On September 25, the California Privacy Protection Agency (CPPA) Board advanced OAL-approved updates to the California Consumer Privacy Act (CCPA), the process of which we covered in detail here and here, that include long-awaited regulations on cybersecurity audits, risk assessments, and automated decision-making technology (ADMT). The CPPA Board also approved a $1.35 million settlement with Tractor Supply Company, officially announced this week. At last week’s meeting, staff reported that there were hundreds of investigations and enforcement actions in progress, many of which were at a stage where the applicable businesses were not yet aware that they are a target. 2026 will bring new privacy obligations for businesses and greater repercussions for half-baked compliance efforts.

So, California businesses, brace yourselves: the CCPA has undergone a major update at the same time the CPPA is turning up the heat on businesses. Following years of civic discussion, multiple hearings, and hundreds of public comments, the CPPA Board has adopted a batch of regulations impacting businesses’ data privacy obligations. On September 23, the California Office of Administrative Law (OAL) approved new regulations on cybersecurity audits, risk assessments, ADMT, and edits to existing CCPA regulations, which the CPPA Board confirmed last week. These regulations impose new obligations on businesses to comply with strengthened consumer privacy rights, some of which will phase in over time:

  • Cybersecurity Audits

Businesses required to complete annual cybersecurity audits must submit certifications to the CPPA by:

  1. April 1, 2028, if the business makes over $100 million;
  2. April 1, 2029, if the business makes between $50 million and $100 million; or
  3. April 1, 2030, if the business makes less than $50 million.

  • Risk Assessments

Businesses subject to risk assessment requirements must conduct assessments that meet the regulations’ exacting requirements prior to beginning any new processing activities on or after January 1, 2026, though they have until December 31, 2027, to do so for processing activities that began before January 1, 2027, but which thereafter are continuing. By April 1, 2028, they must submit to the CPPA:

  1. An attestation that required risk assessments were completed in compliance with the regulations, and
  2. A summary of their risk assessment information for 2026 and 2027 (and thereafter annually).

California now joins Colorado with very detailed obligations for how assessments must be conducted and documented, which unfortunately have material differences from the Colorado mandates.

  • Automated Decisionmaking Technology (ADMT)

Businesses that use ADMT to make significant decisions must comply with the ADMT requirements beginning January 1, 2027. While the final regulations are far less burdensome than originally proposed, they bring new considerations and obligations and include material differences from other states.

  • Substantive Changes Unrelated to Cybersecurity Audits, Risk Assessments, and ADMT go into effect Jan. 1, 2026.

The CPPA is also making it clear that existing regulations will be vigorously enforced. We have covered the evolution of CCPA enforcement here, here and here. The latest case addresses issues that have proven to be of particular concern to regulators: properly effectuating opt-out of sale/share for cookies and other tracking technologies that facilitate targeted advertising or that otherwise do not qualify as a service provider, enabling browser privacy control signals to automatically convey and implement such opt-outs, and having contracts in place with service providers, contractors and third parties that include CCPA-mandated contract provisions appropriate for the nature of the processing relationship. We have already delved into how to meet these requirements in detail here. Interestingly, Tractor Supply is the first published enforcement action that addresses CCPA compliance in the context of job applicants and current and former employees. California’s is the only state consumer privacy law that applies in the human resources and business-to-business contexts. The CPPA also brought claims for failing to update the posted privacy notice annually and not clarifying that the description of privacy practices in the notice reflected processing activities for the 12 months prior to the effective date. As businesses prepare for their year-end notice updates, they should assess overall compliance, with particular attention to the issues that have led to recent enforcement actions.

To help you prepare, we follow with a summary of the changes for businesses under the new and revised CCPA regulations:

CCPA Regulatory Updates – ADMT, Cybersecurity Audits, and Risk Assessments

Automated Decision-making Technology (ADMT)

Scope

The regulations define ADMT as “any technology that processes personal information and uses computation to replace… or substantially replace human decision making.” Section 7001(e). This includes a business’s use of the technology’s output to make a decision without meaningful human involvement, including through profiling. Section 7001(e)(1) and (2). Profiling is defined as any form of automated personal information (PI) processing to evaluate, analyze, or predict personal aspects concerning—among others—a consumer’s intelligence, ability, aptitude, performance at work, economic situation, health (including mental health), interest, behavior, and location. Section 7001(ii).

The use of ADMT is regulated insofar as it is used to make a significant decision, defined as a decision that results in the provision or denial of financial or lending services, housing, education enrollment or opportunities, employment or independent contracting opportunities or compensation, or healthcare services. Section 7001(ddd).

Notably, the final regulations departed from prior efforts to regulate ADMT that was used to merely facilitate significant decisions, and the scope of significant decisions was significantly narrowed from what had been proposed. However, other states take a broader approach to both issues. Despite calls to track Colorado’s detailed regulations on profiling, California’s ADMT regulations are in some ways more, and in other ways less, burdensome. Accordingly, companies will need to either take a high-water-mark approach, or address ADMT and profiling on a state-by-state basis.

