Three New Changes to the Revised CCPA Regulations and New CCPA Lawsuits
As March regulations bring further clarity (and, in some instances, confusion) to the California Consumer Privacy Act landscape, litigation is also beginning to shape the CCPA.
March 24, 2020 at 10:00 AM
The original version of this story was published on Legal Tech News
While the rest of the world has been grappling with the COVID-19 pandemic, the California attorney general published on March 11 a second set of revisions to its proposed regulations for the California Consumer Privacy Act (CCPA). As the March regulations bring further clarity (and, in some instances, confusion) to the CCPA landscape, litigation is also beginning to shape the CCPA. Consumer rights lawsuits have been filed in California federal courts that could clarify and test the limitations of the CCPA's private right of action.
3 Key Changes to Proposed CCPA Regulations
The new changes to the proposed regulations, while not as sweeping and comprehensive as the last round issued in February, are still significant, particularly with the July 1 deadline for finalizing those regulations quickly approaching. Among the substantive and stylistic changes, three key modifications are highlighted below.
1. Removal of the Opt-Out Button
The AG's office has taken a rollercoaster ride with the opt-out button provision. The originally proposed regulations released in October 2019 first offered businesses the option to use an "opt-out button or logo . . . in addition to posting the notice of right to opt-out." The February regulations then provided specific direction on the use, look, and feel of the opt-out button. The proposed button had little chance for survival, though.
Professor Eric Goldman, a leading expert on internet law, explained the problems with the opt-out button design:
At least three problems with this design: (1) the mixed metaphor (dot to enable and X to cancel) makes it unclear to consumers if they need to take any action; (2) the red color signals a warning to stay away; and (3) clicking on the button doesn't actually take any action–it just links to a page with more information, and consumers might not realize that they must take more steps to complete an opt-out.
The appearance of the ill-fated button not surprisingly lasted all of a month, with the AG's office striking it, along with the recommendation that companies even consider adopting such a concept, in the March regulations.
2. Removal of IP Address "Link" Requirement
The CCPA defines "personal information" broadly to include information that could be reasonably identified with a consumer or a consumer's "household." The CCPA reinforced this broad construction by including "internet protocol address" in the definition of personal information, which allows CCPA protections to extend beyond a particular consumer to any individuals who "reside at the same address" and use an electronic device with the consumer's same IP address.
The February regulations placed a reasonable limitation on the use of an IP address for this purpose, declaring that an IP address would not be considered personal information if the regulated business "does not link the IP address to any particular consumer or household." Nevertheless, the March regulations completely eliminated this limitation without any explanation, thus reinforcing the notion that the definition of personal information is unbounded.
3. Additional Required Disclosures to Consumers in the Privacy Policy
The CCPA requires that regulated businesses publish a privacy policy delineating for consumers what businesses do with personal information and what rights consumers have vis-à-vis businesses regarding their personal information.
The March regulations add new disclosure requirements for the privacy policy including a mandate that regulated businesses specify the "categories of sources from which the personal information is collected" and describe the categories so consumers can reasonably understand what information is being collected. Businesses must also detail the "business or commercial purpose for collecting or selling personal information" and discuss the reason for doing so in reasonably understandable terms to the consumer.
CCPA Litigation
With the CCPA now effective for nearly three months, it is not surprising that consumer rights lawsuits have been filed to address CCPA violations. Litigation arising from the CCPA will likely fall into two separate categories. The first category will seek damages under the CCPA's limited private right of action for personal data breaches while the second will test the bar the CCPA has imposed on private rights of action to address other CCPA violations.
Barnes v. Hanna Andersson is an example of the first category. In this putative class action, plaintiffs seek, among other things, damages arising from defendants' alleged failures to implement reasonable security procedures and practices, which led to the claimed breach of unencrypted and unredacted personal information belonging to California consumers. If such a matter were litigated through dispositive motion practice and trial, it could provide clarity on a myriad of vague issues (e.g., what are "reasonable security procedures and practices") from the CCPA on which the AG's office has refused to provide guidance.
An example of the second category is found in Burke v. Clearview AI, which seeks various forms of relief under California's Unfair Competition Law (UCL) for violations of the CCPA. Burke does not seek damages under the CCPA's data breach private right of action, but instead relies on defendant's alleged violations of other CCPA provisions as predicate acts to establish liability under the UCL. Other consumer rights lawsuits (such as Zhang v. Super. Ct.) have adopted this tactic and successfully bypassed statutory bars to private rights of action by relying on the UCL. Burke could provide clarity on whether courts will uphold the legislative proscription on private rights of action for other CCPA violations or instead open an entirely new area of consumer rights litigation.
Philip Favro is a consultant for Driven, Inc. where he advises organizations and their counsel on issues relating to the discovery process and information governance. To address these developments relating to the CCPA, Driven has scheduled a webinar for April 1, 2020. In that webinar, data privacy expert Martin Tully of Actuate Law will join Favro as they discuss consumer rights under the CCPA, the corresponding obligations of regulated businesses, and practice tips for CCPA compliance. Registration details are available here.
© 2025 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.