Tuesday, October 25, 2022

Privacy Recap: Regulatory Developments in California, Colorado

As the promising-but-flawed American Data Privacy and Protection Act awaits a House floor vote and the revised deadline for comments on the FTC's highly problematic privacy Advance Notice of Proposed Rulemaking looms, state activity continues to fill the federal void.

In California, the only state where a comprehensive data privacy law has gone into effect, enforcement is underway – while, simultaneously, efforts to adopt rules implementing the Golden State's second privacy statute near the finish line. And in Colorado, the rulemaking process relating to its privacy law is just getting started.

In August, California Attorney General Rob Bonta announced a $1.2 million settlement with Sephora, Inc. regarding several alleged violations of the California Consumer Privacy Act (CCPA), which became valid law at the beginning of 2020.

According to the complaint, Sephora "did not tell consumers that it sold their personal information," "did not provide consumers with an easy-to find 'Do Not Sell My Personal Information' link," and did not configure its website "to detect or process any global privacy control signals, such as the 'Global Privacy Control' (GPC)."

As explained in the GPC website FAQs, the GPC "is a proposed specification designed to allow Internet users to notify businesses of their privacy preferences, such as whether or not they want their personal information to be sold or shared. It consists of a setting or extension in the user's browser or mobile device and acts as a mechanism that websites can use to indicate they support the specification."

Under the CCPA, the enabling of a universal opt-out mechanism such as the GPC has the same legal effect as clicking on a "Do Not Sell My Personal Information" link.

While the Sephora settlement is the first of its kind, it is by no means the only enforcement action undertaken by the California Attorney General's office. As noted in the Press Release, "[s]ince July 1, 2020, the Attorney General has issued notices to a wide array of businesses alleging noncompliance with the CCPA. Notices to cure have been issued to major corporations in the tech, healthcare, retail, fitness, data brokerage, and telecom industries, among others."

In addition, and as I detailed in "California Voters Approve the California Privacy Rights Act: A Detailed Analysis of Its Requirements and Impact," a November 2020 Perspectives from FSF Scholars, the Consumer Privacy Rights Act of 2020 (CPRA), which builds upon and modifies the CCPA, created the California Privacy Protection Agency (CPPA), the nation's first (and, at present, only) state agency dedicated to consumer privacy.

Once established, the CPPA assumed privacy-related rulemaking responsibilities from the office of the Attorney General. On May 27, 2022, the CPPA released draft CPRA regulations. Publication of a Notice of Proposed Rulemaking on July 8, 2022, formally started the process. The comment period closed on August 23, 2022.

On October 17, 2022, the CPPA released a modified draft of the CPRA regulations, as well as an explanation of the modified text. The CPPA Board will discuss, and potentially adopt some or all of the proposed rules, at virtual meetings this Friday and Saturday.

Per the CPPA's website, "[t]he proposed regulations (1) update existing CCPA regulations to harmonize them with CPRA amendments to the CCPA; (2) operationalize new rights and concepts introduced by the CPRA to provide clarity and specificity to implement the law; and (3) reorganize and consolidate requirements set forth in the law to make the regulations easier to follow and understand."

Colorado was the third state out of five so far – the others are California, Virginia, Utah, and Connecticut – to adopt a comprehensive data privacy statute. I summarized the major provisions of the Colorado Privacy Act (CPA) in an April 2021 post to the Free State Foundation's blog.

The CPA, which is scheduled to go into effect on July 1, 2023, authorizes the Colorado Attorney General to craft rules generally "for the purpose of carrying out" the CPA as well as a specific rule regarding "the technical specifications for one or more universal opt-out mechanisms that clearly communicate a consumer's affirmative, freely given, and unambiguous choice to opt out of the processing of personal data for purposes of targeted advertising or the sale of personal data."

On October 10, 2022, Colorado Attorney General Phil Weiser's office published a Notice of Proposed Rulemaking (NPRM). Comments are due on or before February 1, 2023 – but earlier deadlines apply if they are to "inform the stakeholder meetings" scheduled for November 10, 15, and 17, or are to be considered at the rulemaking hearing on February 1, 2023.

Specific topics addressed in the NPRM include: the substantive requirements for privacy notices, the scope of the consumer rights established by the CPA and the processes by which those rights are exercised, specifications for universal opt-out mechanisms, the duties of businesses ("controllers") that collect personal information, and the method by which consent is obtained ("including the prohibition against obtaining agreement through the use of Dark Patterns").