Consumer Rights

Consumers will have the following rights with respect to ADMT:

  • Right to opt out of ADMT: businesses must provide consumers with the ability to opt out of the use of ADMT to make a significant decision concerning the consumer. Section 7221. However, this right is limited as follows:
    • If an appeal right is provided (see below); or
    • For certain educational and human resources decisions, if the ADMT (i) works as intended and (ii) does not discriminate. Section 7221(b)(2) and (3)
  • Right to access ADMT: upon request, businesses must provide the consumer information about the business’ use of ADMT, including information about the logic used and how the ADMT processed PI to generate an output with respect to them and what specific outputs were used, as well as information about the outcome of the decision and the role of human involvement in reaching the decision. Section 7222.
  • Request to appeal ADMT: if the business provides consumers a process to appeal the business’ use of ADMT for a significant decision to a human reviewer, with authority to change the outcome, it may avoid providing the opt-out right. Section 7221(b)(1).
  • A previously proposed notice of adverse decision requirement was abandoned and is not part of the current regulatory scheme.

Pre-Use Notice

Additionally, businesses using ADMT must provide consumers with a prominent and conspicuous Pre-Use Notice informing consumers about the specific purpose for the business’ use of ADMT, their rights to opt-out (if appeal rights are not provided and excepting the HR and educational uses exempt from opt-out) and access ADMT, and the prohibition on retaliating against consumers for exercising those rights. Sections 7010(d), 7220 and 7221. The Pre-Use Notice must also contain an opt-out link for ADMT use, if opt-out is required.

HR Context

As mentioned above, the use of ADMT to make a significant decision about a consumer includes employment or independent contracting opportunities or compensation, though certain exceptions to opt-out apply. These updates to the CCPA are one part of a larger effort to regulate the use of AI in the employment context, including regulations by the California Civil Rights Council (CCR) addressing employment discrimination resulting from the use of AI, effective October 1, 2025. These regulations expand the reach of existing law—such as the California Fair Employment and Housing Act (FEHA)—to cover AI employment tools, opening the door for plaintiffs seeking to allege harms from algorithmic discrimination. We analyzed the impact of these regulations on employers processing data for HR purposes and the interplay between the CCPA and CCR regulations in this report.

Cybersecurity Audits

To comply with the new cybersecurity regulations, businesses must: (1) conduct an annual cybersecurity audit; (2) submit an audit report; and (3) certify completion of the audit.

Audit

A business whose processing of consumers’ PI presents a significant risk to consumer (including HR and B-to-B) PI security is required to complete an annual audit of its cybersecurity program. Along with assessing a business’ cybersecurity program overall, the audit must assess specific components, including authentication, encryption of PI, account management and access controls, hardware and software security, vulnerability scans and, importantly, systems to inventory and maintain all PI and hardware and software that processes PI. This last requirement essentially mandates data mapping and management, following Minnesota’s approach.

Report

The audit must produce a report with certain information, such as a description of the business’s information system, audit criteria, evidence examined to make the assessments, and the policies, procedures, and practices assessed by the audit.

Certify

After completing the annual audit, businesses must submit a written certification of completion to the state no later than April 1 of the following year.

Risk Assessments

In addition to conducting a cybersecurity audit, a business whose processing of consumers’ PI presents a significant risk to consumers’ privacy is required to conduct a risk assessment before initiating that processing. Section 7150(a). This includes sale/sharing of PI, processing of sensitive PI, profiling, the use of ADMT for significant decisions concerning a consumer, and the use of PI to train ADMT or biometric data technology. Section 7150(b).

Businesses engaging in these activities must prepare and maintain a “risk assessment report” documenting much of the required assessment process. Significantly, the risk/benefit analysis that the regulations require be part of the assessment process need not be included in the published report, a welcome departure from the approach of other states. Certainly, this is an attempt to avoid First Amendment compelled speech challenges that brought down the California Age-Appropriate Design Act assessment requirements. The report must include the business’ purpose for processing consumers’ PI, categories of PI to be processed, the operational elements of the processing (including seven specific types of operational details, which for ADMT include the logic used and the intended usage of outputs produced), safeguards to address potential negative impacts, the persons involved in the assessment, whether the activity will be initiated, and who approved that determination and when. Section 7152. An aggregate summary of assessments for each calendar year, accompanied by a certification of completion, is to be filed annually with the CPPA. Section 7157(c).

Finally, businesses must review and update their risk assessments at least once every three years. Section 7155(a)(2). Reports, and updates, are to be retained for as long as the processing continues, or five years after completion, whichever is longer. Section 7155(c). The individual reports, and updates, are subject to inspection. Section 7157(e).

Other Substantive Changes to the CCPA Regulations

The CPPA also revised the existing regulations and made material changes, often revisiting issues it had originally considered in prior rulemaking but pulled back to give businesses time to adapt. Other changes reflect concerns regarding implementation and attempt to avoid ambiguity or more clearly establish consumer protection intent.

