The Consumer Finance Podcast

Recent Developments in California Privacy Laws

Episode Summary

Please join Troutman Pepper Partner Chris Willis and his colleague Kim Phan as they discuss the new California Privacy Rights Act (CPRA) and the creation of the California Privacy Protection Agency (CPPA).

Episode Notes

Please join Troutman Pepper Partner Chris Willis and his colleague Kim Phan as they discuss the new California Privacy Rights Act (CPRA) and the creation of the California Privacy Protection Agency (CPPA), California's first state agency focused exclusively on privacy. They also dive into the CPPA's recent amendments to the California Consumer Privacy Act (CCPA), discussing the timeline, overview, and technical guidance for companies. And with 23 topical areas of regulation — what we can expect from the CPRA's next set of rules.

Episode Transcription

The Consumer Finance Podcast – Recent Developments in California Privacy Laws
Host: Chris Willis
Guest: Kim Phan
Date Aired: July 27, 2023

Chris Willis:

Welcome to The Consumer Finance Podcast. I'm Chris Willis, the co-leader of Troutman Pepper's Consumer Financial Services Regulatory Practice, and I'm really glad you've joined us. Today, we're going to be talking about some interesting and to me, somewhat confusing recent developments in California privacy law.

But before we jump into that, let me remind you to visit our blogs. We have two of them. We have troutmanpepperfinancialservices.com that provides insights across the entire span of the financial services industry. And we have our well-known consumer financial services podcast, consumerfinancialserviceslawmonitor.com. And don't forget about our other podcasts besides this one. We have lots of them. We have the FCRA Focus all about credit reporting, The Crypto Exchange, which is about all things crypto. We have Unauthorized Access, which is our privacy and data security podcast, and our newest podcast, Payments Pros, which is all about payments developments in the payments industry. And speaking of those, they're available on all the popular podcast platforms. And if you like this podcast, let us know. Leave us a review on your favorite podcast platform and let us know how we're doing.

Now, since we're talking about privacy today, we obviously aren't going to be able to rely on my expertise, which I have none. So that's why I have one of my partners, Kim Phan, on with me today, who's a member of our Privacy and Cyber group based in our Washington, D.C. office. And she knows a lot about California privacy law, unlike the zero that I know. So Kim, welcome to the podcast today to talk about the new developments in California privacy law.

Kim Phan:

Thanks, Chris. It's my pleasure to be here.

Chris Willis:

California seems to me to have been at the forefront of privacy law on a state level for the past several years, but even now there's some new developments going on in the state, so bring the audience up to speed. What's going on?

Kim Phan:

California has absolutely been at the forefront of what's happening on the state level and starts all the way back in 2018. Back in 2018, the European Union's General Data Protection Regulation went into effect, and I think California just got jealous. So, in record-breaking time, six legislative days in fact, the California Consumer Privacy Act was introduced and enacted into law.

It went into effect back in 2020. So, it has been around for a couple of years, but as you noted, there's always a new development happening in California. The California Attorney General, which under the original version of the CCPA had regulatory authority, issued the first set of CCPA regulations back in August of 2020. But at the beginning of this year, there was a new statute, the California Privacy Rights Act, which amended the CCPA and that went into effect on January 1st and will actually be enforceable starting on July 1st, in a few weeks.

The CPRA created a brand new agency, the California Privacy Protection Agency, which California lauded as the first ever state agency focused exclusively on privacy. The CPRA, which again amended the CCPA, gave the new CPPA, the new agency rulemaking authority in 23 different topical areas. They essentially took this away from the Attorney General, which I think the Attorney General's office was happy about because they're an enforcement entity, not rulemaking. And it was incredibly painful for them to issue that first set of rules. But the new agency has now moved forward with its own rules and is in that process right now.

Chris Willis:

Okay. And I feel like I remember from listening to you that the original set of rules under the California Privacy Statute were supposed to be released by the California AG, and they took a really long time to come out as I recall. Is that the case with these new rules that you're talking about as well?

Kim Phan:

It is. And to the California Attorney General's credit, again they're an enforcement body. The Attorney General actually had to hire entirely new staff to help write those original set of rules. And they were late. As I noted, the California Consumer Privacy Act went into effect at the beginning of 2020, but the Attorney General's office wasn't able to release that first set of rules until August.

Now, after the rules were released, there was some grace period with regard to their effectiveness. The California Privacy Protection Agency similarly had to get itself stood up. It was a brand new agency, had to hire staff, had to hire everyone essentially, and they also missed their deadline for issuing rules dramatically. So the first set of rules by the new agency were actually due last July, almost a year ago. And the new agency has only first gotten its new rules out as of March of this year. So they missed it by about nine months.

