
Earlier this month the California Privacy Protection Agency (CPPA) held its inaugural public meeting.  The CPPA was created under Proposition 24, the California Privacy Rights Act (CPRA), which was approved by California voters on November 3, 2020.
Continue Reading California Privacy Protection Agency Holds First Meeting, Preparing for Upcoming Rulemaking

This week, Senators Ed Markey (D-Mass.) and Bill Cassidy (R-La.) introduced the Children and Teens’ Online Privacy Protection Act, which would update the Children’s Online Privacy Protection Act (COPPA).  COPPA is the comprehensive federal children’s privacy law enacted in 1998 that regulates the collection, use, and disclosure of personal information online from children under 13.
Continue Reading Senators Markey and Cassidy Introduce Bill to Update the Children’s Online Privacy Protection Act

Judge Freeman of the U.S. District Court for the Northern District of California dismissed a class action against Google and several YouTube channel owners alleging various violations under California state law.  Plaintiffs alleged Defendants infringed their children’s privacy and consumer rights by collecting personal information and delivering targeted advertisements while they viewed child-directed YouTube videos.  However, the court found that Plaintiffs’ claims were expressly preempted by the federal Children’s Online Privacy Protection Act (“COPPA”), and dismissed the case with leave to amend.
Continue Reading California District Court Tosses Kids’ Data Collection Suit, Finds COPPA Preempts State Law

The FTC recently updated Complying with COPPA: Frequently Asked Questions, the set of FAQs meant to provide informal guidance for complying with the Children’s Online Privacy Protection Act and the Commission-issued COPPA Rule.  In an accompanying blog post, the FTC staff emphasized that the revisions to the FAQs “don’t raise new policy issues” and that they were implemented primarily to streamline and reorganize the content “to make the document easier to use.”  While the new FAQs generally only reinforce concepts from recent key settlements, enforcement policy positions, and separately-issued regulatory guidance, some of the updates also provide helpful additional context around specific issues such as mixed audience sites and services, age gates, and common consent mechanisms.
Continue Reading Federal Trade Commission Updates, Streamlines COPPA FAQs

Senators Jeff Merkley (D-Oregon) and Bernie Sanders (I-Vermont) recently introduced the National Biometric Information Privacy Act (NBIPA), which would require private entities to obtain consumers’ and employees’ written consent prior to collecting their biometric information and would expand, nationwide, individuals’ access rights and rights to request additional information from businesses.  The bill also would grant a private right of action.  Unlike other proposals that focus on regulating the use and funding of biometric surveillance technology by government entities, the NBIPA regulates private entities’ use of biometrics.
Continue Reading Bill Restricting Companies’ Use of Biometrics and Expanding California’s Right To Know Nationwide Introduced in Senate

On March 5, Senators Ed Markey (D-MA) and Richard Blumenthal (D-CT) introduced the Kids Internet Design and Safety (KIDS) Act.  The bill, which covers online platforms directed to children and teenagers under 16 years old, aims to curb the time spent by these minors on such platforms and could dramatically affect advertising and influencer content on kids’ channels.

The bill would prohibit platforms directed to minors from implementing features that encourage users to spend more time online, such as “auto-play” settings that automatically load a new video once the selected one finishes playing, push alerts that encourage users to engage with the platform, and the display of positive feedback received from other users.  It would also ban badges or other visual incentives and rewards based on engagement with the platform.

Additionally, the KIDS Act would prohibit platforms from recommending or amplifying certain content involving sexual, violent, or other adult material, including gambling or “other dangerous, abusive, exploitative, or wholly commercial content.”  The bill would require the implementation of a mechanism for users to report suspected violations of content requirements.
Continue Reading New Bill Seeks to Impose Design Restrictions on Kids’ Online Content and Marketing

On January 30, House Rep. Kathy Castor (D-FL) introduced the Protecting the Information of our Vulnerable Children and Youth (“PRIVCY”) Act, a bill that promises to be a significant overhaul of the Children’s Online Privacy Protection Act (“COPPA”).

