Insights
Publications

Data Scraping Under the Revised CCPA Regulations

March 18, 2020 Blog

On March 11, 2020, California Attorney General Xavier Barrera released a second revision to the draft California Consumer Privacy Act (CCPA) regulations. The new draft contains a number of important changes to the regulatory landscape under the CCPA. One very specific change—concerning data scraping—caught my eye. Since the CCPA has been discussed and, indeed, even earlier in connection with the GDPR, there has been an open question of whether entities that pull personal data from public sources (e.g., from the publicly available LinkedIn pages) were required to provide notice to the individuals whose data had been collected. The new regulations answer the question, at least in part.

Specifically, §999.305(d) as revised provides that “[a] business that does not collect personal information directly from a consumer does not need to provide a notice at collection to the consumer if it does not sell the consumer’s personal information.”

Thus, a data scraper who does not sell the scraped information would not have to provide notice at collection. Where the company scrapes information for its own use, even to market to the identified consumers, it would not have to provide notice. My Farella colleague, Deepak Gupta asked “what if they collect the data, de-identify it, and sell the de-identified collection of data?” As the regulations are currently written, such a business is not subject to the notice requirements because it is not selling collections of personal information.”

On the other hand, a scraper that creates and sells collections of scraped data including personal information would not be exempted from the reporting requirement, and would need to provide notice “at collection,” though it is still not clear what that specifically means. That is, what is the timing of such notice and what form does it need to take? What would happen, for example, if a scraper that sells such collections of personal information does not collect any contact information? Would that data scraper be required to scrape contact information as well?

Not surprisingly, there are still questions to be answered. Of course, these regulations are still not final, so we could get more answers as we go forward. And more questions.

Firm Highlights

Publication

Zoom Successfully Addresses New York’s Privacy and Security Concerns

A few weeks ago on this blog, we addressed some of the legal issues that have arisen for Zoom , as it becomes a significant part of American daily life during the COVID-19 pandemic. ...

Read More
Publication

Senate Democrats Release Competing COVID-19 Privacy Bill

Democratic Senators Richard Blumenthal and Mark Warner have introduced the  Public Health Emergency Privacy Act  in response to  the bill of the same subject released by Senate Republicans  (the  COVID-19 Consumer Data Protection Act...

Read More
Publication

Reopening Plans and Recommended Protocols Beg New Privacy Issues

While far from getting us back to any kind of normal that predated the COVID-19 pandemic, states have begun to relax lockdown requirements and some previously closed “nonessential” businesses are returning to operations. With...

Read More
Publication

Federal “COVID-19 Consumer Data Protection Act” Proposed

A group of Republican senators has proposed a new privacy law to govern the collection and use of certain personal information thought to be both important and at risk during the current coronavirus crisis...

Read More
News

In Novel Case, Insurer Sues Own Law Firm After Data Breach

Tyler Gerking was quoted in the Law360 article "In Novel Case, Insurer Sues Own Law Firm After Data Breach." In the article Tyler said, "This case shows some of the hazards that all companies face...

Read More
Publication

Reopening Businesses Must Consider Employee and Consumer Privacy

While we’re far from returning to the “normal” that predated the COVID-19 pandemic, states have begun to relax lockdown requirements and some previously “nonessential” businesses are returning to operations. Along with these openings, governmental...

Read More
Publication

Trademark Office Deadlines and Coronavirus-Related Delays (Updated)

With all of the business interruption caused by the COVID-19 pandemic, many worldwide trademark offices have taken steps to recognize the issues caused by the crisis. The offices in which applicants from the U.S...

Read More
Publication

A Roadmap to Litigating Privacy Claims? A Look at a Recent Order From the Google Assistant Privacy Litigation

As privacy-related litigation continues to heat up, Judge Beth Freeman (ND Cal.) recently laid out in In re Google Assistant Privacy Litigation (Case No. 19-cv-04286) [1] a potential roadmap for surviving or winning a...

Read More
Publication

Signatures Submitted for Inclusion of New California Privacy Law on November Ballot

Californians for Consumer Privacy has announced that it has secured and submitted enough signatures to qualify its California Privacy Rights Act (“CPRA”) for inclusion on California’s November 2020 ballot. Alistair Mactaggart, the architect behind...

Read More
News

GDPR in 2020: What You Need to Know

In the article "GDPR in 2020: What You Need to Know," Nate Garhart discussed the newly clarified guidelines for extraterritorial application of GDPR. Read the full article on Toolbox , here .

Read More