California Consumer Privacy Act

The International Association of Privacy Professionals (IAPP) has put together a helpful tracker of CCPA amendments.

There are currently five amendments in play, including amending the definition of de-identification and extending the employee and B2B carve outs until January 2022 if the California Privacy Rights Act (CPRA), which is on the CA ballot, doesn’t pass.

Commentors on the final California Consumer Privacy Act regulation queried: “Are session cookies a “unique personal identifier?”

The California Attorney General replied: Maybe, depending on the context.

  • A “unique personal identifier” is a persistent identifier that can be used to recognize a consumer.
  • If a session cookie cannot be used to recognize a consumer, family

Commenters to the final California Consumer Privacy Act (CCPA) regulations asked if it is possible to provide information about, and access to the “Do not Sell” link and/or opt out opportunity in the privacy notice?

The California Attorney General’s answer: No.

  • The notice of right to opt out is a separate obligation from the CCPA’s

Commenters on the final California Consumer Privacy Act (CCPA) regulations asked if a company gives you a product without charge but in consideration for your information,  could that still be deemed a financial incentive requiring the company to calculate and disclose the value of the consumer’s data?

The California Attorney General’s answer: Yes.

  • If you

Compliance takeaways from the International Association of Privacy Professionals (IAPP) California Consumer Privacy Act (CCPA) Enforcement Keynote Session:

  • It is important for businesses to understand the law. It is complex and has many nuances.
  • Your customers are looking, your competitors, your employees are looking, and the CA AG is looking at the private class actions

Comments to the final California Consumer Privacy Act regulations asked if the  CCPA carve-out regarding the Gramm Leach Bliley Act (GLBA), the data protection law governing US financial institutions, applies to:

  1. Financial institutions under GLBA
  2. Service providers that must comply with GLBA
  3. Sources of information that are subject to GLBA
The California Attorney General’s Answer:

Comments on the final California Consumer Privacy Act (CCPA) regulations asked if data brokers should be required to identify the factors they use in algorithmic decision making practices that affect the consumer, such as consumer scores?

The California Attorney General responded:
  • Inferences derived from personal information to create a profile about a consumer are personal

Comments to the California Consumer Privacy Act (CCPA) final regulations asked: “If you get an access request and you know that the underlying motive for it is to conduct discovery for the purpose of contemplated litigation, do you have to comply with the access request?”

The California Attorney General’s Response: Yes. There is no exception