You Are Viewing California

Meet the Upcoming California Privacy Rights Act (CPRA)

Posted by fgilbert on November 12th, 2020

California voters approved Proposition 24 on November 3, 2020, paving the way to the California Privacy Rights Act (CPRA). Starting in January 2023, CPRA will expand California consumers’ ability to limit the use of their personal information in the context of targeted advertising, beyond the rights already acquired under the current provisions of CCPA, and create additional rights for consumers. There will be, as well, additional obligations and restrictions for businesses related to the use of consumer’s personal information, including limits to data collection and retention, among other.

Unfortunately, this takes 52 pages of clauses that are anything but clear and easy to understand

In practice, the will be additional benefits for consumers, and additional administrative and financial burdens for businesses. CPRA is not really a CCPA 2.0.  It introduces new concepts that have not yet permeated US laws, for example data minimization and retention limitation, which is likely to require most businesses within its scope to re-evaluate their activities and develop new processes beyond those that they may have just finished implementing to comply with CCPA.

CPRA is intended to replace the California Consumer Privacy Act (CCPA) in 2023. Most of CPRA will become operative on January 1, 2023, and the law will apply to personal information collected after January 1, 2022. There will be a 6-month delay between the effective date of the act and its enforcement, with enforcement actions commencing on July 1, 2023. In the meantime, CCPA will remain in full force and effect until it is superseded by CPRA.

New or Updated Definitions

CPRA changes existing definitions and introduces new terms. The most noticeable changes include the following:

Sharing

CPRA introduces “sharing” as an activity different from “selling”. “Sharing” is defined as disclosing, making available, transferring, or communicating a consumer’s personal information to a third party for “cross-context behavioral advertising”, whether or not for monetary or other valuable consideration. The new definition is especially relevant to affiliate advertising networks, advertisers and data brokers in the context of re-targeting and behavioral advertising, in which advertisements are targeted to a consumer based on information derived from information collected about that consumer’s activities across different websites, applications or services.

Business

CPRA revises the definition of “business”, i.e., those entities subject to the law. The current definition under CCPA identifies three threshold: gross revenue, number of records processed, and percentage of revenue from the sale of personal information compared to gross revenue. The threshold associated with the number of records purchased or sold is increased from 50,000 to 100,000, and the threshold associated with calculating the percentage of revenue from the use of personal information is now computed by combining both revenue from selling and revenue from “sharing” personal information.

Contractor; Service Provider

CPRA introduces the notion of “contractor” and updates the definition of “service provider” to keep the two definitions consistent. Under CPRA, a business “makes available” personal information to a “contractor” for a business purpose pursuant to a written contract that prohibits the contractor from selling or sharing the personal information and includes other restrictions.

The definition of Service Provider is modified to include the new concept of “sharing”. A service provider is a person that “receives personal information” from, or on behalf of, a business and processes the information on behalf of that business for a business purpose pursuant to a written contract that prohibits the service provider from selling or sharing the personal information and includes other restrictions.

Sensitive Information

CPRA creates the concept of “sensitive personal information”, which includes, among other, Social Security numbers and other identity-related information; financial account or payment card information in combination with access code; precise geolocation data; race, ethnic origin, religion; sexual orientation; genetic, biometric information when used to uniquely identify a consumer; and certain health information outside the context of HIPAA.

New Rights for Individuals

The CPRA introduces several new consumer rights. Some of these rights are similar to those found in most data protection laws, such as Canada’ PIPEDA or the EU General Data Protection Regulation. Examples of new rights include:

Right to Know what Personal Information is Sold or Shared

The right to know under CPRA is an expanded version of the “Right to Know” under CCPA. It is a consequence of the introduction of the concept of sharing personal information as a restricted activity. It will be important to keep in mind that the definition of “sharing” is limited to “cross-context behavioral advertising”.

Right to Opt-out of Information Sharing / Behavioral Advertising

Consumers will be granted the right to opt-out of information sharing with third parties for behavioral advertising across websites. This right supplements the pre-existing right to opt-out of the sale of personal information. The new provisions concerning the use of personal information for marketing purposes are detailed below.

Right to Limit the Use of Sensitive Information

Consumers will have the right to direct a business that collects sensitive personal information about them to limit its use of that information to that which is necessary to perform the services or provide the goods, as “reasonably expected by an average consumer who requests such goods or services”. The detail of the definition is left to upcoming Regulations.

Right of Correction

Consumers will have the right to request the correction of inaccurate information. Businesses that receive requests for correction will be required to use commercially reasonable efforts to correct inaccurate personal information, as directed by the consumer.

