• Emergency Protections in Place for Tenants and Homeowners in Response to COVID-19 Pandemic

    In recent days, the federal government, the state of California, and many local governments have taken action to provide tenant and homeowner protections in response to the COVID-19 pandemic.

    On March 18, President Trump announced a suspension of foreclosures and evictions by the Department of Housing and Urban Development through April 30. The moratorium will apply only to homeowners with mortgages insured by the Federal Housing Administration.

    Also on March 18, the Federal Housing Finance Agency directed Fannie Mae and Freddie Mac to suspend foreclosures and evictions for at least 60 days.

    At the state level, on March 16, 2020, California Governor Gavin Newsom issued Executive Order N-28-20 prohibiting rent hike evictions, authorizing local governments to implement further protections against evictions, delaying foreclosures by mortgage lenders, and monitoring customer service protections delivered by utility providers. Unless extended, the protections under the order are in effect until May 31, 2020 and are intended to address the challenges for many Californians to pay rent, mortgages, and utility bills as a result of the COVID-19 pandemic. A summary of protections included in the order is as follows:

    • It is unlawful to evict any residential tenant through May 31, 2020 (as may be extended) and subsequently rent or offer to rent to another person at a rental price greater than the evicted tenant could be charged. Landlords may continue an eviction process that was lawfully initiated prior to March 4, 2020.
    • Local governments may impose substantive limitations on residential or commercial evictions through May 31, 2020 (as may be extended) where the basis of the eviction is nonpayment of rent or a foreclosure, and the tenant or homeowner can demonstrate economic hardship caused by the COVID-19 pandemic.
    • Public housing authorities are requested to extend deadlines for housing assistance recipients and applicants to deliver documents.
    • Home and commercial mortgage lenders are requested to immediately place a moratorium on foreclosures and evictions that arise out of economic hardship caused by the COVID-19 pandemic.
    • The California Public Utilities Commission (CPUC) is requested to monitor and report the customer service protections provided by utility providers for electric, gas, water, internet, landline telephone, cell phone service, and other critical utilities, in response to COVID-19.

    The order contemplates that a quarantine or similar public health measure could also prohibit an eviction if it compels an individual to remain physically present in a particular residential property.

    The order does not relieve a tenant from its obligation to pay rent, nor does it restrict a landlord’s ability to recover rent.

    On March 17, 2020, the CPUC confirmed that, retroactive to March 4, 2020, utility companies under CPUC’s jurisdiction (including PG&E, AT&T and Comcast) will not be allowed to suspend service for customers who cannot pay their bills during the COVID-19 state of emergency.

    Cities in California that have moved to impose temporary moratoriums on evictions include San Francisco, Oakland, San Jose, Los Angeles, Santa Monica, San Diego, Santa Barbara, South Pasadena, and Suisun.

    • On March 13, San Francisco Mayor London Breed issued a 30-day moratorium on residential evictions related to financial impacts caused by the COVID-19 pandemic. Tenants will have up to six months after the end of the emergency declaration period to pay the total of their missed rent. Guidance for tenants and landlords, including tenant obligations to provide notice of inability to pay rent, can be viewed here.
    • On March 14, Santa Monica issued a temporary moratorium on evictions for non-payment of rent by residential tenants financially impacted by COVID-19 during the period of local emergency. A landlord also cannot pursue a no-fault eviction during the period of local emergency unless necessary for the health and safety of tenants, neighbors, or the landlord. On March 18, Santa Monica added a moratorium on commercial tenant evictions through April 30, 2020.
    • On March 15, Los Angeles Mayor Eric Garcetti issued a moratorium on residential evictions through March 31, 2020 where the tenant can demonstrate economic hardship caused by the COVID-19 pandemic. Tenants will have up to six months following the expiration of the local emergency period to repay any back due rent. The Mayor is considering a halt to commercial evictions as well.
    • A proposed ordinance for a residential eviction moratorium in Oakland will be considered at the Oakland City Council’s next meeting on April 7.
    • San Jose City Council is moving forward with a temporary ban on COVID-19-related residential evictions, which is expected to receive final approval in the next week. Council members will consider adding small businesses under commercial leases to the moratorium.
    • San Diego city leaders voted on March 17 to draft an emergency ordinance aimed at preventing residential rental evictions triggered by the COVID-19 pandemic.
    • Santa Barbara City Council will vote on a draft ordinance pausing evictions on March 24, 2020. It is undetermined whether the pause will extend to both residential and commercial evictions, or one or the other.
    • On March 18, South Pasadena considered a resolution that would establish special protections for residential and commercial tenants and property owners.
    • Suisun City Council is poised to pass a resolution that would prohibit any new residential or commercial evictions due to financial impacts caused by the COVID-19 pandemic.

    The situation and responses are evolving quickly, and other local jurisdictions are considering similar controls. The Governor’s Office may also provide additional guidance on this issue. We will continue to monitor these developments.

     

  • We’re Getting Closer: AG Releases New Modified CCPA Draft Regulations

    California Attorney General Xavier Becerra wasted no time in issuing new modified draft regulations for the California Consumer Privacy Act (“CCPA”), announcing new draft regulations on March 11, 2020 – just two weeks after the public comment period expired on the prior draft regulations. While the March 2020 changes are more limited than the February 2020 modifications to the original October 2019 draft regulations, the new changes have an immediate impact on all businesses currently working to comply with the CCPA’s requirements. Selected provisions of the newest draft regulations are set forth below:

