While the rest of the world has been grappling with the COVID-19 pandemic, the California Attorney General published on March 11, 2020, the second set of revisions to its proposed regulations for the California Consumer Privacy Act. As the March regulations bring further clarity (and, in some instances, confusion) to the CCPA landscape, litigation is also beginning to shape the CCPA. Consumer rights lawsuits have been filed in California federal courts that could clarify and test the limitations of the CCPA’s private right of action.
Three Key Changes to Proposed CCPA Regulations
The new changes to the proposed regulations (“March regulations”), while not as sweeping and comprehensive as the last round issued in February (“February regulations”), are still significant, particularly with the July 1, 2020 deadline for finalizing those regulations quickly approaching. Among the substantive and stylistic changes, three key modifications are highlighted below.
1. Removal of the Opt-Out Button
The AG’s office has taken a rollercoaster ride with the opt-out button provision. The originally proposed regulations released in October 2019 first offered businesses the option to use an “opt-out button or logo . . . in addition to posting the notice of right to opt-out.” The February regulations then provided specific direction on the use, look, and feel of the opt-out button.[1] The proposed button had little chance for survival, though.
Professor Eric Goldman, a leading expert on Internet Law, examined the problems with the opt-out button design:
At least three problems with this design: (1) the mixed metaphor (dot to enable and X to cancel) makes it unclear to consumers if they need to take any action; (2) the red color signals a warning to stay away; and (3) clicking on the button doesn’t actually take any action–it just links to a page with more information, and consumers might not realize that they must take more steps to complete an opt-out.
[2] The appearance of the ill-fated button not surprisingly lasted all of a month, with the AG’s office striking it, along with the recommendation that companies even consider adopting such a concept, in the March regulations.
2. Removal of IP Address “Link” Requirement
The CCPA defines “personal information” broadly to include information that could be reasonably identified with a consumer or a consumer’s “household.”[3] The CCPA reinforced this broad construction by including “internet protocol address” in the definition of personal information, which allows CCPA protections to extend beyond a particular consumer to any individuals who “reside at the same address” and use an electronic device with the consumer’s same IP address.[4] The February regulations placed a reasonable limitation on the use of an IP address for this purpose, declaring that an IP address would not be considered personal information if the regulated business “does not link the IP address to any particular consumer or household.”[5] Nevertheless, the March regulations eliminate this limitation without any explanation,[6] thus reinforcing the notion that the definition of personal information is unbounded.
3. Additional Required Disclosures to Consumers in the Privacy Policy
The CCPA requires that regulated businesses publish a privacy policy delineating for consumers what businesses do with personal information and what rights consumers have vis-à-vis businesses regarding their personal information. The March regulations add new disclosure requirements for the privacy policy, including a mandate that regulated businesses specify the “categories of sources from which the personal information is collected” and describe the categories so consumers can reasonably understand what information is being collected.[7] Businesses must also detail the “business or commercial purpose for collecting or selling personal information” and discuss the reason for doing so in reasonably understandable terms to the consumer.[8]
CCPA Litigation
With the CCPA now effective for nearly three months, it is not surprising that consumer rights lawsuits have been filed to address CCPA violations. Litigation arising from the CCPA will likely fall into two general categories. The first category will seek damages under the CCPA’s limited private right of action for personal data breaches while the second will test the bar the CCPA has imposed on private rights of action to address other CCPA violations.
Barnes v. Hanna Andersson is an example of the first category. In this putative class action, plaintiffs seek, among other things, damages arising from defendants’ alleged failures to implement reasonable security procedures and practices, which led to the claimed breach of unencrypted and unredacted personal information belonging to California consumers.[9] If such a matter were litigated through dispositive motion practice and trial, it could provide clarity on a myriad of vague issues (e.g., what are “reasonable security procedures and practices”) from the CCPA on which the AG’s office has refused to provide guidance.
An example of the second category is found in Burke v. Clearview AI, which seeks various forms of relief under California’s Unfair Competition Law (“UCL”) for violations of the CCPA.[10] Burke does not seek damages under the CCPA’s data breach private right of action but instead relies on defendant’s alleged violations of other CCPA provisions as predicate acts to establish liability under the UCL. Other consumer rights lawsuits have adopted this tactic and successfully bypassed statutory bars to private rights of action by relying on the UCL.[11] Burke could provide clarity on whether courts will uphold the legislative proscription on private rights of action relating to other CCPA violations or instead open an entirely new area of consumer rights litigation.
CCPA Webinar
We welcome you to watch our CCPA webinar that addresses these developments. In this webinar, data privacy expert Martin Tully of Actuate Law and I discuss consumer rights under the CCPA, the corresponding obligations of regulated businesses, and practice tips for CCPA compliance.
[1] CCPA Proposed Regs., §999.306(f) (Feb. 10, 2020).
[2] CCPA Proposed Regs., §999.306(f) (Mar. 11, 2020).
[3] Cal. Civ. Code § 1798.140(o)(1).
[4] Cal. Civ. Code § 1798.140(o)(1)(A); CCPA Proposed Regs., §999.301(k) (Feb. 10, 2020).
[5] CCPA Proposed Regs., §999.302(a) (Feb. 10, 2020).
[6] CCPA Proposed Regs., §999.302 (Mar. 11, 2020).
[7] CCPA Proposed Regs., §999.308(c)(1)(e) (Mar. 11, 2020).
[8] CCPA Proposed Regs., §999.308(c)(1)(f) (Mar. 11, 2020).
[9] Barnes v. Hanna Andersson, No. 3:20-cv-00812 (N.D. Cal. Mar. 9, 2020), ECF No. 30 (First Amended Class Action Complaint).
[10] Burke v. Clearview AI, Inc., No. 20-cv-0370 (S.D. Cal. Feb. 27, 2020), ECF No. 1 (Class Action Complaint).
[11] See Zhang v. Super. Ct., 57 Cal.4th 364 (2013).