Big California Privacy News: Legislative and Enforcement Updates

Privacy never sleeps in California.  In recent days and as California’s legislative session comes to a close, there have been a number of significant legislative and regulatory developments in the state, each of which will likely (again) change the privacy landscape in California and, by extension, the rest of the country.  For businesses operating in California or whose websites, products or services reach California residents, these changes mean new compliance obligations, some of which could require significant investments of time and resources.  The impact of these changes highlight once again how the United States lacks a consistent national policy on privacy that could be set by a comprehensive federal privacy law.  Highlights of the developments are summarized below, accompanied by a deeper dive into CCPA-related developments:

  • In a surprise to many observers, the California legislature failed to extend the employee- and B2B-exemptions.  The exemptions will now expire at the end of 2022 and require businesses to extend CCPA rights to all California residents whose personal information they collect, without regard to their employment status.
  • The California Attorney General issued its first CCPA fine based on a company’s alleged failure to provide sale opt-outs for third-party advertising cookies and not recognize the Global Privacy Control signal.  News of the first public enforcement action was accompanied by OAG guidance highlighting enforcement priorities around the Global Privacy Control, loyalty programs and financial incentives, and privacy policies that are both easy to read and functional.
  • The California legislature passed the California Age-Appropriate Design Code Act (AADCA) which, if signed into law (as many expect will be the case), will impose a variety of obligations and restrictions on businesses that develop and provide online services, products or features that minors under 17 are “likely to access.” Modeled after a similar law in the UK, the AADCA would first come into effect on July 1, 2024 and would require businesses to configure privacy settings to high levels of privacy, and restrict their ability to profile minors and collect geolocation information.  Data protection impact assessments would also be required, including for products in existence when the law would come into effect.  Just like the original version of CCPA, the Attorney General has sole enforcement powers (e.g., no private right of action) and statutory penalties are authorized (up to $7,500 per “affected child”).  Unlike CCPA, there is a mandatory 90-day cure period for businesses that are in “substantial compliance” with the law.
  • The California legislature also passed another bill that would classify providers of mental health apps as healthcare providers under the California Confidentiality of Medical Information Act (CMIA).  As a provider subject to CMIA, mental health apps would be subject to HIPAA-like constraints on their ability to use and share data collected and will have increased litigation exposure, as CMIA includes a private right of action.  Passage of the bill comes on the heels of US Congressional inquiries about the use and protection of health data collected by mental health apps and an uptick in private litigation in the area.  If this bill becomes law, it will be effective beginning January 1, 2023.

Governor Newsom has until September 30th to sign theses bills into law, let them become law without his signature, or issue a veto.  There is no indication a veto is anticipated on any of the bills highlighted above.

Below we take a deeper dive into CCPA-specific developments.

CCPA Employee and B2B Exemptions Will Expire on December 31, 2022

In news that surprised many, labor and business interests were not able to reach consensus to codify or extend the exemptions in the California Consumer Privacy Act (CCPA) that apply to employees, independent contractors, job applicants (“employee data”), or individuals who are acting as representatives of companies that do business with California businesses subject to CCPA (“B2B data”).  This means all of the CCPA consumer rights will now be available in full to California residents acting in the employment/job applicant role. Business will need to make CCPA-required disclosures in privacy policies regarding employee and B2B data.  Data minimization and restrictions on secondary use of personal information introduced by amendments to CCPA coming into effect on January 1, 2023 will now apply to such data.  Moreover, contractual requirements for service providers, contractors and third parties required by CCPA (including those required by new amendments to the law) will now also apply to employment and B2B data that is disclosed, sold or shared with other entities.

The employee- and B2B-extensions have been in a tenuous position since 2019, when legislators first passed amendments to CCPA carving out these categories of data with a two-year sunset clause, which was intended to allow labor and business interests to work out a compromise about how to provide some level of transparency and data rights with respect to employee and B2B data without burdening businesses.  Amendments to CCPA passed by voters at the end of 2020 through the California Privacy Rights Act (CPRA) extended the sunset date an additional year through the end of 2022.   Indeed, consumer privacy laws in Virginia, Colorado, Connecticut and Utah that will come into effect in 2023 all explicitly recognize these differences and broadly exempt all employment and commercial data (e.g., B2B data).

It is possible the California Privacy Protection Agency (CPPA) could issue draft regulations that address these differences as part of their CPRA rulemaking which is underway.  CPRA expressly recognizes that while privacy interests of employees should be protected, there are “differences in the relationship” between employees and businesses as compared to the relationship between consumers and businesses.  CPPA did not take a position on whether the employee or B2B exemptions should or should not have been extended, and the first tranche of proposed regulations certainly contemplates that the legislature could change the law to codify the exemptions or at least treat employee and B2B data differently than consumer data.