    1. Personal Information Reverts to the Statutory Definition – There was a lot of excitement in February about the modification to the definition of “personal information” under the statute, including in what contexts certain information not explicitly linked to an individual or household (such as IP addresses collected from website visits) would or would not be considered “personal information.” As we noted in a previous article, the problem with that modification was that it created ambiguity regarding when certain personal information collected or disclosed by the business may be “capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household” when combined with other available information, even if the business itself makes no effort to create such a  link or identification. The newest draft regulations have accordingly deleted this attempt at narrowing the definition of “personal information,” essentially reverting back to the broad definition in the statute. Thus, as currently defined, essentially every piece of information that is reasonably capable of being related to a California resident or household, including IP addresses or other information not currently linked to an individual or household, constitutes collection of personal information under the CCPA.
    2. Businesses That Do Not Collect Information Directly Do Not Need To Provide Notice At Collection – Although this appeared to be the case based on statutory language and previous regulations, the March 2020 modifications added back in the provision that a business that does not collect personal information directly from a consumer does not need to provide a notice at collection if it does not sell consumers’ personal information.
    3. The Opt-Out Button And Logo Is Gone – The proposed Opt-Out Button and Logo released with the February 2020 modifications has been entirely deleted in the March 2020 modifications. It remains to be seen whether a new button or logo will be forthcoming or what it will look like.
    4. Responses to Request to Know Specific and Sensitive InformationThe February 2020 modifications clarified that businesses are restricted from disclosing certain sensitive information such as driver’s license number or other government-issued identification numbers, social security number, financial account number, health insurance or medical identification number, account password, security questions and answers, and biometric data, in response to consumer requests to know specific pieces of information collected about them. However, the new modifications explain that businesses must still disclose with “sufficient particularity” the type of sensitive information collected without disclosing the actual information. For example: if a business collects biometric data, it must respond that it collects “unique biometric data including a fingerprint scan” without disclosing the actual fingerprint scan data.
    5. Notice of Employment-related Information – A business collecting employment-related information still needs to provide notice at collection to employees and job applicants but does not need to include a link to a business’s main privacy policy in that notice.
    6. Privacy Policy Right To Know Description– Although the description of personal information required to be disclosed in a business’s privacy policy appeared to be somewhat relaxed by the February 2020 modifications, the new modifications clarify that a privacy policy must identify not only the categories of personal information collected about consumers in the previous 12 months, but also the categories of sources from which personal information is collected and the business or commercial purposes for collecting and selling the personal information (in addition to the previous requirement of identifying the categories of personal information sold or disclosed to third parties and –for each category – the categories of third parties to whom information was sold or disclosed).
    7. Information Of Minors – If a business has actual knowledge that it sells personal information of minors under 16 years of age, it must include a description of the affirmative opt-in consent process required for selling personal information of minors in its privacy policy.
    8. Opt-Out Privacy Controls – The February 2020 modifications prohibited businesses from providing pre-selected opt-outs in user-enabled privacy controls and required consumers to affirmatively exercise their choice to out-opt.  However, the March 2020 regulations deleted this affirmative selection requirement leaving the possibility of pre-selected settings. Moving forward, how businesses handle opt-outs in privacy controls will depend on a variety of factors including the industry the business operates in, target audience, and the value of the collected data to the business.

    Despite all of this new information and guidance, it is important to remember that these modifications are still in draft form and will undergo further revisions until finalized later this year.  It remains to be seen how many more modifications will come between now and July, and businesses are already frustrated at the moving target of compliance presented by the ever-changing regulations.  While it is helpful to get periodic glimpses into the AG’s thought process and see where the regulations are heading, additional draft modifications – including adding and then removing requirements, or removing them and then adding them back in, as well as making other substantive changes – will likely incentivize businesses to stop taking any further steps toward compliance until final regulations are released.  The good news is the recent changes are less extensive, indicating that we are hopefully getting closer and closer to the final product.

    For further information on how the modified regulations or the CCPA impacts your business, contact Cybersecurity & Data Privacy attorney Scott Hall (shall@coblentzlaw.com).  You can also review additional CCPA articles and resources in our CCPA Resource Center.

  • CCPA Reality Check: 10 Key Questions to Evaluate Compliance

    With the CCPA (California Consumer Privacy Act) in effect as of January 1, but regulations still being revised and finalized, businesses are struggling to know what they need to do now to comply. If your business has not yet taken steps to comply with the CCPA or is still uncertain about the precise steps to take, now is the time.  We raise and respond to 10 questions below that every business should be asking itself to assess its current status and next steps for CCPA compliance.

    1. Is My Business Subject To The CCPA?

    The relevant factors for determining whether a business is subject to the CCPA have remained the same despite the shifting draft regulations.  Namely, if: (1) you are a company (excluding non-profit and government entities) that (2) collects personal information – or on whose behalf such information is collected – that alone or jointly determines the purposes and means of processing that information, and (3) you do business in the State of California, then you are subject to the CCPA if: (a) you have gross annual revenue (not limited to CA) of more than $25 million; or (b) you collect the personal information of 50,000 or more California residents, households or devices annually; or (c) 50% or more of your annual revenues are derived from selling consumers’ personal information.

    Whether you are “doing business” in California is somewhat ambiguous, but will likely be determined by factors indicating intentional, repeated economic activity in the state (i.e., not an unintended or isolated transaction).  A physical presence in the state is not necessary, as repeated transactions remotely or online will likely suffice, as could soliciting or advertising to California consumers.  Moreover, the 50,000-consumer/device/household threshold may capture a significant number of businesses since IP addresses, geolocation information, or other internet-collected information is defined as personal information under the statute.  Although the new draft regulations state that IP addresses that cannot reasonably be linked to a consumer or household would not constitute personal information, it remains somewhat unclear under what circumstances information such as IP addresses can or cannot be reasonably linked or associated with a specific consumer or household in light of, or in combination with, other available information.

