California Privacy Update | Wilmer Hale

[co-author: Tamar Pinto]

The California Consumer Privacy Act (CCPA) may seem like old news, especially now that Virginia and Colorado have also passed comprehensive privacy laws, but businesses should continue to pay attention to California if they want to stay ahead of their potential compliance obligations. This blog post highlights key updates to California privacy law that will impact businesses in the coming year and how businesses can respond.

  1. CCPA enforcement is underway.

    Beginning July 1, 2020, the first day of CCPA enforcement, the California Office of the Attorney General (“OAG”) began sending notices of alleged non-compliance with the CCPA. Target industries are wide-ranging and include online marketing, social media, online dating and advertising, consumer electronics, retailers, and more. Once notified, companies have thirty days to cure the alleged violation before enforcement proceeds. Common fixes include updating privacy policies, amending service provider contracts with CCPA addenda, and adding “Do Not Sell My Personal Information” links.

  2. Companies operating loyalty programs have also been put on notice.

    As part of its investigation, on January 28, 2022, the OAG also sent notices to companies operating loyalty programs in California. Under the CCPA, companies that offer financial incentives, such as promotions, discounts, free items or other rewards, in exchange for personal information must provide notice to consumers. This notice of financial incentive must clearly describe the material terms of the financial incentive program to the consumer before they enroll in the program. Major companies in the retail, home improvement, travel and restaurant industries have received notices of alleged violations of the financial incentive notice requirement for their loyalty programs.

  3. CPRA rulemaking is also in full swing.

    In November 2020, California voters approved Proposition 24, the California Privacy Rights Act of 2020 (CPRA), which makes many updates to the CCPA. A new agency, the California Privacy Protection Agency (CPPA or “Agency”), governed by a five-member board, is responsible for implementing and enforcing the law.

    On September 22, 2021, the Agency opened comments on eight main topics:

    1. Risks: What type of processing poses a significant risk to consumer privacy or security? Businesses whose processing poses such a risk will be the ones subject to cybersecurity audits and risk assessments.
    2. Automated decision-making: What activities constitute “automated decision-making” technology? Consumers will be able to opt out of automated decision-making technologies and/or profiling.
    3. Authority of the Agency: What authority and scope should the Agency have to conduct audits? CPRA will give the Agency the power to audit companies within this defined scope.
    4. Consumer Rights: CPRA adds a new right: the right to request the correction of inaccurate personal information. What should be the scope of the new rules for correcting consumer information?
    5. Opt-out rights: What rules should be established for consumers to limit the use and sale of sensitive information, and how should the opt-out preference signal be defined? Businesses may need to redefine the functionality associated with opting out of the sale of personal information and create rules to limit the use of sensitive personal information.
    6. Sensitive Information: CPRA expands the data categories to include sensitive personal information. What is the scope of “sensitive personal information,” and what would the required disclosure regarding sensitive information be? Companies will need to include provisions regarding sensitive data.
    7. 12-Month Consumer Information Period: Upon an access request, CPRA will require companies to provide consumer information covering a period of 12 months. Requests made after January 1, 2022 may require companies to disclose information beyond the 12-month window. Comments on this topic include what would constitute a “disproportionate effort” for companies to provide requested data to consumers.
    8. Definitions and categories: The Agency is also seeking comments on the definitions section. Businesses should be on the lookout for changes to definitions such as “personal information,” “precise geolocation,” “specific pieces of information obtained from the consumer,” “designated methods for submitting requests,” and others.

    After the two-month comment period, the Agency released nearly 900 pages of comments on December 14, 2021. Formal rulemaking will begin once information gathering is complete. With the CPRA coming into force on January 1, 2023, companies now have less than a year to complete their CPRA compliance programs.

  4. The future of B2B and employee data exemptions under California law is unclear.

    CPRA extends the CCPA’s business-to-business and employee information exemptions until January 1, 2023 (subject to certain restrictions). Companies that previously relied on these exemptions for their California data will need to assess their potential compliance obligations once these exemptions expire. It’s possible that the California legislature will try to extend these exemptions further (or make them permanent in the law, as the privacy laws in Virginia and Colorado do), but it’s unclear to what extent the CPRA allows the legislature to make that change.

  5. Meanwhile, California passed the Genetic Information Privacy Act.

    In addition to the CCPA/CPRA updates, the California legislature last year passed the Genetic Information Privacy Act (“GIPA”), which went into effect January 1, 2022. GIPA targets companies that offer “direct-to-consumer” genetic testing. To qualify as a direct-to-consumer (“DTC”) entity and fall under GIPA, a business must engage in one of the following activities: (1) directly sell, market, perform or offer consumer-initiated genetic testing products or services to consumers; (2) analyze genetic data obtained from a consumer (interestingly, those licensed in the healing arts who do so for the diagnosis or treatment of a medical condition are exempt); or (3) collect, use, store, or disclose genetic data collected or derived from a direct-to-consumer genetic testing product or service.

    GIPA governs all data that results from the analysis of a consumer’s genetic material. The genetic material can be deoxyribonucleic acid (DNA), ribonucleic acid (RNA), genes, chromosomes, alleles, genomes, alterations or modifications of DNA or RNA, or single nucleotide polymorphisms. Genetic data may also be data extrapolated, derived or inferred from genetic analysis. Notably, anonymized data is excluded from the scope of the law.

    Under GIPA, DTCs must provide notice, obtain consent, and adhere to certain data security standards. DTCs must clearly provide information regarding their privacy practices and the use and retention of genetic data, as well as a disclosure that de-identified genetic or phenotypic information may be shared with third parties. For service providers in particular, DTCs must have a contract with them that limits what they can do with the genetic data they process on behalf of the DTCs. DTCs must also obtain express consent from consumers to use, store or transfer genetic data to a third party. DTCs must further develop, implement and maintain a comprehensive security program to protect a consumer’s genetic data from unauthorized access, use or disclosure. Finally, DTCs must offer consumers access to their genetic data, as well as the ability to delete their account and their genetic data.

    There is no private right of action under GIPA. It can be enforced exclusively by the MPC, a district attorney, a county counsel, or a city attorney. Negligent violations of the law can result in fines of up to $1,000 per violation, and willful violations can result in fines of up to $10,000 per violation.

About Anne Wurtsbach
