Working at Home: A Survival Guide
March 19, 2020
Slack: Understanding and Addressing Discovery Challenges
April 2, 2020

Three New Changes to the Revised CCPA Regulations and New CCPA Lawsuits

revised CCPA regulations

While the rest of the world has been grappling with the COVID-19 pandemic, the California Attorney General published on March 11, 2020, the second set of revisions to its proposed regulations for the California Consumer Privacy Act. As the March regulations bring further clarity (and, some in instances, confusion) to the CCPA landscape, litigation is also beginning to shape the CCPA. Consumer rights lawsuits have been filed in California federal courts that could clarify and test the limitations of the CCPA’s private right of action.

Three Key Changes to Proposed CCPA Regulations

 The new changes to the proposed regulations (“March regulations”), while not as sweeping and comprehensive as the last round issued in February (“February regulations”), are still significant, particularly with the July 1, 2020 deadline for finalizing those regulations quickly approaching. Among the substantive and stylistic changes, three key modifications are highlighted below.

  1. Removal of the Opt-Out Button
  2. The AG’s office has taken a rollercoaster ride with the opt-out button provision. The originally proposed regulations released in October 2019 first offered businesses the option to use an “opt-out button or logo . . . in addition to posting the notice of right to opt-out.” The February regulations then provided specific direction on the use, look, and feel of the opt-out button. [1] The proposed button— proposed button—had little chance for survival, though. Professor Eric Goldman, a leading expert on Internet Law, examined the problems with the opt-out button design:

    At least three problems with this design: (1) the mixed metaphor (dot to enable and X to cancel) makes it unclear to consumers if they need to take any action; (2) the red color signals a warning to stay away; and (3) clicking on the button doesn’t actually take any action–it just links to a page with more information, and consumers might not realize that they must take more steps to complete an opt-out.

    The appearance of the ill-fated button not surprisingly lasted all of a month, with the AG’s office striking it, along with the recommendation that companies even consider adopting such a concept, in the March regulations. [2]

  3. Removal of IP Address “Link” Requirement
  4. The CCPA defines “personal information” broadly to include information that could be reasonably identified with a consumer or a consumer’s “household.” [3] The CCPA reinforced this broad construction by including “internet protocol address” in the definition of personal information, which allows CCPA protections to extend beyond a particular consumer to any individuals who “reside at the same address” and use an electronic device with the consumer’s same IP address. [4] The February regulations placed a reasonable limitation on the use of an IP address for this purpose, declaring that an IP address would not be considered personal information if the regulated business “does not link the IP address to any particular consumer or household.” [5] Nevertheless, the March regulations eliminate this limitation without any explanation, [6] thus reinforcing the notion that the definition of personal information is unbounded.

  5. Additional Required Disclosures to Consumers in the Privacy Policy
  6. The CCPA requires that regulated businesses publish a privacy policy delineating for consumers what businesses do with personal information and what rights consumers have vis-à-vis businesses regarding their personal information. The March regulations add new disclosure requirements for the privacy policy including a mandate that regulated businesses specify the “categories of sources from which the personal information is collected” and describe the categories so consumers can reasonably understand what information is being collected. [7] Businesses must also detail the “business or commercial purpose for collecting or selling personal information” and discuss the reason for doing so in reasonably understandable terms to the consumer. [8]

CCPA Litigation

With the CCPA now effective for nearly three months, it is not surprising that consumer rights lawsuits have been filed to address CCPA violations. Litigation arising from the CCPA will likely fall into two general categories. The first category will seek damages under the CCPA’s limited private right of action for personal data breaches while the second will test the bar the CCPA has imposed on private rights of action to address other CCPA violations.

Barnes v. Hanna Andersson is an example of the first category. In this putative class action, plaintiffs seek, among other things, damages arising from defendants’ alleged failures to implement reasonable security procedures and practices, which led to the claimed breach of unencrypted and unredacted personal information belonging to California consumers. [9] If such a matter were litigated through dispositive motion practice and trial, it could provide clarity on a myriad of vague issues (e.g., what are “reasonable security procedures and practices”) from the CCPA on which the AG’s office has refused to provide guidance.

An example of the second category is found in Burke v. Clearview AI, which seeks various forms of relief under California’s Unfair Competition Law (“UCL”) for violations of the CCPA. [10] Burke does not seek damages under the CCPA’s data breach private right of action but instead relies on defendant’s alleged violations of other CCPA provisions as predicate acts to establish liability under the UCL. Other consumer rights lawsuits have adopted this tactic and successfully bypassed statutory bars to private rights of action by relying on the UCL. [11] Burke could provide clarity on whether courts will uphold the legislative proscription on private rights of action relating to other CCPA violations or instead open an entirely new area of consumer rights litigation.

CCPA Webinar

We welcome you to watch our CCPA webinar that addreses these developments. In this webinar, data privacy expert Martin Tully of Actuate Law and I discuss consumer rights under the CCPA, the corresponding obligations of regulated businesses, and practice tips for CCPA compliance.

[1] CCPA Proposed Regs., §999.306(f) (Feb. 10, 2020).

[2] CCPA Proposed Regs., §999.306 (f) (Mar. 11, 2020).

[3] Cal. Civ. Code § 1798.140(o)(1).

[4] Cal. Civ. Code § 1798.140(o)(1)(A); CCPA Proposed Regulations, §999.301(k) (Feb. 10, 2020).

[5] CCPA Proposed Regs., §999.302(a) (Feb. 10, 2020).

[6] CCPA Proposed Regs., §999.302 (Mar. 11, 2020).

[7] CCPA Proposed Regs., §999.308(c)(1)(e) (Mar. 11, 2020).

[8] CCPA Proposed Regs., §999.308(c)(1)(f) (Mar. 11, 2020).

[9] Barnes v. Hanna Andersson, No.: 3:20-cv-00812 (N.D. Cal. Mar. 9, 2020), ECF No. 30 (First Amended Class Action Complaint).

[10] Burke v. Clearview AI, Inc., 20-cv-0370 (S.D. Cal. Feb. 27, 2020), ECF No. 1 (Class Action Complaint).

[11] See Zhang v. Super. Ct., 57 Cal.4th 364 (2013).

Philip Favro
Philip Favro
Philip Favro acts as a trusted advisor to organizations and law firms on issues surrounding discovery and information governance. Phil provides guidance on data preservation practices, litigation holds, data collection strategies, and ESI search methodologies. In addition, he offers direction to organizations on records retention policies and the need to manage dynamic sources of information found on smartphones, cloud applications, and social networks. Phil is available to serve as a special master on issues related to electronic discovery. Phil is a nationally recognized thought leader and legal scholar on issues relating to the discovery process. His articles have been published in leading industry publications and academic journals and he is frequently in demand as a speaker for eDiscovery education programs. Phil is a member of the Utah and California bars. He actively contributes to Working Group 1 of The Sedona Conference where he leads drafting teams and serves as the Steering Committee project manager. Prior to joining Driven, Phil practiced law in Northern California where he advised a variety of clients regarding business disputes and complex discovery issues. He also served as a Judge Pro Tempore for the Santa Clara County Superior Court based in Santa Clara, California.