Right to Object to Automated Decision Making and Profiling

Consumers will have the ability to object to the use of their personal information for automated decision making and profiling. Profiling is defined as automated processing of personal information to evaluate certain aspects relating to a natural person, such as economic situation, health, personal preferences, interests, reliability, behavior, location, movements, or performance at work.

New Obligations for Businesses

The CPRA creates new obligations for businesses, some of them are similar to those found in other data protection laws, worldwide.

Updated Content of the Notices to Consumers

CCPA requires that different types of notices be provided to consumers at different stages of the interaction between the consumer and the business. CPRA modifies the content of these notices to match the new rights of consumers and obligations of businesses.

Retention Limitation

CPRA introduces a data retention requirement. CPRA makes it a “general duty” for a business that collects personal information not to retain personal information for longer than necessary for the purposes for which the personal information was collected. Businesses will also be required to inform consumers of the length of time they retain each category of personal information or if not possible, the criteria used to determine such period.

Data Minimization

Data Minimization is another “general duty” introduced by CPRA. CPRA requires that the collection, use, retention and sharing of personal information be “reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed”, and prohibits the further processing of the data for a purpose incompatible with the disclosed purpose.

Reasonable Security Measures

CPRA significantly expands the obligation of businesses to implement reasonable security measures and practices for personal information. These measures are discussed later in this article.

Contract with Service Providers, Contractors and Third Parties

CPRA imposes mostly similar direct or contractual obligations on service providers and contractors and significantly expands those that are currently imposed under CCPA. As a result, businesses will have to review their contracts with their service providers and contractors to ensure these contracts contain all of the newly required provisions. Overall, the new data processing agreements will have significant similarities – and differences – with the corresponding provisions required by GDPR Article 28.

Use of Personal Information for Cross-Context Behavioral Advertising

One of the key changes from CCPA is the introduction of the term “sharing” as the practice of disclosing or communicating a consumer’s personal information for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transaction between a business and a third party. Under CPRA, consumers will have the right to opt-out of the sharing of their personal information. This addition is likely to have a significant impact on businesses that use digital marketing techniques to target California consumers.

Security

CPRA gives security and security measures a more prominent place.

General Duty to Use Security Measures

First, CPRA makes it a general duty for businesses to implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification or disclosure. Regulations will be needed to clarify whether the obligation applies to all categories of personal data, or to a subset.

Security Audits and Privacy Risk Assessments

CPRA will also impose security audits and privacy risk assessments in certain circumstances. At this point, there is limited detail, and CPRA points to upcoming Regulations but provides minimal guidance, limited to a handful of general requirements.  These obligations with apply only to businesses whose processing of consumers’ personal information “presents a significant risk to consumers’ privacy or security”.

Security Breaches

CCPA provides for a limited private right action in the event of a data breach for failure to provide adequate security, and statutory damages in case of a data breach affecting certain categories of personal information. CPRA makes a minor addition to the type personal information that may trigger action for damages: unauthorized access to an email address in combination with a password or security question.

Children

CPRA increases the protection of personal information of children under the age of 16 by tripling the statutory amounts currently imposed by the CCPA. CCPA §1798.155(b) as amended by CPRA will impose penalties up to $7,500 for “violations involving the personal information of consumers whom the business, service provider, contractor or other person has actual knowledge is under 16 years of age”.

California Privacy Protection Agency

CPRA establishes the California Privacy Protection Agency (CPPA) as a regulatory body with full administrative power and jurisdiction, to enforce any CPRA violations. The CPPA will enforce consumer privacy laws and impose fines. Among its numerous responsibilities and powers, the CPPA will be responsible for providing guidance to businesses regarding their duties and responsibilities, and appoint a “Chief Privacy Auditor” to conduct audits of businesses to ensure compliance with the law and its regulations.

Employee and B2B Exceptions

While most provisions of CPRA will enter into force in January 2023, several provisions have an effective date of January 1, 2021. As a results of amendments to CCPA adopted in October 2019, CCPA contains partial exemptions for the handling of personal information collected in an Employer / Employee relationship (employees, job applicants and independent contractors), and information obtained in the context of a B2B relationship. That exemption, which took employee and independent contractors, and information collected in the context of a B2B relationship out of the scope of the application of CCPA, was due to expire as of January 1, 2021. CPRA extends that moratorium period through the end of 2022.

