It’s official. The California Privacy Rights Act has received enough valid signatures to appear on the November 2020 ballot. And if polling from late last year remains accurate, California voters are likely to approve it. If voters approve the initiative, the CPRA would significantly expand the CCPA, establish the California Privacy Protection Agency, remove the CCPA’s cure period, and impose a number of GDPR-styled obligations on businesses, among other requirements. The substantive provisions of the CPRA would take effect January 1, 2023.
On June 1, The California Attorney General submitted the final text of the CCPA regulations to the California Office of Administrative Law for approval. Though regulations submitted to the OAL in June ordinarily would not become effective—if approved—until October 1, the CA AG has requested an expedited review. According to the CA AG, the expedited review would allow the regulations to become effective by July 1, which still is the date his office plans to begin enforcing the CCPA according to a public statement.
The California Privacy Rights Act is progressing through California’s elections process for inclusion on the November 2020 ballot. Businesses may want to begin considering how their data privacy obligations in California may change if voters enact CPRA. The CPRA would significantly amend the CCPA. Included in this blog post is a summary of key additions and modifications to the CCPA’s existing obligations.
Businesses spent the latter months of 2019 working hard to prepare for the January 1, 2020 implementation of the California Consumer Privacy Act. Months later, those businesses still are uncertain of their full range of potential compliance obligations because the California Attorney General’s CCPA implementing regulations are still not final. As businesses refine their CCPA compliance programs, they should also be aware that privacy rules in California could again change before the end of this year if the California Privacy Rights Act ballot initiative is approved by voters. Both the regulations and the CPRA are subject to complicated administrative processes that could affect their adoption and implementation, as described in this post.
A recent decision by the U.S. Court of Appeals for the Second Circuit in Duran v. La Boom Disco, Inc. has interrupted the emerging consensus around the definition of “autodialer” in the Telephone Consumer Protection Act. On April 7, 2020, a Second Circuit panel joined a Ninth Circuit panel in adopting a broad reading of the statutory definition of “automatic telephone dialing system,” commonly referred to as an autodialer. The Duran decision also rejected the reasoning in opinions issued by panels in the Seventh and Eleventh Circuits earlier this year, which deepens the split between the Courts of Appeals and increases the pressure on the Federal Communications Commission, Congress, and even the U.S. Supreme Court to provide clarity on what constitutes an autodialer under the TCPA.
On March 20, the FCC released a Declaratory Ruling confirming that the pandemic caused by the novel coronavirus qualifies as an emergency under the Telephone Consumer Protection Act. As a result, hospitals, health care providers, health officials, and other government officials may use automated calls and text messages to communicate information about COVID-19 when “necessary to protect the health and safety of citizens,” without violating the TCPA.
On March 11, The California Attorney General released a second set of modifications to the proposed regulations implementing the California Consumer Privacy Act. These modifications update the initial draft regulations published on October 11, 2019 as well as the first set of modified draft regulations published on February 10, 2020. The second set of modifications contain a small number of impactful changes, which we summarize in this post.
Slowly but surely, the U.S. Courts of Appeal increasingly agree on how to interpret the definition of “automatic telephone dialing system” in the Telephone Consumer Protection Act. On February 19, 2020, a unanimous Seventh Circuit panel refused to revise a putative class action in Gadelhak v. AT&T Services, Inc. after concluding that the dialing system used by AT&T did not qualify as an autodialer. Like the Eleventh Circuit in Glasser v. Hilton Grand Vacations Company, LLC and Third Circuit in Dominguez v. Yahoo, Inc., the Seventh Circuit held that an “autodialer” must use “a random or sequential number generator” to either store or produce numbers. Because the system used by AT&T simply pulled numbers from a database, the court found that the system was not an autodialer and the texts did not violate the TCPA.
On January 27, 2020, an Eleventh Circuit panel released a landmark ruling in Glasser v. Hilton Grand Vacations Company, LLC. The key issue in the case was how to interpret ambiguous language in the Telephone Consumer Protection Act’s definition of “automatic telephone dialing system”. In recent years, imprecise statutory phrasing and the Federal Communication Commission’s liberal reading of the legislative history empowered plaintiffs to assert TCPA claims based on a wide array of calling systems. The Eleventh Circuit panel’s decision in Glasser rejects that trend, joins the D.C. Circuit in adopting a much narrower view of the TCPA’s scope, and establishes a clear circuit split with the Ninth Circuit.
On Friday, February 7, 2020, the California Attorney General released notice of changes to the California Consumer Privacy Act draft regulations. Initial draft regulations were published for public comment on October 11, 2019. Public comments on these modified draft CCPA regulations will be accepted by the CA AG until Monday, February 24, 2020, at 5 pm PST.
Washington State is already shaping up as a center of state privacy legislation for 2020. Last year, SB 5376 gained significant traction in the legislature, passing the state Senate almost unanimously but ultimately failing in the House due to discussions around facial recognition and compliance challenges. State Senator Reuven Carlyle, chair of the state’s Senate Energy, Climate & Technology Committee, has now released a revised draft of the WPA for 2020. If enacted as drafted, this new version of the WPA would come into effect on July 31, 2021.
