California Privacy Updates

Background

Earlier this year, amendments to the California Consumer Privacy Act (“CCPA”) enacted in the California Privacy Rights Act came into effect, and the California Privacy Protection Agency (“CPPA”) adopted its first set of rules implementing the changes to the CCPA.[1]  Despite these sweeping new rules, California is not done with regulating privacy.  In this alert, we highlight four bills that Governor Newsom recently signed into law, as well as recent activities at the CPPA as the new agency continues to address the key issues delegated to it by the CCPA.

California’s New Privacy Laws

Recently, California enacted four new privacy laws that, respectively:

• Expand regulation of data brokers and permit consumers to delete all personal information held by data brokers with a single request;
• Broaden the definition of “sensitive personal information” to include a consumer’s citizenship or immigration status;
• Clarify that consumer personal information includes information related to accessing abortion and reproductive health care services; and
• Require manufacturers and dealers of cars equipped with one or more in-vehicle cameras to prominently inform users or purchasers about the in-vehicle camera, and restrict the use of the data collected by such camera.

Specifically:

The Delete Act (SB 362) gives consumers new rights vis-à-vis data brokers

• Background: California and Vermont currently require all data brokers to register with the state, pay a fee, and provide certain information every year, which is made accessible to the public.  Failure to register can bring civil penalties.
• What is a data broker? A data broker is any business that knowingly collects and sells consumer personal information to third parties when the business does not have a direct relationship with the consumer.  It excludes insurance companies and other entities covered by the Fair Credit Reporting Act (“FCRA”) and Gramm-Leach-Bliley Act (“GLBA”).  There are currently approximately 500 data brokers registered in California.
• What does this new law do?
  • Requires California’s new CPPA to establish a mechanism by which a consumer can make a single request to have all personal information deleted across all registered data brokers;
  • Requires data brokers to regularly log into the mechanism and purge that consumer’s data from their systems every 45 days on a recurring basis, and to confirm that their service providers and others with whom they shared or sold data have also purged the data;
  • Mandates outside independent audits of data brokers every three years to verify compliance with this law, and requires copies of the audits to be submitted to CPPA upon request within five days;
  • Authorizes CPPA to issue regulations and charge fees to data brokers for accessing the deletion mechanism.  Fines and fees collected may be used by CPPA for enforcement, amongst other things; and
  • Requires more detailed reporting to CPPA and public disclosures on data brokers’ websites.
• Effective Date: January 1, 2026.  The audit requirement takes effect January 1, 2028.
• Fees and Fines: Failure to register may result in fines of at least $200 per day; failure to delete data will be subject to a fine of $200 per deletion request for each day the data broker fails to comply.

AB 947 expands “Sensitive Personal Information” to include citizenship/immigration status

• The CCPA, as amended by the CPRA, gives consumers the right to limit businesses’ use and disclosure of their “sensitive personal information,” such as precise geolocation data, racial or ethnic origin, and Social Security numbers.
• AB 947 expands the definition of “sensitive personal information” by adding a consumer’s citizenship or immigration status as covered data elements, increasing privacy protections for such personal information.[2]

AB 1194 expands the definition of Personal Information to include reproductive services

• The CCPA and CPRA require businesses to delete personal information when requested by the consumer except for certain circumstances, such as when a deletion request restricts a business’s ability to comply with federal, state, or local laws or to comply with a court order to provide information.
• AB 1194 clarifies that the definition of consumer’s personal information includes information related to “accessing, procuring, or searching for services regarding contraception, pregnancy care, and perinatal care, including, but not limited to, abortion services.” A business must comply with the CCPA with respect to this specific personal information even when an exception would typically apply, unless the personal information is only retained in aggregated and deidentified form and is not sold or shared.[3]  This bill is part of a series of state bills aimed at better protecting reproductive health care information.