Symmetry of Choice

The new regulations refine consent requirements by illustrating asymmetry of choice in more detail, an issue that has been raised in enforcement actions. According to Section 7004(a)(2), a consumer’s path to a more privacy-protective option should not be longer, more difficult, or more time-consuming than the path to a less privacy-protective option. The regulations detail that the number of steps to opt-out of sale/sharing should be the same or fewer than the number of steps to opt-in. Similarly, a “yes” button that is more prominent than a “no” button—whether in size or color—is not an equal or symmetrical choice. Significantly, the regulations which had clarified that there would not be requisite symmetry if opting-in after having opted out required more steps, have been amended to apply such principle to an opt-in request in the first instance, not just where opt-out is being overridden. Section 7004(a)(2)(A). This reflects concerns regarding configuration of cookie banners that have been raised in enforcement actions.

Businesses must also abide by new design requirements to avoid consumer confusion about choice. For instance, the regulations prohibit businesses from using double negatives, misleading statements or omissions, or deceptive language when asking for consent. Businesses are also prohibited from obtaining consumer consent without affirmative action or by silence. Finally, businesses are prohibited from designing their choices in a way that impairs the consumer’s ability to provide freely given, specific, informed, and unambiguous consent. For instance, businesses cannot rely on a consumer’s acceptance of general or broad terms of use to constitute consent for a particular purpose. Section 7004(a)(4)(C).

Confirmation of Opt-Out Processing

Section 7026(g) will now require businesses to “provide a means by which the consumer can confirm that their request to opt out of sale/sharing has been processed by the business.” The regulations also now require the same with respect to honoring of opt-out preference signals. See Section 7025(g)(6). Previously, these were optional. The regulations provide that the same example notice can suffice to meet both requirements: “For example, the business may display on its website “Opt-Out Request Honored” … and display in the consumer’s privacy settings through a toggle or radio button that the consumer has opted out of the sale/sharing of their personal information.”

Timing of Processing Sale/Sharing Opt-Outs

Section 7026(f) requires businesses to cease selling and sharing PI with third parties “as soon as feasibly possible, but no later than 15 business days from the date the business receives the request.” It also requires notifying all third parties to whom the business has sold or shared the consumer’s PI, after the consumer submits the request to opt-out of sale/sharing and before the business complies with that request, that the consumer has made a request to opt-out of sale/sharing (along with directing them to comply and forward the request downstream).

The regulations provide helpful examples interpreting these obligations, addressing advertising/marketing use cases – one involving “programmatic advertising technology” on a website that can “restrict the transfer of personal information instantaneously” where the regulations state taking 15 business days to comply would not be compliant – and another involving the disclosure of PI lists to a marketing company that addresses the timing and notification requirements.

Colors of the Opt-Out Icon

There was previously a lack of clarity regarding whether the blue and white opt-out icon could be changed according to a website’s branding or otherwise. The regulations now state, “Businesses may adjust the color of the icon to ensure that the icon is conspicuous. For example, if the webpage background is the same color of blue as the icon, the business may invert or change the colors of the icon to ensure visibility.” Section 7015(b)(3).

Privacy Policy Requirements

The amended regulations include several changes to the required accessibility and content of privacy policies.

First, mobile apps must now include a link to their privacy policy. Previously, it was optional to include a link to the “privacy policy” in the mobile application settings menu. It will now be required as of Jan. 1, 2026. The defined term “privacy policy” refers specifically to the CCPA’s required disclosures; as a result, companies should consider including a direct link to their CCPA or state-specific privacy notice in their app settings menu, if they have not already done so. Section 7011(d).

Second, businesses must comply with the following requirements regarding the content of their privacy policies:

  • When identifying categories of sources and categories of third party (sale/sharing recipients), the regulations clarify that the categories “shall be described in a manner that provides consumers a meaningful understanding of” where the information is collected and the parties to whom the information is sold or shared, respectively. Section 7011(e)(1)(B) and (E).
  • Previously, businesses were required to associate the specific business or commercial purpose for disclosing PI to service providers as to each category of PI collected. Businesses no longer need to associate the purposes with specific categories of PI. See Section 7011(e)(1)(I).
  • Instead of referring to the right “not to receive discriminatory treatment,” businesses now must state that consumers have the right “not to be retaliated against for exercising privacy rights conferred by the CCPA, including when a consumer is an applicant to an educational program, a job applicant, a student, an employee, or an independent contractor.” Section 7011(e)(2)(H).

New Categories of Sensitive PI

The definition of “sensitive personal information” has been expanded to include PI of consumers that the business has actual knowledge are less than 16 years of age. A business that willfully disregards the consumer’s age shall be deemed to have had actual knowledge of the consumer’s age. This means that the processing of PI of consumers less than 16 years of age is subject to the right to limit. For sale/sharing of such data, however, consent of the consumer is required.