Rulemaking

CPRA requires the development of regulations on a wide range of topics relating to definitions, exemptions, technical specification for opt-out preference signals, automated decision making, cybersecurity audits, risk assessments, and monetary thresholds for the definition of a “business”. The final regulations must be adopted by July 1, 2022.

Conclusion

California voters have approved Proposition 24, and CPRA is here to stay. Starting in January 2023, CPRA will expand California consumers’ ability to limit the use of their personal information in the context of targeted advertising,. But, CPRA does more than just that. It has significant implications for privacy and data management as they exist currently in the United States. It creates a significant paradigm shift towards concepts found in most privacy laws worldwide, outside the United States.

CPRA imposes specific new restrictions on data collection and data retention, making them part of the “general duties” of businesses that collect personal information of California consumers. Both concepts, which were shaped in the 1970’s and laid down in the 1980 OECD Privacy Principles. While they have been an integral part of most foreign privacy laws, worldwide, for decades, United States laws, for most parts, have stay away from these restrictions, allowing enterprises to collect and retain large amounts of data, so long as they disclosed these practices in their privacy notices.

Requiring data minimization and storage limitation paves the way for drastic changes to the framework in which personal data is collected and processed, and the way businesses monetize personal information in the United States. These changes will require that businesses assess the nature and scope of their personal information collection and use practices, and balance those activities against their actual needs or legal obligations, to determine whether they can justify why certain information is needed or why it stored longer than necessary.

Posted in California, US Law
Comments Off on Meet the Upcoming California Privacy Rights Act (CPRA)

CCPA – California Consumer Privacy Act – A Primer

Posted by fgilbert on April 15th, 2019

The California Consumer Privacy Act of 2018 (CCPA), codified as Cal. Civ. Code §1798.100 et seq,is California’s current attempt at regulating the collection and use of personal information of California residents. The statute has numerous similarities with the GDPR – the EU General Data Protection Regulation – especially those provisions of the GDPR that define the rights of individuals.

CCPA grants California consumers the right to know what personal information about them is collected by a business, and how the business uses it. It also gives consumers the means to prevent the sale of their personal information to third parties. The statute becomes effective on January 1, 2020. Regulations are being drafted.  Enforcement actions may not be brought by the Attorney General until the earlier of (i) the publication of the final regulations or (ii) July 1, 2020.

CCPA has been the focus of much attention due to its far reaching provisions.  Within California, numerous bills have been presented to attempt to amend it. Outside California, several states, such as the State of Washington, are evaluating bills with similar goals. At the Federal level, there is also significant activity. Hearings are held regularly for evaluating the possibility of a federal data protection law that would supersede the California statute and address the patchwork of inconsistent state data protection laws derived from the CCPA that might be adopted in the meantime.

For now, it is not clear whether a Federal bill will have sufficient support to pass both houses and be signed by the President before the end of December 2019.  If a Federal law is not signed before the end of 2019, entities, worldwide, that collect personal information of California residents and meet the CCPA definition of a “business” must be prepared to post a Privacy Notice that meets the CCPA requirements, and have in place processes and procedures to respond to consumers’ request for access to information, copy or erasure of information about them, or request to block the sale of their personal information by that business.

Who is Subject to CCPA?

CCPA protects all individuals who are California residents, whether they are interacting with a business in the context of the needs of their households, or as part of an employment relationship.

CCPA applies to “businesses.” A “business” is an entity that does business in the State of California, is organized or operated for profit, collects consumers’ personal information, determines the purposes and means of the processing of such information; and meets at least one of the following criteria:

  • Annual gross revenues in excess of twenty-five million dollars ($25,000,000);
  • Buys, sells, receives or shares for commercial purposes, the personal information of 50,000 or more consumers, households, or devices annually; or
  • Derives 50% or more of its annual revenues from the sale of personal information.

In addition, any entity that controls or is controlled by a business, as defined above, and that shares common branding with the business is also a “business” subject to CCPA.

What Personal Information is Protected by CCPA?

CCPA applies to all forms of personal information (paper or digital). It defines “personal information” as information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. The statute provides an exhaustive list of 11 categories of personal data, which includes among other, identifiers, customer records, commercial information, biometric information, online activity, geolocation data, biological data, professional information, education and inferences drawn from other information.

Medical information, financial information, credit information, driver’s license information, and information that is deidentified or aggregated are excluded to the extent that they are regulated under other laws.