    2. Is My Privacy Policy Sufficient?

    The old days of privacy policies that merely provide general and broad descriptions of data collection and use practices, or that limit disclosures to online or website data collection practices only, are over.  Under the CCPA, businesses that collect personal information from consumers must have a privacy policy that provides a comprehensive description of the business’s online and offline practices regarding the collection, use, disclosure, and sale of personal information and the rights of consumers regarding their personal information.  Specifically, businesses must disclose how the business collects and discloses certain categories of personal information with enough detail to provide consumers with a “meaningful understanding.”  This means that privacy policies must explicitly list categories of information collected in the past 12 months, and third parties to which the information has been sold or disclosed in the past 12 months, with requisite specificity (e.g., advertising networks, data analytics providers, social networks, data brokers, etc.).

    Privacy policies must also describe the various consumer rights under the CCPA, including the right to request to know what information has been collected, the right to request deletion of information collected, and the right to opt-out of sale of personal information, as well as providing instructions on how consumers can submit requests and describing the process for verifying consumers’ identities in connection with such requests.  Businesses must also include a consumer’s right to not be discriminated against for exercising rights under the CCPA, provide information regarding requests made by authorized agents, and include contact information for the business and the date the privacy policy was last updated.

    Privacy policies should be posted through a conspicuous link using the word “Privacy” on the business’s website homepage and in the settings menu of a mobile application.  Privacy policies also need to be easy to read and understand, capable of being printed, and accessible to consumers with disabilities, including by following Web Content Accessibility Guidelines, version 2.1 from the World Wide Web Consortium.

    3. What Other Notices Or Disclosures Are Required Under the CCPA? 

    Beyond the privacy policy, businesses must provide a “Notice At Collection” via a conspicuous link on the website homepage, a just-in-time notice or link on the mobile application download page or settings menu, or a notice given by telephone or printed forms, depending on the way your consumers primarily interact with your business.  The Notice At Collection should detail the categories of personal information collected by the business and the business or commercial purposes for which the information will be used with enough specificity to provide consumers with a “meaningful understanding.”  The Notice a Collection should also include a “Do Not Sell My Info” link if the business is selling data, as well as a link to the business’s main privacy policy.

    4. How Do I Know If I’m “Selling” Personal Information Under The CCPA? 

    By now, you probably know that “selling” personal information as defined in the CCPA encompasses more than simply selling personal data to third parties in exchange for money.  “Selling” under the CCPA is defined as any disclosure of personal information for valuable (not necessarily monetary) consideration and may encompass disclosures of personal information to service providers, use of data analytics tools, or other disclosures in the course of business relationships.  Mapping the data collection and sharing practices of your business is essential, and if you are disclosing data to a third party for any reason, you should consider whether it might constitute a sale and whether you need to disclose that sale and offer an opt-out right or whether you can avoid the disclosure being deemed a sale by entering into a written contract that restricts the further use of the information.

    5. Do I Have To Update My Vendor/Service Provider Contracts?

    The primary way to avoid the disclosure of personal information to a third-party service provider being deemed a “sale” under the CCPA is to enter into a written contract, certified by the service provider, that restricts the further use or disclosure of that data by the service provider for purposes other than providing your business with the relevant services.  All businesses covered by the CCPA should consider revising their vendor and service provider agreements to include restrictions and prohibitions on the service providers’ use or sale of personal information disclosed to them other than to provide services to the business.  The new draft regulations clarify that service providers may use information disclosed to them for internal use to build or improve the quality of their services, detect data security incidents and fraud or illegal activity, or to retain and employ other service providers as subcontractors if they meet the requirements, without the disclosure being deemed a “sale.”

    6. What Methods Must Be Offered For Submission Of Consumer Requests? 

    Most businesses must provide two or more methods for submitting consumer requests, including a toll-free number (mandatory for requests to know), an online interactive form (mandatory for requests to opt-out of sale), a designated email address, a form submitted through mail, or, where interaction is primarily in-person, a printed form or a computer portal.   Requests to opt-out of sale should require minimal steps and be easy for consumers to execute.  Note that businesses that operate “exclusively online” and have a direct relationship with their consumers need only provide an email address for submission of requests to know.  More than two methods of submission for consumer requests may be advisable, and businesses should consider the way they primarily interact with consumers when determining what methods to offer.

    Businesses will also need to provide a separate Notice to Opt-Out of Sale Of Personal Information if they are selling personal information, and/or a Notice of Financial Incentive if they are offering financial incentives to consumers to retain, disclose or sell their data.  These notices would typically be given via a link on the website homepage or mobile download page.  All notices should be easy to read and understand and accessible to persons with disabilities.

    7. How Much Time Do I Have to Respond To Consumer Requests?

    Businesses have 10 business days to acknowledge receipt of requests to know/delete and 45 calendar days to respond substantively to those requests (with an additional extension of 45 calendar days in some cases).  By contrast, businesses have only 15 business days to process and comply with requests to opt-out of the sale of information.  The new draft regulations excuse businesses from notifying all third parties to whom they have previously sold data about a consumer’s opt-out request, but businesses must still notify any third party to whom the business sells the consumer’s data after receiving the opt-out request (but before complying with request) and instruct that third party not to sell that consumer’s information.

    8. What Processes or Procedures Are Necessary Or Sufficient To Verify Consumer Identities?

    The guidance for how to verify consumer identities remains somewhat ambiguous.  In general, businesses are instructed to tailor a consumer identity verification process to the sensitivity and risk of the personal information at issue.  The regulations provide that no business should disclose certain sensitive categories of personal information (i.e., the data breach categories mentioned in No. 10 below) in response to a consumer request.  But aside from a couple of clear rules, the verification process is largely left to the business.  Businesses with password-protected accounts for their users are fortunate because they can use such accounts to verify identities by having consumers re-enter their credentials for the account.  Businesses without such accounts for their users, however, must match either 2 or 3 pieces of personal information maintained by the business with information provided by the consumer and, in some cases, require the consumer to provide a signed affidavit under penalty of perjury that they are the consumer who is the subject of the data request.  Because businesses are discouraged from collecting additional information in order to verify identities, but must also ensure that the process is sufficiently stringent for the data involved, businesses will need to determine what pieces of personal information can be used to sufficiently and accurately identify consumers.  For businesses that maintain customer purchase information, the regulations suggest that verifying the consumer’s identity might involve requiring the consumer to identify items recently purchased or dollar amounts of recent purchases.  In any event, the regulations require that a business deny requests to know specific pieces of personal information if the business cannot verify the identity of the requestor to the required level of certainty.  However, businesses that have no sufficient method to verify identities of consumer requestors may be subject to greater regulatory scrutiny.