Additionally, “sensitive personal information” now includes a consumer’s neural data, or information generated by measuring the activity of a consumer’s central or peripheral nervous system.

Updated Notice of Right to Limit

The Notice of Right to Limit requirements have been updated largely to align with the Notice of Right to Opt-Out (e.g., how to present the notice when interacting with consumers online vs. offline). Section 7014(e)(3).

Expansion of Access Rights Trailing Period

Under Section 7024(h), businesses are only required to “provide all the personal information it has collected and maintains about the consumer during the 12-month period preceding the business’s receipt of the consumer’s request.” However, reflecting CPRA changes, a consumer may request PI from beyond such period, as long as it was collected on or after January 1, 2022. The prior regulations did not require notifying consumers of that right.

Businesses now must “include a means by which the consumer can request that the business provide personal information collected prior to the 12-month period preceding the business’s receipt of the consumer’s request. For example, the business may ask the consumer to select or input the date range for which the consumer is making the request to know or present the consumer with an option to request all personal information the business has collected about the consumer.” Section 7020(e).

Authorized Agent Requirements

The regulations now explicitly prohibit, in connection with obtaining proof that the consumer gave the agent signed permission, businesses from requiring consumers to resubmit their request in their individual capacity. Section 7063(a).

Conduct Year-end Updates and Compliance Checks and Develop 2026 Project Plans and Budgets

Prior to year-end, businesses should (1) confirm PI practices and update their privacy notices to reflect practices from the prior 12 months; (2) update policies and procedures, especially regarding consumer choice, to reflect amendments to the regulations and issues raised in enforcement actions; (3) become prepared to implement a data processing risk assessment program that meets the new regulations’ requirements for new 2026 processing activities before they are initiated, and develop a roadmap for assessing ongoing processing prior to December 31, 2027; and (4) develop a project and plan to prepare for the upcoming ADMT and cybersecurity audit (including data mapping) requirements. To help you do so, we have developed guidance materials, including a data processing risk assessment tool kit. More information is available here, or by contacting the authors or your Squire Patton Boggs relationship partner.

Disclaimer: While every effort has been made to ensure that the information contained in this article is accurate, neither its authors nor Squire Patton Boggs accepts responsibility for any errors or omissions. The content of this article is for general information only, and is not intended to constitute or be relied upon as legal advice.

In another settlement of a cookie-related state consumer privacy law enforcement action, California reinforces contract requirements for making personal information available and raises questions about the scope of purpose limitation requirements, especially where the nature of the data and/or its use could run counter to consumer expectations.

On July 1, 2025, the California Office of the Attorney General (OAG) announced a settlement against Healthline, which included the largest CCPA settlement to date – $1.55 million – and many “firsts” for public CCPA enforcement: the first involving a publisher, the first health information-related enforcement action, and the first time the purpose limitation principle has been invoked by California’s (or any other state’s) regulators in a public regulatory enforcement context. This enforcement action came just a week before Connecticut’s attorney general announced an $85,000 settlement under the Connecticut state privacy law explored in more detail here.

Continue Reading California AG Issues Highest Fine to Date for CCPA Violations

As we have previously detailed here, the latest generation of regulations under the California Consumer Privacy Act (CCPA), drafted by the California Privacy Protection Agency (CPPA), have advanced beyond public comments and are closer to becoming final. These include regulations on automated decision-making technology (ADMT), data processing evaluation and risk assessment requirements and cybersecurity audits. Recently, Privacy World’s Alan Friel spoke at the California Lawyers Association’s Annual Privacy Summit at UCLA in Westwood, California (Go Bruins!) on the evaluation and assessment proposals. Separately, Privacy World’s Lydia de la Torre, a CPPA Board Member until recently, spoke on artificial intelligence laws and litigation. A transcript of Alan’s presentation follows:

Continue Reading Data Processing Evaluation and Risk Assessment Requirements Under California’s Proposed CCPA Regulations

As we previously reported, on March 8, 2024 the California Privacy Protection Agency (CPPA) Board voted to advance draft regulations toward official rulemaking.

New draft regulations were proposed by the CPPA staff and considered but not approved by the CPPA Board in Q4 of 2023. In February 2024 further revised draft regulations were released and considered on March 8 by the CPPA Board, which voted 5 to 0 to move forward with amendments to the existing regulations and, after a spirited debate, 3 (Urban, Le and Worthe for) to 2 (de la Torre and Mactaggart against) to also move forward with new draft regulations on data risk assessments and data-driven technologies, with a direction to staff to add to the requirements for filing abridged assessments with the CPPA a discussion on what safeguards were employed to mitigate risks (with an exception for when disclosure would be a security risk). In each case the staff was authorized to prepare the materials necessary under administrative procedures laws and regulations to publish a notice of proposed rulemaking, the publication of which would be subject to a further Board vote after reviewing the rulemaking package. The staff was also authorized to make further edits to the draft regulations to clarify the text or conform with the law. Although the motions did not set a firm date for staff to complete that work, the discussions contemplated that it would be done by the July 2024 Board meeting at the latest.