Right of Access to Information

Consumers are granted the right to request a business to disclose the categories and specific pieces of personal information that it has collected.  The business must be able to identify the categories of personal information that it collectedabout the consumer; categories of sourcesfrom which the personal information is collected; business or commercial purpose for collecting or sellingpersonal information; categories of personal information that the business sold or disclosedfor a business purpose; and categories of third partiesto whom the personal information was sold or disclosed.

In response to a consumer’s request for information, a business must promptly disclose and deliver the required information, by mail or electronically, and free of charge. It is not required to provide such information to a consumer more than twice in a 12-month period. It has 45 days to respond to a verified consumer request.

Consumer’s Right of Erasure

Consumers have the right to request the deletion of any personal information that the business has collected from the consumer (with exceptions).

Sale of Personal Information: Opt-Out / Opt-In Rights

CCPA allows businesses to sell personal information of individuals older than 16 years of age unless the individual has opted-out of such sale. For children under 16, the sale is prohibited unless the child (between 13 and 16) or his/her parent or guardian (if the child is younger than 13) opts-in to the sale. Consumers may authorize third parties to opt-out on the consumer’s behalf.

Businesses must inform consumers that they have the “right to opt-out” of the sale of their personal information. A clear and conspicuous icon must be displayed on the business’s website or app homepage, titled “Do Not Sell My Personal Information.” The icon must be linked to a page that enables a consumer, or a person authorized by the consumer, to opt-out of the sale of the consumer’s personal information.

Discrimination Based on Exercise of Consumer Rights

Businesses are prohibited from discriminating against a consumer who has exercised any of the rights provided by CCPA. They may not deny goods or services to the consumer, charge different prices or rates for goods or services, or provide a different level or quality of goods or services. However, they are permitted to charge different prices or rates, or provide different levels or quality of goods or services if that difference is “reasonably related to the value provided to the consumer by the consumer’s data.”

Privacy Notice

Businesses that collect personal information must disclose, at or before the point of collection, the categories of personal information to be collected and the purposes for which they will be used; categories of personal information that the business has collected in the preceding 12 months; categories of sources from which the personal information is collected; specific pieces of personal information that the business collects; categories of personal information that the business has sold; categories of personal information that the business has disclosed for a business purpose, or if the business has not sold / disclosed personal information for a business purpose, state that the business has not sold / disclosed personal information for business purposes; business or commercial purpose for the collection or sale; categories of third parties with whom the business shares personal information.  

In addition, the privacy notice must inform consumers of their right to know which information the business has collected, which information has been sold or disclosed, and that consumers have the right to request the deletion of their personal information.  The notice must be updated at least once every 12 months.

Interaction with Service Providers and Third Parties

Businesses that disclose personal information to a service provider or third party should ensure that they enter into written contracts that prohibit them from selling the personal information and from retaining, using, or disclosing it other than for performing the services or business purpose outlined in the contract.  They should also ensure that the recipient of the personal information understands the prohibitions. If they do so, and the service provider or third party violates these restrictions, the CCPA makes them liable for these violations and exempts the business from liability for the activities that are contrary to these instructions.

Enforcement, Injunctions and Fines

Any business, service provider, or other person that is found to violate CCPA may face an injunction and a civil penalty of two thousand five hundred dollars ($2,500) for each violation, or seven thousand five hundred dollars ($7,500) for each intentional violation.

Consumers’ Private Right of Action in Case of Security Breaches

CCPA grants consumers the ability to institute a civil action for injunctive relief and damages in event of a security breach that affects specified categories of personal information, such as social security number; driver’s license number; account number, credit or debit card number, in combination with access code; or medical information and health insurance information. The business must be able to prove that it has met its duty to implement and maintain “reasonable security procedures and practices appropriate to the nature of the information to protect the personal information” as required by California’s Civil Code Section 1798.81.5. Liquidated damages may reach up to seven hundred and fifty ($750) dollars per consumer per incident.

Next Steps

While it is not clear at this time what the California or US privacy law landscape will look like by the end of the 2019, it is certain that a consumer privacy law will govern at least a significant percentage of companies that do business with California residents. Those potentially affected entities should start evaluating their current data handling practices and, at a minimum, collect sufficient information to establish a data map of their activities related to personal information so that they can easily identify, with specificity, the categories of personal information that the business collects, the sources from which the personal information is collected; and the third parties with whom the business shares personal information. Business should also be able to identify whether they sell or share personal information with third parties, and for what purpose, as well as the recipients of this information.

