CCPA and Beyond: Mandating Data Protection by Regulation Creates Confusion
A hallmark of U.S. administrative law is that policy decisions are made by the Legislature, with gaps filled in via regulation. Administrative agencies are given discretion and courts show special deference to an agency's area of expertise. In the arena of data protection, this separation of powers is being put to the test and causing confusion for businesses seeking to comply with data protection duties.
March 31, 2020 at 02:30 PM
It is a hallmark of U.S. administrative law that policy decisions are made by the Legislature, with gaps filled in via regulation. See Med. Soc'y v. Serio, 100 N.Y.2d 854, 865 (2003). Administrative agencies are given wide discretion in this regard and courts show special deference in relation to matters within an agency's area of expertise. See Wembly Mgmt. Co. v. New York State Div. of Hous. & Cmty. Renewal, 205 A.D.2d 319, 319 (1st Dept. 1994). An administrative agency cannot, however, create policy on its own or otherwise promulgate rules not generally authorized by the Legislature.
California Consumer Privacy Act
In the arena of data protection, this separation of powers is being put to the test and, in certain cases, causing confusion for the millions of U.S. businesses seeking to comply with newly created data protection duties. A case in point is the California Consumer Privacy Act (CCPA), which famously came into effect on Jan. 1, 2020 with no regulations in place to fill in conspicuous gaps found in the law. CCPA itself was a reaction to a popular ballot initiative which, if passed, would have significantly tied the California Legislature's hands in relation to future amendments. See Cal. Const., art. II, §10 (70% legislative majority required to amend adopted ballot initiative). Instead of restricting its ability to change the initiative, the Legislature decided to swallow the bitter pill of CCPA, leaving much of the detail concerning CCPA compliance to the California attorney general, who is required to promulgate CCPA-related regulations no later than July 1, 2020. These regulations must include, inter alia, specific rules for the uniform "Do Not Sell My Personal Information" button required under the statute, verification of consumer data requests, and the very definition of "personal information" on which the whole of CCPA is based.
The California attorney general issued notice of such regulations on Oct. 11, 2019, which opened a comment period that closed on Dec. 6, 2019. In response to the comments received, the attorney general proposed revised regulations on Feb. 10, 2020, opening a truncated 15-day comment period that ended on Feb. 25, 2020. The attorney general then proposed a second set of revisions on March 11, 2020, opening another 15-day comment period that ended on March 27, 2020. It is unclear whether the attorney general will further revise the proposed regulations, which would in turn open yet another 15-day comment period, or whether the attorney general will adopt this regulatory "version 3.0" as currently proposed.
The problem with this process is that without any statutorily created ramp-up period, organizations subject to data protection laws such as CCPA must develop extensive compliance programs before any regulatory guidance is in place. By way of contrast, the European Union's General Data Protection Regulation became effective as of April 14, 2016 but gave organizations until May 25, 2018 to comply. The lack of such a ramp-up period leads to the often expensive and inefficient circumstance of an organization guessing where proposed or anticipated regulations may end up once adopted, but ultimately guessing wrong.
Selling Personal Information
A case in point is the CCPA requirement that organizations selling personal information obtained from third parties give the consumers whose information they are selling notice of the details of that sale. In the originally proposed regulations, the California attorney general offered a creative solution, not present anywhere in the statutory language of CCPA. Specifically, before a business subject to CCPA could sell personal information obtained from a third party, the business would either have to provide notice of the sale directly to the consumers at issue or obtain an attestation from the original seller of the information, stating that that seller had already provided appropriate notice at or before the point of data collection. See Cal. Code Regs. tit. 11, §999.305(d) (as proposed, Oct. 11, 2019).
This attestation option was both efficient and welcomed among businesses that sold personal information obtained from others. Accordingly, certain organizations began the process of obtaining such attestations, predicting that this aspect of the proposed regulations would not change in any material respect.
