Chanley Howell
Foley & Lardner, LLP
Updated: January 25, 2022
Disclaimer. This summary is intended solely for informational purposes and is not intended to constitute legal advice or to create an attorney-client relationship between Foley & Lardner and any recipient or reader of this summary. This is not intended to be an exhaustive summary of all issues and requirements relating to the topics discussed. If you have any questions about any of these issues you should contact your legal counsel.
Introduction. Using existing technology (referred to herein as a “Technology”), companies are able to obtain email addresses of visitors to websites who have not and do not disclose their email address to the website owner. This Summary discusses some of the legal issues relating to use of this technology.
Topics covered here include:
CAN-SPAM
OPT-OUT AND COMPLYING WITH THE CAN-SPAM ACT
Disclaimer. This summary is intended solely for informational purposes and is not intended to constitute legal advice or to create an attorney-client relationship between Foley & Lardner and any recipient or reader of this summary. If you have questions about complying with the CAN-SPAM Act you should contact your legal counsel.
Section 7704(a)(3)[1] of the Act requires that marketing messages contain an opt-out or unsubscribe mechanism:
* * *
(3) Inclusion of return address or comparable mechanism in commercial electronic mail
Section 7704(a)(4) of the Act states the opt out requirements:
* * *
(4) Prohibition of transmission of commercial electronic mail after objection
* * *
[1] 15 USC § 7704(a)(3)
[2] https://www.ftc.gov/tips-advice/business-center/guidance/can-spam-act-compliance-guide-business
California Privacy Rights Act (CPRA) amending the California Consumer Privacy Act (CCPA)
Disclaimer. These Summaries and FAQs regarding the California Privacy Rights Act (CPRA), amending and renaming the California Consumer Privacy Act (CCPA), are intended solely for informational purposes and are not intended to constitute legal advice or to create an attorney-client relationship between Foley & Lardner and any recipient or reader of this summary. This is not intended to be an exhaustive summary of all requirements of the CPRA. If you have questions about complying with the CPRA, you should contact your legal counsel.
The CPRA, a ballot initiative passed by voters in November 2020, amends the CCPA and renames the CCPA to the CPRA. The CPRA includes additional privacy protections for consumers as discussed below.
FREQUENTLY ASKED QUESTIONS REGARDING THE CALIFORNIA CONSUMER PRIVACY ACT
Updated: March 18, 2021
Disclaimer. These FAQs regarding the California Privacy Rights Act (CPRA), amending and renaming the California Consumer Privacy Act (CCPA), are intended solely for informational purposes and are not intended to constitute legal advice or to create an attorney-client relationship between Foley & Lardner and any recipient or reader of this summary. This is not intended to be an exhaustive summary of all requirements of the CPRA. If you have questions about complying with the CPRA, you should contact your legal counsel.
The CPRA, a ballot initiative passed by voters in November 2020, amends the CCPA and renames the law. Frequently asked questions relating to the CPRA are discussed below.
The CPRA applies to any business (a for-profit legal entity) that collects and sells consumer “personal information”, with a few exemptions discussed below. The law sets a floor in terms of revenue and the number of consumer records being processed for the CPRA to kick in. A company has to meet one or more of the following for the CPRA to apply:
There are few entity exemptions under the CPRA, limited only to:
If you collect personal information from residents of the State of California while they are in California, you are likely doing business in California. Thus, the law would apply to you if your company satisfies any of the applicability triggers discussed above.
The CPRA defines personal information broadly to include information that can identify, relate to, describe, be associated with, or be reasonably capable of being associated with, or could reasonably be linked, directly or indirectly with a particular consumer or household. The CPRA’s private right of action provision relating to data breaches incorporates a narrower definition of personal information (discussed below).
The law identifies a non-exhaustive list of categories of personal information, including:
The definition also pulls in inferences from personal information used to create a profile about a consumer that would reflect the person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. Thus, for example, businesses that leverage artificial intelligence (AI) to help determine consumer preferences or identify preferred job candidates must look more carefully at what personal information they may maintain about their consumers (including employees) for purposes of CPRA.
Personal information does not include de-identified or aggregate consumer information.
Personal information does not include protected health information (PHI) governed by HIPAA or medical information under California’s Medical Information Act (CMIA). Additionally, the CPRA exempts an organization that “maintains patient information in the same manner” as PHI under HIPAA. Thus, to the extent the data involved includes or arguably could include any PHI or medical information under the CMIA.
Employee (including independent contractor) related data is excluded from most provisions of the CPRA until January 1, 2023. Employers do, however, need to provide a brief privacy notice to employees regarding the nature of personal information collected, for what purposes, and a general description of who it is disclosed to (e.g., service providers).
The new rights under the CPRA are similar to many contained in the EU’s General Data Protection Regulation. The CPRA gives California residents the right to request that a business:
Probably; if the law applies to you. The CPRA has added several new substantive elements to the required disclosures that must be included in a privacy notice or policy. In addition to the information that must be included under the existing California laws or provided pursuant to California’s “Shine the Light” law, online privacy policies must include:
A “sale” of personal information under the CPRA is defined broadly to include the “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means” the personal information of a Consumer to another business or third party “for monetary or other valuable consideration.”