CCPA grants California resident numerous rights. It likely that the next privacy law that will apply to California residents, whether CCPA or a federal law, will grant “privacy rights” to California resident. These rights will allow individuals to request copies of personal information about and at times modification or erasure. Responding to these requests is frequently costly and time consuming. Business that are within the jurisdiction of the CCPA should start evaluating how they would address individuals’ access and other requests concerning personal information about them.

 

Posted in California, US Law
Comments Off on CCPA – California Consumer Privacy Act – A Primer

Amendments to California Security Breach Law

Posted by fgilbert on October 19th, 2015

The Fall season often brings changes to California laws, and this year is no exception. Once again, the California Security Breach Disclosure Laws have been amended. During the first half of October, California Governor Jerry Brown signed three bills amending the State’s Security Breach Disclosure Laws. These amendments will be effective as of January 1, 2016.

New Category of Protected Information

The amendment resulting from the signature of SB 34 adds license plate information – specifically, “information or data collected through the use or operation of an automated license plate recognition system” – to the list of information deemed “personal information” protected under the Security Breach Disclosure Laws codified as Civ. Code Sections 1798.29 and 1798.82.

The amendment also creates Civ. Code Sections 1798.90.50 to 1798.90.55. New Section 1798.90.50 will require “automated license plate recognition end-users” or “ALPR end-users” to implement a usage and privacy policy in order to ensure that the collection, use, maintenance, sharing and dissemination of the ALPR information is consistent with California’s respect for individuals’ privacy and civil liberties. The resulting usage and privacy policy must be made available to the public in writing, and be posted conspicuously on the website (if any) of the ALPR end-user.

SB 34 identifies minimum requirements for the content of the required privacy policy. Among other things, the privacy policy must identify the methods used to ensure the security of the information and compliance with privacy laws.  Individuals who have been harmed by violations of these provisions, including breach of security and unauthorized access to, or use of, their information, are granted a private cause of action giving them the right to bring civil action against any person who knowingly caused the harm.

Definition of Encryption

Assembly bill AB 964, also signed into law by Governor Jerry Brown in early October, clarifies the meaning and scope of the term “encryption” used in the Security Breach Disclosure Laws. This is a welcome clarification, thirteen years after the enactment of the original law. During that period, the most common interpretation of the term “encryption” in the context of security breach disclosure laws was that it was intended to mean “strong encryption” as opposed to the use of passwords to limit access to a server.

The term “encrypted”data, under the AB 964 amendment, is defined as data that is “rendered unusable, unreadable or undecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.” There is no indication of what criteria will be used to determine the extent to which a particular technology or methodology will be deemed “generally accepted” in the field of information security. Companies may consider turning to relevant publications by NIST, the US National Institute of Standards and Technology or standards established by well known organizations such as the International Organization for Standardization (ISO), an international standard setting body.

Required Format for Breach Notices

Finally, SB 570 amends the California Security Breach laws to require that a specific outline be used when preparing a Breach Disclosure Notices. While prior amendments to the California Security Breach Laws did specify the type of information that should be included in a breach notice, this amendment focuses on the readability of the document, provides a sequence in which the information must be provided, and the titles to be used for each section of the disclosure. The notice must be titled “Notice of Data Breach”. It must be broken into prescribed sections titled:

  • “What happened”;
  • “ What information was involved”;
  • “What we are doing”;
  • “ What you can do “; and
  • “For more information”.

The affected entities are given the freedom to supplement this information.

The amendment also requires, among other things, that the format of the notice be designed to call attention to the nature and significance of the information that it contains. The font used must be not smaller than 10-point type. A sample form is provided in the bill.

These amendments will be effective as of January 1, 2016. That leaves ten weeks to companies subject to California disclosure laws to update their security incident response plans and forms, and adjust their practices to the new amendments.

 

Posted in California
Comments Off on Amendments to California Security Breach Law

New California Right of Erasure

Posted by fgilbert on January 2nd, 2015

The “Privacy Rights for California Minors in the Digital World Act” came into effect as of January 1, 2015. Business & Professions Code §22581 creates a “right of erasure” which has numerous similarities with the “right to be forgotten” or “right of erasure” that is written into the proposed EU Data Protection Regulation.

The California law requires an operator of an internet website, online service, online or mobile application (web service) who has actual knowledge that minors are using its service to permit a minor who is a registered user of that web service to request and obtain the removal of content or information posted on the web service by that user.

The web service must inform its users of this right to remove or obtain the removal of content or information and provide clear instructions on how a user may remove or request and obtain the removal of such content or information.

The law only applies to content or information that the user has posted on the web service. It does not address content or information posted by a third party. Only content posted by users themselves can be removed at the request of the user.