SB 296 requires car manufacturers and dealers to make certain disclosures about in-vehicle cameras and limits the use of data from such cameras

• SB 296 requires car manufacturers and dealers to disclose to the user or purchaser that an in-vehicle camera is installed in the car, and SB 296 further requires dealers to provide specific language in a written disclosure to the purchaser and obtain the purchaser’s signature on the disclosure.[4]
• SB 296 prohibits companies from using images and video recordings collected through in-vehicle cameras from being used for advertising, sold to a third party, shared with a third party absent informed consent of the user, or retained at any location other than the vehicle or accessed by a person or entity other than the user unless certain exceptions are met.

Implementing and Enforcing CCPA: The CPPA’s Agenda

While the legislature was busy adding new laws and amending existing privacy laws, California’s newest regulator, CPPA, was busy moving forward on implementing its directives.

In particular:

• Cybersecurity Audits and Risk Assessments: In August 2023, the CPPA released its initial draft regulations concerning cybersecurity audits[5] and risk assessments.[6]  The draft regulations for cybersecurity audits would require certain businesses to (1) perform such audits on an annual basis using a qualified, objective, and independent professional; (2) conduct a risk assessment if they process personal information in such a way that it presents a significant risk to a consumer’s privacy or security; and (3) require businesses to submit full risk assessments to the CPPA upon request, in addition to submitting abridged risk assessments to the CPPA annually.  After a robust discussion of the drafts at the September CPPA Board Meeting, the staff took back a number of recommendations and discussion points to potentially amend the draft proposals before they are officially released for public comment.  Only after a public comment period can any rules be finalized.
• Automated Decision-Making: The next area that CPPA must tackle is with respect to access and opt-out rights for consumers in the context of automated decision-making.  This will likely implicate a number of issues, including profiling and the use of artificial intelligence.  Draft regulations are expected to be issued prior to the CPPA’s next Board meeting in November.
• Enforcement Priorities: Ashkan Soltani, the executive director of the CPPA, explained during the International Association of Privacy Professionals Privacy, Security and Risk Conference that CPPA has begun sending hundreds of investigative letters out to companies that are not in compliance with the CCPA or its regulations.  Soltani confirmed earlier statements by CPPA Deputy Director of Enforcement Michael Macko that the agency will focus on: (1) connected cars; (2) businesses’ privacy notices and policies; (3) consumers’ right to deletion of their personal information, and (4) businesses’ implementation of consumer access and opt-out requests, including the Global Privacy Control.[7]

Looking Forward

California’s new laws impose new restrictions on businesses subject to the CCPA and on data brokers operating in California.  In particular, the Delete Act could shrink data brokers’ databases, depending on how frequently consumers access and use the CPPA’s deletion mechanism, which could make data monetization and targeted adverting less effective.  The CPPA is poised to have significant enforcement authority under these laws, in addition to its already broad regulatory and enforcement authority under the CCPA.  Data brokers and other businesses subject to the CCPA should review their personal information collection and processing, and assess their compliance with California’s new laws and developing regulations.

Click here to download this article.

[1]       For more information, see our previous client alert, available here.

[2]       Assembly Bill No. 947, available at https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202320240AB947.

[3]       Assembly Bill No. 1194, available at https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=202320240AB1194.

[4]       Senate Bill No. 296, available at https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202320240SB296.

[5]       Draft Cybersecurity Audit Regulations for California Privacy Protection Agency September 8 2023 Board Meeting, California Privacy Protection Agency (Aug. 2023), https://cppa.ca.gov/meetings/materials/20230908item8.pdf.

[6]       Draft Risk Assessment Regulations for California Privacy Protection Agency September 8 2023 Board Meeting, California Privacy Protection Agency (Aug. 2023), https://cppa.ca.gov/meetings/materials/20230908item8part2.pdf.

[7]       Luke Sosnicki, New California Agency Sets Enforcement Priories for Privacy, Bloomberg Law (Aug. 25, 2023). https://www.bloomberglaw.com/product/blaw/bloomberglawnews/bloomberg-law-news/X7V462TS000000?#jcite.