The California Office of the Attorney General issued its first opinion interpreting the California Consumer Privacy Act (CCPA) on March 10, 2022, addressing the issue of whether a consumer has a right to know the inferences that a business holds about the consumer. The AG concluded that, unless a statutory exception applies, internally generated inferences that a business holds about the consumer are personal information within the meaning of the CCPA and must be disclosed to the consumer, upon request. The consumer has the right to know about the inferences, regardless of whether the inferences were generated internally by the business or obtained by the business from another source. Further, while the CCPA does not require a business to disclose its trade secrets in response to consumers’ requests for information, the business cannot withhold inferences about the consumer by merely asserting that they constitute a “trade secret.”
The California Consumer Privacy Act (“CCPA”), which went into full effect on January 1, 2020, has seen robust enforcement efforts by the office of the California Department of Justice. In late January, California Attorney General Rob Bonta announced an investigative sweep of businesses operating loyalty programs in California and sent notices alleging noncompliance with the CCPA to major corporations in the retail, home improvement, travel, and food services industries. In addition, Attorney General Bonta has encouraged consumers to know and express their privacy rights through an online platform that allows them to directly notify businesses of potential violations.
Continue Reading Enforcement of The California Consumer Privacy Act Via Letters Noticing Noncompliant Loyalty Programs and Online Tool for Consumers to Notify Businesses of Potential Violations
At the end of 2021, the California Statewide Commission on Recycling Markets and Curbside Recycling (the “Commission”) sent a letter to The California Department of Resources Recycling and Recovery, also known as CalRecycle, and California Attorney General Rob Bonta, asking them to investigate illegal labeling of plastic bags as recyclable by retailers. The Commission is alleging that businesses in the state are falsely implying that their bags are capable of being recycled through curbside collection with the “chasing arrows” logo and words such as “recyclable” and “recycle.” The Commission believes this labeling is impeding the curbside recycling process.
Continue Reading California Recyclability Labeling Scrutiny Poised to Increase Retailers’ Liability Risk
In a major move by California that may be but a harbinger of a dramatic sea change in banning or severely restricting the inclusion of hundreds of chemicals present in every-day consumer goods, California just imposed upon the consumer product industry (culminating, at least most likely for 2021, right before the end of October), a sweeping range of bans that likely will fundamentally disrupt the California consumer product economy.
Continue Reading No Treats, Too Many Tricks, For PFAS This Halloween
On November 3, 2020, California voters approved California Proposition 24, also known as the California Privacy Rights Act of 2020, or CPRA. The CPRA expands protections afforded to personal information, building off of the California Consumer Privacy Act (CCPA), which took effect in January of this year. While some of the CPRA changes will take effect immediately, most will not become enforceable until July 1, 2023, and apply only to personal information collected after January 1, 2022.
Key Changes to CA Privacy Law
At 54 pages long, the CPRA makes numerous changes to the CCPA, ranging from minor revisions to the introduction of new concepts and the creation of several new consumer rights. Some of the most impactful changes are discussed below. A series of future client alerts will explore the nuances of these changes in greater detail.
Sensitive Personal Data
The CPRA establishes new rules for a category of “sensitive personal information,” which includes, for example, genetic data and religious or philosophical beliefs, and is defined as personal information that reveals:
- a consumer’s social security, driver’s license, state identification card, or passport number;
- a consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account;
- a consumer’s precise geolocation;
- a consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership;
- the contents of a consumer’s mail, email and text messages, unless the business is the intended recipient of the communication; and
- a consumer’s genetic data; and
- the processing of biometric information for the purpose of uniquely identifying a consumer;
- personal information collected and analyzed concerning a consumer’s health; or
- personal information collected and analyzed concerning a consumer’s sex life or sexual orientation.
This definition is among the most impactful changes in the CPRA, given the breadth of data that it sweeps in, along with the creation of new disclosure and opt-out rights associated with “sensitive personal information.” These changes will likely require covered businesses to dive into their data, map it, and ensure they are compliant.
In addition, the CPRA creates a right for consumers to “limit use and disclosure of sensitive personal information.” Similar to existing CCPA opt-out rights, beginning in 2023, consumers may direct businesses that collect sensitive personal information to limit its use to that “which is necessary to perform the services or provide the goods reasonably expected by an average consumer” or to perform a small subset of specifically identified exempt services. Significantly, exemptions to the opt-out will include short-term, transient advertising, and “performing services on behalf of the business,” but not general advertising and marketing, nor long-term profiling or behavioral marketing technologies.
Continue Reading CCPA 2.0? California Adopts Sweeping New Data Privacy Protections
The number of states who have banned the use of microbeads in personal care products is growing, with California being the most recent to join the trend. California and New Jersey laws expand their bans to include biodegradable microbeads; Johnson & Johnson and Proctor & Gamble both opposed the California law. The Personal Care Products…
Many experts agree the California public has become immune to the warnings on goods and premises required by Proposition 65, the Safe Drinking Water and Toxic Enforcement Act of 1986. Instead of educating the public, the more notable outcome is a burgeoning cottage industry of plaintiff attorneys bringing frivolous “bounty hunter” enforcement lawsuits against businesses for minor or illusory violations of the statute. As a forthcoming report from the California Attorney General shows, 73 percent of all private settlement payments—totaling $12.7 million—went toward private enforcers’ attorney’s fees and costs in Prop 65 lawsuits settled in 2013. This trend prompted Gov. Brown to declare in May 2013 that Proposition 65 reform was necessary to end these “frivolous shakedown lawsuits.”
In response, California’s Office of Environmental Health Hazard Assessment issued proposed amendments to the regulation on March 7, 2014. Under these notional reforms, businesses operating or selling products in California would need to substantially change their warnings if their products or premises contain certain chemicals listed as “known” carcinogens or reproductive toxicants. OEHHA has claimed — with little support — that these changes will provide “more clarity to the Proposition 65 warning requirements and more specificity regarding the minimum elements for providing a ‘clear and reasonable’ warning for exposures that occur from a consumer product, including foods and exposures that occur in occupational or environmental settings.”
The opposite is likely to occur.…