• CCPA Reality Check: 10 Key Questions to Evaluate Compliance

    With the CCPA (California Consumer Privacy Act) in effect as of January 1, but regulations still being revised and finalized, businesses are struggling to know what they need to do now to comply. If your business has not yet taken steps to comply with the CCPA or is still uncertain about the precise steps to take, now is the time.  We raise and respond to 10 questions below that every business should be asking itself to assess its current status and next steps for CCPA compliance.

    1. Is My Business Subject To The CCPA?

    The relevant factors for determining whether a business is subject to the CCPA have remained the same despite the shifting draft regulations.  Namely, if: (1) you are a company (excluding non-profit and government entities) that (2) collects personal information – or on whose behalf such information is collected – that alone or jointly determines the purposes and means of processing that information, and (3) you do business in the State of California, then you are subject to the CCPA if: (a) you have gross annual revenue (not limited to CA) of more than $25 million; or (b) you collect the personal information of 50,000 or more California residents, households or devices annually; or (c) 50% or more of your annual revenues are derived from selling consumers’ personal information.

    Whether you are “doing business” in California is somewhat ambiguous, but will likely be determined by factors indicating intentional, repeated economic activity in the state (i.e., not an unintended or isolated transaction).  A physical presence in the state is not necessary, as repeated transactions remotely or online will likely suffice, as could soliciting or advertising to California consumers.  Moreover, the 50,000-consumer/device/household threshold may capture a significant number of businesses since IP addresses, geolocation information, or other internet-collected information is defined as personal information under the statute.  Although the new draft regulations state that IP addresses that cannot reasonably be linked to a consumer or household would not constitute personal information, it remains somewhat unclear under what circumstances information such as IP addresses can or cannot be reasonably linked or associated with a specific consumer or household in light of, or in combination with, other available information.

    2. Is My Privacy Policy Sufficient?

    The old days of privacy policies that merely provide general and broad descriptions of data collection and use practices, or that limit disclosures to online or website data collection practices only, are over.  Under the CCPA, businesses that collect personal information from consumers must have a privacy policy that provides a comprehensive description of the business’s online and offline practices regarding the collection, use, disclosure, and sale of personal information and the rights of consumers regarding their personal information.  Specifically, businesses must disclose how the business collects and discloses certain categories of personal information with enough detail to provide consumers with a “meaningful understanding.”  This means that privacy policies must explicitly list categories of information collected in the past 12 months, and third parties to which the information has been sold or disclosed in the past 12 months, with requisite specificity (e.g., advertising networks, data analytics providers, social networks, data brokers, etc.).

    Privacy policies must also describe the various consumer rights under the CCPA, including the right to request to know what information has been collected, the right to request deletion of information collected, and the right to opt-out of sale of personal information, as well as providing instructions on how consumers can submit requests and describing the process for verifying consumers’ identities in connection with such requests.  Businesses must also include a consumer’s right to not be discriminated against for exercising rights under the CCPA, provide information regarding requests made by authorized agents, and include contact information for the business and the date the privacy policy was last updated.

    Privacy policies should be posted through a conspicuous link using the word “Privacy” on the business’s website homepage and in the settings menu of a mobile application.  Privacy policies also need to be easy to read and understand, capable of being printed, and accessible to consumers with disabilities, including by following Web Content Accessibility Guidelines, version 2.1 from the World Wide Web Consortium.

    3. What Other Notices Or Disclosures Are Required Under the CCPA? 

    Beyond the privacy policy, businesses must provide a “Notice At Collection” via a conspicuous link on the website homepage, a just-in-time notice or link on the mobile application download page or settings menu, or a notice given by telephone or printed forms, depending on the way your consumers primarily interact with your business.  The Notice At Collection should detail the categories of personal information collected by the business and the business or commercial purposes for which the information will be used with enough specificity to provide consumers with a “meaningful understanding.”  The Notice a Collection should also include a “Do Not Sell My Info” link if the business is selling data, as well as a link to the business’s main privacy policy.

    4. How Do I Know If I’m “Selling” Personal Information Under The CCPA? 

    By now, you probably know that “selling” personal information as defined in the CCPA encompasses more than simply selling personal data to third parties in exchange for money.  “Selling” under the CCPA is defined as any disclosure of personal information for valuable (not necessarily monetary) consideration and may encompass disclosures of personal information to service providers, use of data analytics tools, or other disclosures in the course of business relationships.  Mapping the data collection and sharing practices of your business is essential, and if you are disclosing data to a third party for any reason, you should consider whether it might constitute a sale and whether you need to disclose that sale and offer an opt-out right or whether you can avoid the disclosure being deemed a sale by entering into a written contract that restricts the further use of the information.

    5. Do I Have To Update My Vendor/Service Provider Contracts?

    The primary way to avoid the disclosure of personal information to a third-party service provider being deemed a “sale” under the CCPA is to enter into a written contract, certified by the service provider, that restricts the further use or disclosure of that data by the service provider for purposes other than providing your business with the relevant services.  All businesses covered by the CCPA should consider revising their vendor and service provider agreements to include restrictions and prohibitions on the service providers’ use or sale of personal information disclosed to them other than to provide services to the business.  The new draft regulations clarify that service providers may use information disclosed to them for internal use to build or improve the quality of their services, detect data security incidents and fraud or illegal activity, or to retain and employ other service providers as subcontractors if they meet the requirements, without the disclosure being deemed a “sale.”

    6. What Methods Must Be Offered For Submission Of Consumer Requests? 

    Most businesses must provide two or more methods for submitting consumer requests, including a toll-free number (mandatory for requests to know), an online interactive form (mandatory for requests to opt-out of sale), a designated email address, a form submitted through mail, or, where interaction is primarily in-person, a printed form or a computer portal.   Requests to opt-out of sale should require minimal steps and be easy for consumers to execute.  Note that businesses that operate “exclusively online” and have a direct relationship with their consumers need only provide an email address for submission of requests to know.  More than two methods of submission for consumer requests may be advisable, and businesses should consider the way they primarily interact with consumers when determining what methods to offer.

