Recent Developments in California Competition and Privacy Law

• Jurisdiction: California,United States
• Author: By Colleen E. Huschke
• Publication year: 2021
• Citation: Vol. 31 No. 1

RECENT DEVELOPMENTS IN CALIFORNIA COMPETITION AND PRIVACY LAW

By Colleen E. Huschke¹

I. COVID-19 INSPIRED LEGISLATION

A. California Clarifies Price Gouging Prohibitions

1. Price—Gouging-Penal Code § 396

Effective January 1, 2021, California Penal Code section 396 will now clearly apply in pandemic emergencies and to online and in person sales, in addition to traditional retail sales (both clarifications of existing law). The amended statute now also explicitly covers new sellers into the market and places a limit on the amount the seller may charge (50% above cost). Penal Code section 396 maintains the pricing restraints how much a previous seller of specified goods and services may raise their prices.

II. CALIFORNIA PRIVACY LAWS

A. California Enacts Comprehensive Consumer Privacy Law

1. California Consumer Privacy Act of 2018, Civ. Code, § 1798.100 Et Seq.

In 2018, in response to the worldwide consumer privacy movement represented by the European Union's General Data Protection Regulation (GDPR)² and to public demand for additional California privacy protections in the Internet Age, the state legislature passed and Governor Jerry Brown signed AB 375 (Chau), the California Consumer Privacy Act of 2018 (CCPA).³

Effective January 1, 2020, the CCPA provides comprehensive codification of consumer privacy rights and establishes remedies for violations of those rights.

Legislative intent. In its statement of intent, the California legislature described the purpose of the CCPA as "giving consumers an effective way to control their personal information by ensuring the following rights:

1. The right of Californians to know what personal information is being collected about them.
2. The right of Californians to know whether their personal information is sold or disclosed and to whom.
3. The right of Californians to say no to the sale of personal information.
4. The right of Californians to access their personal information.
5. The right of Californians to equal service and price, even if they exercise their privacy rights."⁴

[Page 1]

Definition of personal data. The CCPA defines personal information as information that "identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."⁵ This includes identifiers such as a "real name, alias, postal address, unique personal identifier, online identifier Internet Protocol address, email address, account name, social security number, driver's license number, passport number, or other similar identifiers."⁶

The CCPA provides examples of covered "personal information," including protected classifications under federal or state law, commercial information, biometric information, Internet activity, geolocation data, audio-visual information, professional or employment information, education information, and similar information used to draw a profile about a consumer.⁷

However, the CCPA specifies that "publicly available information" is not included in this definition, which category includes, among other exceptions, information lawfully available from government records and consumer information that is "deidentified or aggregate consumer information."⁸ In this regard, the CCPA definition differs from that of the GDPR, as the CCPA extends its definition to include households, while the GDPR classifies applicable personal consumer information as individual only.

Applicability. The CCPA applies to any "business," including any for-profit entity that collects consumers' personal data, does business in California, and satisfies at least one of the following thresholds: (1) has annual gross revenues in excess of $25 million; (2) possesses the personal information of 50,000 or more consumers, households, or devices; or (3) earns more than half of its annual revenue from selling consumers' personal information.⁹

Obligations of businesses. The CCPA provides a number of obligations for businesses that collect the personal information of consumers, including requirements to: (1) implement processes to obtain parental or guardian consent for minors under 13 years and the affirmative consent of minors between 13 and 16 years to data sharing for purposes;¹⁰ (2) provide a "Right to Say No to Sale of Personal Information" and provide guidance on methods to opt out of the sale of that information via "reasonably accessible" means, such as links on business websites;¹¹ (3) designate methods for submitting access requests including toll-free telephone numbers;¹² (4) update privacy policies with new information, including a description of California residents' rights;¹³ and (5) implement procedures to avoid requesting opt-in consent for 12 months after a California resident opts out.¹⁴

[Page 2]

Private remedies and public sanctions. Private remedies and public law enforcement sanctions are provided by the CCPA. Where notified businesses fail to cure violations within 30 days, the CCPA authorizes statutory damages in private civil actions for the data breach violations of $100 and $750 per California resident and per incident, or actual damages, whichever is greater, and any other relief a court deems proper, subject to the option of the California Attorney General's Office to supersede the private actions and prosecute civil law enforcement actions against the violations.¹⁵

