Webinar Recap – CCPA Update: What You Need to Know About CPRA & July 1st Enforcement

As part of the Privacy Insight Series, TrustArc presented the webinar “CCPA Update: What You Need to Know about CPRA & July 1st Enforcement” last week with speakers Teresa Troester-Falk, President and Founder of BlueSky Privacy, and K Royal, Associate General Counsel at TrustArc. This blog post will give a brief summary of that webinar addressing the California Consumer Privacy Act (CCPA), its new regulations and the ballot initiative, the California Privacy Rights Act (CPRA); you can listen to the entire webinar and download the slides here.

Definitions 

With the possibility of a July 1 enforcement date quickly approaching, there was a lot to cover in this webinar. K and Teresa discussed the current status of the consumer privacy acts in California, how the CCPA regulations compare to the CPRA, what to expect on July 1st, how to prepare for all possible scenarios and provided resources to ensure compliance by July 1st and beyond. They expanded upon the various definitions for terms within the CCPA regulations and CPRA. For the CCPA, the definition of “business” was clarified in the regulations that the revenue prong of $25M applies to all revenue, and not simply revenue within California. This was a point of confusion for business leaders trying to interpret the often vague text of the CCPA. 

July 1 Enforcement 

In regards to enforcement, K and Teresa discussed the recent communications from the California AG’s office: “The OAG has determined that any delays in implementation of the regulation will have a detrimental effect on consumer privacy as more and more Californians are using online resources to shop, work, and go to school.” Despite the COVID-19 pandemic, it is clear that the AG’s office is serious about protecting Californian’s personal data and unlikely to waiver on the impending enforcement date.

One of the hot topics in California privacy has been whether or not the use of Cookies on websites constitute a “sale” as defined by the CCPA. The attorney general’s comments in the “Final Statement of Reasons” confirm that the office considers this determination to be highly fact-specific and recommends that companies should seek clarification from counsel. However, under the CPRA, there is a new definition of “sharing” that addresses the cookie scenarios – 

“Share,” “shared,” or “sharing” means sharing, renting, releasing, disclosing, disseminating, making oval/able, transferring, or otherwise communicating orally, In writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and o third party for cross-context behavioral advertising for the benefit of a business In which no money is exchanged. (§1798.140(ah)(1)).

TrustArc CCPA “Opt-Out” Solution  

One of the main aspects of CCPA compliance is fulfilling consumer rights requests as consumers have the right to opt-out of the sale of their personal information. As such, the ability for consumers to exercise this right must be found in an easy-to-find location on your website. With TrustArc Cookie Consent Manager now integrated with TrustArc Individual Rights Manager, you can display the “Do Not Sell My Personal Information” link on your cookie banner, providing transparency and improved user experience to your consumers.

In addition, TrustArc Cookie Consent Manager allows you to configure the consent experience based on any geographical compliance requirements as different regulations have different rules. Utilizing TrustArc Cookie Consent Manager allows you to display the applicable consent banner based on the location of the website visitor. For example, you can display a GDPR opt-in notice banner to EU residents and a CCPA notice-only banner to California residents. 

Companies are understandably in varying stages of preparedness, and with less than a month to go, prioritizing compliance elements is key. Wherever you are in your CCPA compliance journey, TrustArc can offer support at any stage of your compliance plan.

For more information on how TrustArc can help, visit TrustArc.com or contact us here.

The California Privacy Rights Act of 2020

Background

Alastair Mactaggart, the driver behind the current California Consumer Privacy Act (CCPA) in 2018 (CCPA, published a new version of a consumer privacy act in September 2019). Since then, it has been modified and is being submitted to California county governments for inclusion on the California ballot for voting. In California Elections Code, Article 3, Section 9035 requires that initiative measures for statutes be presented to the Secretary of State with a minimum number of signatures, at least 5 percent of the total numbers of registered voters in the most recent gubernatorial election, in this case, no less than 623,212. 

