The new decade started off with a flurry of emails informing us of updated privacy notices being posted on websites in response to the California Consumer Privacy Protection Act (“CCPA”). While most people were beginning their New Year’s resolutions or happily watching football on January 1, 2020, some of us were busy peeling through these updated privacy notices. What our review reveals is that companies are handling the CCPA in many different ways. Some take a strict approach to the letter of the law and proposed regulations, while others outright challenge the CCPA’s broad definitions and sweeping requirements by flaunting language suggesting that their original privacy policy already disclosed everything it needed to, but, paraphrasing, “we now also have to disclose the same thing this way just because of CCPA.”
From our perspective, some companies are getting it “right” and some are not, but generally speaking – and judging from the high number of comments to the proposed regulations – most are hoping for some finality from the Attorney General with a final set of regulations. While some businesses may not have paid proper attention to the CCPA proposed regulations, which introduced new and more detailed practical obligations, and some are simply adopting a wait-and-see approach, other large entities can take the risk of challenging the law in their disclosures and take on large fines that are sure to come once the California Attorney General begins its enforcement efforts. And they already are. In fact, one very large social media giant that is no stranger to regulators in the U.S. and abroad takes the questionable position that it is not “selling” personal information despite the extremely broad definition in the CCPA. Actually, several internet titans have taken this approach.
CCPA “Sale”
Under the CCPA, “sale” or “selling” is to be interpreted broadly. It is NOT limited to what we think of colloquially as a real purchase for money. In fact, a CCPA “sale” includes releasing, disclosing, disseminating, making available, transferring, selling, renting, or otherwise communicating (in any manner or allowing them to collect through cookies) personal information by the business to another business or a third party for monetary or other valuable consideration (including a promise or commitment). In other words, if a business discloses personal information to any other person or entity that may use it for its own commercial gain or purposes (e.g., internal analytics, or disclosure to other parties for commercial gain) and thus not solely in order to fulfill a business purpose as a true service provider, this would likely be considered a sale. There are only limited exceptions, and the proposed regulations have made this even clearer. The definition is key when evaluating a business’s vendor relationships – in particular adtech services.
As such, unless the California Attorney General adjusts the definition in its final regulations, if said social media company uses personal information collected, in particular from certain of its adtech products, for its own purposes and other than to provide ads on behalf of its customers, it cannot be considered a service provider and would be deemed to sell personal information. It will be interesting to see how this position will be justified.
GAFA aside, we have also found that a large Q&A site, as well as many other smaller companies, get it wrong on the issue of sale. On the one hand, these companies initially indicate that they are not “selling” personal information under the CCPA, yet they also include a seemingly conflicting “Let the Sunshine In” disclosure under a separate – but related – California privacy law. The disclosure indicates that they are providing your personal information to third parties for the third parties to use for their own marketing purposes. Going back to the CCPA “sale” definition, these companies cannot possibly be providing your personal information to third parties solely as service providers if the third parties can use the personal information for their own purposes. This could potentially raise a big red flag once enforcement comes around.
“Do Not Sell My Information”
Another observation is that the much reviled “Do Not Sell My Information” button – for which the Attorney General has yet to provide more information as promised in the proposed regulations – is notably absent from the homepages of many companies that do in fact sell personal information. Rather, the opt-out links are generally buried in the privacy notices, making them far less obvious than what the law had contemplated. One large media company got its “Do Not Sell My Information” right, with a link on the homepage that takes you directly to a banner that looks a lot like the cookie banners for the EU – only with an opt-out.
Categories
The CCPA also requires businesses to specifically list each defined category of personal information that is collected and disclosed and/or sold in the prior 12 months, as well as categories of recipients. While many companies are using the CCPA mandated terminology, others are simply referring back to their standard privacy disclosures without reference to the itemized categories set forth in the CCPA’s definition of personal information. It is questionable if this approach will suffice in the eyes of the Attorney General. Notably, many companies have included tables laying out the various categories of information that must be disclosed, presumably for easier reading, another requirement mapped out in the proposed regulations.
What Next?
With the Attorney General’s CCPA regulations still to be finalized, we expect that companies will continue to update their privacy notices throughout this year based on the market and what others are doing. Indeed, the CCPA mandates that such notices be updated annually to ensure that they remain current and accurately reflect a company’s evolving privacy practices.
Importantly, although full enforcement is not expected to begin until July of this year, Attorney General Becerra announced mid-December that even prior to July, his team would be monitoring for potential violations on a large scale that involve the “sensitive, critical data” of California residents, and will prosecute cases as necessary, particularly as regards children. It should also be noted that the Attorney General sought earlier this year to increase the protections of the CCPA. The bill ultimately failed, but it should come as no surprise that Becerra, who is considered by many as having a “pro-privacy” penchant, is more likely than not to zealously seek enforcement of the CCPA once the regulations are finalized. So while we have seen many posts across the internet encouraging companies to sit back and relax until July 2020, we believe that this is probably not the best advice. Much like EU regulators prior to GDPR’s May 2018 deadline, Becerra himself has stated that making a good faith effort to comply is one thing, but ignorance of the law is not an excuse.
For now, our attention turns to whether Californians actually exercise their rights en masse, and how… In the meantime, it’s clear that companies across the board are still figuring out the ins and outs of the CCPA while eagerly awaiting a final set of regulations. And hoping that they are not the first company to be dragged into the limelight with a highly publicized class action following a security incident.
Stay tuned for more…