Insights
Publications

Data Scraping Under the Revised CCPA Regulations

March 18, 2020 Blog

On March 11, 2020, California Attorney General Xavier Barrera released a second revision to the draft California Consumer Privacy Act (CCPA) regulations. The new draft contains a number of important changes to the regulatory landscape under the CCPA. One very specific change—concerning data scraping—caught my eye. Since the CCPA has been discussed and, indeed, even earlier in connection with the GDPR, there has been an open question of whether entities that pull personal data from public sources (e.g., from the publicly available LinkedIn pages) were required to provide notice to the individuals whose data had been collected. The new regulations answer the question, at least in part.

Specifically, §999.305(d) as revised provides that “[a] business that does not collect personal information directly from a consumer does not need to provide a notice at collection to the consumer if it does not sell the consumer’s personal information.”

Thus, a data scraper who does not sell the scraped information would not have to provide notice at collection. Where the company scrapes information for its own use, even to market to the identified consumers, it would not have to provide notice. My Farella colleague, Deepak Gupta asked “what if they collect the data, de-identify it, and sell the de-identified collection of data?” As the regulations are currently written, such a business is not subject to the notice requirements because it is not selling collections of personal information.”

On the other hand, a scraper that creates and sells collections of scraped data including personal information would not be exempted from the reporting requirement, and would need to provide notice “at collection,” though it is still not clear what that specifically means. That is, what is the timing of such notice and what form does it need to take? What would happen, for example, if a scraper that sells such collections of personal information does not collect any contact information? Would that data scraper be required to scrape contact information as well?

Not surprisingly, there are still questions to be answered. Of course, these regulations are still not final, so we could get more answers as we go forward. And more questions.

Firm Highlights

Publication

Continuing Use of CGL Policies to Cover Data Breach Losses

Our lives and the products and devices we use become more dependent on data by the day. As a result, cyberattacks and data breaches present everchanging risks to companies and individuals, and the importance...

Read More
Publication

The War Exclusion in a Time of War

The “war” exclusion has gotten more attention over the past couple of weeks in light of Russia’s invasion of Ukraine. For good reason. This exclusion, common in property and liability policies alike, typically eliminates...

Read More
Publication

How to Guard Against 3 Cannabis Cyber Attack Risks

Cyber attacks are now commonplace. Ransomware attacks, in particular, have skyrocketed in frequency and size. High-profile data breaches have cost businesses in the United States millions of dollars in losses and incalculable reputational harm...

Read More
Publication

hiQ’s Groundbreaking Injunction Against LinkedIn Reaffirmed: Scraping of Publicly Available Data Likely Does Not Violate CFAA

The U.S. Court of Appeals for the Ninth Circuit has affirmed its prior decision , holding that LinkedIn could not block hiQ, a scraping entity, from scraping public LinkedIn profiles. The court found it was...

Read More
News

Janice Reicher Named a 2022 Leadership Council on Legal Diversity Fellow

Farella Braun + Martel is proud to announce that Janice Reicher has been named a member of the 2022 class of Leadership Council on Legal Diversity (LCLD) Fellows. Janice joins a select group of...

Read More
News

LinkedIn Loses Data Appeal

Erik Olson was quoted in the article "LinkedIn Loses Data Appeal" in CDR Magazine . In the article, Erik said: We are pleased to see that the Ninth Circuit has again affirmed, in light...

Read More