The Office of the Attorney General released the title and summary of the initiative back in December 2019 as one of the first steps in a ballot initiative. On May 4, 2020, the Californians for Consumer Privacy announced that it was submitting over 900,000 signatures for qualification of the California Privacy Rights Act of 2020 (CPRA) as a ballot initiative and is now submitting the petitions to all counties for inclusion on the ballots in November.  If passed, the CPRA would take effect January 2023 with a one-year look back to January 2022. Some provisions, however, are presented for 2021, such as a new state privacy agency responsible for implementing and enforcing the CCPA.

Previously, this same group sponsored CCPA to be on the November 2018 ballot. However, the California Legislature passed its version of the CCPA in June 2018, which was signed into law – and has been amended twice since then. To date, the regulations to implement the CCPA have not been issued, yet enforcement is slated to begin July 1, 2020.

About the CPRA

The CPRA’s intent is to amend the CCPA by adding new definitions, new individual rights, and broadening the enforcement elements of the CCPA. Key provisions include:

  • Enhanced obligations on third parties, including service providers and contractors
    • Providing notice where data is collected (businesses acting as third parties) 1798.100(b)
    • Contractual obligations to comply with the law and to provide certain levels of privacy protection Section 1798.100(d) 
    • Cooperate on consumer requests, including deletion and flowdown obligations 1798.105(c)(3)
  • Explicit security provisions (reasonable as appropriate to nature of information) 1798.100(e)
  • New right of correction 1798.106
  • New right to limit use and disclosure of sensitive personal information 1798.121
  • Addition of definitions of “consent,” “contractor,” “sensitive personal information,” and “share” (as proposed §1798.145(h), (j), (ae), and (ah) respectively). Each of which carries new or enhanced obligations. A summary of these new definitions are listed here, with the exception of “sensitive personal information” which is provided in full below.
    • “Consent” must be freely given, specific, informed and unambiguous, with a clear affirmative action or statement and includes what does not indicate consent, such as acceptance of general terms or muting or closing a piece of content. (h)
    • “Contractor” is very similar to a service provider.(j)
    •  “Sensitive personal Information” means: (1) personal Information that reveals (A) a consumer's social security, driver's license, state Identification card, or passport number; {B) a consumer's account log-In, financial account, debit .card, or credit card number In combination with any required security or access code, password, or credentials allowing access to an account; (C) a consumer's precise geolocat/on; (D) a consumer's racial or ethnic origin, religious or philosophical beliefs, or union membership; (E) the contents of a consumer's mall, email and text messages, unless the business Is the Intended recipient of the communication; (F) a consumer's genetic data; and (2}(A) the processing of biometric Information for the purpose of uniquely identifying a consumer; (B) personal Information collected and analyzed concerning a consumer's health; or {C) personal Information collected and analyzed concerning a consumer's sex life or sexual orientation. Sensitive personal Information that Is “publicly available” pursuant to paragraph {2) of subdivision (v) of Section 1798.140 shall not be considered sensitive personal Information or personal information. (ae)
    • “Share,” “shared,” or “sharing” is very much like selling, but in regards to cross-context behavioral advertising. (ah)
  • Additional element of data sharing to the definition of “business” for those who share control and branding with a business subject to the CCPA, Section 1798.140(d)(2) 
  • Creation of a California Consumer Protection Agency. Section 1798.199
  • Requiring an annual cybersecurity audit for businesses whose processing of personal information presents a significant risk to consumers – and submitting risk assessments to the new Consumer Privacy Protection Agency. Section 1798.185(a)(15)
  • Subjecting violations involving the personal information of individuals known to be under the age of 16 to the increased penalty level of $7,500 each violation. Section 1798.155(a)

These are certainly not all of the changes proposed by the CPRA and one should read the complete text to understand the potential impact.

