This has been a big year in the data protection world, with the headline-grabbing General Data Protection Regulation (GDPR) occupying most of the spotlight with its plethora of privacy-related requirements and potential for high fines for violators. While companies (justifiably) may be focused on the GDPR at the moment, it’s also important to keep an eye on new privacy laws on the horizon in order to avoid last-minute scrambles for compliance as effective dates near. Foremost among these new laws is the California Consumer Privacy Act of 2018. The Act was introduced and signed quickly in order to prevent voters from facing a similar ballot initiative in the November election. This post provides an overview of the new law, which will go into effect beginning January 1, 2020.

On February 12, 2009, the FTC issued its long-anticipated Staff Report on Self-Regulatory Principles for Online Behavioral Advertising. The revised Self-Regulatory Principles are the result of a year of study of the more than 60 comments provided by industry, advocacy organizations, academics, and individual consumers in response to the FTC’s proposed self-regulatory principles issued in late 2007.

Behavioral tracking of consumers online in order to deliver relevant advertising is a privacy issue that is receiving a lot of attention, and one that has been the focus of Federal Trade Commission and consumer group scrutiny. On September 25th, the United States Senate Commerce Committee held a hearing on online privacy and received commitments from the three industry representatives (from AT&T, Verizon and Time Warner Cable) that if they do deploy technologies that are able to track consumer online behavior in order to tailor advertising, that consumers will have clear notice and a full opportunity to provide affirmative consent. None of the companies currently use such technologies in their roles as Internet Service Providers. The broadband providers challenged the rest of the online industry, including web site operators and application providers such as Google, to provide the same protections to consumers. Essentially, the witnesses called for an end to “opt out” when it comes to online advertising.

On September 4, 2008, in American Bankers Association v. Lockyer, No. 05-17163, 2008 WL 4070308 (9th Cir. Sept. 4, 2008), the Ninth Circuit Court of Appeals revived part of the California Financial Information Privacy Act (“S.B. 1”), allowing consumers to opt-out of certain information-sharing activities between financial institutions and their affiliates. Previously, in the 2005 case American Bankers Ass’n. v. Gould, 412 F.3d 1081 (9th Cir. 2005), the Ninth Circuit ruled that the state statute was preempted by provisions of the Fair Credit Reporting Act (“FCRA”) regarding affiliate sharing of “consumer report” information.  The recent 2-1 decision preserves consumers’ rights under California law to restrict affiliate data-sharing related to non-consumer report information.

Section 214 of Fair and Accurate Credit Transactions Act (“FACTA”) was enacted to amend the Fair Credit Reporting Act (the “Act”) to give consumers the right to restrict certain entities from using certain information received from their affiliates to make solicitations to that consumer unless the consumer has been provided (1) “clear and conspicuous” notice that the consumer’s information will be shared for such purposes, and (2) an opportunity to opt out of having such information shared for such purposes.
On November 7, 2007, the Federal Deposit Insurance Corporation, the Federal Reserve Board, the Office of the Comptroller of the Currency, the Office of Thrift Supervision and the National Credit Union Administration issued a joint final rule (along with the Federal Trade Commission (FTC) and the Securities and Exchange Commission(SEC), which separately adopted and proposed, respectively, similar regulations) under the amended Act (the “Affiliate Marketing Rule” or “Final Rule,” codified at 12 C.F.R. Parts 41, 222, 334, 571 and 717) governing the use of specific consumer information obtained by covered entities from their affiliates for certain marketing purposes.
The Affiliate Marketing Rule became effective on January 1, 2008, and compliance by covered entities is required by October 1, 2008.