In recent months, there has been increased chatter about “dark patterns” in user interfaces, and it’s only getting louder. When we think of dark patterns, we often think of features that make it more difficult to cancel subscriptions, or that (mis)lead us to sign up for a product or service despite our best intentions. However, dark patterns also impact data privacy in a number of ways.
Continue Reading How Dark Patterns May be Chipping Away at Your Company’s Privacy Compliance Efforts

During a recent keynote presentation with the IAPP following the July 1 enforcement deadline of the CCPA, Stacey Schesser, Supervising Deputy Attorney General for the State of California (“Deputy AG”), provided a bit of a roadmap for CCPA enforcement actions from the California Attorney General (“AG”) that are both currently underway and expected in the near future.
Continue Reading CCPA Enforcement: What to Expect Next

The California Attorney General’s final proposed regulations under CCPA (“Regulations”) have been submitted, and pending approval by the California Office of Administrative Law, will soon become enforceable by law. One often overlooked requirement of the CCPA is the obligation of covered businesses to provide notices that are “reasonably accessible.” All drafts of the Regulations have provided more detail about the accessibility requirement contained in the CCPA, and the final Regulations make clear that for notices provided online, businesses must follow generally recognized industry standards, such as the Web Content Accessibility Guidelines, version 2.1 (WCAG) from the World Wide Web Consortium. While companies have largely focused on updating the language or substance of their notices to comply with CCPA, this requirement as to form has, by and large, slipped through the cracks, but is certain to generate some discussion (if not litigation) in coming months.

By way of background, the Americans with Disabilities Act (ADA) requires, among other things, that places of “public accommodation” remove barriers to access for individuals with disabilities. While this has long been considered the rule for physical establishments, including privately-owned, leased or operated facilities like hotels, restaurants, retail merchants, health clubs, sports stadiums, movie theaters, and so on, virtual accessibility has been much less consistent, and generally the exception rather than the norm. In fact, web accessibility hardly ever appears on businesses’ radars, due perhaps to a very short-sighted perception of what, in fact, qualifies as a disability as well as a lack of overall guidance.

Web accessibility means ensuring that websites, mobile applications, and other virtual platforms can be used by everyone, including those with disabilities, such as impaired vision. However, what exactly is required is a source of confusion. In 2019, the Department of Justice (DOJ), which is responsible for establishing regulations pursuant to the ADA, withdrew regulations that had been drafted for website accessibility, and has since yet to promulgate any such regulations. This has left courts with the task of determining how and to what extent web accessibility is required under the ADA when it comes to businesses that offer goods and services online, with varying results.
Continue Reading CCPA and Web Accessibility

As if businesses did not already have enough to address with the COVID-19 pandemic and compliance with the California Consumer Privacy Act (the “CCPA”), businesses need to consider the California Privacy Rights Act (the “CPRA”), which will almost certainly be on the November ballot. Structured as an amendment to the CCPA and also known as “CCPA 2.0”, the CPRA ballot initiative was spawned by Alastair Mactaggart. You may recall Mr. Mactaggart as the real estate developer who submitted a ballot initiative that resulted in a negotiation with the state legislature to replace the initiative with the CCPA. If the CPRA is passed and becomes law, it would be effective and enforceable January 1, 2023, with certain provisions having a look-back provision.

The CPRA would establish a new category of “sensitive data” that is reminiscent of the GDPR’s definition of special categories of data but it is much broader. The definition is overly-inclusive, spanning from race, religion, and sexual orientation to financial account information and government identifiers (e.g., social security numbers). Consumers could choose to limit the use, sale and sharing of their sensitive data. Additional links on business websites may be required to “Limit the Use of My Sensitive Personal Information” in addition to the current “Do Not Sell My Personal Information” link that some businesses must now include under the CCPA.
Continue Reading The California Privacy Rights Act: CCPA Part Two

As cities and states gradually open up, companies have begun to assess under what circumstances they can re-open the workplace – and in particular, what health-related personal information can and should be collected. When it comes to monitoring employees, generally speaking, privacy and employment law are increasingly overlapping as more stringent laws are adopted, and COVID-19 has brought this overlap to the forefront. Our employment team at Hopkins & Carley has provided a number of resources and webinars on the employment-related issues of COVID-19 and what can and cannot be done (available here). Here we will focus on the intertwined privacy implications of allowing individuals – employees and non-employees – back into offices and facilities, particularly with respect to the California Consumer Privacy Act (CCPA).

What are the CCPA’s notice requirements?
Continue Reading Returning to Work: CCPA Considerations

I recently co-wrote the following client alert with one of my colleagues, Monique Jewett-Brewster. Monique advises creditors, commercial landlords and tenants, and asset purchasers in business bankruptcies and in all other aspects of insolvency law.


As we move closer to a global recession caused by the current pandemic, some companies will find themselves in the unfortunate position of having to seek bankruptcy relief. This may have some important and often overlooked privacy implications. There is no question that in this day and age, one of a business’ most valuable assets is the personal information that it has collected from its customers and/or end-users – often more so than any of its tangible assets. Increasingly, as business shifts online, this is true not only of technology companies but also of “brick and mortar” companies.

However, when a business becomes a debtor, the sale of personal information can be problematic. Section 363(b) of the US Bankruptcy Code provides that a debtor that has a privacy notice prohibiting the transfer of personally identifiable information (“personal information”) may not use, sell or lease such information other than in the ordinary course of business unless (1) the use, sale or lease is consistent with the terms of the privacy notice or (2) after the appointment of a consumer privacy ombudsman (“CPO”) the court finds, after giving due consideration to the facts, circumstances, and conditions, that the sale or lease would not violate applicable non-bankruptcy law. These restrictions only apply if the debtor disclosed to its customers a privacy notice prohibiting the transfer of personal information to persons not affiliated with the debtor and the policy was in effect on the date of the bankruptcy filing.
Continue Reading Privacy Issues in Bankruptcy Sales