Next steps

Under the previous initiative, which became the CCPA, negotiations were held to enact state law in lieu of the ballot initiative proceeding. It is unknown whether similar discussions are being held about the CPRA. As permitted under California Constitutional Law, the CPRA will be listed on the ballot in November as long as the remaining requirements are met.\

 

Webinar Recap – US Quarterly Privacy Update: Consumer Privacy Law

blank

As part of the TrustArc Privacy Insight Series, TrustArc Associate General Counsel – Privacy Intelligence K Royal, and TrustArc Privacy Legal Specialist Christina Fratschko presented the webinar “US Quarterly Privacy Update: Consumer Privacy Law” last week. This blog post will give a brief summary of that webinar; you can listen to the entire webinar and download the slides here.

In this quarterly session, the panelists provided:

An overview on updates to Consumer Privacy Law for each of the states, and mentioned which legislatures have killed their bills due to substantive issues or slating them for further study. Also discussed were commonalities between bills among states with regards to rights to access, correct and delete personal information, and right to opt-out of sale of personal information.

A review of three federal bills proposing consumer rights: 1) United States House of Representative Draft Law Discussion Bill – new safeguards around how companies can collect and use identifiable consumer data, 2) Consumer Online Privacy Rights Act (“COPRA”) – entities subject to the U.S. Federal Trade Commission jurisdiction must comply with individual rights, and 3) Consumer Data and Security Act – establishing a clear federal standard for data privacy protection, giving businesses a uniform standard rather than a patchwork of confusing state laws.

What employers and educational institutions need to know during this growing pandemic of the novel coronavirus around the world. The panelists recapped several guidances issued by regulatory authorities. The Office for Civil Rights, which enforces the Health Insurance Portability and Accountability Act (“HIPAA”)  published an advisory regarding Telehealth in which healthcare providers can communicate to patients and provide Telehealth services through communication technologies. The U.S. Department of Education issued guidance on how and when educational institutions may share student personal information if a student has COVID-19. In addition, the U.S. Equal Employment Opportunity Commission published some guidance on how employers can handle information of a COVID-19 case among their employees and protect their employees from COVID-19.

Watch this on-demand webinar to stay up-to-date on consumer privacy laws in the US. TrustArc also has a robust library of on-demand webinars available here

Join us for the next webinar in the Privacy Insight Series: “COVID-19 – What are the Potential Impacts on Data Privacy?” with TrustArc SVP, Privacy Intelligence and General Counsel, Hilary Wandall on 4/8 at 9am PT. Register for the webinar here.

The TrustArc Privacy Insight Series is a set of live webinars featuring renowned speakers, presenting cutting edge research, tips, and tools. Events are free and feature informative discussions, case studies and practical solutions to today’s tough privacy challenges.

CCPA Update: March Regulation Proposed Revisions

blank

The Department of Justice of California published yet another round of draft CCPA (California Consumer Privacy Act) regulations on March 7, 2020 with comments due March 27, 2020.

As stated in the notice, there were “around 100 comments received in response” to the previous draft regulations.

In the most recent version, the “redlined” version is color-coded to easily identify the original draft regulations, the first set of modifications, and this second set of modification. The redlined and clean versions are published online.

According to the rule-making process, if changes are made to the proposed regulations, the changes will be published for the public to submit comments. These comments would be reviewed and based on the comments, either revise or accept the published draft. Comments will also be responded to at the publication of the final regulations.   The Office of the Attorney General previously provided guidance that if changes are “substantial and sufficiently related,” the changes will be published with an abbreviated comments period of 15 days (this modification and the last one met these requirements). If changes are not made or are “nonsubstantial and sufficiently related,” no publication for comments will occur. Only “major changes” would require a full 45-day comment period.