The staff has met that timeline and the CPPA Board is now scheduled to consider that process at its July 16 meeting. The package documents are here:

Interestingly, although not part of what the Board previously advanced, the draft rules on cybersecurity audits (Article 9) are included.

PrivacyWorld will report back on what advances out of the Board meeting.

Hundreds of lawyers and several privacy regulators from California, Washington State, Oregon, Colorado, Connecticut, and the Federal Trade Commission gathered in Los Angeles last week for the second annual California Lawyers Association Privacy Summit (“Summit”). Among many engaging sessions on pressing topics, the panels with privacy regulators stood out for discussions on enforcement priorities and administrative fines and injunctions, along with punchy and newsworthy statements – including that they are “plotting” and that considering the typical investigation presents “hundreds or thousands of violations,” potential fines are “significant.”

Perhaps even more newsworthy is that due to a California Court of Appeal order laid down as the Summit wound down on Friday, the stay in enforcement of the CCPA regulations was lifted. This happened as many companies were treating March 29, 2024, the end of the stay period, as the effective and enforcement date of regulations promulgated under the CPRA’s amendments by the California Privacy Protection Agency. The appeals order also nullifies the year delay in effectiveness of issued CCPA regulations that the trial court had required, making almost certain that CCPA regulations on risk assessments, cybersecurity assessments, and automated decision-making and profiling will be promulgated and in effect sometime this year, perhaps as early as Q2 or Q3.

Will 2024 be the year of privacy enforcement? In view of signaling from California regulators and those in other jurisdictions, and in view of several upcoming effective dates and regulatory deadlines, ongoing enforcement by regulators in California and beyond, and an impending uptick in privacy enforcement, it just might be. Stay tuned for future posts on these issues. Keep reading for more detailed takeaways regarding the Summit.

Continue Reading Potential CCPA Fines “Significant”, California AG’s Office “Plotting” and Other Takeaways From Privacy Regulators during Privacy Summit in Los Angeles

On Friday, February 9, the Court of Appeal of the State of California sided with the California Privacy Protection Agency (“CPPA” or “Agency”), finding that a California Superior Court judge erred when he issued an order staying the Agency’s enforcement of the regulations promulgated pursuant to the CPRA’s amendments to the CCPA until March 29, 2024. As a result of the Court of Appeal’s order, the previously delayed regulations go into effect as of Friday, February 9, and any future regulations promulgated by the Agency – including the forthcoming regulations on cybersecurity and risk assessments, and automated decision-making technology – will not be subject to a future delay.

The order was announced as the second annual California Lawyers Association Privacy Summit in Los Angeles was wrapping up on Friday afternoon. A number of California regulators were in attendance at the event, including CPPA Executive Director Ashkan Soltani, Deputy Director of Enforcement Michael Macko, and Stacy Schesser, Supervising Deputy Attorney General for the Privacy Unit in the Consumer Protection Section.

Executive Director Soltani provided remarks while Deputy AG Schesser and Deputy Director Macko spoke on a panel together. Among the enforcement priorities announced by the regulators, including a focus beyond front-end, public-facing compliance, perhaps the punchiest statement from the Summit came from Deputy AG Schesser during a Thursday morning session: “We are plotting.”

Stay tuned for more on this from Privacy World in the coming days, and buckle up!

Last week, California Attorney General Rob Bonta announced an investigative sweep of providers of streaming services to determine whether these businesses are complying with California Consumer Privacy Act (“CCPA”) opt-out requirements for businesses that sell or share consumer personal information.

“From watching live sporting events to blockbuster movies, families increasingly use streaming platforms for entertainment, and we must make sure that their personal information is protected. Today, we are taking a close look at how these streaming services are complying with requirements that have been in place since 2020,” said Attorney General Bonta.

Continue Reading California Attorney General Announces Industry Investigative Sweep into CCPA Compliance

On March 29, 2023, the California Office of Administrative Law (OAL) approved the regulations implementing the California Consumer Privacy Act (CCPA). The regulations were approved by the California Privacy Protection Agency (CPPA) during its February 3rd meeting (see our report here) and filed with the OAL on February 14, 2023. The regulations are effective as of March 29, 2023. As soon as they are processed through the OAL, the CPPA will post the officially final regulations here.

The March 29th regulations are the first substantive regulations produced by the CPPA but are not complete. On February 10, 2023, the CPPA invited comments from the public on Cybersecurity Audits, Risk Assessments, and Automated Decision making as required by CCPA (Cal Civ Code § 1798.185(a)(15)-(16)). Comments were due on March 27. (See Privacy World’s discussion of these topics here, here and here.)