    Businesses will also need to provide a separate Notice to Opt-Out of Sale Of Personal Information if they are selling personal information, and/or a Notice of Financial Incentive if they are offering financial incentives to consumers to retain, disclose or sell their data.  These notices would typically be given via a link on the website homepage or mobile download page.  All notices should be easy to read and understand and accessible to persons with disabilities.

    7. How Much Time Do I Have to Respond To Consumer Requests?

    Businesses have 10 business days to acknowledge receipt of requests to know/delete and 45 calendar days to respond substantively to those requests (with an additional extension of 45 calendar days in some cases).  By contrast, businesses have only 15 business days to process and comply with requests to opt-out of the sale of information.  The new draft regulations excuse businesses from notifying all third parties to whom they have previously sold data about a consumer’s opt-out request, but businesses must still notify any third party to whom the business sells the consumer’s data after receiving the opt-out request (but before complying with request) and instruct that third party not to sell that consumer’s information.

    8. What Processes or Procedures Are Necessary Or Sufficient To Verify Consumer Identities?

    The guidance for how to verify consumer identities remains somewhat ambiguous.  In general, businesses are instructed to tailor a consumer identity verification process to the sensitivity and risk of the personal information at issue.  The regulations provide that no business should disclose certain sensitive categories of personal information (i.e., the data breach categories mentioned in No. 10 below) in response to a consumer request.  But aside from a couple of clear rules, the verification process is largely left to the business.  Businesses with password-protected accounts for their users are fortunate because they can use such accounts to verify identities by having consumers re-enter their credentials for the account.  Businesses without such accounts for their users, however, must match either 2 or 3 pieces of personal information maintained by the business with information provided by the consumer and, in some cases, require the consumer to provide a signed affidavit under penalty of perjury that they are the consumer who is the subject of the data request.  Because businesses are discouraged from collecting additional information in order to verify identities, but must also ensure that the process is sufficiently stringent for the data involved, businesses will need to determine what pieces of personal information can be used to sufficiently and accurately identify consumers.  For businesses that maintain customer purchase information, the regulations suggest that verifying the consumer’s identity might involve requiring the consumer to identify items recently purchased or dollar amounts of recent purchases.  In any event, the regulations require that a business deny requests to know specific pieces of personal information if the business cannot verify the identity of the requestor to the required level of certainty.  However, businesses that have no sufficient method to verify identities of consumer requestors may be subject to greater regulatory scrutiny.

    9. What Is Required For Employee Data? 

    An October 2019 amendment to the CCPA provided for a one-year exemption to employee or job applicant data (used only in the employment or application context) from full coverage of the CCPA.  This means that employees cannot make consumer requests to know or delete to their employers regarding their personal information collected as part of their employment.  Businesses are still required to provide employees and job applicants with notice regarding the collection, use, and disclosure of their personal information, however, and employees will still be able to bring a private right of action in the event of a data breach.

    10. What Are Reasonable Security Procedures And Practices?

    One of the most dreaded aspects of the CCPA for businesses is the private right of action, with statutory damages, arising from the unauthorized access to (i.e., breach of) certain sensitive categories of personal information (e.g., driver’s license, social security number, account number in combination with security code or password, medical or health insurance information, automated license plate recognition data, email address in combination with password or security question, or biometric data).  As a preliminary matter, the private right of action is limited to unauthorized access to this data in nonencrypted and nonredacted form, so businesses should store all such data in encrypted or redacted form.  Additionally, businesses should review their security practices and procedures for consistency with industry standards for security, including the Center for Internet Security (CIS) Top 20 Controls, the International Organization for Standardization (ISO) 27001 standards, and the National Institute of Standards and Technology (NIST) framework, among others.  While the CCPA does not identify a single standard as sufficient to be reasonable, following industry-standard guidelines for security is a safe bet.

    Summary

    This list is not intended to be comprehensive of all legal requirements and obligations under the statute and regulations.  For example, there are various statutory and subject matter exemptions to the statute (e.g., exemptions for certain personal health and financial information governed by other statutes and exceptions to the requirement to delete consumer data when needed for specified business purposes).  Additionally, there are special rules applicable to personal information of minors and to businesses that collect personal information of more than 10 million consumers annually or that offer financial incentives to allow them to use, retain, or sell consumer information.  You should consult legal counsel regarding compliance requirements for your specific business and practices.  However, the questions set forth above address many of the basic compliance questions companies may have about the CCPA as its enforcement data approaches.

    For further information, contact Coblentz Cybersecurity & Data Privacy attorney Scott Hall (shall@coblentzlaw.com). You can also review additional CCPA articles and resources in our CCPA Resource Center.

    Posted on: February 27, 2020 Tags: Categories: Publications

  • Attorney General Releases Modified CCPA Draft Regulations: Key Changes Your Business Should Know

    On Friday, February 7, and Monday, February 10, 2020, the California Attorney General released proposed modified regulations in connection with the California Consumer Privacy Act (“CCPA”). The modified regulations provide businesses with some clarity, and arguable relief, from certain of the prior onerous regulatory obligations. Despite the modifications, however, there is still ambiguity about many aspects of the regulations, and the CCPA remains the most stringent privacy compliance law in effect in any state in the United States.

    Below is a short summary of some of the more prominent changes to selected provisions of the regulations that may have an immediate effect on businesses. This summary is not meant to be an exhaustive list of the proposed modifications. These regulations are not final regulations, and additional changes may be made in the next few months as they are finalized. The deadline to submit written comments to the proposed modifications is February 25, 2020.

    Changes to Definitions

    Personal Information” – Whether or not information collected by businesses is personal information now depends on how the business maintains the information. If the business maintains information in a manner that “identifies, relates to, describes, or is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household,” the information is “personal information.” So, according to the regulations, if a business only collects IP addresses of visitors to its website but does not link or could not link the IP address to a particular consumer or household, the IP address would not be “personal information.”