Some of the key changes include:

  • Removal of § 999.302 which was added in the last version addressing that an IP address that is otherwise not associated with identifying information is not personal data. No sections were added or modified in the newest version to address IP addresses.
  • Addition of § 999.305(d) clarifying that “[a] business that does not collect personal information directly from a consumer does not need to provide a notice at collection to the consumer if it does not sell the consumer’s personal information.”
  • An addition was made that if a business that denies a consumer’s request to delete sells personal information and the consumer has not already made a request to opt-out, the business shall ask the consumer if they would like to opt out of the sale of their personal information and shall include either the contents of, or a link to, the notice of right to opt-out in accordance with section 999.306. (§ 999.313(d)(7)).
  • Clarification that the notice provided at the collection of employment-relation information does not need to contain a link to the business’s privacy policy.
  • Additional clarifications were added around information provided in response to consumers’ requests to know (§ 999.305(f)(2)), what to publish about selling minors’ data (§ 999.308(c)(9)), a description of biometric data that is to be provided where the biometric data itself cannot be provided in response to a request to know (§ 999.314(c)(4)), and descriptions of categories of sources and business purposes in the privacy policy (§ 999.308(c)(1)(e) and (f).

Where are we now?

The comment period ends on March 27, 2020. Per guidance and history, any changes made to this version will result in publication of a new round of proposed regulations.

Once we reach a version wherein there are no changes made, according to the “Information about the rulemaking process,” the Office of the Attorney General will prepare and submit the final rulemaking record to the Office of Administrative Law (“OAL”) for approval, including the summaries and responses to each public comment received. The OAL has 30 working days to determine if all of the procedural requirements are met and if so, the regulations will be filed with the Secretary of State. 

Will enforcement start July 1, 2020?

At this time, enforcement remains slated to start on July 1, 2020. TrustArc will keep you posted on updates. To speak with a privacy expert about the California Consumer Privacy Act and how to comply, schedule a consultation today.

Webinar Recap – CCPA: Countdown to Enforcement

blank

As part of the TrustArc Privacy Insight Series, TrustArc Senior Privacy Consultant Beth Sipula, TrustArc Privacy Counsel Edward Hu, and TrustArc Director Privacy Intelligence Development Joanne Furtsch presented the webinar “CCPA: Countdown to Enforcement” last week. This blog post will give a brief summary of that webinar; you can listen to the entire webinar and download the slides here.

The CCPA is set to be the toughest privacy law in the United States. It broadly expands the rights of consumers and requires companies within scope to be significantly more transparent about how they collect, use, and disclose personal information. The CCPA is effective January 1, 2020, and enforcement is slated to begin no later than July 1, 2020.

During this webinar, the panelists discussed the current hot topics surrounding the CCPA, such as: notice, service providers, browser controls, identity verification, and the right to deletion. Regarding the right to deletion, Beth went into detail on the proposed regulations’ two step process: the first step allows the individual to submit the request for deletion; and the second step separately confirms the personal information will be deleted. Furthermore, Beth explained that when denying requests, businesses must provide the consumer with a notice stating the reasons for denial, including any applicable exceptions, delete any information not subject to exception, and not use the retained personal information for any purpose not provided for by a relevant exception. 

The panel went on to discuss the recent CCPA public hearings, as Joanne attended the Sacramento hearing and Edward attended the San Francisco hearing. They touched on the variety of speakers during both hearings, which showed the wide range of use cases that the speakers brought forth, and the sizable impact of the CCPA. There were many similarities in both hearings, such as requests for model notices from the AG’s office in order to help streamline notice compliance requirements. 

With the January 1, 2020 effective date quickly approaching, Edward provided several action items for companies, such as: 

  • Inventorying your data
  • Putting a consumer request process in place
  • Reviewing vendor contracts to determine who is a service provider
  • Updating privacy notices
  • Making a determination about whether using third-party ad tech cookies constitutes a “sale”

To learn more about the CCPA, view the on-demand Privacy Insight Series webinar here.  TrustArc has a robust library of on-demand webinars available here. You can learn more about the CCPA look back requirement, automating privacy managing, GDPR compliance, and many other hot topics.

The TrustArc Privacy Insight Series is a set of live webinars featuring renowned speakers, presenting cutting edge research, tips, and tools. Events are free and feature informative discussions, case studies and practical solutions to today’s tough privacy challenges.

div>