Currently, COPPA applies only to personal information collected from children under 13 years old.  The PRIVCY Act would greatly expand COPPA’s scope by making any personal information – including biometric, geolocation, and inferred information, whether collected from the child or not – subject to the law’s requirements.  It also brings a new group of “young consumers” – individuals aged 12 to 18 years old – under the law’s umbrella.  The PRIVCY Act would obligate online sites and services that have actual or constructive knowledge that they “process” personal information about children or young consumers to provide notice to, and obtain consent from, those children’s parents or from those young consumers.  The bill also provides for rights to access, correction, and deletion of children’s and young consumers’ personal information, and it imposes limits on the ability of operators to disclose personal information to third parties.

Additionally, the privacy bill would completely repeal COPPA’s safe harbor provision, which enables covered operators to rely on a safe harbor if their privacy practices have been certified by FTC-approved organizations.  Currently, seven safe harbor organizations have been approved by the FTC.
Continue Reading Kids’ Privacy Bill Allowing for Private Suits Introduced in House

Last week, after months of negotiation and speculation, the California legislature passed bills amending the California Consumer Privacy Act (“CCPA”).  This marked the last round of CCPA amendments before the legislature adjourned for the year—and before the CCPA takes effect on January 1, 2020.  California Governor Gavin Newsom has until October 13 to sign the bills into law.  Separately, the Attorney General’s office is expected to release a draft of proposed CCPA regulations for public input later this Fall.

  • Exemption for employees and job applicants: AB 25 (Chau) generally exempts from the CCPA—for one year—personal information collected from job applicants, employees, owners, directors, officers, medical staff members, or contractors, as well as their emergency contacts and their beneficiaries.  However, employers must provide these individuals with general notice of the types of personal information collected about them and the purposes for which the information is used.  Employers may be liable if certain types of unredacted or unencrypted personal information are breached due to unreasonable data security.
  • Exemption for business customers and other technical corrections: AB 1355 (Chau) exempts from the CCPA—also for one year—personal information reflecting a communication or transaction with a natural person who is acting as an employee, owner, director, officer or contractor of another company or legal entity in most circumstances.  This language generally creates an exemption for personal information about business customers.  The bill clarifies that the CCPA’s private right of action does not apply if personal information is either encrypted or redacted.  The bill also makes certain technical corrections, including revising the exemption for activities involving consumer reports that are regulated under the Fair Credit Reporting Act and clarifying that de-identified or aggregate consumer information is excluded from the definition of “personal information.”
  • Definitions of “personal information” and “publicly available information:” AB 874 (Irwin) includes several helpful clarifications with respect to the scope of “personal information” regulated under the statute.  Previously, “personal information” was defined to include all information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”  The amended definition of “personal information” clarifies that information must be “reasonably capable of being associated with” a particular consumer or household.  Separately, the bill clarifies that “publicly available information” means information that is lawfully made available from federal, state, or local records, regardless of whether the data is used for a purpose that is compatible with the purpose for which the data was made publicly available.  Further, the bill revises the definition of “personal information” to clarify that it does not include de-identified or aggregate information.
  • Required methods for receiving consumer requests: The CCPA provides that a covered business is required to make available to consumers two or more reasonably accessible methods for submitting requests under the CCPA, including, at a minimum, a toll-free telephone number, and, if the business maintains an internet website, a website address.  AB 1564 (Berman) would amend this requirement to provide that a business which (1) operates exclusively online and (2) has a direct relationship with the customer from whom it collects personal information needs to provide only an email address.  If the business also maintains a website, the bill requires the business to make the website available to consumers to submit requests.  Finally, the bill expressly permits a business to require a consumer who maintains an account with the business to submit a request through the account.
  • Exemption for vehicle warranty/recall purposes: AB 1146 (Berman) exempts, from the CCPA’s right to opt out and right to delete, vehicle or owner information retained or shared between a new motor vehicle dealer and the vehicle’s manufacturer for the purposes of vehicle repair covered by a warranty or recall.


Continue Reading California Legislature Passes CCPA Amendments and Privacy Bills