    This new definition tries to narrow the scope of “personal information” but remains ambiguous as to what information “could be” linked to a consumer or household. For example, collection of data through automated technology such as cookies, pixels, and web beacons is arguably anonymous and not linked to a consumer at the time of collection, but this data, when combined with enough other data points, could be reasonably linked to a particular consumer or household. For instance, if a consumer is logged into Facebook and browsing a website with the Facebook analytics tool called Facebook pixel in the same session, information collected on the website (including IP address, click patterns, etc.) may be attributed to the consumer’s Facebook profile.  In this scenario, the collected data would presumably be “personal data.” Businesses will have to continue to analyze the types and amount of data they collect and how such data is used to determine if linkage to a consumer or household could reasonably be accomplished.

    Categories of “Sources” and “Third Parties” – Businesses are now required to describe how the business collects personal information about consumers, and who it discloses the information to, with enough particularity to provide consumers with a “meaningful understanding.” Simply stating that the business collects information from or discloses information to “third parties” will not suffice. Businesses will have to explicitly list sources of the collected personal information and the types of third parties it shares that information with, such as advertising networks, internet service providers, data analytics providers, operating systems and platforms, social networks, government entities, and data brokers.

    Household” – Household means a person or group of people who: 1) reside at the same address; 2) share a common device or the same service provided by a business; and 3) are identified by the business as sharing the same group account or unique identifier.

    Signed” – The definition of “signed” means written attestation, declaration, or permission that is physically or electronically signed.

    Changes to Consumer Rights and Requests Under the CCPA

    Requests to Delete” – The two-step process to confirm that a consumer wishes to delete his or her information is no longer required and is merely optional.

    Methods to Submit Request to Know and Requests to Delete” – Exclusively online businesses that have a direct relationship with consumers from whom they collect personal information only need to provide an email address for submitting requests to know. All other businesses must provide two methods, including a mandatory 1-800 number. For requests to delete, all businesses are still required to designate two or more acceptable methods. An interactive webform is an acceptable option but is no longer required for any consumer request.

    Businesses that primarily interact with consumers in person should provide in-person methods such as printed forms that can be mailed, a tablet or computer portal for an online form, or a toll-free number to submit requests to know and delete.

    Right to Opt-Out” – If a business does not have proper notice of right to opt-out posted, it cannot sell personal information collected during that time unless it obtained affirmative authorization from the consumer.

    Request to Opt-Out” – A request to opt-out may now be made via global privacy controls or device settings. Any privacy control developed must clearly communicate or signal that a consumer intends to opt-out, so a pre-selected setting will not suffice. Consumers must affirmatively select their choice to opt-out. In case of a conflict with a consumer’s existing business-specific privacy setting or participation in a financial incentive program, the business shall respect the global privacy control but may notify the consumer of the conflict and give the consumer the choice to confirm the business-specific privacy setting or participation in the financial incentive program. Similarly, if a consumer initiates a transaction or attempts to use a product or service that requires the sale of information, a business can inform the consumer that the action requires the sale of personal information and provide instructions on how the consumer can opt-in.

    Opt-Out Button” – If a business chooses to include the optional opt-out button, it must appear to the left of the “Do Not Sell My Personal Information” link, be approximately the same size as other buttons on the webpage, and explicitly look like this:

     

     

    An example of a compliant opt-out button looks like:

     

     

    Methods to Submit Requests to Opt-Out” – Businesses should make Requests to Opt-Out easy for consumers and require minimal steps. Businesses cannot use a method that is designed with the purpose or substantial effect of subverting or impairing a consumer’s decision to opt-out.

    Time limits to Respond to Requests to Know and Requests to Delete and Opt-Out of Sale” – Businesses have some extra time to confirm receipt of consumer requests. Businesses must confirm receipt within 10 business days and can do so in the same manner in which the request was received. Similarly, businesses must now comply with a request to opt-out within 15 business days. The time to respond to requests to Know and Requests to Delete remains 45 calendar days from receipt of the request.

    Responding to Requests to Know” – A business does not need to search for personal information if: 1) it does not maintain the personal information in a searchable or reasonably accessible format; 2) it maintains the personal information only for legal or compliance purposes; 3) it does not sell information and does not use it for any commercial purpose; and 4) it describes to the consumer the categories of records that may contain personal information that it did not search because it met the above conditions. Note that all four of the above conditions must be met for the exception to apply.

    Responding to Requests to Delete” – Businesses no longer need to treat all requests to Delete as Requests to Opt-Out of Sale. However, if a business sells personal information and a consumer has made a request to delete, but not a request to opt-out, the business must ask the consumer if they would like to opt-out of sale of their personal information and will include a link to the right to opt-out or the contents of the notice of right to opt-out.

    Complying with a Request to Opt-Out” – Businesses that sell personal information no longer need to contact third parties to whom they sold a consumer’s personal information within 90 days prior to the business’s receipt of the consumer request. Instead, businesses now only need to notify those third parties that it sold personal information to after the consumer submitted the request but before the business complied with that request. Businesses must direct those third parties to not sell that consumer’s information.

    Notice Requirements

    Notice At Collection – For businesses that collect information online, the Notice at Collection may be given by a conspicuous link to the notice that must be posted on the introductory website page and on all webpages where personal information is collected.  Businesses that collect information by telephone or in-person can provide the notice orally. For mobile users, a link to the notice must be provided on the download page and within the application such as within the settings menu. Mobile devices also require a “just-in-time” notice containing a summary of the categories of personal information being collected and a link to the full notice if the personal information collected is for a purpose that the consumer would not reasonably expect.

    Notice of Right to Opt-Out of Sale of Personal Information – A business must explain the opt-out right and state whether or not it sells personal information. If it sells personal information, it must provide a link to the Notice of Opt-Out Right.

