Category: CCPA

When Do Vendors Count as Service Providers Under the California Consumer Privacy Act?

With just a few months remaining before the California Consumer Privacy Act comes into effect, companies throughout the Golden State and beyond are scrambling to figure out how to comply with some of the CCPA’s more confusing and demanding requirements. However, another subset of companies are facing a different question: does the law even apply to us?

The question arises because the CCPA draws an important distinction between “service providers” and “third parties.” A service provider, a company that provides analysis or processing services to another company, must agree by contract to uphold certain protections of the CCPA but is left free of the most arduous requirements of the CCPA, such as fielding user requests for disclosure of data. What companies want to avoid are situations where they believe they are signing up to be service providers but unintentionally put themselves in a position to comply with the entire CCPA.

Read More

How Could the Ninth Circuit’s Decision in a Facebook Facial Recognition Lawsuit Affect California?

A new decision out of the Ninth Circuit Court of Appeals could be a bellwether for future privacy cases under the California Consumer Privacy Act. On Thursday, the Ninth Circuit held that the plaintiffs in a class-action lawsuit against Facebook alleging violation of an Illinois biometrics law had standing, allowing the case to move forward.

Given the similarities between the Illinois law and the relevant portions of the CCPA, the Ninth Circuit’s decision may dramatically expand standing in future cases under the CCPA for similar biometric violations.

Read More

Will the California Consumer Privacy Act Force Businesses to Disclose Marketing Secrets?

Welcome to 2019, where almost every product, service, and website tracks every bit of data it can about us and creates a giant profile it can use to make inferences and predict our every move and desire. Even if a company doesn’t sell our data, so many companies in our society today rely on the mass aggregation of data to inform their marketing decisions.

These systems can be pretty frighteningly precise. We’ve all heard about the time Target figured out that a high school girl was pregnant and began marketing maternity items to her before her parents knew, creating some…awkward discussions at home. As a white man of Jewish heritage in his 30s, who likes the San Francisco Giants and Shawshank Redemption, maybe I’m more likely to buy a Toyota that gets at least 40 MPG or less likely to drink spiced rum. Somebody out there probably knows.

One of the most interesting but unpredictable parts of the California Consumer Privacy Act is the portion of the law that requires companies to share not just the information collected about consumers, but also the inferences they’ve made based on this data. This requirement could potentially implicate companies’ marketing strategy or even trade secrets.

Read More

What Does the California Consumer Privacy Act Mean for Data Aggregation?

Data aggregation has long been an important part of business analysis, from collecting information on past consumer trends to predicting the next big hit. Recently, the California Consumer Privacy Act’s provisions on data aggregation have become a warzone between privacy advocates and businesses concerned with the law’s scope.

AB 873, which is working its way through the committee process, would make two prominent changes that privacy advocates say would dramatically weaken the effectiveness of the CCPA.

Read More

Would the California Consumer Privacy Act Have Protected Us From FaceApp?

The privacy scandal du jour revolves around FaceApp, an app for iOS and Android that allows users to automatically digitally alter their photographs to look older, younger, change hairstyles, facial hair, glasses, or more. In order to make FaceApp work, users had to grant the app access to their photos, either from their devices’ camera roll or social media account. Then the magic happens, multiplied by the 100 million or so people who have downloaded the app so far.

I would love to look this good when I’m 100 years old

However, recent examinations into FaceApp’s policies raise new and troubling questions about what FaceApp can and will do with our photos, and whether there’s anything we can do to stop them. Well, these questions may be troubling but they aren’t new: FaceApp first went viral back in 2017, before the Internet forgot it exists just like everything else.

This most recent freakout comes amid the realization that FaceApp is owned by a Russian company and that their terms of use essentially grant FaceApp the right to access and use our photos, as well as the “perpetual, irrevocable” right to use any photos that they processed for us. This, paired with the fact that FaceApp uploads the photos being processed to their server, sparked fear and outrage just as quickly as the old-age photos dominated social media.

Read More

How Could the California Consumer Privacy Act Affect Facial Recognition Technology?

California’s newest privacy law may soon protect more than just our personal information. If a proposed amendment to the California Consumer Privacy Act ends up passing, the legislature will add new protections to the CCPA that restrict the use of facial recognition technology by California companies.

Proposed amendment AB 1281 would make it mandatory for all businesses that use facial recognition technology to post “clear and conspicuous” signs at the entrance of every location that uses such technology.

Read More

How Much Will the Attorney General Actually Enforce the California Consumer Privacy Act?

As we creep closer to January 1, 2020, one of the major plotlines in the Legislature’s fine-tuning of the California Consumer Privacy Act is to see how exactly the law will be enforced when all is said and done. As it stands, it looks as though Californians are going to need to rely on the Attorney General and local governments to do most of the actual legwork to make sure companies abide by the new law. Whether that reliance is justified remains to be seen.

As we have discussed, SB 561, which would have granted a private right of action to allow individuals to sue for any violation of the CCPA, was summarily defeated. Similarly, early attempts to make improper use of facial recognition software a violation of unfair competition laws (and therefore privately enforceable) died an early death in committee. As it stands, the only private right of action remaining is for data breaches.

Read More

How Will the California Consumer Privacy Act Affect Loyalty Programs?

Loyalty programs are everywhere. A Starbucks gold card might get you a free shot of syrup or refill on coffee. Your hotel gives you free upgrades and snacks for being a loyal member. When I buy a salad from the cafe downstairs from my office, I punch in my phone number and collect points that, someday, I will cash in for a free roast beef panini and large fountain soda. But now, there’s some concern that such loyalty programs will go the way of the dinosaur under the CCPA.

Read More

Will the California Consumer Privacy Act Survive Big Tech?

It should come as no surprise that many in the tech industry are not happy about the California Consumer Privacy Act. As we speed toward January 1, 2020, industry lobbyists and business-geared legislators are pushing a number of amendments that could severely limit the effectiveness and reach of the CCPA.

Todd Weaver and Brendan Eich recently wrote an op-ed in the Mercury News about the generational shift in tech companies’ approach to privacy: while new, smaller tech companies see the appeal and necessity of privacy regulation, Big Tech is digging in its heels.

Read More

Potential Amendments to the California Consumer Privacy Act – AB 25 and AB 1564

With the California Consumer Privacy Act just six months from implementation, the California legislature is hard at work refining and amending the CCPA. While some of the proposed amendments seek to clarify ambiguous terms, others would limit or expand the reach of the law, representing the divide between privacy advocates and the tech industry.

Note: this post was updated following the June 28, 2019 changes to AB 25.

Over the course of the next several months, this blog will detail several of the most interesting and impactful debates surrounding the CCPA. Today, let’s discuss AB-25 and AB-1564.

Read More