The law does not address content posted by third parties, such as “revenge porn.” The law provides for several exceptions to this right of erasure. They include, among others, where the content has been anonymized, where the minor has received compensation or consideration for providing the content, and where applicable law requires the web service to maintain the content or information.

A web service is deemed compliant with the law if it renders the content or information no longer visible to other users, even if the content or information remains on the web service’s servers in some form.

Posted in California, Children
Comments Off on New California Right of Erasure

New Disclosures Required under Cal. AB 370

Posted by fgilbert on December 31st, 2013

 

At the end of September 2013, California’s governor, Jerry Brown, signed into law a series of bills that will significantly alter California’s privacy landscape, and are likely to affect, as well, the remainder of the United States. Among these bills, California’s Assembly Bill AB 370, sponsored by the California State Attorney General, becomes effective as of January 1, 2014.

Assembly Bill AB 370 amends the California Online Privacy Protection Act (CalOPPA), codified as Cal. Bus. & Prof. Code §§22575-22579, which, since 2004 has required each operator of a commercial website, mobile application or other online service that collects personal information of California residents  (“Online Service”) to post a privacy statement and provide specified information in that privacy statement. The provisions added by AB 370, to be codified as Cal Bus. & Prof. Code §22575(b)(5) to (b)(7), require additional disclosures. As a result, most privacy notices posted on Online Services directed at California residents will have to be revised.

Under the current version of CalOPPA, an Online Service must conspicuously display a privacy statement that discloses:

  • The categories of personally identifiable information that the operator collects;
  • The categories of third-parties with whom the operator may share that personally identifiable information;
  • The process, if any, that the operator maintains for an individual to review and request changes to the information so collected;
  • The process by which the operator notifies individuals of material changes to its privacy policy; and
  • The effective date of the privacy statement.

AB 370 increases the currently existing mandate under CalOPPA to require, in addition, the disclosure of:

  • How the Online Service responds to a browser’s do-not-track signal regarding the collection of information about online activities over time and across third party online services; and
  • Whether third parties may collect information about online activities over time and across different online services.
Clarity and Definitions Missing

On its face, AB 370 seems simple. Actually, its pithy provisions are especially difficult to interpret because of a lack of definitions. As written, the three additional sections are very broad. Despite extensive dialog between the digital marketing industry and the legislators, AB 370 ends up failing to address the specific issue of online behavioral advertising (OBA), a concern to many, while imposing on companies a set of confusing new rules.

AB 370 does not require companies to provide consumers with the ability to exercise choice regarding the collection of information about their online activities for advertising or other commercial purpose. Instead, it asks companies to indicate whether and how they respond to a “do not track” signal, but fails to specify what this “do not track” signal is. As a result, it is likely to burry the real issue of OBA amongst unnecessary disclosures that are likely to burden companies and clutter privacy notices without accomplishing the original goal of consumer protection.

The California State Attorney General is developing a set of “best practices” on how to respond to CalOPPA as amended, to be published in mid to late January. However, according to representatives of its office (with whom we met in early December) who are working on the document, this document will only identify “best practices”, which are likely to go beyond the actual requirements of the law, but will not clarify the meaning or scope of AB 370. The office of the California State Attorney General pointed that their role is not to interpret the law but to provide guidance to entities subject to the law. Unfortunately, since the document will only be published by mid to late January 2014, companies are left guessing what these “best practices” might be, and will not know clearly what they are expected to do or to disclose. A confidential, working draft of the Best Practices document has been released for comments, but its content may not be shared publicly.

Subsection (b)(5) Do Not Track Disclosure

The entire “do not track” section of AB 370 is only a few lines long and does not include any definitions other than those already existing in the original CalOPPA. Specifically, new Cal Bus. & Prof. Code §22575(b)(5) requires Online Services to disclose:

“how the operator responds to Web browser “do not track” signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information about an individual consumer’s online activities over time and across third party Web sites or online services, if the operator engages in that collection.”

It is not clear what “do not track” or “other mechanisms that provide consumers the ability to exercise choice” is intended to mean or cover. This lack of definition is especially important because there have been otherwise extensive efforts to develop a definition of “do not track” or “tracking preference exception”, and that definition is still in development.

Indeed, for the past two years, the Tracking Protection Working Group of the World Wide Web Consortium (W3C) – the international organization that established international standards such as XML or HTML – has been convening regular meetings to which notable global organizations, such as Apple, Microsoft, Mozilla, Nielsen, Yahoo, and the Digital Advertising Association have been participating. In early November 2013, however, W3C announced its inability to establish a standard definition of “do not track” or “Tracking Preference Exception” (in W3C lingo). As a result, there is not yet a commonly accepted definition of “do not track”.

