Insights
Publications

Data Scraping Under the Revised CCPA Regulations

March 18, 2020 Blog

On March 11, 2020, California Attorney General Xavier Barrera released a second revision to the draft California Consumer Privacy Act (CCPA) regulations. The new draft contains a number of important changes to the regulatory landscape under the CCPA. One very specific change—concerning data scraping—caught my eye. Since the CCPA has been discussed and, indeed, even earlier in connection with the GDPR, there has been an open question of whether entities that pull personal data from public sources (e.g., from the publicly available LinkedIn pages) were required to provide notice to the individuals whose data had been collected. The new regulations answer the question, at least in part.

Specifically, §999.305(d) as revised provides that “[a] business that does not collect personal information directly from a consumer does not need to provide a notice at collection to the consumer if it does not sell the consumer’s personal information.”

Thus, a data scraper who does not sell the scraped information would not have to provide notice at collection. Where the company scrapes information for its own use, even to market to the identified consumers, it would not have to provide notice. My Farella colleague, Deepak Gupta asked “what if they collect the data, de-identify it, and sell the de-identified collection of data?” As the regulations are currently written, such a business is not subject to the notice requirements because it is not selling collections of personal information.”

On the other hand, a scraper that creates and sells collections of scraped data including personal information would not be exempted from the reporting requirement, and would need to provide notice “at collection,” though it is still not clear what that specifically means. That is, what is the timing of such notice and what form does it need to take? What would happen, for example, if a scraper that sells such collections of personal information does not collect any contact information? Would that data scraper be required to scrape contact information as well?

Not surprisingly, there are still questions to be answered. Of course, these regulations are still not final, so we could get more answers as we go forward. And more questions.

Firm Highlights

Publication

Privacy Policy Best Practices for Nonprofits

Welcome to EO Radio Show – Your Nonprofit Legal Resource . I’m happy to have my colleague Nate Garhart back for a discussion on privacy laws and how they affect website content development and online...

Read More
Publication

Platform Ecosystems: Computer Fraud and Abuse Act and Other Scraping Law Developments (Webinar)

Erik Olson and Stephanie Skaff discuss "Platform Ecosystems: Computer Fraud and Abuse Act and Other Scraping Law Developments." Web scraping has existed as long as the World Wide Web has, and as data has...

Read More
Publication

hiQ’s Groundbreaking Injunction Against LinkedIn Reaffirmed: Scraping of Publicly Available Data Likely Does Not Violate CFAA

The U.S. Court of Appeals for the Ninth Circuit has affirmed its prior decision , holding that LinkedIn could not block hiQ, a scraping entity, from scraping public LinkedIn profiles. The court found it was...

Read More
Publication

Platform Ecosystems – The Landscape of US and EU Legislation (Webinar)

Stephanie Skaff and Nate Garhart discuss "Platform Ecosystems – The Landscape of US and EU Legislation." Several new bills targeting online platform companies are making their way through state and federal legislative bodies in the...

Read More
Publication

Cybersecurity Regulation: Key Takeaways From an Unusual FTC Order That Will Follow CEO for a Decade

The FTC recently issued a proposed order that would settle an enforcement action against Drizly, LLC and its co-founder and CEO, James Rellas, arising from data breaches in 2018 and 2020 that affected over...

Read More
Publication

I Always Feel Like AI Is Watching Me: Artificial Intelligence and Privacy

ChatGPT got the early press, and every day we learn of new generative artificial intelligence products that can create new and creative visual and text responses to human input. Following on ChatGPT’s fame, Google’s...

Read More
Publication

Nonprofit Websites and Terms of Use - Best Practices and Common Pitfalls

Welcome to EO Radio Show – Your Nonprofit Legal Resource . Happy New Year, everyone!  In episode 26, Cynthia Rowland and her guest Nate Garhart discuss websites and terms of use and the legal concepts...

Read More
Publication

California Passes Landmark Privacy Protections for Children With Big Implications for Online Providers

Governor Newsom recently signed into law AB 2273 , the California Age-Appropriate Design Code Act (CA AADCA), making California the first state to pass broad privacy protections for children. The CA AADCA is modeled...

Read More
Publication

What Recent Rulings in 'hiQ v. LinkedIn' and Other Cases Say About the Legality of Data Scraping

LinkedIn obtained a permanent injunction on Dec. 6 in its six-year-old lawsuit against data scraping company hiQ Labs, which LinkedIn quickly cheered as a “final, decisive victory” that established an “important legal precedent.” While...

Read More
Publication

California Attorney General Announces Enforcement Sweep of Mobile Applications

Shortly before Privacy Day, California Attorney General (Cal AG) Rob Bonta  announced  a California Consumer Privacy Act (CCPA) enforcement sweep that targeted mobile applications. The sweep focused on popular apps in the retail, travel...

Read More