    Notice of Financial Incentive – If a business does not offer a financial incentive or price difference related to disclosure, deletion, or sale of personal information, it does not have to provide notice of financial information. For businesses that do offer financial incentives, the business must explain to the consumer the material terms of the incentive the business is offering to allow the consumer to make an informed decision on whether to participate, and the notice must be readily available where consumers will encounter it before opting into the offered financial incentive. The notice must now include a description of the value of the consumer data.

    Non-Discrimination Business Practices and Requests to Delete or Opt-out” – Businesses must ensure that any financial incentive they offer is reasonably related to the value of the consumer data or the price difference would be considered discriminatory. If a business cannot calculate in good faith the value of consumer data or show that the financial incentive is reasonably related to the value of the consumer data, it shall not offer the financial incentive. To calculate the value of the data, a business can consider the value to all natural persons, not just consumers.

    Businesses can deny a consumer’s request to delete information if the information is necessary to the business’s financial offering and is reasonably anticipated within the context of the business relationship between the parties. For example, if a business offers a loyalty program whereby consumers receive a $5 coupon via email for every $100 spent and a consumer submits a request to delete information and informs that business he or she wants to continue participating in the loyalty program, assuming the $5 is worth the value of the consumer data collected, the business may deny the request to delete the email address and amount spent by the consumer. This information is necessary and is reasonably anticipated within the context of the business relationship between the parties. This practice would not be considered discriminatory.  However, if the business were offering discounts to consumers through a browser pop-up window while the consumer uses the website and the consumer were to submit a request to delete the email address on file, the business cannot deny the request because the email address is not necessary or reasonably aligned with the expectations of the consumer based on the parties’ business relationship. This practice would be discriminatory.

    Privacy Policy – The privacy policy does not need to disclose the commercial purpose for which each category of information was collected. Rather, the privacy policy must only identify the categories of personal information collected in the preceding 12 months and identify the categories of personal information disclosed or sold to third parties in the preceding 12 months and, for each category of personal information sold or disclosed, provide the categories of third parties to whom the information was sold or disclosed.

    The modified regulations also clarify that the privacy policy need only describe the consumer request verification process “generally.”

    Purpose of Information Collected – Businesses cannot use a consumer’s personal information for any purpose materially different than those disclosed in the notice of collection. The addition of the terms “materially different” will limit the situations in which a business must provide notice and seek explicit consent when it has departed from using the information as previously disclosed.

    Reasonable Accessibility to Consumers with Disabilities – Online notices must follow industry standards such as the Web Content Accessibility Guidelines, version 2.1 from the World Wide Consortium. These Guidelines provide accessibility guidance for consumers with cognitive or learning disabilities, low vision, and disabilities on mobile devices.

    Collection of Employment-related Information – A business collecting employment-related information does not need to include a “Do Not Sell My Info” link, and may include a link to a business’s privacy policy for job applicants, employees or contractors in lieu of a link to the privacy policy for consumers.

    Other Requirements

    Personal Information Collected By Data Brokers – Businesses that buy information from data brokers registered with the State of California no longer need to perform due diligence about whether the business provided appropriate notice to the consumer and obtain signed attestations from the broker about how notice was given to consumers and request an example of the notice.

    Service Providers – A business that collects information on behalf of another business may still fall under the “service provider” exemption of the CCPA if it uses the personal information collected for internal use to build or improve the quality of services provided that the use does not include building or modifying household or consumer profiles, or cleaning or augmenting data acquired from another source.

    This provides much-needed relief for service providers especially in the cloud industry, that rely on access to such data to improve their services and product offerings. Service providers can also use personal information to retain and employ another service provider as a subcontractor (if the subcontractor meets the service provider requirements under the CCPA), as well as to detect data security incidents, protect against fraudulent or illegal activity, or to perform the services specified in the contract. However, Service Providers cannot sell data on behalf of a business when a consumer has opted out of the sale of their personal information with the business.

    Service providers also no longer have the burden to respond to a consumer request to know or delete.  Service providers can choose to do so on behalf of the business, or they can inform the consumer that the request cannot be completed because it was sent to the service provider.

    Authorized Agent – A business’s privacy policy must now provide instructions on how an authorized agent can make requests under the CCPA (as opposed to instructing consumers how they can appoint an authorized agent, as required under the previous version of the regulations). Request to opt-out made by an authorized agent on behalf of a consumer must provide the authorized agent with written permission signed by the consumer. A business can also request the customer to directly confirm with the business that they provided the authorized agent permission to submit the request. An authorized agent now has the burden to implement and maintain reasonable security procedures and practices to protect consumer information and cannot use a consumer’s information for any purposes other than to fulfill the request, verification or fraud prevention.

    Security – Businesses must implement and maintain reasonable security procedures and practices in maintaining records of consumer requests and how the business responded to such requests for at least 24 months. Such information shall only be maintained for record-keeping purposes except to review and modify the business’s compliance procedures. This information cannot be shared with any third party.

    Identity Verification – A business may not require a consumer to pay a fee for the verification of the consumer’s request to know or delete. For example, a business may not require a consumer to submit a notarized affidavit to verify their identity unless the business compensates the consumer for the cost of notarization. If a business has no reasonable method by which it can verify the identity of a consumer, the business shall explain why it has no reasonable verification method in its privacy policy. The business must also evaluate and document on a yearly basis whether a reasonable method can be established.

    If a business maintains personal information in a manner that is not associated with a named actual person, it may verify the request by asking the consumer to provide information that only the person associated with the information would know, including, if information is collected from a mobile application, requiring that the consumer respond to a notification sent to their device.

    Consumer Metrics – Businesses that buy, receive, sell or disclose for a commercial purpose the personal information of over 10 million consumers in a calendar year must compile and disclose certain metrics regarding consumer requests in their privacy policies. This more than doubles the 4 million-consumer threshold triggering the metrics requirement under the previous version of the regulations.