    9. What Is Required For Employee Data? 

    An October 2019 amendment to the CCPA provided for a one-year exemption to employee or job applicant data (used only in the employment or application context) from full coverage of the CCPA.  This means that employees cannot make consumer requests to know or delete to their employers regarding their personal information collected as part of their employment.  Businesses are still required to provide employees and job applicants with notice regarding the collection, use, and disclosure of their personal information, however, and employees will still be able to bring a private right of action in the event of a data breach.

    10. What Are Reasonable Security Procedures And Practices?

    One of the most dreaded aspects of the CCPA for businesses is the private right of action, with statutory damages, arising from the unauthorized access to (i.e., breach of) certain sensitive categories of personal information (e.g., driver’s license, social security number, account number in combination with security code or password, medical or health insurance information, automated license plate recognition data, email address in combination with password or security question, or biometric data).  As a preliminary matter, the private right of action is limited to unauthorized access to this data in nonencrypted and nonredacted form, so businesses should store all such data in encrypted or redacted form.  Additionally, businesses should review their security practices and procedures for consistency with industry standards for security, including the Center for Internet Security (CIS) Top 20 Controls, the International Organization for Standardization (ISO) 27001 standards, and the National Institute of Standards and Technology (NIST) framework, among others.  While the CCPA does not identify a single standard as sufficient to be reasonable, following industry-standard guidelines for security is a safe bet.

    Summary

    This list is not intended to be comprehensive of all legal requirements and obligations under the statute and regulations.  For example, there are various statutory and subject matter exemptions to the statute (e.g., exemptions for certain personal health and financial information governed by other statutes and exceptions to the requirement to delete consumer data when needed for specified business purposes).  Additionally, there are special rules applicable to personal information of minors and to businesses that collect personal information of more than 10 million consumers annually or that offer financial incentives to allow them to use, retain, or sell consumer information.  You should consult legal counsel regarding compliance requirements for your specific business and practices.  However, the questions set forth above address many of the basic compliance questions companies may have about the CCPA as its enforcement data approaches.

    For further information, contact Coblentz Cybersecurity & Data Privacy attorney Scott Hall (shall@coblentzlaw.com). You can also review additional CCPA articles and resources in our CCPA Resource Center.

    Categories: Publications
  • Attorney General Releases Modified CCPA Draft Regulations: Key Changes Your Business Should Know

    On Friday, February 7, and Monday, February 10, 2020, the California Attorney General released proposed modified regulations in connection with the California Consumer Privacy Act (“CCPA”). The modified regulations provide businesses with some clarity, and arguable relief, from certain of the prior onerous regulatory obligations. Despite the modifications, however, there is still ambiguity about many aspects of the regulations, and the CCPA remains the most stringent privacy compliance law in effect in any state in the United States.

    Below is a short summary of some of the more prominent changes to selected provisions of the regulations that may have an immediate effect on businesses. This summary is not meant to be an exhaustive list of the proposed modifications. These regulations are not final regulations, and additional changes may be made in the next few months as they are finalized. The deadline to submit written comments to the proposed modifications is February 25, 2020.

    Changes to Definitions

    Personal Information” – Whether or not information collected by businesses is personal information now depends on how the business maintains the information. If the business maintains information in a manner that “identifies, relates to, describes, or is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household,” the information is “personal information.” So, according to the regulations, if a business only collects IP addresses of visitors to its website but does not link or could not link the IP address to a particular consumer or household, the IP address would not be “personal information.”

    This new definition tries to narrow the scope of “personal information” but remains ambiguous as to what information “could be” linked to a consumer or household. For example, collection of data through automated technology such as cookies, pixels, and web beacons is arguably anonymous and not linked to a consumer at the time of collection, but this data, when combined with enough other data points, could be reasonably linked to a particular consumer or household. For instance, if a consumer is logged into Facebook and browsing a website with the Facebook analytics tool called Facebook pixel in the same session, information collected on the website (including IP address, click patterns, etc.) may be attributed to the consumer’s Facebook profile.  In this scenario, the collected data would presumably be “personal data.” Businesses will have to continue to analyze the types and amount of data they collect and how such data is used to determine if linkage to a consumer or household could reasonably be accomplished.

    Categories of “Sources” and “Third Parties” – Businesses are now required to describe how the business collects personal information about consumers, and who it discloses the information to, with enough particularity to provide consumers with a “meaningful understanding.” Simply stating that the business collects information from or discloses information to “third parties” will not suffice. Businesses will have to explicitly list sources of the collected personal information and the types of third parties it shares that information with, such as advertising networks, internet service providers, data analytics providers, operating systems and platforms, social networks, government entities, and data brokers.

    Household” – Household means a person or group of people who: 1) reside at the same address; 2) share a common device or the same service provided by a business; and 3) are identified by the business as sharing the same group account or unique identifier.

    Signed” – The definition of “signed” means written attestation, declaration, or permission that is physically or electronically signed.

    Changes to Consumer Rights and Requests Under the CCPA

    Requests to Delete” – The two-step process to confirm that a consumer wishes to delete his or her information is no longer required and is merely optional.

