Cookies and Amendments and Regulations, Oh My!
October has been a busy month for data privacy. Things kicked off on October 1st when the CJEU issued a landmark ruling that clarifies consent requirements for cookies. Not to be outdone, California Governor Gavin Newsom signed six CCPA amendments and a related bill requiring data brokers to register with California’s Attorney General. Within days, California’s Attorney General released much-anticipated regulations establishing requirements for implementing the CCPA.
Now that the dust is starting to settle, companies are taking stock of what these developments mean for their business. For many, the new regulations have business leaders breathing a sigh of relief, while simultaneously scratching their heads. Although the statutory definition of a sale is famously broad in scope, the regulations are vexingly short on specific criteria for determining which disclosures constitute a sale of personal information or how to calculate the value of personal information for financial incentive and loyalty rewards programs.
Companies hoping for a break in implementing the new requirements are also likely to be disappointed. In some cases, the regulations are more stringent than the language of the CCPA statute. For example, businesses that use a consumer’s personal information for a purpose that is different from the ones established at the time of collection are now required to obtain the consumer’s explicit consent. If adopted, this requirement would make the CCPA even stricter than the GDPR.
However, the regulations are not set in stone. The Attorney General has opened a period of public comment set to close on December 6, 2019. During this period, concerned parties can submit written feedback or attend one of four hearings to provide public comment. Held in San Francisco, Sacramento, Fresno, and Los Angeles, the public meetings will carry equal weight with written feedback in shaping any changes to the regulations.
The amendments signed by Governor Newsom contained few surprises, but they do include some wins for businesses worried about how to put the CCPA into practice. One of the biggest areas of contention has been the private right of action for CCPA violations. Although the fees for a single incident are nominal, they add up quickly when you factor in incidents involving thousands of records. The amendments have addressed business concerns by limiting the private right of action to violations involving data breaches.
Other notable amendments include AB 25, which exempts employment data collected on job applicants, contractors, and employees from CCPA requirements for one year. Companies that collect data for B2B transactions got a similar reprieve. However, businesses shouldn’t get too comfortable, because both of these amendments are set to expire in 2021.
Across the pond, the CJEU issued a much-anticipated ruling in Planet49 GmbH. The case involved a German-based company that presented consumers with the opportunity to participate in a lottery if they consented to collection of their personal data. The CJEU was asked to rule on whether the use of a pre-ticked box was sufficient to obtain valid consent for placing cookies on a user’s device. The CJEU was also asked to determine whether service providers need to give users information about the retention of cookies and access by third parties.
The CJEU held that consent requires affirmative action by data subjects and that pre-ticked boxes do not meet this standard. The CJEU also ruled that consent requirements apply to the processing and storage of information that is not personal data and that users must receive information on cookie duration and access by third parties. In the wake of the ruling, companies have raced to revise their cookie notices and privacy policies. As a result, users will be doing more clicking and pointing to consent to cookies when they visit websites.
Like the CCPA regulations, the Planet49 ruling clarified some questions and left others open for further deliberation. While the ruling requires data controllers to specify the retention period for cookies, it did not specify a maximum retention period. The ruling also left open the question of whether cookie walls are permissible under the ePrivacy Directive or GDPR. Nor did the ruling clarify which user actions would qualify as affirmative consent. Is clicking out of a cookie notice sufficient evidence of an affirmative action, or is clicking an Accept button required?
Companies hoping for clarification on these issues will need to wait for the long-awaited ePrivacy Regulation. Originally scheduled to take effect in May 2018 with the GDPR, the timeline for implementation was postponed to resolve issues regarding telecom requirements. The regulation is now set to take effect sometime in 2019.
For companies wrestling with data privacy requirements, none of the recent developments provide definitive answers. However, they do move the business community toward greater clarity. The important lesson here is to stay on top of evolving requirements and get involved in giving feedback and advocacy when the opportunity arises.