California Attorney General Issues First CCPA Fine and Underscores Need to Comply with Global Privacy Control

While digesting news of the demise of the exemptions, businesses should also take note of news from the California Office of the Attorney General (OAG).  The OAG issued its first CCPA enforcement fine, updated CCPA enforcement examples on the OAG’s CCPA webpage, and made related statements to the press regarding what we can expect in the future from the OAG with respect to CCPA enforcement.  Taken as a whole, these developments put businesses on notice that they should review privacy policy disclosures about sales (especially when they involve the use of third-party advertising cookies), evaluate and monitor sale opt-outs including by addressing technical glitches, and consider processes to respond to global opt-out signals, such as the Global Privacy Control.  Ambiguity about whether the OAG would enforce requirements to observe global opt-out preference signals before CPRA regulations go into effect has lessened:  the OAG treats observance of the signals as mandatory and has initiated a new group of investigations focused on just this issue.  As businesses prepare to update service provider contracts to comply with new requirements under CPRA (and even before CPRA regulations are finalized), businesses will also want to make sure they have service provider/contractor contracts in place for all vendors that are processing personal information on behalf of a business.  The OAG has signaled it will be looking carefully to ensure such contracts are in place and, if they are not, it will treat transfers of personal information to such entities as CCPA sales.

State of California vs. Sephora – First CCPA Enforcement Action and Fine.  In the first CCPA enforcement action filed in court and the concurrently-filed proposed judgment reflecting the OAG’s settlement with the company, the OAG seeks a $1.2 million fine for the company’s alleged failure to provide sale opt-out rights to consumers and observe a global privacy control opt-out signal.  The sales at issue are Sephora’s alleged use of third party advertising and analytics tools that provided a benefit to Sephora while also allowing these third parties to collect and use website visitor data for their own purposes.  In the early days of CCPA, some questioned whether the use of cookies and trackers in this regard constituted a sale.  OAG addressed that issue in guidance issued last year and in this complaint states: “Both the trade of personal information for analytics and the trade of personal information for an advertising option constituted sales under the CCPA.”

The settlement provides an instructive roadmap about CCPA issues that are top of mind for the OAG.  In addition to $1.2 million in statutory penalties, the settlement requires the company to, among other things, update its privacy policy disclosures around sales, provide opt-out notice and recognize signals sent by user-enabled global privacy controls like the Global Privacy Control, and report, in writing, to the OAG annually for the next two years about its opt-out processes, including any technical difficulties it detects.  Additionally, the company has to demonstrate it knows where its personal information is being sold and under what terms, as it will be required to name each entity to which it sells personal information and document that it has service provider contracts in place with all entities the company claims are acting in that capacity.

New CCPA Enforcement Case Examples – Opt Outs, GPC, Clarity & Functionality Are Top of Mind.  On the same day the OAG filed the complaint against Sephora, it published a dozen new examples of “Enforcement Cases” on its CCPA webpage, reflecting anonymized examples of notices to cure issued by the OAG that were informally resolved to the OAG’s satisfaction. The examples provided show the OAG has been investigating businesses whose data we would expect to be largely exempt from CCPA.  Targets of OAG investigations included several entities in the healthcare space (HIPAA exemption), a financial services firm (GLBA exemption) and a medical device manufacturer (B2B exemption).

Substantively, the examples underscore the OAG’s focus on ensuring privacy policies are accurate and easy to understand, particularly with respect to opt outs and other data subject rights.  Other case examples showcase the OAG’s recent enforcement “sweeps” regarding compliance with financial incentive notices, demonstrate the OAG intends to hold businesses to account for technical glitches that interfere with consumers’ ability to exercise data subject rights, and highlight a potential new focus on notices at collection and making sure internal “deep links” are used to direct users to the relevant portions of a privacy policy.

Short-Term CCPA Compliance Tune Up.  Businesses that are subject to CCPA already have long to-do lists to prepare for implementation of expanded obligations under CPRA amendments, which will be further lengthened by the demise of the employee and B2B exemptions.  Nevertheless, these recent announcements from the OAG suggest the office is moving full steam ahead on CCPA enforcement, even before CPRA amendments come into effect.  Businesses may therefore want to consider conducting a CCPA compliance tune up in the months ahead.  Below is a list of potential areas to consider based on the OAG’s recent announcements:

  • Review privacy policy “sales” disclosures relating to  advertising and analytics cookies/trackers.
  • Review status of Service Provider agreements.
  • Consult with IT re Global Privacy Control signals. 
  • Review functionality of opt outs and other data subject request tools. 
  • Review financial incentive disclosures.
  • Monitor social media for comments about data subject rights. 

Sidley’s data privacy team is always here to help clients navigate complexities and nuances in compliance with CCPA and other data privacy laws, including amendments to CCPA and new U.S. state data privacy laws that will be coming into effect in 2023.

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.