Without a proper definition of “do not track”, it is difficult to interpret California’s AB 370. For example, does “targeting” cover specific targeting (e.g. “interested in a new car”) or only general profile categories (e.g.,” interested in cars”)? Is “tracking” limited to the use of information in connection with online behavioral advertising, or does it also include the tracking technologies that are used for other purposes, that are less privacy intrusive, such as analytics or fraud detection?

Other crucial definitions are missing, as well, such as that of “other parties.” Does “other parties” include affiliates and subsidiaries in addition to service providers and business partners? Is a subsidiary an “other party”, such that, for example, eBay cannot share its information with PayPal, or Zappos with Amazon?

Representatives of the California State Attorney General’s office in meetings held in December 2013 indicated that, in their view, the term “tracking” is intended to include all forms of tracking – while concurrently stating that they have no authority to interpret the new law, and can only suggest best practices.

An interpretation of AB 370 in this manner – i.e. including, without discrimination all forms of tracking, such as tracking for fraud detection or analytics purposes – would unnecessarily complicate the disclosure required by AB 370. It would require longer, more complex disclosures, which would lengthen privacy statements, making them more difficult to comprehend for the average consumer. The recent implementation of the “Cookie Laws” in Europe provides an example of the confusion, wasted time, and lengthy disclosures that can result when a law is too broad, and companies scramble to interpret it. Let us hope that the same confusion does not result from the implementation of AB 370 on this side of the ocean.

Subsection (b)(7) – Safe Harbor

New Cal Bus. & Prof. Code §22575(b)(7) creates a safe harbor or an alternative to Subsection (b)(5). New subsection (b)(7) provides that the operator of an Online Service may satisfy the requirement above by providing a clear and conspicuous hyperlink in its privacy statement to “a description, including the effects, of any program or protocol the operator follows that offers the consumer that choice” (i.e., the ability to make a choice regarding the collection of personally identifiable information about the individual’s online activities over time or across third party Web sites or online services).

In other words, Subsection (b)(7) offers Online Services the ability not to disclose whether they respond to a – yet-to-be-defined – “do not track” signal by providing users of their service a method for opting-out of the tracking.

At this point, Subsection (b)(7) might be the most elegant and practicable alternative for companies, but it may require extensive programming and development of new application to address in a user friendly manner the numerous choices that might to be made available to users. Indeed, user friendly designs and interfaces will likely be needed so that an Online Service can shape its interaction with a user to allow the user to make granular choices while the Online Service retains the ability to conduct the collection and analysis that it needs to remain profitable and continue to receive the necessary level of traffic to generate revenues.

Subsection (b)(6) – Third Party Tracking Disclosure

The other change brought by the enactment of AB 370 focuses on third party tracking mechanisms. So far, privacy statements posted on Online Services have generally disclosed the existence of cookies or other tracking technologies such as tags, but many have failed to clearly disclose the existence or effect of third parties tracking. When they do make these disclosures, some of these statements indicate that the use of third party tracking technologies is subject to third parties privacy policies over which the Online Service has no control.

Starting on January 1, 2014, Online Services must also disclose in their privacy notices:

 “Whether other parties may collect personally identifiable information about an individual consumer’s online activities over time and across different websites when a consumer uses the operator’s Web site or service”

This provision, to be added to the existing law as Cal Bus. & Prof. Code §22575(b)(6), is unnecessarily broad, does not distinguish between website analytics and behavioral advertising, and in the absence of proper guidance from the legislator or the enforcers, is likely to give rise to litigation.

Interestingly, or unfortunately, this additional provision regarding third-party tracking technologies is not balanced by a safe harbor provision as is the case for the “do-not-track” disclosure under new Subsection (b)(5). Thus, the disclosure is required whether or not the Online Service offers users information about opting-out of the collection of information by third parties.

Under Subsection (b)(6), Online Services must only disclose the existence of third parties tracking tools. They are not required to describe the purpose for which the third parties may use the collected information, i.e., whether these uses are limited to those disclosed in the privacy statement of the Online Service itself, or whether other uses might be possible under the separate privacy policies of these third parties.

It will be up to companies to decide the extent of the disclosures or explanation they want to provide about the scope of the activities of the third parties that they invite or allow to collect information on their Online Service. It remains to be seen whether companies will opt for a generic sentence such as “third parties may be conducting activities over time and across different websites”, or will provide more specific, user-friendly disclosures.