    Methods to Submit Request to Know and Requests to Delete” – Exclusively online businesses that have a direct relationship with consumers from whom they collect personal information only need to provide an email address for submitting requests to know. All other businesses must provide two methods, including a mandatory 1-800 number. For requests to delete, all businesses are still required to designate two or more acceptable methods. An interactive webform is an acceptable option but is no longer required for any consumer request.

    Businesses that primarily interact with consumers in person should provide in-person methods such as printed forms that can be mailed, a tablet or computer portal for an online form, or a toll-free number to submit requests to know and delete.

    Right to Opt-Out” – If a business does not have proper notice of right to opt-out posted, it cannot sell personal information collected during that time unless it obtained affirmative authorization from the consumer.

    Request to Opt-Out” – A request to opt-out may now be made via global privacy controls or device settings. Any privacy control developed must clearly communicate or signal that a consumer intends to opt-out, so a pre-selected setting will not suffice. Consumers must affirmatively select their choice to opt-out. In case of a conflict with a consumer’s existing business-specific privacy setting or participation in a financial incentive program, the business shall respect the global privacy control but may notify the consumer of the conflict and give the consumer the choice to confirm the business-specific privacy setting or participation in the financial incentive program. Similarly, if a consumer initiates a transaction or attempts to use a product or service that requires the sale of information, a business can inform the consumer that the action requires the sale of personal information and provide instructions on how the consumer can opt-in.

    Opt-Out Button” – If a business chooses to include the optional opt-out button, it must appear to the left of the “Do Not Sell My Personal Information” link, be approximately the same size as other buttons on the webpage, and explicitly look like this:

     

     

    An example of a compliant opt-out button looks like:

     

     

    Methods to Submit Requests to Opt-Out” – Businesses should make Requests to Opt-Out easy for consumers and require minimal steps. Businesses cannot use a method that is designed with the purpose or substantial effect of subverting or impairing a consumer’s decision to opt-out.

    Time limits to Respond to Requests to Know and Requests to Delete and Opt-Out of Sale” – Businesses have some extra time to confirm receipt of consumer requests. Businesses must confirm receipt within 10 business days and can do so in the same manner in which the request was received. Similarly, businesses must now comply with a request to opt-out within 15 business days. The time to respond to requests to Know and Requests to Delete remains 45 calendar days from receipt of the request.

    Responding to Requests to Know” – A business does not need to search for personal information if: 1) it does not maintain the personal information in a searchable or reasonably accessible format; 2) it maintains the personal information only for legal or compliance purposes; 3) it does not sell information and does not use it for any commercial purpose; and 4) it describes to the consumer the categories of records that may contain personal information that it did not search because it met the above conditions. Note that all four of the above conditions must be met for the exception to apply.

    Responding to Requests to Delete” – Businesses no longer need to treat all requests to Delete as Requests to Opt-Out of Sale. However, if a business sells personal information and a consumer has made a request to delete, but not a request to opt-out, the business must ask the consumer if they would like to opt-out of sale of their personal information and will include a link to the right to opt-out or the contents of the notice of right to opt-out.

    Complying with a Request to Opt-Out” – Businesses that sell personal information no longer need to contact third parties to whom they sold a consumer’s personal information within 90 days prior to the business’s receipt of the consumer request. Instead, businesses now only need to notify those third parties that it sold personal information to after the consumer submitted the request but before the business complied with that request. Businesses must direct those third parties to not sell that consumer’s information.

    Notice Requirements

    Notice At Collection – For businesses that collect information online, the Notice at Collection may be given by a conspicuous link to the notice that must be posted on the introductory website page and on all webpages where personal information is collected.  Businesses that collect information by telephone or in-person can provide the notice orally. For mobile users, a link to the notice must be provided on the download page and within the application such as within the settings menu. Mobile devices also require a “just-in-time” notice containing a summary of the categories of personal information being collected and a link to the full notice if the personal information collected is for a purpose that the consumer would not reasonably expect.

    Notice of Right to Opt-Out of Sale of Personal Information – A business must explain the opt-out right and state whether or not it sells personal information. If it sells personal information, it must provide a link to the Notice of Opt-Out Right.

    Notice of Financial Incentive – If a business does not offer a financial incentive or price difference related to disclosure, deletion, or sale of personal information, it does not have to provide notice of financial information. For businesses that do offer financial incentives, the business must explain to the consumer the material terms of the incentive the business is offering to allow the consumer to make an informed decision on whether to participate, and the notice must be readily available where consumers will encounter it before opting into the offered financial incentive. The notice must now include a description of the value of the consumer data.

    Non-Discrimination Business Practices and Requests to Delete or Opt-out” – Businesses must ensure that any financial incentive they offer is reasonably related to the value of the consumer data or the price difference would be considered discriminatory. If a business cannot calculate in good faith the value of consumer data or show that the financial incentive is reasonably related to the value of the consumer data, it shall not offer the financial incentive. To calculate the value of the data, a business can consider the value to all natural persons, not just consumers.

    Businesses can deny a consumer’s request to delete information if the information is necessary to the business’s financial offering and is reasonably anticipated within the context of the business relationship between the parties. For example, if a business offers a loyalty program whereby consumers receive a $5 coupon via email for every $100 spent and a consumer submits a request to delete information and informs that business he or she wants to continue participating in the loyalty program, assuming the $5 is worth the value of the consumer data collected, the business may deny the request to delete the email address and amount spent by the consumer. This information is necessary and is reasonably anticipated within the context of the business relationship between the parties. This practice would not be considered discriminatory.  However, if the business were offering discounts to consumers through a browser pop-up window while the consumer uses the website and the consumer were to submit a request to delete the email address on file, the business cannot deny the request because the email address is not necessary or reasonably aligned with the expectations of the consumer based on the parties’ business relationship. This practice would be discriminatory.

    Privacy Policy – The privacy policy does not need to disclose the commercial purpose for which each category of information was collected. Rather, the privacy policy must only identify the categories of personal information collected in the preceding 12 months and identify the categories of personal information disclosed or sold to third parties in the preceding 12 months and, for each category of personal information sold or disclosed, provide the categories of third parties to whom the information was sold or disclosed.