    Conclusion

    Overall, the regulations provide some clarification and relief in terms of notice requirements, use of service providers, and submission of consumer requests. However, the modified regulations do not address many of the ambiguities regarding when sharing of personal information among businesses in the analytics or digital advertising context will be deemed a “sale” under the statute, nor has further guidance been provided regarding a uniform and sufficient process by which all businesses can securely and efficiently verify the identity of individuals making consumer requests. Although we may see some final tweaks before the July enforcement of the CCPA, businesses will likely have to continue to do the best they can to comply based on the current guidance.

    For further information on how the modified regulations or the CCPA impacts your business, contact Cybersecurity & Data Privacy attorney Scott Hall at shall@coblentzlaw.com.

    Posted on: February 10, 2020 Tags: Categories: Publications

  • SF’s Proposition E Links Office Allocation to Housing Production

    On March 3, San Francisco voters will consider Proposition E (“San Francisco Balanced Development Act”)[1], which links the City’s “Proposition M” office allocation scheme, originally approved by voters in 1986, to affordable housing production. Proposition M currently limits the amount of office space that the City may approve annually, with 875,000 square feet added to the allocation for large office projects (50,000 square feet or more) each year in October. When a large office project is approved, its square footage is deducted from the available allocation. The Planning Department’s most recent Proposition M report identifies 786,993 square feet of large project office allocation available, as compared to a large office entitlements pipeline of over 6 million square feet, plus additional demand from other projects that were approved with allocation priority. Proposition E would change both the method for calculating how much annual office square footage is available and how that space is allocated.

    California state law requires that cities and counties plan for housing needs at varying income levels through a Regional Housing Needs Allocation (RHNA) process. As part of the RHNA, the State determines the total amount of new housing that is needed by income level and assigns a share of that need to each local entity. Proposition E would tie Proposition M’s annual limit on large office projects to the City’s affordable housing production—if the City falls short in meeting its combined affordable housing goals for the very low, low and moderate income categories, then the available annual allocation would go down by the same percentage as the RHNA shortfall. The 2015-2023 RHNA eight-year need allocation in the specified categories is 16,333 units, or 2,042 units per year. If the City produced, for example, about 1,021 qualifying units in a given year, then the Proposition M allocation for the coming year would be reduced by 50% to 437,500 square feet. The October 2020 allocation would be reduced to reflect the entire 2015-2019 RHNA shortfall (total qualifying units produced during the period calculated against a need of 10,210 units), and thereafter the allocation would be adjusted annually.

    The Planning Commission would have the authority to grant two new exceptions from the large office limit. The first is for projects subject to a development agreement that includes affordable housing, either on-site or off-site within a designated economically disadvantaged community, at a ratio of at least 809 units per 1 million square feet of new office space. The second is for large office projects in Central SoMa (defined as the boundaries of the Central SoMa Special Use District in Planning Code Section 249.78) for which a Preliminary Project Application was submitted before September 11, 2019, where the project includes qualifying space as follows: SoMa property to be conveyed to the City for affordable housing, a space of at least 10,000 square feet for community arts or neighborhood-serving retail at reduced rents, or a public safety facility. The Central SoMa exception would be limited to a total of 1.7 million square feet, and until 15,000 new housing units are produced (approved and first construction document issued) in the broader SoMa neighborhood, it could only be granted if the project would not cause the total amount of large office projects approved in Central SoMa after January 1, 2019 to exceed 6 million square feet. Office space approved using these exceptions could cause the allocation to effectively “go negative” and would be deducted from any available allocation evenly over the 10-year period following approval of each exempted project.

    Finally, Proposition E would revise the criteria for evaluating office development projects to delete references to General Plan objectives, policies, and design quality, and add provisions regarding affordable housing (for projects subject to a development agreement) and other specified community improvements.

    On January 27, the City’s Chief Economist published a report concluding that if past economic trends continue, Proposition E will put upward pressure on office rents, reduce employment, and result in less funding for affordable housing through the Jobs-Housing Linkage Fee.

    Proposition E’s proponents dispute the Chief Economist’s report. They assert that creating a link between office development and affordable housing may incentivize affordable housing production, and that in any event, slowing the pace of office development will help to reduce pressure on housing supply and home prices. Proposition E’s critics believe that the measure will adversely impact job creation and business retention and that the City’s path to reducing housing costs must focus on dramatically increasing housing production.

    [1] In December, Mayor Breed withdrew a competing ballot proposal that would have added converted office space back to annual space allocations, prioritized office space that also provides sites for affordable housing or other specified community benefits, and increased the square footage threshold for small office projects.

  • SB 50 Defeated in State Senate

    SB 50, Senator Scott Wiener’s bill to boost housing production near transit and job centers, has been defeated. The bill fell three votes short on Wednesday, and Wiener was unsuccessful in his reconsideration request today.

    The bill was stalled in the Senate last May when the Chair of the Appropriations Committee deferred action on the bill until 2020. On January 24, Senate President Pro Tempore Toni Atkins moved it to the Rules Committee, which she chairs, and Senator Wiener introduced amendments designed to address certain concerns regarding local control and potential impacts on low-income residents. The amendments included a “local flexibility plan” that would allow local agencies to create alternative housing plans that are designed to produce the same number of units as SB 50 compliance would. The amendments also added a neighborhood preference for 40% of new low, very low and extremely low income units developed under SB 50.

    Both Governor Newsom and Senator Atkins have indicated that regardless of the fate of SB 50, some form of legislation to increase housing production will be passed this year.

  • Major Increase to Jobs Housing Linkage Fee Takes Effect

    Effective December 16, costs for many office and laboratory projects in San Francisco are now higher. As we previously reported, the Board of Supervisors unanimously approved the more than doubling of the Citywide Jobs Housing Linkage Fee (JHLF) for such projects in November. The Mayor declined to veto the ordinance but instead returned it unsigned, expressing concern in an accompanying letter that the JHLF increase “must be done in a way that takes into account economic analysis, financial feasibility, and the different impacts experienced by our small businesses.” See our November and September blog posts for more information about the JHLF increase and the related nexus analysis and feasibility assessment.

