Data Scraping Under the Revised CCPA Regulations

Farella Braun + Martel LLP

Farella Braun + Martel LLPOn March 11, 2020, California Attorney General Xavier Barrera released a second revision to the draft California Consumer Privacy Act (CCPA) regulations. The new draft contains a number of important changes to the regulatory landscape under the CCPA. One very specific change—concerning data scraping—caught my eye. Since the CCPA has been discussed and, indeed, even earlier in connection with the GDPR, there has been an open question of whether entities that pull personal data from public sources (e.g., from the publicly available LinkedIn pages) were required to provide notice to the individuals whose data had been collected. The new regulations answer the question, at least in part.

Specifically, §999.305(d) as revised provides that “[a] business that does not collect personal information directly from a consumer does not need to provide a notice at collection to the consumer if it does not sell the consumer’s personal information.”

Thus, a data scraper who does not sell the scraped information would not have to provide notice at collection. Where the company scrapes information for its own use, even to market to the identified consumers, it would not have to provide notice. My Farella colleague, Deepak Gupta asked “what if they collect the data, deidentify it, and sell the deidentified collection of data?” As the regulations are currently written, such a business is not subject to the notice requirements because it is not selling collections of personal information.”

On the other hand, a scraper that creates and sells collections of scraped data including personal information would not be exempted from the reporting requirement, and would need to provide notice “at collection,” though it is still not clear what that specifically means. That is, what is the timing of such notice and what form does it need to take? What would happen, for example, if a scraper that sells such collections of personal information does not collect any contact information? Would that data scraper be required to scrape contact information as well?

Not surprisingly, there are still questions to be answered. Of course, these regulations are still not final, so we could get more answers as we go forward. And more questions.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Farella Braun + Martel LLP | Attorney Advertising

Written by:

Farella Braun + Martel LLP

Farella Braun + Martel LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.