Chris Willis:

You mentioned a grace period on the AG's rules that came out a while ago. Is there a grace period for these new CPPA rules that just came out?

Kim Phan:

There is not. The agency chose, even though they missed their deadline dramatically, chose to make those rules go into effect immediately. And this started on March 29th, 2023.

Now the new agency has already been sued by the California Chamber of Commerce, which has I think a pretty fair argument to make under the original timeline for the CPRA's new regs. If the regs had come out on July 1st, by statute those would've gone into effect on January 1st of this year. Businesses would've had six months to get up to speed and come into compliance with any of those rules. Again, that would have been released by July 1st. They would have at least six months. Now that the agency has missed their deadline by about nine months and chosen to make the rules effective of immediately the Chamber of Commerce is arguing that they should at least have six months, the original statutory timeline, in order to get into compliance with these new rules before they should go into effect.

Chris Willis:

Sure, that makes sense. And speaking about coming into compliance, can you give the audience just a bit of an overview of what's in the newly released rules that came out in March?

Kim Phan:

Keep in mind that this is just the first set of CPPA rules. Again, I mentioned there's 23 different topical areas of regulation, and this covers some of them. Some of the things that they cover are essentially just technical corrections to the original California AG regulations. The reality is that the CPRA made quite a few changes to the CCPA.

So the new agency went through the process of just technically changing things, like definitions, updating various provisions, as well as putting into regulations some of the new rules and rights that were created by the CPRA. For example, under the old statute, there was a right for consumers to opt out of the sale of their information. The new law created a new right to opt out, the right to opt out of sharing, which is under the law defined very narrowly to be cross contextual behavioral advertising sharing for that purpose. So the new regs are essentially correcting the old regs with regard to the right to opt out of sales to include the right to opt out of sales and sharing of data.

Adding new language about the new right to correct, which is also a new right in addition to the right to know and the right to delete, implementing new language around data minimization. This is again a new requirement under the amendment with regard to restricting the ability of businesses in California to collect and use personal information and limiting that to what is reasonably necessary and proportionate.

And now the new agency is not necessarily coming up with all of this on their own. They, to their credit, provide a lot of illustrative examples for businesses for the many requirements they're laying out in the new regs. And one of the examples they provide with regarding data minimization tracks very closely to a consent order that the FTC entered into with a flashlight app.

Essentially, the flashlight app was exactly what it sounds like, an app on your phone. It allows you to turn on the light. However, the operators of that app were also accessing your phone's contacts and other information, which seemed not necessarily reasonable and proportionate with regard to the alleged functionality of that app.

Those are some of the examples that the agency provides. They also give a lot of technical guidance to companies about how they're, the new agency will be expecting them to deploy some of the new obligations that are placed on them. For example, opt out preference signals. This is a signal that your browser sends out on behalf of a consumer to operators of websites that says, "Hey, don't track me or otherwise collect my information." There's at length many provisions that talk about how to deploy that.

There's also technical requirements with regard to privacy disclosures. And these are things you'll probably have seen on the larger national scale, making sure that those privacy disclosures are in the same languages that a business is using with regard to contracts or marketing products and services, making sure that any privacy disclosures are ADA accessible to those who may have a disability.

And what I think will probably be one of the more painful aspects of the new regs is new requirements about technical measures to obtain consumer consent. And I wanted to highlight two specific things that the new agency expects that there be symmetry in choice when obtaining consumer consent. Essentially the old regime where you would have a huge green button that says, "Yes, I consent," versus a tiny little gray button underneath that says, "No," right? That would no longer be acceptable in California because it's not symmetry of choice. They have to be equal options in the new agency's eyes.

Chris Willis:

Got it. By the way, let me just interject there. That seems like sort of a direct response to the FTC's Dark Patterns report that came out in September of 2022 that specifically highlighted the asymmetry of website cookie choices, with one being more prominent or easier to select than the other.

Kim Phan:

While they don't give the FTC credit, they do specifically talk about dark patterns and how they don't want businesses again in California to design their websites or mobile applications in a way that is impairing or otherwise impacting a consumer's ability to make choices about the privacy of their personal information.

Chris Willis:

Tell you what, that dark patterns name has really caught on, hasn't it?

Kim Phan:

It really has. It is something that I think has lit a fire in, let's say plaintiff's attorney's mind as well as regulators because it's sort of vague, right? I mean, what is a dark pattern? It's really, it's the sniff test. It's whatever a regulator decides they don't like and that consumers have complained about that they'll just argue is a problem and then becomes by de facto a violation of the law.