Meanwhile, on March 30th, the California Chamber of Commerce filed a lawsuit in Sacramento Superior Court against the CPPA and the California Attorney General. The CalChamber wants complete and final regulations and prohibitions on any civil or administrative CCPA enforcement until 12 months after regulations are adopted. The CalChamber asserts that California voters provided a one-year period for businesses to comply with CCPA, noting that the regulations approved on March 29th are an “incomplete set of regulations”. The CalChamber wants the court to order the CPPA to “adopt final regulations and abide by the timelines for enforcement that were approved by the voters.” No doubt businesses covered by CCPA would welcome the clarity of final regulations and assurance that CCPA enforcement will be delayed. Stay tuned for more on the next round of rulemaking.

With much less hoopla, Iowa Governor Kim Reynolds signed Iowa’s comprehensive privacy law on March 28, 2023, noting that Iowa is the sixth US state to enact a general privacy law. Click here for our prior coverage on what we dubbed the Iowa Privacy Law, which goes into effect on January 1, 2025.

A busy end to March, indeed.

2022 saw cases continue to be filed under the California Consumer Privacy Act (“CCPA”), although the number of CCPA-based claims declined, perhaps reflecting the increasing reliance of the plaintiffs’ bar on negligence and tort-based privacy claims concerning a defendant’s alleged failure to maintain “reasonable security.” Read on for Privacy World’s highlights of the year’s most significant events concerning the CCPA, as well as our predictions for what 2023 may bring.

Background

The CCPA went into effect on January 1, 2020, with the vast majority of its provisions applying to entities that qualify as “businesses.”

As a recap, what entities qualify as a business under the CCPA? The statute defines a business as a for-profit, private entity that (1) collects “personal information”, (2) determines the purposes and means of processing that personal information, (3) does business in California, and (4) meets certain revenue thresholds (>$25 million global gross revenue annually) and/or data collection/selling/sharing thresholds.

In addition to imposing numerous compliance obligations* on businesses, CCPA covered businesses are also subject to the law’s limited private right of action for certain security breaches.

*While the majority of this post focuses on the private right of action and enforcement-related issues, for those interested in the CCPA’s compliance obligations, effectiveness of the California Privacy Rights Act (“CPRA,”* which substantially amends the CCPA and became effective as of Jan. 1 this year), applicability of the CCPA to human resources and business-to-business data, and information on other state privacy laws, please see our recent post Are You Ready for the 2023 Privacy Laws? *References to CPRA in the remainder of this article mean the CCPA as amended by the CPRA, unless otherwise indicated.

Back to the private right of action, Section 1798.150(a)(1) of the CCPA provides a private right of action to “[a]ny consumer whose nonencrypted and nonredacted personal information … is subject to an unauthorized access and exfiltration, theft, or disclosure” due to a business failing to satisfy “the duty to implement and maintain reasonable security procedures and practices….” (emphasis supplied).

Damages available for a private right of action under Section 1798.150(a)(1) include a statutory amount of between $100 and $750 “per consumer per incident or actual damages, whichever is greater”, as well as injunctive or declaratory relief and “any other relief the court deems proper” (emphasis supplied).

CCPA Litigation Activity in 2022

Since the CCPA came into effect, nearly 300 cases have been filed by plaintiffs alleging violations of the statute. The majority of these have been filed in California federal court (Northern and Central Districts of California being the most favored jurisdictions for such filings), with some also being brought in California state court and in other jurisdictions.

Although the number of CCPA filings declined from 2021, this may be due to the plaintiffs’ bar shifting towards alleging negligence and tort-based privacy claims in the wake of a data event. This can be explained in part by the fact that such claims are typically (although not always) less burdensome to plead in a way that survives the motion to dismiss stage. By contrast, based on the rulings thus far at least, courts appear to have attempted to narrowly construe the CCPA’s limited private right of action.

Courts have consistently dismissed CCPA claims when it is clear from the face of the complaint that Plaintiff’s allegations do not concern a security breach as required to plead a civil cause of action under the CCPA. Additional rulings this year reinforced the temporal requirements of the statute (that it must involve conduct arising as of the CCPA’s date of enactment, not before) and that the CCPA could not be relied upon by a defendant as a basis for refusing to comply with its discovery obligations in litigation. Although many CCPA litigations involve software-based claims and the tech industry in the wake of a data breach, healthcare and financial services entities, among others, have also been targeted.

CCPA Claims, Article III standing and Settlement Activity

As longtime readers of the blog are aware, Article III standing in the context of data privacy cases is in a constant state of flux—particularly in the Ninth Circuit.

When a CCPA claim is asserted in federal court, it must meet that “irreducible minimum,” as it is frequently described.  Article III standing consists of 1) suffering some actual or threatened injury; 2) fairly traceable to the defendant; which 3) is likely to be redressed by a favorable decision.  The injury must be concrete, rather than abstract, and particularized, meaning that it affects the plaintiff in a personal and individual way.  Spokeo, Inc. v. Robins, 578 U.S. 330, 339 (2016).  But as the Supreme Court held in 2021, “an injury in law is not an injury in fact,” and a plaintiff must do more than show a bare statutory violation for a claim to exist. TransUnion LLC v. Ramirez, 141 S. Ct. 2190, 2205 (2021).