  • SB 330 Seeks to Speed Up Housing Production

    The Housing Crisis Act of 2019 (Senate Bill No. 330; Senator Skinner) goes into effect on January 1, 2020 and expires on January 1, 2025. It aims to address the statewide housing crisis by limiting the number of public hearings for new housing developments and reducing the timeline for permit review, placing limits on permit processing, limiting fees and exactions, and making it more difficult for local jurisdictions to deny or modify housing projects. To summarize, the Act:

    1. Provides more certainty for housing developers by prohibiting local agencies from:
    • Requiring compliance with an ordinance, policy or standard adopted after a “preliminary application” is submitted, except under limited circumstances, such as where compliance is necessary to avoid or substantially lessen an otherwise significant impact under the California Environmental Quality Act (CEQA).
    • Imposing or enforcing design standards established on or after January 1, 2020, unless they qualify as objective (as defined in the Act).
    • Imposing new or increased development impact fees, unless an automatic annual adjustment based on an independently published cost index referenced in the legislation establishing the fee.
    1. Prohibits caps, moratoriums and density reductions by disallowing agencies from:
    • Reducing permitted housing density to below that allowed on January 1, 2018.
    • Imposing moratoriums (or similar restrictions) on new housing development unless the Department of Housing and Community Development agrees that it is necessary to protect against an imminent public health and safety threat.
    • Limiting the total number of housing units in a local jurisdiction, unless approved by the voters prior to 2005 for a “predominantly agricultural county.”
    1. Shortens the approval process
    • No more than five public hearings may be held on a housing project (if it complies with applicable objective general plan and zoning standards) and the overall timeframe for review and approval (or disapproval) under the Permit Streamlining Act is reduced.

    The Act adds and amends various California Government Code sections, including the Permit Streamlining Act (Cal. Gov’t Code Section 65920 et. seq.) and the Housing Accountability Act (Cal. Gov’t Code Section 65589.5 et. seq.). It applies to “housing developments,” which include mixed-use projects with two-thirds or more of the square footage dedicated to residential use. Protection is limited under the Act. The vesting protections lapse if construction is not commenced within two and a half years from the date of final project approval (which period would be stayed during litigation) and/or the residential square footage or number of units is increased by 20 percent or more after the preliminary application is submitted, exclusive of any increase resulting from a density bonus. See the full text of the Act for additional provisions not summarized here (e.g., relocation assistance requirements).

  • SF Board of Supervisors Approves Major Increase to Jobs Housing Linkage Fee

    Costs for many office and laboratory projects in San Francisco are poised to increase. On November 5, 2019, the Board of Supervisors unanimously approved a proposed ordinance that would more than double the Citywide Jobs Housing Linkage Fee (JHLF) rate for such projects. The ordinance now moves to the Mayor for consideration.

    As amended by the Board on October 29, 2019, the increased fees would be phased in from the current fee of $28.57 to:

    • $52.20 per gross square foot (gsf) where the project was approved on or before September 10, 2019 with a condition of approval requiring payment of any higher JHLF rate in effect prior to issuance of either the certificate of occupancy or final completion for the project. If such certificate of occupancy or completion is not issued as of the effective date of the ordinance, then the project would be required to pay the incremental difference between the fees assessed at building or site permit issuance and $52.20. This provision only applies to “large capital” office projects (50,000 gsf or more).

    This rate would also apply where a complete Preliminary Project Assessment (PPA) application was filed on or before September 10, 2019, except where a building or site permit is issued as of the effective date of the ordinance, in which case the project would be “grandfathered” and the current fee rate would apply, unless the project is a large capital project subject to a special condition as described above. The fee rate for “small capital” office projects (49,999 gsf or less) under this provision would be $46.98 rather than $52.20.

    • $60.90 per gsf ($54.81 for small capital projects) where a complete Development Application (as defined under Planning Code Section 102) is filed between September 11, 2019 and January 1, 2021, except where the project is grandfathered (see above).
    • $69.60 per gsf ($62.64 for small capital projects) where a Development Application is filed after January 1, 2021.

    For laboratory uses, the same phasing requirements would apply (with the exception of the special condition provision described above), with increases from $19.04 per gsf to $31.43, $34.90 and $38.37 per gsf, respectively.

    See our September blog post for information about the related nexus analysis and feasibility assessment for the proposed fee increase.

  • California Passes Rent Cap and Eviction Protections with AB 1482

    In September, the California Legislature approved AB 1482, the Tenant Protection Act of 2019. Governor Newsom signed the bill on October 8, making California the third state this year to impose statewide residential rent control, behind Oregon and New York. The legislation also includes “just cause” eviction provisions.

    Until its repeal date of January 1, 2030, AB 1482 limits rent increases for many residential buildings. For covered buildings, during any 12-month period, the bill prohibits a landlord from increasing a tenant’s rent by an amount that is the lesser of: (a) 5% plus the percentage increase in the cost of living based on the regional CPI (for the Bay Area, roughly 4% or a total of about a 9% increase based on the 2019 CPI), or (b) 10%. The cap applies to rent increases imposed after March 15, 2019, and for existing tenants, a landlord may not increase the rent more than twice in a 12-month period.

    In an effort to address the impacts of the rent cap on new construction, the Legislature included an exemption for housing constructed in the past 15 years. AB 1482 also exempts certain affordable housing, college dormitories, single-family homes, and owner-occupied duplexes and condominiums (except where the owner is a REIT, corporation or limited liability company where at least one member is a corporation). The bill does not apply to housing that is already subject to local rent control measures. The City of San Francisco currently imposes rent control on buildings constructed before June 13, 1979. The San Francisco Rent Ordinance caps annual increases in residential rents based on a specific formula tied to the regional CPI. Since the 1980s, the effective rate cap has ranged from 0.1% to 7.0%, and the current cap in effect through February 29, 2020 is 2.6%. These protections will continue to apply. The AB 1482 rent cap provisions will apply to buildings that received certificates of occupancy between June 13, 1979 and December 31, 2004. A building constructed in or after 2005 will not be subject to the new AB 1482 rent caps until the building is at least 15 years old.