Both the first and second set of revised regulations, however, jettisoned the attestation option and replaced it with a safe harbor for businesses selling personal information obtained from others if: (1) the business registers with the attorney general as a data broker, pursuant to Cal. Civ. Code §1798.99.80, and (2) "includes in its registration submission a link to its online privacy policy that includes instructions on how a consumer can submit a request to opt-out." See Cal. Code Regs. tit. 11, §999.305(e) (as modified, March 11, 2020).
This change, although perhaps even easier to comply with than the attestation option, creates three sets of related problems. First, for businesses that have already obtained attestations from their sources of personal information, those attestations are now moot, although they may have involved detailed negotiations, contract amendments, and attorney time. Second, a business that has not yet registered as a data broker in California must now do so to obtain the benefit of this caveat. This brings with it risk, however, because the deadline to register as a data broker in California ran on Jan. 31, 2020, and failure to register can lead to fines and enforcement. See Cal. Civ. Code §1798.99.82(c) ($100.00 per day potential fine for failure to register). Indeed, as the attorney general makes clear on the data broker registration website, "[a] data broker that has not registered by the January 31 statutory deadline should register as soon as possible and may be liable for civil penalties for each day the data broker fails to register." The definition of "data broker" under §1798.99.80 is not coterminous with the definition of "business" under CCPA, however.
Hence, many CCPA businesses that sell personal information obtained from third parties may have determined that they were not "data brokers" under §1798.99.80, therefore deciding not to register before the deadline. If any such business now decides to register to take advantage of the caveat in the modified version of §999.305(e), it faces the unenviable risk of having to explain to the California attorney general that it is actually not a data broker, if the attorney general ultimately seeks to impose a penalty for late registration. And this risk increases if the business decides to wait and see whether the modified version of §999.305(e) is ultimately adopted.
Another significant issue subject to potential change in the CCPA regulations is the "Do Not Sell My Personal Information" button. In the first set of revised regulations, the attorney general required a red slider, which was to be "approximately the same size as other buttons on the business's web page." See Cal. Code Regs. tit. 11, §999.306(f)(1)-(2) (as proposed, Feb. 10, 2020). In the second set of revised regulations, however, the attorney general removed this red slider completely. And importantly, the attorney general omitted any guidance on the button or slider in the originally proposed regulations, thereby shortening the time for potential comment from 45 days under the originally proposed regulations to 15 days under the revised regulations. An opt-out button or slider appearing on a business's home page is no small matter, however, and often cannot be implemented without significant effort.
Large entities with many websites must determine where to place the button, how to size it in relation to other buttons, and how to match the button with the specific color ultimately chosen by the attorney general, as well as implement a change management procedure to accomplish all this. Smaller entities without in-house web development teams must find a vendor with the capacity to implement these changes. But web development vendor capacity may be scarce in this era of COVID-19-related virtualization and the rush to implement these and other changes required under CCPA. And the seesaw effect felt under the shifting regulations only increases this tension, with potential risk to organizations that may get their information concerning CCPA compliance from second-hand, outdated sources.
Other Regulatory Regimes
This regulatory confusion and potential for change does not end with CCPA. Maryland's Online Consumer Protection Act, for example, which is currently before the Maryland General Assembly, calls for administrative rules creating exemptions under the Act as well as revisions to crucial Act definitions as may be required from time to time. Other regulatory regimes, such as 23 N.Y.C.R.R. Part 500, which creates sweeping cybersecurity requirements for organizations around the globe regulated by the New York State Department of Financial Services, have seen similar rounds of regulatory revision, and may undergo further change in the future. The one constant in this arena will be fluidity and potential disruption, as legislatures rush to pass data protection laws without including ramp-up periods, with implementing regulations lagging significantly behind, or even changing midstream as organizations try to anticipate the ultimate form such regulations may take.
F. Paul Greene is a partner and chair of the Privacy and Data Security practice group at Harter Secrest & Emery, a full-service business law firm with offices throughout New York. He can be reached at [email protected].
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.