Publications

Data Scraping Under the Revised CCPA Regulations

March 18, 2020 Blog

On March 11, 2020, California Attorney General Xavier Barrera released a second revision to the draft California Consumer Privacy Act (CCPA) regulations. The new draft contains a number of important changes to the regulatory landscape under the CCPA. One very specific change—concerning data scraping—caught my eye. Since the CCPA has been discussed and, indeed, even earlier in connection with the GDPR, there has been an open question of whether entities that pull personal data from public sources (e.g., from the publicly available LinkedIn pages) were required to provide notice to the individuals whose data had been collected. The new regulations answer the question, at least in part.

Specifically, §999.305(d) as revised provides that “[a] business that does not collect personal information directly from a consumer does not need to provide a notice at collection to the consumer if it does not sell the consumer’s personal information.”

Thus, a data scraper who does not sell the scraped information would not have to provide notice at collection. Where the company scrapes information for its own use, even to market to the identified consumers, it would not have to provide notice. My Farella colleague, Deepak Gupta asked “what if they collect the data, de-identify it, and sell the de-identified collection of data?” As the regulations are currently written, such a business is not subject to the notice requirements because it is not selling collections of personal information.”

On the other hand, a scraper that creates and sells collections of scraped data including personal information would not be exempted from the reporting requirement, and would need to provide notice “at collection,” though it is still not clear what that specifically means. That is, what is the timing of such notice and what form does it need to take? What would happen, for example, if a scraper that sells such collections of personal information does not collect any contact information? Would that data scraper be required to scrape contact information as well?

Not surprisingly, there are still questions to be answered. Of course, these regulations are still not final, so we could get more answers as we go forward. And more questions.

Firm Highlights

Publication

Nonprofits’ Use of Artificial Intelligence Systems: Intellectual Property and Data Privacy Concerns

In today's rapidly changing technological landscape, artificial intelligence (AI) is making headlines and being discussed constantly. To be sure, AI provides a powerful tool to nonprofits in creating content and exploiting for countless cost-effective...

Read More
Publication

California Proposes New AI & Automated Decision-Making Technology Regulations

The California Privacy Protection Agency (CPPA) released its draft  regulatory framework for automated decision-making technology (ADMT) on November 27. These regulations are a preview of what new requirements may look like for companies currently...

Read More
Publication

Top 5 Privacy Cases To Watch, From Chatbots to Geolocation

Litigation — and threats of litigation — related to privacy law violations have been on the rise recently. While some judges have pushed back on the theories set forth by plaintiffs, new privacy lawsuits...

Read More
Publication

BIPA Liability: Existing CGL Coverage May Provide a Lifeline for Policyholders

Developments in the law have increased the potential liability that companies could face under the Illinois Biometric Information Privacy Act (BIPA), but fortunately for policyholders, Illinois case law has also solidified coverage for BIPA...

Read More
Publication

California Appeals Court Empowers Privacy Agency to Immediately Enforce CCPA Regulations

In  California Privacy Protection Agency et al. v. The Superior Court of Sacramento County  (case number C099130), the Third Appellate District of the California Court of Appeal returned authority to the California Privacy Protection...

Read More
Publication

Enforcement of CPRA Regulations Delayed

Shortly before the California Privacy Right Act (CPRA) modifications to the California Consumer Privacy Act (CCPA) were set to become enforceable on July 1, 2023, a Sacramento Superior Court judge issued a ruling on...

Read More
Publication

It Wasn’t Me, It Was the AI: Intellectual Property and Data Privacy Concerns With Nonprofits’ Use of Artificial Intelligence Systems

In today's rapidly changing technological landscape, artificial intelligence (AI) is making headlines and being discussed constantly. To be sure, AI provides a powerful tool to nonprofits in creating content and exploiting for countless cost-effective...

Read More
Publication

California AI Proposal Rethinks Consumer Scope and Recordkeeping

The California Privacy Protection Agency will revisit its  draft  regulations for automated decision-making technology on March 8, including use of artificial intelligence to process personal information. Comment periods should be coming soon in 2024...

Read More
Publication

Thomson Reuters v. Ross Intelligence: AI Copyright Law and Fair Use on Trial

On Sept. 25, 2023, Judge Stephanos Bibas (sitting by designation in the District of Delaware), determined that fact questions surrounding issues of fair use and tortious interference required a jury to decide media conglomerate...

Read More