This broad definition suggests that if personal information is provided as part of a larger business relationship, a “sale” may have occurred even if no amounts are paid directly for the data itself. In addition, a website may be “selling” personal information by passing such information to third-party ad networks through cookies.
The law provides a non-exhaustive list of examples which would not be considered a sale of personal information:
“Sharing” of personal information under the CPRA is defined broadly to include the “sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged.”
“Cross-context behavioral advertising” means the targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s activity across businesses, distinctly-branded websites, applications, or services, other than the business, distinctly-branded website, application, or service with which the consumer intentionally interacts.
The new definition of “sharing” makes it clear that the disclosure of personal information (including unique identifiers in cookies) for targeted advertising with or without consideration will be subject to the rights of a consumer to opt-out of such a disclosure.
The law provides limited exclusions from “sharing” under the CPRA, including:
Colorado Privacy Act (“CPA”)
Disclaimer. This summary regarding the Colorado Privacy Act (CPA) is intended solely for informational purposes and is not intended to constitute legal advice or to create an attorney-client relationship between Foley & Lardner and any recipient or reader of this summary. This is not intended to be an exhaustive summary of all requirements of the CPA. If you have questions about complying with the CPA, you should contact your legal counsel.
On July 7, 2021, Colorado Governor Jared Polis signed the Colorado Privacy Act (“CPA”) into law. The law is likely subject to significant changes both before and after it goes into effect on July 1, 2023.
The CPA applies to businesses that intentionally target Colorado consumers and that collect and store data on at least 100,000 consumers or earn revenue from selling data of at least 25,000 consumers. Notably absent is any revenue threshold.
Key Takeaways:
• Consumers gain five key rights under the CPA: right of access, right to opt out, right to correct, right to delete, and right to data portability. They also gain a right to appeal.
• Businesses have multiple new obligations including a duty of transparency, duty to avoid secondary use, duty of data minimization, duty of care regarding data security, and a duty to obtain consent before processing a consumer’s sensitive data.
• The CPA is enforced by the attorney general and district attorneys. There is no private right of action.
• The law will take effect July 1, 2023.
• The Colorado Governor has already requested that the legislature amend the CPA, which may significantly alter the law’s obligations and requirements.
Applicability and Exemptions
The CPA as currently enacted applies to any business (a “controller”) that “conducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted to residents of Colorado” and meets one or both of the following thresholds:
The current CPA only applies to information about consumers, which are defined as Colorado residents acting only in an individual or household context. It does not apply to information about individuals acting in a commercial or employment context (including as a job applicant, or as a beneficiary of another individual acting in the employment context). In contrast, both employment and business-to-business information will be subject to California’s CPRA once the temporary exclusions for these types of data expire on January 1, 2023, unless the temporary exclusions are extended or another law is passed to cover this information.
The law applies to a controller’s processing of “personal data,” which the law defines as “information that is linked or reasonably linkable to an identified or an identifiable individual.” However, the definition explicitly excludes de-identified information and publicly available information. The exclusion for “publicly available information” is somewhat broader than that found in laws like the CPRA: it includes not only information lawfully made available from government records, but also information that the controller has a reasonable basis to believe that the consumer has lawfully made available to the general public. This likely includes information posted on social media; however, it is unclear whether information posted on social media to a limited audience will be deemed to be publicly available.
The CPA provides Colorado consumers with the following rights regarding their personal data:
In addition to permitting consumers to exercise their rights, the CPA imposes multiple new affirmative duties on controllers.
Disclaimer. This summary regarding the Consumer Data Protection Act (CDPA) is intended solely for informational purposes and is not intended to constitute legal advice or to create an attorney-client relationship between Foley & Lardner and any recipient or reader of this summary. This is not intended to be an exhaustive summary of all requirements of the CDPA. If you have questions about complying with the CDPA, you should contact your legal counsel.
On March 2, 2021, Virginia’s governor signed the Consumer Data Protection Act (“CDPA”) into law. The CDPA contains elements of both the newly passed California Privacy Rights Act (“CPRA”), which revised the California Consumer Privacy Act of 2018 (“CCPA”), and the European General Data Protection Regulation (“GDPR”). Even businesses that are compliant with the current CCPA and/or GDPR will find that the CDPA differs from those laws in a few nuances that will require a few adjustments to their privacy practices.
CDPA AT-A-GLANCE
Scope of the CDPA
Since a consumer under the CDPA is only a Virginia resident, and there is no broad CCPA-like revenue trigger (businesses must comply with the CCPA if they have over $25 million in revenue per year), the CDPA applies much more narrowly than the CCPA. The practical effect is that fewer smaller and mid-size businesses may be subject to the CDPA; however, certain industries which rely on the sale of personal data will be subject to the CDPA regardless of the size of the entity.
CDPA Consumer Rights
The CDPA provides the following rights to consumers:
New Controller Requirements
New Processor Requirements
Enforcement