    The legislation also imposes “just cause” eviction procedures, which apply to tenants who have continuously and lawfully occupied a residential property for at least 12 months (or at least 24 months in the case of one or more new adult tenants), unless the eviction results from an “at-fault” or “no-fault” just cause, as defined in the bill. For a “no-fault” eviction, such as an owner move-in or substantial renovation, the landlord must provide tenants with relocation assistance or a rent waiver in the amount of one month’s rent. The exemptions are similar to those for rent caps, and also include dormitories for K-12 schools, housing associated with a nonprofit hospital, religious facilities, extended care or licensed residential care facilities, hotels, and individual rooms or accessory dwelling units rented out by a homeowner. Local just cause ordinances such as San Francisco’s prevail, provided they were either in effect on or before September 1, 2019, or are adopted thereafter but are more protective than the state legislation.

    The bill faced substantial opposition, led by the California Apartment Association – which ultimately dropped its opposition – and the California Association of Realtors. Opponents raised concerns that the bill would chill housing production, curtail economic development, and complicate the eviction process.

    While many tenants’ rights groups supported the legislation, others remain critical of certain provisions, including the lack of vacancy control and longer-term tenant protections. Bay Area Mayors London Breed, Libby Schaaf and Sam Liccardo endorsed the measure.

  • California Consumer Privacy Act Update: Less Than Three Months To Go For Compliance

    Recent Amendments and Regulations Set the Stage for the Statute’s Scope and Enforcement

    October has been an exciting time for anyone keeping an eye on developments involving the California Consumer Privacy Act (“CCPA”), scheduled to go into effect on January 1, 2020. On October 10, California Attorney General Xavier Becerra released a draft of the long-awaited CCPA regulations, and the very next day Governor Gavin Newsom signed seven CCPA amendments into law. Although the draft regulations are subject to upcoming public comment and further revisions, the proposed regulations and amendments provide a near-final view of what the CCPA will ultimately require of businesses when it goes into effect on January 1, 2020, and when it is enforced by the Attorney General’s office starting July 1, 2020. You can read our previous overview of the duties and obligations businesses have under the CCPA here.

    CCPA Amendments

    Governor Newsom signed seven amendments that clarify various provisions and requirements of the CCPA: 

    • AB 25 – Excludes personal information collected from employees, job applicants, owners, directors, officers, or contractors to the extent the information is used solely within the employment context. However, employees must still be provided certain notice regarding the collection of personal information, and the employment exception to the CCPA only lasts until January 1, 2021, at which time the legislature is expected to have enacted a more comprehensive law regarding employee privacy rights.
    • AB 874 – Redefines “personal information” to mean information that is “reasonably capable of being associated with a particular consumer or household.” Excludes deidentified or aggregate consumer information from the definition of “personal information.” Clarifies exclusion of “publicly available information.”
    • AB 1130 – Expands categories of personal information that trigger data breach notification obligations to include unique biometric data (fingerprint, retina, iris, facial recognition, etc.), tax identification numbers, passport numbers, military identification numbers, and unique identification numbers on government documents.
    • AB 1146 – Exempts personal information necessary to fulfill the terms of a warranty or product recall, or personal information shared between a new car dealer and a vehicle manufacturer for repairs related to warranty or recall, from consumers’ rights to request deletion or opt-out of the sale of such information, as long as the information is not used for any other purpose.
    • AB 1202 – Requires data brokers to register with and provide certain information to the Attorney General. Data brokers are businesses “that knowingly collect and sell to third parties the personal information of a consumer with whom the business does not have a direct relationship.”
    • AB 1355 – Makes various corrections to the statute. Prohibits discrimination against consumers for exercising rights under the statute except if the differential treatment is “reasonably related” to value provided to the business by the consumer’s data. Clarifies that a consumer’s right of private action for a data breach requires that the information accessed be nonencrypted and  Exempts, for one year, personal information in connection with communications or transactions between a business and a consumer where the consumer is acting on behalf of a company or agency in the context of due diligence or providing or receiving a product or service (the “B2B” exemption).
    • AB 1564 – Clarifies that businesses that operate exclusively online and have a direct relationship with customers from whom they collect personal information are required only to provide an email address for submission of consumer requests. All other businesses must have two methods for requests, one of which must be a toll-free phone number and, if the business maintains a website, the business is also required to make their internet website address available to consumers to submit requests.

    Proposed CCPA Regulations

    Attorney General Becerra released proposed draft regulations under the following categories:

    • Notices to Consumers– The proposed regulations identify four different “notices” to be provided to consumers, including: (1) notice at collection; (2) notice of the right to opt-out of sale of personal information; (3) notice of financial incentive; and (4) the privacy policy. The proposed regulations detail the purpose of each notice and describe the general format and content for the notices, including that they must all be easy for consumers to access, read, and understand.

      The notice at collection is more limited than the privacy policy but must take into account the way a business interacts with consumers, including that, if the business collects personal information offline, it may need to use printed forms to provide notice or use posted signage directing consumers to the notice.

      A business need not provide a notice of the right to opt-out of the sale of personal information if it does not and will not sell personal information and so states in its privacy policy.

      The notice of financial incentive must explain to consumers the reason for any incentive or price or service differential offered in exchange for the retention or sale of consumers’ personal information, including that the business must provide a good faith estimate of the value of the consumers’ data that forms the basis for the incentive or price or service differential.

    • Consumer Requests – The proposed regulations provide guidance to businesses for handling the various types of consumer requests under the statute, namely: (1) Requests to Know; (2) Requests to Delete; and (3) Requests to Opt-Out. In general, businesses must provide two or more methods for submitting requests, including, at a minimum, a toll-free telephone number and, if the business maintains a website, an interactive web form accessible through their website or mobile application. Businesses are instructed to consider additional methods that reflect the way the business primarily interacts with consumers.

