Advertising Law Tool Kit - Ninth Edition | 2021

California Consumer Privacy Act

A few key steps will help ensure compliance with the CCPA and prepare for the new CPRA.

• Take stock of your data collection to determine what information you collect and whether it is personal information or sensitive personal information, to inform how you apply CCPA and CPRA requirements.
• Assess how you are sending personal information to other entities. Any transfer of personal information, in exchange for something of value, can be a “sale” requiring an opt-out. Under the CPRA, transfers of personal information for “cross-contextual behavioral advertising” may constitute “sharing” personal information requiring an opt-out.
• Affiliates with different branding, or that are not parents or subsidiaries, may be considered separate businesses under the CCPA and CPRA, so assess how you are sharing personal information with affiliates.
• Consider whether updates to your privacy policies and websites are needed. Both the CCPA and CPRA require businesses to make specific disclosures and provide links on home pages enabling Californians to effectuate certain rights.
• Ensure that you are able to respond to consumer rights requests in a timely and compliant manner. Regulations implementing the CCPA prescribe detailed requirements for processing such requests.
• Collecting and selling personal data about children under 13 and/or teenagers aged 13-15 triggers special consent requirements under CCPA and CPRA; moreover, businesses need to meet these requirements in a way that aligns with the federal Children’s Online Privacy Protection Act.
• Ensure that your business does not discriminate against consumers who exercise rights under the law, particularly by evaluating any incentive or loyalty programs.
• The CCPA and CPRA require constant vigilance on data security, and companies should undertake a review of their cyber insurance coverage policies, data security practices, and ways to mitigate liability exposure.
• Stay up to date on CCPA and CPRA developments, as well as federal data privacy developments. The basic contours of the CCPA are not likely to change, but important updates could come from a variety of sources, including ongoing regulatory activity by the California attorney general. Additionally, the CPRA creates an entirely new data privacy agency in California to issue new regulations and to enforce the law alongside California’s attorney general. Staying abreast of CCPA and CPRA news will help your company adapt to the evolving data privacy landscape in California.

Please contact the authors for additional information on how to help ensure your company’s privacy health.

Any company that collects data about California residents may be subject to the California Consumer Privacy Act of 2018 (CCPA), which became operative on January 1, 2020. Compliance with the EU General Data Protection Regulation (GDPR) does not satisfy the CCPA. The CCPA generally applies to businesses (a) with over $25 million in annual gross revenues; (b) that receive or share personal information for 50,000 or more California consumers, households, or devices; or (c) that derive more than half of their annual revenues from consumer data sales.

In November 2020, California voters approved a ballot initiative (Proposition 24) called the California Privacy Rights Act of 2020 (CPRA), which materially amends the CCPA. Most of the CPRA’s terms will become operative on January 1, 2023.

Among other elements, the CCPA granted sweeping new consumer rights over personal information – such as access and deletion upon request. The CPRA maintains the consumer rights created by CCPA and adds more, such as the right to correct personal information and limit the use and disclosure of “sensitive” personal information. Additionally, under both CCPA and CPRA, vendor contracts must contain specific provisions.
Your business should assess whether it needs to amend existing contracts and update standard terms for CCPA and/or CPRA compliance.

Julia Tama +1 202.344.4738
Tara Sugiyama Potashnik +1 202.344.4363