    The modified regulations also clarify that the privacy policy need only describe the consumer request verification process “generally.”

    Purpose of Information Collected – Businesses cannot use a consumer’s personal information for any purpose materially different than those disclosed in the notice of collection. The addition of the terms “materially different” will limit the situations in which a business must provide notice and seek explicit consent when it has departed from using the information as previously disclosed.

    Reasonable Accessibility to Consumers with Disabilities – Online notices must follow industry standards such as the Web Content Accessibility Guidelines, version 2.1 from the World Wide Consortium. These Guidelines provide accessibility guidance for consumers with cognitive or learning disabilities, low vision, and disabilities on mobile devices.

    Collection of Employment-related Information – A business collecting employment-related information does not need to include a “Do Not Sell My Info” link, and may include a link to a business’s privacy policy for job applicants, employees or contractors in lieu of a link to the privacy policy for consumers.

    Other Requirements

    Personal Information Collected By Data Brokers – Businesses that buy information from data brokers registered with the State of California no longer need to perform due diligence about whether the business provided appropriate notice to the consumer and obtain signed attestations from the broker about how notice was given to consumers and request an example of the notice.

    Service Providers – A business that collects information on behalf of another business may still fall under the “service provider” exemption of the CCPA if it uses the personal information collected for internal use to build or improve the quality of services provided that the use does not include building or modifying household or consumer profiles, or cleaning or augmenting data acquired from another source.

    This provides much-needed relief for service providers especially in the cloud industry, that rely on access to such data to improve their services and product offerings. Service providers can also use personal information to retain and employ another service provider as a subcontractor (if the subcontractor meets the service provider requirements under the CCPA), as well as to detect data security incidents, protect against fraudulent or illegal activity, or to perform the services specified in the contract. However, Service Providers cannot sell data on behalf of a business when a consumer has opted out of the sale of their personal information with the business.

    Service providers also no longer have the burden to respond to a consumer request to know or delete.  Service providers can choose to do so on behalf of the business, or they can inform the consumer that the request cannot be completed because it was sent to the service provider.

    Authorized Agent – A business’s privacy policy must now provide instructions on how an authorized agent can make requests under the CCPA (as opposed to instructing consumers how they can appoint an authorized agent, as required under the previous version of the regulations). Request to opt-out made by an authorized agent on behalf of a consumer must provide the authorized agent with written permission signed by the consumer. A business can also request the customer to directly confirm with the business that they provided the authorized agent permission to submit the request. An authorized agent now has the burden to implement and maintain reasonable security procedures and practices to protect consumer information and cannot use a consumer’s information for any purposes other than to fulfill the request, verification or fraud prevention.

    Security – Businesses must implement and maintain reasonable security procedures and practices in maintaining records of consumer requests and how the business responded to such requests for at least 24 months. Such information shall only be maintained for record-keeping purposes except to review and modify the business’s compliance procedures. This information cannot be shared with any third party.

    Identity Verification – A business may not require a consumer to pay a fee for the verification of the consumer’s request to know or delete. For example, a business may not require a consumer to submit a notarized affidavit to verify their identity unless the business compensates the consumer for the cost of notarization. If a business has no reasonable method by which it can verify the identity of a consumer, the business shall explain why it has no reasonable verification method in its privacy policy. The business must also evaluate and document on a yearly basis whether a reasonable method can be established.

    If a business maintains personal information in a manner that is not associated with a named actual person, it may verify the request by asking the consumer to provide information that only the person associated with the information would know, including, if information is collected from a mobile application, requiring that the consumer respond to a notification sent to their device.

    Consumer Metrics – Businesses that buy, receive, sell or disclose for a commercial purpose the personal information of over 10 million consumers in a calendar year must compile and disclose certain metrics regarding consumer requests in their privacy policies. This more than doubles the 4 million-consumer threshold triggering the metrics requirement under the previous version of the regulations.

    Conclusion

    Overall, the regulations provide some clarification and relief in terms of notice requirements, use of service providers, and submission of consumer requests. However, the modified regulations do not address many of the ambiguities regarding when sharing of personal information among businesses in the analytics or digital advertising context will be deemed a “sale” under the statute, nor has further guidance been provided regarding a uniform and sufficient process by which all businesses can securely and efficiently verify the identity of individuals making consumer requests. Although we may see some final tweaks before the July enforcement of the CCPA, businesses will likely have to continue to do the best they can to comply based on the current guidance.

    For further information on how the modified regulations or the CCPA impacts your business, contact Cybersecurity & Data Privacy attorney Scott Hall at shall@coblentzlaw.com.

    Categories: Publications
  • SF’s Proposition E Links Office Allocation to Housing Production

    On March 3, San Francisco voters will consider Proposition E (“San Francisco Balanced Development Act”)[1], which links the City’s “Proposition M” office allocation scheme, originally approved by voters in 1986, to affordable housing production. Proposition M currently limits the amount of office space that the City may approve annually, with 875,000 square feet added to the allocation for large office projects (50,000 square feet or more) each year in October. When a large office project is approved, its square footage is deducted from the available allocation. The Planning Department’s most recent Proposition M report identifies 786,993 square feet of large project office allocation available, as compared to a large office entitlements pipeline of over 6 million square feet, plus additional demand from other projects that were approved with allocation priority. Proposition E would change both the method for calculating how much annual office square footage is available and how that space is allocated.

