital signal that Framework participants can use to communicate consumer requests to opt out of “sales” of personal information associated with digital advertising; and (2) supporting that signal with a standard contract designed to create service provider relationships between publishers and advertising companies after a consumer registers an opt out. The IAB is requesting comments, which can be sent to firstname.lastname@example.org, by November 5, 2019.
A number of legislative proposals seeking to amend the California Consumer Privacy Act are moving forward following an April 23 hearing before the California Assembly’s Committee on Privacy and Consumer Protection in which the bills were approved. The bills will now advance to the Assembly’s Appropriations Committee before being voted on by the full Assembly and potentially advancing to the California Senate for consideration.
The California legislature is considering significant amendments to the California Consumer Privacy Act ahead of the law’s January 1, 2020 implementation date. Of particular note has been the potential for CCPA amendments to expand the private right of action beyond violations of businesses’ duty to implement and maintain reasonable security procedures to instead cover violations of any CCPA rights.
On February 27, 2019, the Federal Trade Commission (“FTC”) announced that it settled with the operators of a video social networking app for a record civil penalty of $5.7 million under the Children’s Online Privacy Protection Act (“COPPA”). This FTC COPPA action was notable not just for the size of the penalty, but also because of the joint statement by the two Democratic Commissioners, Rebecca Slaughter and Rohit Chopra, that future FTC enforcement should seek to hold corporate officers and directors accountable for violations of consumer protection law.
A bill introduced to amend the California Consumer Privacy Act of 2018 (“CCPA” or the “Act”) could greatly expand the risks to businesses that collect the personal information of California consumers. Senate Bill 561 (“SB 561”) would expand the CCPA’s private right of action to any violation of a consumer’s CCPA rights, remove the existing 30-day cure period, and eliminate businesses’ right to consult the AG’s office regarding compliance. SB 561 would not impact the CCPA’s current effective date of January 1, 2020.
The California Attorney General Xavier Becerra and the California Department of Justice will hold six public forums about the California Consumer Privacy Act (CCPA) that are open to all members of the public. These public forums are being held pursuant to Section 1798.185 of the CCPA, which requires the Attorney General to “solicit broad public participation and adopt regulations to further the purposes” of the CCPA.
On December 4, 2018, the New York Attorney General (NYAG) announced that Oath Inc., which was known until June 2017 as AOL Inc. (AOL), has agreed to pay a $4.95 million civil penalty to settle allegations that AOL’s ad exchange practices violated the Children’s Online Privacy Protection Act (COPPA). The $4.95 million penalty is the largest ever assessed by any regulator in a COPPA enforcement matter.
The Federal Trade Commission (FTC) recently published a paper recapping its December 2017 Informational Injury Workshop. Workshop participants, including academics, industry experts, consumer advocates, and government researchers, discussed what types of consumer harm might qualify as “substantial injury” under the FTC Act and what factors should be considered. The paper noted that several important points emerged from the workshop.
As the most comprehensive privacy law to be enacted in the United States thus far, the California Consumer Privacy Act (CCPA) has inevitably invited comparisons to the European Union’s General Data Protection Regulation (GDPR). At first glance, it is clear that the drafters of the CCPA (and the ballot measure that spurred its passage) drew inspiration from the GDPR. However, the CCPA is not a carbon copy of the GDPR, and a GDPR compliance program will not automatically meet the requirements of the CCPA. As businesses begin their CCPA compliance efforts, awareness of these laws’ similarities and differences will be key to creating efficient and effective compliance programs that capitalize on prior GDPR compliance work but also address the unique nuances of the CCPA.
The National Science Foundation is seeking public comment on US policy for artificial intelligence, according to the Federal Register Notice of Request for Information (RFI) filed in September 26, 2018. Specifically, the RFI requests input from the public as to whether the National Artificial Intelligence Research and Development Strategic Plan (AI Strategic Plan) should be updated or improved. Comments to the RFI are due to the National Science Foundation by October 26, 2018.
The U.S. Department of Commerce’s National Telecommunications and Information Administration (NTIA) issued a Request for Comments (RFC) on a new consumer privacy approach that is designed to focus on outcomes instead of prescriptive mandates. The RFC presents an important opportunity for organizations to provide legal and policy input to the administration, and comments are due October 26.
We have heard the California Consumer Privacy Act of 2018 (CCPA) called many things since its enactment on June 28, 2018. Our experience to date has confirmed the compliance challenge ahead for organizations that engage with the residents of the world’s fifth-largest economy. We will explore the ramifications for businesses of this seminal legislation in this multi-part series, “The Challenge Ahead” authored by members of Hogan Lovells’ CCPA team. In this first installment, we describe recent activity to enact so-called “technical” amendments to the CCPA.
California continues to be a first mover in privacy in the United States, enacting the US’s toughest and most comprehensive privacy legislation on Thursday, June 28, 2018. Unlike existing state and federal privacy legislation that has generally focused on specific sectors or privacy issues, the California Consumer Privacy Act of 2018 (AB 375), applies broadly to businesses that collect personal information about California consumers and aims to create significant new consumer privacy rights. In doing so, it creates significant new obligations for businesses.
On June 22, California lawmakers announced Assembly Bill 375, a broad-based consumer privacy bill that is intended to serve as an alternative to the California Consumer Privacy Act, a far-reaching consumer privacy initiative that is on track to be on the California ballot this November. The chief sponsor of the CCPA, Alastair Mactaggart, has stated that he will withdraw the initiative from the ballot if AB 375 is passed this week.
On Monday, June 12, South Korea became the latest country approved to officially join the Asia-Pacific Economic Cooperation’s Cross-Border Privacy Rules system. It is the fifth APEC economy to participate in the system, joining the United States, Canada, Japan, and Mexico. To date, twenty companies—including Apple, Cisco, HP, IBM, Rackspace, and Workday—have been certified under CBPR.
Recent changes to Japan’s Act on the Protection of Personal Information and the establishment of a new Personal Information Protection Commission have raised questions about how the world’s third-largest economy plans to implement new domestic requirements and engage internationally on cross-border data transfers, APEC, new technologies, and more. Hogan Lovells recently hosted some of Japan’s senior data privacy regulators and advisors for a special briefing in our Washington, D.C. offices.
In a move counter to the trending precedent in data breach litigation, the U. S. Court of Appeals for the Seventh Circuit ruled on July 20 that data breach plaintiffs whose personal information was potentially exposed in a confirmed hacking breach of a major retailer’s network alleged enough risk of harm to meet the standing requirements of Article III of the U.S. Constitution. Plaintiffs’ lawyers will herald this decision, but standing is only the first of many hurdles data breach plaintiffs must cross to proceed to the merits in data breach litigation.