      Businesses must confirm receipt of Requests to Know or Requests to Delete within ten days and respond substantively within 45 days. Requests to Opt-Out must be acted upon within 15 days, and businesses are required to notify all third parties with whom they have shared the consumer’s personal information within the 90 days prior to the opt-out request.

      Businesses must also keep documentation of consumer requests and the response to those requests for 24 months and ensure that all personnel handling consumer requests are informed of all CCPA rights and how to direct consumers to exercise those rights.

    • Verification of Consumer Requests – The proposed regulations provide guidance regarding how businesses should attempt to verify consumer requests, noting that businesses should avoid, if possible, requesting or collecting new or additional personal information in order to verify a consumer. In general, businesses are instructed to consider the sensitivity of the data and the risk of fraud or harm to the consumer in determining how stringent the verification process for any request should be. The more sensitive the data, the more stringent the process should be. The proposed regulations state that, in no event, should a business disclose sensitive personal information such as social security number, driver’s license number, financial account number, health information, account password, or security questions and answers.

      Where a business maintains a password-protected account with its consumers, the business may verify a consumer’s identity through the existing authentication practices for that account. Where a business or consumer does not have a password-protected account, the business must verify the consumer’s identity to a “reasonable degree of certainty” or a “reasonably high degree of certainty,” depending on the type of data involved, which may require matching up at least 2 or 3 pieces of personal data provided by the consumer with information maintained by the business. If the business cannot verify the consumer’s identity to the required level of certainty, it must deny the request and inform the consumer why the request was denied.

    • Rules Regarding Minors – The proposed regulations provide certain additional requirements for businesses that have actual knowledge that they are collecting or maintaining the personal information of minors, including affirmative authorization for any sale of such information by the minor (if between ages 13-16) or by the parent or guardian (if under age 13).
    • Non-Discrimination – The proposed regulations provide further details and guidance regarding when financial incentives or price or service differences violate or do not violate the statute, and also provide various methods by which businesses can estimate the value of consumers’ data for purposes of the financial incentive notice. Businesses can use any of the enumerated methods or any other “practical and reliable” method of calculation used in good faith.

    Prepare Now

    Although the proposed regulations are subject to further revision following public comment, the current draft provides enough guidance for businesses to take necessary steps now to be in compliance by January 1, 2020. Please contact Litigation and Data Privacy partner Scott Hall at shall@coblentzlaw.com or 415.772.5798 to discuss the CCPA’s requirements in greater detail and how we can help your business comply.

    The information provided herein is informative only and not intended to be relied on as legal advice. Please contact us to discuss specific legal or compliance questions or concerns.

    Posted on: October 18, 2019 Tags: Categories: Publications

  • SF Planning Commission Approves Major Increase to Jobs Housing Linkage Fee

    Costs for many non-residential developments in San Francisco are poised to increase. On September 19, 2019, the Planning Commission approved a proposed ordinance that would more than double the City-wide Jobs Housing Linkage Fee (JHLF) rate for office and laboratory development. The ordinance now moves to the Board of Supervisors for consideration.

    The key provision is a substantial hike in fees for office and laboratory development. The ordinance would increase the JHLF rate per gross square foot (gsf) for office uses from $28.57 to $69.90 and for laboratory uses from $19.04 to $46.43. With the proposed changes, a 100,000 gsf office building would be required to pay a nearly $7 million JHLF.

    The proposed ordinance does not include a grandfathering clause so pipeline projects and certain approved projects would be subject to the JHLF changes. The JHLF is normally calculated and due at the time of issuance of the first construction document for a project, which is typically a site or building permit. The proposed ordinance provides that certain projects approved by the Planning Commission (or Planning Department, if applicable) on or before the end of the year (December 31, 2019) will be subject to the higher fee. This applies only if the proposed ordinance is in effect when the JHLF is normally due or a condition of approval is imposed requiring payment of any higher JHLF rate in effect prior to issuance of either the certificate of occupancy or final completion for the project. Such a condition was imposed on at least one already approved Central SoMa project in anticipation of the proposed ordinance.

    The proposed ordinance would also change the options for developers to satisfy the JHLF requirement. Compliance through payment to a residential developer would no longer be allowed, but land could still be dedicated in lieu of payment of the JHLF (or in combination therewith) if specified requirements are met. That option would be expanded under the proposed ordinance to all projects, not just Central SoMa projects.

    Under state law, the development impact fee must bear a reasonable relationship or “nexus” to the actual impacts of new development and the costs of mitigating those impacts. The City retained consultants to prepare a May 2019 Jobs Housing Nexus Analysis (“Nexus Analysis”) and a June 2019 Jobs Housing Linkage Fee Update Development Feasibility Assessment (“Feasibility Assessment”). The Nexus Analysis examined the connection between employment growth and affordable housing demand in the City and concluded that for each job created, the demand for housing and cost of producing it is substantially higher than what was identified in the original 1997 nexus analysis. It did not include a maximum recommended rate. The Feasibility Assessment examined various office development prototypes and concluded that for some product types and under certain conditions, a JHLF increase of up to $10 per gsf would be feasible. The Feasibility Assessment did not address laboratory space.

    The staff report to the Planning Commission recommended approval of the proposed ordinance with modifications to conform to the Feasibility Assessment: a $10 per gsf increase for office uses, and no increase for laboratory uses. The Planning Commission considered testimony regarding the proposed rates and analysis and, in deliberations, generally expressed support for the ordinance while acknowledging that additional work needed to be done to confirm the appropriate maximum increase. The approval was in support of the ordinance without modifications.

    We will continue to track this proposed ordinance. It has not yet been scheduled at the Land Use and Transportation Committee of the Board of Supervisors, which is the next step before final consideration by the full Board.