Where notified businesses fail to cure violations within 30 days, the CCPA authorizes civil penalties recoverable in actions in the name of the People of the State of California by the Attorney General under the Unfair Competition Law of up to $2,500 per violation, and under the CCPA of up to $7,500 per violation for intentional violations.¹⁶

B. California Attorney General Issues CCPA Regulations

1. California Consumer Privacy Act Regulations, 20 CCR § 999.300 Et Seq.

Civil Code section 1798.185 requires the Attorney General to adopt regulations addressing ten separate subject areas, including: updating the relevant categories of "personal information;" updating the definition of unique information identifiers; establishing exceptions needed to conform CCPA to federal or state law; establishing procedures for consumers to opt out of sales of personal information; adjusting the monetary thresholds for the CCPA definition of relevant "businesses;" and establishing rules and procedures for the required CCPA notices, financial incentive offerings, obtaining of the consumer's own information, and verification of consumer requests, among other topics.

On October 11, 2019, the California Attorney General's Office released its highly anticipated proposed regulations interpreting important aspects of the California Consumer Privacy Act, as required by the Act.¹⁷ Designated the "California Consumer Privacy Act Regulations," these new interpretations of the CCPA are codified at 20 CCR § 999.300 et seq. of the California Code of Regulations. On February 10, 2020 and March 11, 2020 certain modifications were proposed and revision made.

[Page 3]

On August 14, 2020, California's Office of Administrative Law approved the final version of the implementing regulations. Recently, on October 12, 2020 the Department of Justice proposed a third set of modifications with a public comment period open until October 28, 2020. The third set of proposed modifications to the regulations focuses on the Notice of the Right to Opt-Out of Sale of Personal Information;¹⁸ Requests to Opt-Out;¹⁹ Authorized Agent²⁰ and Notices to Consumers Under 16 Years of Age.²¹

III. CREATION OF THE CALIFORNIA DEPARTMENT OF FINANCIAL PROTECTION AND INNOVATION

A. California Consumer Financial Protection Law (CCFPL), Fin. Code § 90000 Et Seq.

On September 25, 2020 Governor Newsom signed AB 1864 enacting the California Consumer Financial Protection Law (CCFPL). The CCFPL shall be effective January 1, 2021. Below is an overview, not an exhaustive analysis, of the new law.

The newly enacted law renames the Department of Business Oversight (DBO), the Department of Financial Protection and Innovation (DFPI).

Legislative Intent. The purpose of the California Consumer Financial Protection Law shall be to promote consumer welfare, fair competition, and wealth creation in this state by doing all of the following:

1. Promoting nondiscriminatory access to responsible, affordable credit on terms that reasonably reflect consumers' ability to repay.
2. Promoting nondiscriminatory access to consumer financial products and services that are understandable and not unfair, deceptive, or abusive.
3. Protecting consumers from discrimination and unfair, deceptive, and abusive acts and practices in connection with financial practices and services.
4. Promoting nondiscriminatory consumer-protective innovation in consumer financial products and services.²²

Scope. The DFPI is modeled on the federal Consumer Financial Protection Bureau (CFPB) and the CCFPL is based, in part, on the federal Dodd-Frank Act Title X. The DFPI has broad jurisdiction over the financial services industry to protect consumers from "unlawful, unfair, deceptive, or abusive" acts.²³ The definition of "unfair" and "deceptive" acts is to be interpreted consistent with Business and Professions Code section 17200 and case law thereunder,²⁴ whereas "abusive" is to be interpreted consistent with Title X of the Dodd-Frank Act.²⁵ While the CCPL defines "covered person" broadly²⁶ there are important exemptions to coverage, including banks.²⁷ The CCFPL contemplates the issuance of rules regarding registration requirements for covered persons.²⁸ The CFCPL also contains a complaint response obligation by covered persons.²⁹

[Page 4]

In addition, the DFPI will establish a Financial Technology Innovation Office to investigate and report on markets for consumer financial products and services, to conduct outreach and educational programs for underserved communities and to implement initiatives to promote innovation.³⁰

Enforcement. The DFPI has broad power to bring administrative actions, or civil actions in...