Chris Willis:

Got it. Now, you mentioned a minute ago, and I'm almost afraid to ask this question, but I feel like I must on behalf of the audience, that there's more rules coming from the CPPA. What else is left to come and what should we be expecting from those?

Kim Phan:

The new agency has already announced what's going to be in their next set of rules. And again, this is just the second set, right? We can expect that there'll be a third and fourth coming as well, but they're still very early in the process for this one.

So following the release of their March 2023 first set of rules, they announced that the next set of rules will cover three topical areas, and all of these are required under the New Amendments to the California Consumer Privacy Act. One is with regard to how to conduct cybersecurity audits. Another is with regard to conducting risk assessments. And the final one is with regard to automated decision making.

And it's the last one that I think will be of great interest to those in our audience who are financial institutions that utilize any sort of algorithms or consumer reports. And the reason I'm concerned about that, despite the fact that the California Consumer Privacy Act has a clear exemption for information that is requested from a consumer reporting agency compiled by a consumer reporting agency or used for a FCRA purpose, I'm just worried that, like the FTC that we've been seeing in recent days, the CFPB, that this new agency, the first of its kind, will be looking to make a splash and try to extend its rules and authority as far as it can.

And I can see automated decision making be an area where they might want to go above and beyond what the Federal Fair Credit Reporting Act already provides. And we already know that the CFPB has said that to the extent the state decides to go above and beyond what they call the floor of the FCRA rather than ceiling, that won't be preempted on a federal level. And they were very clear about that.

So it's an area that I'm a little nervous about with regard to banks and the underwriting process. But again, I don't know what the agency will ultimately do. They're at this stage just seeking information. And to their credit, I will say the new agency has been very deliberative about their rulemaking process. And the first set of rules, they went through various drafts and they made very clear updates and changes in response to public input that they received during the rulemaking process. So even though they're a bit late, they were working that whole time. So I will give them some credit for that.

Chris Willis:

Okay. Well, let's just hope when they release these new batches of regulations that you just mentioned that they'll give more than a 10-second implementation period for all the new requirements that may come out. Let's just have our fingers crossed on that.

But more seriously, I agree with you. It's important to keep an eye on what the CPPA may do with respect to algorithmic decision making. And it's become such a popular topic in the press, and therefore with regulators, that there's no telling what might happen in that regard.

Kim Phan:

Yeah, and I'm a little worried too. Right? Right now, the agency has been very much focusing all of its efforts on its rulemaking authority, which it should. It has a statutory obligation to issue those rules. But once they get all their rules out the door, they then also will have enforcement authority. Now they have not yet brought any enforcement actions, and they cannot until after July 1st. But once that date, the enforcement date passes, I am nervous to see what they do.

The California Attorney General under the old regs has only ever brought one enforcement action in the course of the last three years. Importantly, at the beginning of this year, there was a right to cure period that was, if the Attorney General gave a business any sort of notification that he believed that there was some alleged violation occurring, the business would have 30 days to cure that alleged violation before the Attorney General could move forward with any kind of enforcement action.

The new agency will not be similarly impaired. That right to cure has now gone away. So if the agency believes that there is a business that has violated any of these rules, which again went into immediate effect on March 29th, they could move forward with an enforcement action right away as well. I think that's something to be mindful of on a going forward basis.

Chris Willis:

Got it. Well, Kim, this is just fascinating. And the thing is, I expect that the developments in California privacy law and other states and federal privacy law will continue to unfold very rapidly as they have in recent years. So I'm hoping that you're going to be willing to come back on the podcast again and talk to us about those things as they happen. So thanks for being on the podcast today, and of course, thanks for our listeners for listening in to today's episode as well.

Don't forget to visit and subscribe to our blogs, troutmanpepperfinancialservices.com and consumerfinancialserviceslawmonitor.com. And why don't you come on over to troutman.com and visit us and add yourself to our Consumer Financial Services email list? That way you can get notices of the alerts that we send out as well as our industry only webinars. And of course, stay tuned every Thursday afternoon for another episode of this podcast. Thank you all for listening.

Copyright, Troutman Pepper Hamilton Sanders LLP. These recorded materials are designed for educational purposes only. This podcast is not legal advice and does not create an attorney-client relationship. The views and opinions expressed in this podcast are solely those of the individual participants. Troutman Pepper does not make any representations or warranties, express or implied, regarding the contents of this podcast. Information on previous case results does not guarantee a similar future result. Users of this podcast may save and use the podcast only for personal or other non-commercial, educational purposes. No other use, including, without limitation, reproduction, retransmission or editing of this podcast may be made without the prior written permission of Troutman Pepper. If you have any questions, please contact us at troutman.com.