Three New Changes to the Revised CCPA Regulations and New CCPA Lawsuits
As March regulations bring further clarity (and, some in instances, confusion) to the California Consumer Privacy Act landscape, litigation is also beginning to shape the CCPA.
March 24, 2020 at 10:00 AM
6 minute read
While the rest of the world has been grappling with the COVID-19 pandemic, the California attorney general published on March 11 a second set of revisions to its proposed regulations for the California Consumer Privacy Act (CCPA). As the March regulations bring further clarity (and, some in instances, confusion) to the CCPA landscape, litigation is also beginning to shape the CCPA. Consumer rights lawsuits have been filed in California federal courts that could clarify and test the limitations of the CCPA's private right of action.
|3 Key Changes to Proposed CCPA Regulations
The new changes to the proposed regulations, while not as sweeping and comprehensive as the last round issued in February, are still significant, particularly with the July 1 deadline for finalizing those regulations quickly approaching. Among the substantive and stylistic changes, three key modifications are highlighted below.
1. Removal of the Opt-Out Button
The AG's office has taken a rollercoaster ride with the opt-out button provision. The originally proposed regulations released in October 2019 first offered businesses the option to use an "opt-out button or logo . . . in addition to posting the notice of right to opt-out." The February regulations then provided specific direction on the use, look, and feel of the opt-out button. The proposed button——had little chance for survival, though.
Professor Eric Goldman, a leading expert on internet law, explained the problems with the opt-out button design:
At least three problems with this design: (1) the mixed metaphor (dot to enable and X to cancel) makes it unclear to consumers if they need to take any action; (2) the red color signals a warning to stay away; and (3) clicking on the button doesn't actually take any action–it just links to a page with more information, and consumers might not realize that they must take more steps to complete an opt-out.
The appearance of the ill-fated button not surprisingly lasted all of a month, with the AG's office striking it, along with the recommendation that companies even consider adopting such a concept, in the March regulations.
2. Removal of IP Address "Link" Requirement
The CCPA defines "personal information" broadly to include information that could be reasonably identified with a consumer or a consumer's "household." The CCPA reinforced this broad construction by including "internet protocol address" in the definition of personal information, which allows CCPA protections to extend beyond a particular consumer to any individuals who "reside at the same address" and use an electronic device with the consumer's same IP address.
The February regulations placed a reasonable limitation on the use of an IP address for this purpose, declaring that an IP address would not be considered personal information if the regulated business "does not link the IP address to any particular consumer or household." Nevertheless, the March regulations completely eliminated this limitation without any explanation, thus reinforcing the notion that the definition of personal information is unbounded.
3. Additional Required Disclosures to Consumers in the Privacy Policy
The CCPA requires that regulated businesses publish a privacy policy delineating for consumers what businesses do with personal information and what rights consumers have vis-à-vis businesses regarding their personal information.
The March regulations add new disclosure requirements for the privacy policy including a mandate that regulated businesses specify the "categories of sources from which the personal information is collected" and describe the categories so consumers can reasonably understand what information is being collected. Businesses must also detail the "business or commercial purpose for collecting or selling personal information" and discuss the reason for doing so in reasonably understandable terms to the consumer.
|CCPA Litigation
With the CCPA now effective for nearly three months, it is not surprising that consumer rights lawsuits have been filed to address CCPA violations. Litigation arising from the CCPA will likely fall into two separate categories. The first category will seek damages under the CCPA's limited private right of action for personal data breaches while the second will test the bar the CCPA has imposed on private rights of action to address other CCPA violations.
Barnes v. Hanna Andersson is an example of the first category. In this putative class action, plaintiffs seek, among other things, damages arising from defendants' alleged failures to implement reasonable security procedures and practices, which led to the claimed breach of unencrypted and unredacted personal information belonging to California consumers. If such a matter were litigated through dispositive motion practice and trial, it could provide clarity on a myriad of vague issues (e.g., what are "reasonable security procedures and practices") from the CCPA on which the AG's office has refused to provide guidance.
An example of the second category is found in Burke v. Clearview AI, which seeks various forms of relief under California's Unfair Competition Law (UCL) for violations of the CCPA. Burke does not seek damages under the CCPA's data breach private right of action, but instead relies on defendant's alleged violations of other CCPA provisions as predicate acts to establish liability under the UCL. Other consumer rights lawsuits (such as Zhang v. Super. Ct.) have adopted this tactic and successfully bypassed statutory bars to private rights of action by relying on the UCL. Burke could provide clarity on whether courts will uphold the legislative proscription on private rights of action for other CCPA violations or instead open an entirely new area of consumer rights litigation.
Philip Favro is a consultant for Driven, Inc. where he advises organizations and their counsel on issues relating to the discovery process and information governance. To address these developments relating to the CCPA, Driven has scheduled a webinar for April 1, 2020. In that webinar, data privacy expert Martin Tully of Actuate Law will join Favro as they discuss consumer rights under the CCPA, the corresponding obligations of regulated businesses, and practice tips for CCPA compliance. Registration details are available here.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllTrump Win Ignites Global Legal Market: Lawyers Prepare for High Demand and Uncertainty
Russia-Linked Deepfakes Are Hitting the US Election. Will It Spur Congress to Act?
AI Gives Legal Departments New Leverage to Demand Speed, Efficiency From Law Firms
3 minute readTrending Stories
- 1Infant Formula Judge Sanctions Kirkland's Jim Hurst: 'Overtly Crossed the Lines'
- 2Election 2024: Nationwide Judicial Races and Ballot Measures to Watch
- 3Guarantees Are Back, Whether Law Firms Want to Talk About Them or Not
- 4How I Made Practice Group Chair: 'If You Love What You Do and Put the Time and Effort Into It, You Will Excel,' Says Lisa Saul of Forde & O'Meara
- 5Abbott, Mead Johnson Win Defense Verdict Over Preemie Infant Formula
- 6How Much Does the Frequency of Retirement Withdrawals Matter?
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250