What Personal Information is at Stake?

The disclosures required above apply to the collection of “personally identifiable information”, a term that is defined in CalOPPA, Cal bus. & Prof. Code §22577(a) to include (1) first and last name; (2) physical address; (3) e-mail address; (4) telephone number; (5) social security number; (6) Any other identifier that permits the physical or online contacting of a specific individual; and (7) Information concerning a user that the Web site or online service collects online from the user and maintains in personally identifiable form in combination with an identifier described above.

While the first part of the definition – subsections (a)(1) to (5) – is clear and specific, the second part – subsections (a)(6) and (7) is a catchall provision that could be interpreted broadly. So far, the extent of these subsections has not been fully tested. There is little information about the meaning and scope of the term “identifier that permits the physical or online contacting of a specific individual.” In an era where most devices are personal to a user, and each instance of use is labeled with cookies, tags, IP addresses, and in many cases, location, Subsection (a)(6) might be interpreted very broadly. Does the ability to post advertisements on a user’s screen based on cookies that identify that specific user – without knowing the user’s actual identity – fit within the scope of the new provision? In the new AB 370 era, we should expect the plaintiff’s bar to argue that it does.

The passage of AB 370 reopens the door to the interpretation of the definition of “personally identifiable information” under CalOPPA. Unfortunately, the definition has not been sufficiently tested previously, and it may have aged as technology has evolved significantly in the ten years that have elapsed since CalOPPA’s enactment in 2004. An unintended consequence of the passage of CalOPPA might be the expansion of CalOPPA’s definition of “personally identifiable information” to a concept that be closer to the definition of “personal data” under the data protection laws of the European Union Member States.

Enforcement

AB 370 does not contain new provisions regarding the enforcement of these amendments. The current enforcement provisions of CalOPPA remain untouched. CalOPPA allows operators of Online Services 30 days to correct deficiencies after receiving a notice of non-compliance before the Attorney General can take action. (Cal. Bus. & Prof. Code §22575(a)). Failure to comply with the CalOPPA requirements or the provisions of the posted privacy policy, if knowing and willful, or negligent and material, is actionable under California’s Unfair Competition Law and may result in penalties of up to $2,500 for each violation.

Conclusion

California’s AB 370 does not prohibit tracking. It only requires that operators of Online Services disclose how they respond to a do-not-track signal, and whether third party service providers have the ability to collect personal information from individuals during their visit of that Online Service and follow that individual over time and on other Online Services. The new law has been criticized for its lack of clarity, and it is our hope that the California State Attorney General will provide practical guidance on how to implement this new requirement. In the meantime, the new provisions fail to define what is intended by “do not track,” or to clarify the type of “personally identifiable information” that is to be protected.

While the new requirement under AB 370 focuses only on the “mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information,” it fails to recognize the many forms and the different uses of tracking, some of which are beneficial to the users. AB 370 is also based on a pre-existing definition of “personally identifiable information” that is broad and not yet fully tested, which may create further confusion.

At this point, we are left with provisions that are difficult to interpret, lack definition, and are so broad that they have the potential of causing significant harm to companies and burden users with unnecessary disclosures that might be hard to decipher. It is likely that the meaning and scope of the AB 370 amendments to CalOPPA will remain uncertain until courts are called upon to interpret the new provisions.

Posted in California
Comments Off on New Disclosures Required under Cal. AB 370

California Privacy Enforcement and Protection Unit Created

Posted by fgilbert on July 19th, 2012

California will increase its privacy and data protection enforcement efforts with the creation of the Privacy Enforcement and Protection Unit, announced by California’s Attorney General, Kamala D. Harris on July 19, 2012. The Privacy Unit, which will be housed in the eCrime Unit of the California Department of Justice, will combine the various privacy functions of the Department of Justice into a single enforcement and education unit with privacy expertise.

Joanne McNabb, currently Chief of the California Office of Privacy Protection, will serve as the Director of Privacy Education and Policy, and will oversee the Privacy Unit’s education and outreach efforts.

Travis LeBlanc, Special Assistant Attorney General for Technology for California will head up the enforcement division.  Six prosecutors will concentrate on enforcement of the laws regulating the collection, retention, disclosure, and destruction of private or sensitive information by individuals, organizations, and the government, including laws relating to cyber privacy, health privacy, financial privacy, identity theft, government records and data breaches.

Posted in California
Comments Off on California Privacy Enforcement and Protection Unit Created