As Online Shopping Grows, California Extends the Scope of its Privacy Laws (Again)

2020 has seen the acceleration of existing trends in online retail, with social distancing measures and travel restrictions resulting from the COVID-19 pandemic leading to a marked increase in online shopping. Even in the midst of a challenging economy, the National Retail Federation predicted 2020 holiday sales to increase by 3.6-5.2 percent over 2019, with an expected increase in online and other non-store sales of between 20 and 30 percent.

In light of these trends, retailers must intensify their efforts to identify and market to prospects online, or risk being left behind as shoppers continue to migrate from physical to virtual shopping experiences. At the same time, lawmakers and regulators are taking increasingly assertive steps to protect consumer privacy in the face of sophisticated online marketing tools and tactics, including initiating anti-trust lawsuits against advertising giants Facebook and Google.

California Leads The Way in Privacy Regulations
The state of California continues to be at the vanguard of consumer privacy regulation in the United States. Just last year, the California Consumer Privacy Act (CCPA) took effect, though California’s Attorney General was only authorized to enforce the CCPA since July 1, 2020. At the time of its passage, the CCPA was the most significant piece of consumer privacy legislation in the United States, and companies have devoted considerable resources to building and implementing systems for compliance.

Despite the relative newness of the CCPA, Californians nevertheless voted in November to adopt another consumer privacy law, the California Privacy Rights Act (CPRA). Sellers now must continue their efforts to comply with the CCPA, while preparing for the CPRA, which will take effect on January 1, 2023.

Personal Information Further Protected by CPRA
The CPRA modifies and strengthens the CCPA in a number of significant areas, including a modification and expansion of the consumer rights provided by the CCPA. At present, the CCPA provides California consumers with a right to access personal information a covered business has collected about them in the previous 12 months, a right to request the deletion of their personal information, and a right to opt out of the “sale” of their personal information.

For information collected on or after January 1, 2022, the CPRA will expand consumers’ right-to-know rights beyond the current 12-month lookback period. The CPRA will also provide California consumers with the additional right to correct inaccurate personal information held by a covered business.

In addition, the CPRA adds a new category of “sensitive personal information” subject to heightened protections, including usage limitations and transparency requirements. Sensitive personal information includes social security numbers, and financial information, as well as precise location, and information pertaining to religious beliefs, genetic or health information, and sex life or sexual orientation information. Covered businesses that collect sensitive personal information should ensure that they have put in place security measures appropriate to protect this more highly confidential category of personal information.

CPRA Resolves Cross-Context Behavioral Advertising Debate
One of the most outwardly visible impacts of the CPRA is likely to be the clarification it provides about consumer rights as they relate to cross-context behavioral advertising – targeting advertising to a consumer based on personal information obtained from the consumer’s activity with respect to other activities or businesses.

The CCPA currently requires companies to give consumers a right to opt-out of the “sale” of their personal information. Since the statute’s adoption, however, there has been some debate about whether the common practice of using cookies, scripts and other technology from third party advertising networks to serve personalized advertising to internet users on various websites across the internet constituted a “sale” of personal information subject to a California consumer’s opt-out.

The CPRA resolves that debate by explicitly providing consumers with the right to opt out of the sharing of their personal information for cross-context behavioral advertising.

As a way of implementing this consumer right, many websites have begun to add simple, but functional pop-up menus to their websites, requesting that user consent to the use of different types of cookies, including advertising cookies, and providing the opportunity to opt out of sharing personal information for those purposes. This kind of consent mechanism will become more common, and appears to have the blessing of the California Attorney General, whose office proposed amendments to the CCPA regulations in December 2020, which would establish a standardized icon for websites to use in order to honor consumers’ opt-out rights.

What Should Businesses Be Doing
The CPRA does not take effect until January 1, 2023, but this is no reason for complacency, especially because the CCPA, which the CPRA amends and enhances, is already in effect. At present, businesses should make good use of the two years between now and the effective date of the CPRA by continuing to improve their privacy practices consistent with the CCPA, while laying the groundwork for compliance with the new provisions of the CPRA. Steps businesses should consider include:

  • Review and update privacy disclosures;
  • Provide effective notice of a right to opt–out of sharing of personal
  • information, including for cross–context behavioral advertising;
  • Refine systems for honoring customer data requests, including requests for access to personal information, requests to correct personal information, and requests to delete personal information;
  • Ensure that data security practices and protections are in place, including data incident response planning;
  • Consider cyber liability insurance coverage as part of an overall strategy of preparedness.

About Brann & Isaacson

Founded in the 1920s, Brann & Isaacson is a Maine-based, nationally recognized law firm that represents over 100 online and multichannel companies across the country. Most notably, the firm represented Wayfair in the landmark South Dakota v. Wayfair Supreme Court case. Relevant practice areas include online and multichannel marketing, intellectual property, privacy and data security, and consumer protection. Nat Bessey is a partner whose practice includes advising online and catalog retailers in areas crucial to their business, including state and local tax issues, regulatory compliance, copyright and trademark, and data privacy and security. Nat is also a co–author of “Eyes on eCom Law,” a blog that reports on legal developments of interest to direct marketers and online sellers.