In Kirsten, 2022 WL 16894503, the Central District of California addressed a defendant’s contention that a plaintiff lacked standing to pursue a CCPA claim, among others, because they could not fairly trace instances of identity theft, fraudulent credit card charges, and inability to access online accounts to the data breach at issue.  The court rejected the defendant’s argument, holding instead that past injury from misappropriated personal information gave rise to a substantial risk of threatened injury in the future.  Particularly notable is the court’s premising standing both on the actual injuries the plaintiffs experienced and the injuries they might experience in the future.

In Hayden v. Retail Equation, Inc., 2022 WL 2254461 (reconsidered and vacated in part on other grounds), the Central District of California addressed the specific requirements necessary to give rise to an injury under the CCPA.  Plaintiffs, retail consumers, sued a variety of retailers for their use of a “risk scoring” system that collected and shared individualized personal data with a vendor in order to assess the risk of fraud when a consumer attempted a product return or exchange.

Plaintiffs sued under Cal. Civ. Code § 1798.150(a), which required them to show that “nonencrypted and nonredacted personal information” was “subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.”  The Court found that Plaintiffs had not asserted a claim under the CCPA because the disclosure of their information was not the result of a failure to implement and maintain reasonable security procedures and practices; rather, it was “a business decision to combat retail fraud.”  Plaintiffs’ failure to allege a violation of specific duties under the CCPA, as opposed to a more generalized complaint about the misuse of their data, could not support their claim.  The Hayden court also found that non-California residents lacked standing to bring suit under the CCPA.

The most significant CCPA settlement of 2022 was the $350 million T-Mobile settlement to resolve multidistrict litigation brought by T-Mobile customers whose data was allegedly exposed in a 2021 data breach. In August 2021, T-Mobile disclosed that it had been the victim of a cyberattack that resulted in the compromise of some current, former and prospective customers’ SSN, name, address, date of birth and driver’s license/ID information (the “Data Event”). By T-Mobile’s account, no “customer financial information, credit card information, debit or other payment information” was exposed in the attack. Nevertheless, over 40 putative class action claims were filed seeking damages for the improper disclosure of Plaintiffs’ personal information.

On July 22, 2022, Plaintiffs in the T-Mobile case filed an unopposed motion for preliminary approval of a proposed settlement to the class.  As part of the settlement, T-Mobile agreed to fund a non-reversionary $350 million settlement fund to pay class claims for out-of-pocket losses or charges incurred as a result of identity theft or fraud, falsified tax returns, or other alleged misuse of a class member’s personal information.  The settlement fund will then make payments to class members on a claims-made basis with a $25,000 aggregate claims cap per class member.  The proposed settlement also contemplates attorneys’ fees of no more than 30% of the settlement fund, approximately $105 million, and $2,500 individual service awards to class representatives.

2022: Continued Enforcement Activity by California OAG

As we predicted at the end of last year, 2022 saw continued enforcement activity at the state level. Headlines were ablaze in August with California’s Office of the Attorney General announcing its first settlement of a CCPA enforcement action.

Readers of the blog will know that the CA OAG’s CCPA enforcement efforts started in July 2020. While numerous cookie DNS and GPC cases were initially (and quietly) settled by the OAG without monetary penalty or public settlements, that all changed in August 2022 with the OAG announcing its required payment of $1.2 million from a retailer to settle claims of alleged CCPA violations.

The settlement marks a new era of CCPA enforcement in which real repercussions, including monetary penalties, may be imposed. In addition to the settlement, the OAG released “illustrative examples” of other non-public enforcement cases, including the types of violations, remediation activities carried out by the alleged violators, and the alleged violators’ type of business/industry (which included a number of industries that surprised many who thought they were perhaps not on the OAG’s radar for CCPA compliance, such as B2B-focused businesses and companies that are largely (but not fully) exempt from the CCPA, such as healthcare businesses and financial and insurance businesses). For detailed analysis of the OAG’s settlement, see our blog post here.

Litigation and Enforcement in 2023 and Beyond

Litigation

The CPRA’s amendments to the CCPA brought some changes to the private right of action for certain security breaches, namely an expansion of the private right of action where a breach involves data in the form of an email address in combination with a password or security question and an answer that would permit access to an account. In addition, the CPRA’s amendments provide that remediation of vulnerabilities post-breach is an insufficient cure to preclude statutory damages.

There is not otherwise a private right of action for non-security breach related violations under the CPRA; however, the CPRA opens the possibility of enforcement by all California county district attorneys and the four largest city district attorneys (though that is up for debate). In addition, despite the clarity that the private right of action is limited to certain types of security incidents, it is conceivable that an incomplete or inaccurate response to a consumer request might also give rise to an independent deception claim, and plaintiffs’ lawyers are expected to otherwise test the scope of the limitation on private consumer and class action relief. There is no private right of action for violations of the Virginia Consumer Data Protection Act (“VCDPA”), Colorado Privacy Act (“CPA”), Utah Consumer Privacy Act (“UCPA”), or Connecticut Act Concerning Personal Data Privacy and Online Monitoring (referred to as the “CTPA” herein). Put another way, this means there is not a private right of action for security breaches or security-breach related violations under those laws.