    California state law requires that cities and counties plan for housing needs at varying income levels through a Regional Housing Needs Allocation (RHNA) process. As part of the RHNA, the State determines the total amount of new housing that is needed by income level and assigns a share of that need to each local entity. Proposition E would tie Proposition M’s annual limit on large office projects to the City’s affordable housing production—if the City falls short in meeting its combined affordable housing goals for the very low, low and moderate income categories, then the available annual allocation would go down by the same percentage as the RHNA shortfall. The 2015-2023 RHNA eight-year need allocation in the specified categories is 16,333 units, or 2,042 units per year. If the City produced, for example, about 1,021 qualifying units in a given year, then the Proposition M allocation for the coming year would be reduced by 50% to 437,500 square feet. The October 2020 allocation would be reduced to reflect the entire 2015-2019 RHNA shortfall (total qualifying units produced during the period calculated against a need of 10,210 units), and thereafter the allocation would be adjusted annually.

    The Planning Commission would have the authority to grant two new exceptions from the large office limit. The first is for projects subject to a development agreement that includes affordable housing, either on-site or off-site within a designated economically disadvantaged community, at a ratio of at least 809 units per 1 million square feet of new office space. The second is for large office projects in Central SoMa (defined as the boundaries of the Central SoMa Special Use District in Planning Code Section 249.78) for which a Preliminary Project Application was submitted before September 11, 2019, where the project includes qualifying space as follows: SoMa property to be conveyed to the City for affordable housing, a space of at least 10,000 square feet for community arts or neighborhood-serving retail at reduced rents, or a public safety facility. The Central SoMa exception would be limited to a total of 1.7 million square feet, and until 15,000 new housing units are produced (approved and first construction document issued) in the broader SoMa neighborhood, it could only be granted if the project would not cause the total amount of large office projects approved in Central SoMa after January 1, 2019 to exceed 6 million square feet. Office space approved using these exceptions could cause the allocation to effectively “go negative” and would be deducted from any available allocation evenly over the 10-year period following approval of each exempted project.

    Finally, Proposition E would revise the criteria for evaluating office development projects to delete references to General Plan objectives, policies, and design quality, and add provisions regarding affordable housing (for projects subject to a development agreement) and other specified community improvements.

    On January 27, the City’s Chief Economist published a report concluding that if past economic trends continue, Proposition E will put upward pressure on office rents, reduce employment, and result in less funding for affordable housing through the Jobs-Housing Linkage Fee.

    Proposition E’s proponents dispute the Chief Economist’s report. They assert that creating a link between office development and affordable housing may incentivize affordable housing production, and that in any event, slowing the pace of office development will help to reduce pressure on housing supply and home prices. Proposition E’s critics believe that the measure will adversely impact job creation and business retention and that the City’s path to reducing housing costs must focus on dramatically increasing housing production.

    [1] In December, Mayor Breed withdrew a competing ballot proposal that would have added converted office space back to annual space allocations, prioritized office space that also provides sites for affordable housing or other specified community benefits, and increased the square footage threshold for small office projects.

  • SB 50 Defeated in State Senate

    SB 50, Senator Scott Wiener’s bill to boost housing production near transit and job centers, has been defeated. The bill fell three votes short on Wednesday, and Wiener was unsuccessful in his reconsideration request today.

    The bill was stalled in the Senate last May when the Chair of the Appropriations Committee deferred action on the bill until 2020. On January 24, Senate President Pro Tempore Toni Atkins moved it to the Rules Committee, which she chairs, and Senator Wiener introduced amendments designed to address certain concerns regarding local control and potential impacts on low-income residents. The amendments included a “local flexibility plan” that would allow local agencies to create alternative housing plans that are designed to produce the same number of units as SB 50 compliance would. The amendments also added a neighborhood preference for 40% of new low, very low and extremely low income units developed under SB 50.

    Both Governor Newsom and Senator Atkins have indicated that regardless of the fate of SB 50, some form of legislation to increase housing production will be passed this year.

  • Major Increase to Jobs Housing Linkage Fee Takes Effect

    Effective December 16, costs for many office and laboratory projects in San Francisco are now higher. As we previously reported, the Board of Supervisors unanimously approved the more than doubling of the Citywide Jobs Housing Linkage Fee (JHLF) for such projects in November. The Mayor declined to veto the ordinance but instead returned it unsigned, expressing concern in an accompanying letter that the JHLF increase “must be done in a way that takes into account economic analysis, financial feasibility, and the different impacts experienced by our small businesses.” See our November and September blog posts for more information about the JHLF increase and the related nexus analysis and feasibility assessment.

  • SB 330 Seeks to Speed Up Housing Production

    The Housing Crisis Act of 2019 (Senate Bill No. 330; Senator Skinner) goes into effect on January 1, 2020 and expires on January 1, 2025. It aims to address the statewide housing crisis by limiting the number of public hearings for new housing developments and reducing the timeline for permit review, placing limits on permit processing, limiting fees and exactions, and making it more difficult for local jurisdictions to deny or modify housing projects. To summarize, the Act:

    1. Provides more certainty for housing developers by prohibiting local agencies from:
    • Requiring compliance with an ordinance, policy or standard adopted after a “preliminary application” is submitted, except under limited circumstances, such as where compliance is necessary to avoid or substantially lessen an otherwise significant impact under the California Environmental Quality Act (CEQA).
    • Imposing or enforcing design standards established on or after January 1, 2020, unless they qualify as objective (as defined in the Act).
    • Imposing new or increased development impact fees, unless an automatic annual adjustment based on an independently published cost index referenced in the legislation establishing the fee.
    1. Prohibits caps, moratoriums and density reductions by disallowing agencies from:
    • Reducing permitted housing density to below that allowed on January 1, 2018.
    • Imposing moratoriums (or similar restrictions) on new housing development unless the Department of Housing and Community Development agrees that it is necessary to protect against an imminent public health and safety threat.
    • Limiting the total number of housing units in a local jurisdiction, unless approved by the voters prior to 2005 for a “predominantly agricultural county.”
    1. Shortens the approval process
    • No more than five public hearings may be held on a housing project (if it complies with applicable objective general plan and zoning standards) and the overall timeframe for review and approval (or disapproval) under the Permit Streamlining Act is reduced.

