
Advertising, Marketing & Promotions:
7th Edition: Trends in Marketing Communications Law

Privacy & Data: California Consumer Privacy Act >> CCPA: A Privacy Conundrum

October 6, 2020

After much anticipation, the California Consumer Privacy Act (CCPA) took effect on January 1, 2020, becoming the most comprehensive privacy law in the U.S. CCPA provides California residents rights regarding the collection, use and sale of their personal information (PI), as defined broadly under the CCPA. It also imposes burdensome requirements on entities that collect PI if they are a “business,” in order to provide greater transparency and control over the use of such PI.

Notwithstanding the CCPA effective date, businesses continue to struggle with compliance. Perhaps the biggest operational hurdle is implementing new consumer rights, including the right to know what information is collected, to request copies of that information, to request that such information be deleted and to opt out of the “sale” of such information. Each has its own procedural requirements and, in some cases, the final proposed regulations exceed what is required by the plain language of the CCPA, such as recognizing user-enabled privacy controls for opt-out requests. The final proposed regulations provide more specificity regarding certain requirements, such as responding to consumer requests, and add new obligations, such as “just in time” pre-collection notice requirements for mobile applications.

Another obstacle many companies face is deciding how to categorize their role in a transaction involving PI. Determining whether an entity is a “business,” or a “service provider” or “third party” (whose obligations are more limited), is a material component of understanding compliance obligations. This is particularly true when assessing whether a transaction constitutes a “sale” of PI, implicating elaborate opt-out requirements. To complicate matters, an entity may be both a business and a service provider or another type of third party, as confirmed by the final proposed regulations, which specify that a business that processes PI on behalf of another business could qualify as a “service provider” of that business with respect to such processing, if it meets the requirements and obligations for a “service provider.”

The industry response has been mixed. Through new data sharing options, Google is helping businesses manage CCPA obligations, including by recognizing signals sent through the Interactive Advertising Bureau’s CCPA Compliance Framework, which allows participants to ensure PI exchanged between them for targeted advertising complies with CCPA’s notice and opt-out requirements. Google, via its “Restricted Data Processing” feature, also made additional tools available to its business users to assist in complying with certain CCPA obligations, such as consumer request verifications. Facebook has unveiled a “Limited Data Use” feature, which, when selected, will direct Facebook to process the PI of California residents as a service provider. Facebook announced that it would (unless otherwise requested by the applicable business) automatically implement this feature for such information through July 31st, after which businesses will need to affirmatively choose it.

In addition, among other updates, Amazon has made resources available to assist customers with CCPA compliance but has not taken a firm position regarding the “sale” issue. Instead, Amazon updated its advertising API terms to require users to comply with data protection laws including CCPA.

The industry had hoped for resolution by now of certain ambiguities in the CCPA; however, the implementing regulations submitted by the California Attorney General in early June indicate that many uncertainties are likely to remain until actual enforcement sets precedent and answers some of the remaining questions.

Finally, it is important to keep in mind that while enforcement officially began on July 1, regulators may attempt to apply the CCPA retroactively to the first six months of 2020.

Key Takeaways:

  • Companies must evaluate their internal privacy practices and consumer-facing disclosures with an eye towards compliance.
  • Implementing procedures to comply with consumer requests may prove burdensome, but companies that are diligent from the start may ease the burden.
  • Companies must conduct assessments of themselves and their providers to determine their roles under the CCPA.
  • Industry players are taking varied approaches and may place the onus of compliance on customers.