Enforcement

The enforcement risk will certainly increase under the CPRA in 2023 with the California Privacy Protection Agency, or CPPA, enforcing the CPRA alongside the OAG starting on July 1, 2023. In addition to California, Virginia’s privacy law came into effect and was enforceable as of January 1, and privacy laws in Colorado, Connecticut, and Utah will become effective throughout the year (see chart below).

| | CPRA | VCDPA | CPA | UCPA | CTPA |
|---|---|---|---|---|---|
| Effective Date | Jan. 1, 2023 | Jan. 1, 2023 | July 1, 2023 | Dec. 31, 2023 | July 1, 2023 |
| Enforcement Date | July 1, 2023 | Jan. 1, 2023 | July 1, 2023 | Dec. 31, 2023 | July 1, 2023 |
| Enforcement Details | 30-Day Notice and Cure Provision will remain in effect indefinitely for security breach violations only. | 30-Day Notice and Cure Provision will remain in effect indefinitely. | 60-Day Notice and Cure Provision will remain in effect until January 1, 2025 | 30-Day Notice and Cure Provision will remain in effect indefinitely. | 30-Day Notice and Cure Provision will remain in effect until December 31, 2024. |

Enforcement of the CPRA is delayed until July 1, 2023 and, unlike the CCPA between its effective and enforcement dates, there is an explicit grace period between January 1 and July 1, 2023. However, the CCPA’s provisions (without the CPRA’s amendments) will remain effective and enforceable between January 1 and July 1, and the required 30-day cure period no longer exists. Importantly, this means that the full scope of the CCPA also currently applies to HR and B2B data, and there is no delay in enforcement with respect to the same.

Under the CPRA, both agencies can seek civil penalties of $2,500 for each violation or $7,500 for each intentional violation or violations involving the data of minors. Violations may be potentially calculated based on each applicable piece of data or consumer, and, thus, exposure could be substantial. The existing requirement in the CCPA to provide notice of violation and give a 30-day cure period before bringing an enforcement action is eliminated by the CPRA, but the law permits the agencies to consider good faith cooperation efforts by the business when calculating the fine, and prosecutorial discretion is not limited. Further, CPPA actions are subject to a probable cause hearing prior to commencement of an administrative enforcement proceeding.

In Virginia, Utah, and Connecticut, the Attorney General has exclusive enforcement authority. The Virginia Attorney General may seek injunctive relief and civil penalties of $7,500 per violation. In Colorado, the state Attorney General or District Attorneys may bring an action for injunctive relief and civil penalties under the Colorado Consumer Protection Act, which provides for civil penalties of $500 per violation, actual damages, or three times actual damages if bad faith is shown. In Utah, the Attorney General may bring an action for actual damages to consumers and civil penalties of up to $7,500 per violation. In Connecticut, the Attorney General may treat a violation of CTPA as an unfair trade practice under the Connecticut Unfair Trade Practices Act (“CUTPA”); however, the private right of action and class action provisions of CUTPA do not extend to violations of the CTPA. Nevertheless, remedies available for violations of CUTPA include restraining orders; actual and punitive damages, costs, and reasonable attorneys’ fees; and civil penalties of up to $5,000 for willful violations and $25,000 for restraining order violations.

However, like the CCPA (but unlike the CPRA), the respective Attorneys General of Virginia and Utah must provide a controller or processor with 30 days’ written notice of any violation of the VCDPA/UCPA, specifying the provisions that the Attorney General alleges have been violated. In Virginia and Utah, a controller or processor can avoid statutory damages if, within this 30-day cure period, it cures the noticed violation and provides the Attorney General with an express written statement that the alleged violations have been cured and that no further violations will occur. Under Connecticut and Colorado’s laws, their respective AGs must provide violators with notice of alleged violations and an opportunity to cure any such violations within a 60-day period following delivery of the notice. The requirement to allow for a cure period in Colorado sunsets on January 1, 2025 (though, the AG would almost certainly have prosecutorial discretion to allow for a cure). In Connecticut, the cure requirement becomes discretionary on January 1, 2025, as well.

Check back often for our continued updates on privacy litigation and enforcement trends and updates.  Privacy World will be there to keep you in the loop.

California Attorney General Rob Bonta announced today an investigative sweep of mobile apps, focused on popular apps in the retail, travel, and food service industries that fail to comply with the California Consumer Privacy Act (CCPA). According to a press release, the sweep is focused on apps that allegedly fail to comply with consumer opt-out requests or do not offer any mechanism for consumers who want to stop the sale of their data. The press release also highlights enforcement in relation to handling of agent requests, namely through an agent service created by Consumer Reports called “Permission Slip.”