On October 10, California Attorney General Xavier Becerra released proposed regulations to implement certain provisions of the California Consumer Privacy Act. The proposed regulations would create many new requirements. They provide clarifications to businesses and consumers in five key CCPA areas as summarized within this post.
Since the California Consumer Privacy Act’s hasty passage in June last year and minor changes last September, the CCPA has vexed businesses working on compliance. Among many practical challenges, the CCPA often includes inconsistent or ambiguous requirements that have been an obstacle to implementing clear compliance strategies. Businesses, some academics, and various legislators thought that further amendments were needed to make the CCPA work effectively and accomplish its objectives. Over the past several months, the California legislature debated several amendments, eventually passing five bills, which now sit on the Governor’s desk. These bills collectively do not provide the sweeping changes sought by businesses. Instead amendments make minor tweaks and postpone for a year some of the more challenging requirements.
On June 20, 2019, the Supreme Court released its long-awaited decision in PDR v. Carlton & Harris Chiropractic. The Court was expected to provide greater clarity about the extent to which litigants can challenge the Federal Communications Commission’s Telephone Consumer Protection Act interpretations in private litigation. Instead of deciding that issue, however, the Court vacated the Fourth Circuit’s ruling and remanded the case for further development. How the Fourth Circuit rules on remand may ultimately provide more insight on how much deference is owed to the FCC’s TCPA interpretations.
Nevada has a new privacy law. On May 29, Nevada Governor Steve Sisolak signed Senate Bill 220 (SB-220) into law, making Nevada the first state to join California in granting consumers the right to opt out of the sale of their personal information. The act, which amends an existing online privacy notice law, is significantly narrower than the California Consumer Privacy Act (CCPA).
On May 1, 2019, the National Institute of Standards and Technology (NIST) announced a Request for Information (RFI) in the Federal Register regarding ongoing efforts to develop technical standards for artificial intelligence (AI) technologies and the identification of priority areas for federal involvement in AI standards-related activities. Responses to the RFI are due by May 31, 2019.
A number of legislative proposals seeking to amend the California Consumer Privacy Act are moving forward following an April 23 hearing before the California Assembly’s Committee on Privacy and Consumer Protection in which the bills were approved. The bills will now advance to the Assembly’s Appropriations Committee before being voted on by the full Assembly and potentially advancing to the California Senate for consideration.
The California legislature is considering significant amendments to the California Consumer Privacy Act ahead of the law’s January 1, 2020 implementation date. Of particular note has been the potential for CCPA amendments to expand the private right of action beyond violations of businesses’ duty to implement and maintain reasonable security procedures to instead cover violations of any CCPA rights.
A bill introduced to amend the California Consumer Privacy Act of 2018 (“CCPA” or the “Act”) could greatly expand the risks to businesses that collect the personal information of California consumers. Senate Bill 561 (“SB 561”) would expand the CCPA’s private right of action to any violation of a consumer’s CCPA rights, remove the existing 30-day cure period, and eliminate businesses’ right to consult the AG’s office regarding compliance. SB 561 would not impact the CCPA’s current effective date of January 1, 2020.
The California Department of Justice has announced a March 8, 2019 deadline for submitting written pre-rulemaking comments on the California Consumer Privacy Act (CCPA). The March 8 deadline is an extension from the previously set end-of-February deadline. Pursuant to section 1798.185(a) of the CCPA, the California Attorney General (AG) is obligated to solicit broad public participation and adopt regulations to further the purposes of the CCPA. The CCPA sets out seven specific areas for AG rulemaking.
One of the most controversial elements of the California Consumer Privacy Act (“CCPA”) is the establishment of an “anti-discrimination” right – businesses may not “discriminate” against consumers for exercising certain rights under the CCPA, and they will need to assess whether and how they can require consumers to accept certain data practices as a condition of service. Compliance would be challenging even if the provision were articulated clearly, but as we have discussed in this blog series, the accelerated drafting process and passage of the CCPA earlier this year left little time for public comment and responsive amendments. As a result, the law includes a series of ambiguities that complicate compliance, and nowhere is that more apparent than in the anti-discrimination provision.
This entry in Hogan Lovells’ ongoing series on the CCPA focuses on the law’s anti-discrimination clause, its ambiguities and potentially contradictory provisions, and impact on businesses.
The Federal Trade Commission (FTC) recently published a paper recapping its December 2017 Informational Injury Workshop. Workshop participants, including academics, industry experts, consumer advocates, and government researchers, discussed what types of consumer harm might qualify as “substantial injury” under the FTC Act and what factors should be considered. The paper noted that several important points emerged from the workshop.
The National Science Foundation is seeking public comment on US policy for artificial intelligence, according to the Federal Register Notice of Request for Information (RFI) filed in September 26, 2018. Specifically, the RFI requests input from the public as to whether the National Artificial Intelligence Research and Development Strategic Plan (AI Strategic Plan) should be updated or improved. Comments to the RFI are due to the National Science Foundation by October 26, 2018.
The U.S. Department of Commerce’s National Telecommunications and Information Administration (NTIA) issued a Request for Comments (RFC) on a new consumer privacy approach that is designed to focus on outcomes instead of prescriptive mandates. The RFC presents an important opportunity for organizations to provide legal and policy input to the administration, and comments are due October 26.