    The Act adds and amends various California Government Code sections, including the Permit Streamlining Act (Cal. Gov’t Code Section 65920 et. seq.) and the Housing Accountability Act (Cal. Gov’t Code Section 65589.5 et. seq.). It applies to “housing developments,” which include mixed-use projects with two-thirds or more of the square footage dedicated to residential use. Protection is limited under the Act. The vesting protections lapse if construction is not commenced within two and a half years from the date of final project approval (which period would be stayed during litigation) and/or the residential square footage or number of units is increased by 20 percent or more after the preliminary application is submitted, exclusive of any increase resulting from a density bonus. See the full text of the Act for additional provisions not summarized here (e.g., relocation assistance requirements).

  • SF Board of Supervisors Approves Major Increase to Jobs Housing Linkage Fee

    Costs for many office and laboratory projects in San Francisco are poised to increase. On November 5, 2019, the Board of Supervisors unanimously approved a proposed ordinance that would more than double the Citywide Jobs Housing Linkage Fee (JHLF) rate for such projects. The ordinance now moves to the Mayor for consideration.

    As amended by the Board on October 29, 2019, the increased fees would be phased in from the current fee of $28.57 to:

    • $52.20 per gross square foot (gsf) where the project was approved on or before September 10, 2019 with a condition of approval requiring payment of any higher JHLF rate in effect prior to issuance of either the certificate of occupancy or final completion for the project. If such certificate of occupancy or completion is not issued as of the effective date of the ordinance, then the project would be required to pay the incremental difference between the fees assessed at building or site permit issuance and $52.20. This provision only applies to “large capital” office projects (50,000 gsf or more).

    This rate would also apply where a complete Preliminary Project Assessment (PPA) application was filed on or before September 10, 2019, except where a building or site permit is issued as of the effective date of the ordinance, in which case the project would be “grandfathered” and the current fee rate would apply, unless the project is a large capital project subject to a special condition as described above. The fee rate for “small capital” office projects (49,999 gsf or less) under this provision would be $46.98 rather than $52.20.

    • $60.90 per gsf ($54.81 for small capital projects) where a complete Development Application (as defined under Planning Code Section 102) is filed between September 11, 2019 and January 1, 2021, except where the project is grandfathered (see above).
    • $69.60 per gsf ($62.64 for small capital projects) where a Development Application is filed after January 1, 2021.

    For laboratory uses, the same phasing requirements would apply (with the exception of the special condition provision described above), with increases from $19.04 per gsf to $31.43, $34.90 and $38.37 per gsf, respectively.

    See our September blog post for information about the related nexus analysis and feasibility assessment for the proposed fee increase.

  • California Passes Rent Cap and Eviction Protections with AB 1482

    In September, the California Legislature approved AB 1482, the Tenant Protection Act of 2019. Governor Newsom signed the bill on October 8, making California the third state this year to impose statewide residential rent control, behind Oregon and New York. The legislation also includes “just cause” eviction provisions.

    Until its repeal date of January 1, 2030, AB 1482 limits rent increases for many residential buildings. For covered buildings, during any 12-month period, the bill prohibits a landlord from increasing a tenant’s rent by an amount that is the lesser of: (a) 5% plus the percentage increase in the cost of living based on the regional CPI (for the Bay Area, roughly 4% or a total of about a 9% increase based on the 2019 CPI), or (b) 10%. The cap applies to rent increases imposed after March 15, 2019, and for existing tenants, a landlord may not increase the rent more than twice in a 12-month period.

    In an effort to address the impacts of the rent cap on new construction, the Legislature included an exemption for housing constructed in the past 15 years. AB 1482 also exempts certain affordable housing, college dormitories, single-family homes, and owner-occupied duplexes and condominiums (except where the owner is a REIT, corporation or limited liability company where at least one member is a corporation). The bill does not apply to housing that is already subject to local rent control measures. The City of San Francisco currently imposes rent control on buildings constructed before June 13, 1979. The San Francisco Rent Ordinance caps annual increases in residential rents based on a specific formula tied to the regional CPI. Since the 1980s, the effective rate cap has ranged from 0.1% to 7.0%, and the current cap in effect through February 29, 2020 is 2.6%. These protections will continue to apply. The AB 1482 rent cap provisions will apply to buildings that received certificates of occupancy between June 13, 1979 and December 31, 2004. A building constructed in or after 2005 will not be subject to the new AB 1482 rent caps until the building is at least 15 years old.

    The legislation also imposes “just cause” eviction procedures, which apply to tenants who have continuously and lawfully occupied a residential property for at least 12 months (or at least 24 months in the case of one or more new adult tenants), unless the eviction results from an “at-fault” or “no-fault” just cause, as defined in the bill. For a “no-fault” eviction, such as an owner move-in or substantial renovation, the landlord must provide tenants with relocation assistance or a rent waiver in the amount of one month’s rent. The exemptions are similar to those for rent caps, and also include dormitories for K-12 schools, housing associated with a nonprofit hospital, religious facilities, extended care or licensed residential care facilities, hotels, and individual rooms or accessory dwelling units rented out by a homeowner. Local just cause ordinances such as San Francisco’s prevail, provided they were either in effect on or before September 1, 2019, or are adopted thereafter but are more protective than the state legislation.

    The bill faced substantial opposition, led by the California Apartment Association – which ultimately dropped its opposition – and the California Association of Realtors. Opponents raised concerns that the bill would chill housing production, curtail economic development, and complicate the eviction process.

    While many tenants’ rights groups supported the legislation, others remain critical of certain provisions, including the lack of vacancy control and longer-term tenant protections. Bay Area Mayors London Breed, Libby Schaaf and Sam Liccardo endorsed the measure.