Exploring the Future of Information Governance: Key Predictions for 2024

Information governance has evolved rapidly, with technology driving the pace of change. Looking ahead to 2024, we anticipate technology playing an even larger role in data management and protection. In this blog post, we’ll delve into the key predictions for information governance in 2024 and how they’ll impact businesses of all sizes.

  1. Embracing AI and Automation: Artificial intelligence and automation are revolutionizing industries, bringing about significant changes in information governance practices. Over the next few years, it is anticipated that an increasing number of companies will harness the power of AI and automation to drive efficient data analysis, classification, and management. This transformative approach will not only enhance risk identification and compliance but also streamline workflows and alleviate administrative burdens, leading to improved overall operational efficiency and effectiveness. As organizations adapt and embrace these technological advancements, they will be better equipped to navigate the evolving landscape of data governance and stay ahead in an increasingly competitive business environment.
  2. Prioritizing Data Privacy and Security: In recent years, data breaches and cyber-attacks have significantly increased concerns regarding the usage and protection of personal data. As we look ahead to 2024, the importance of data privacy and security will be paramount. This heightened emphasis is driven by regulatory measures such as the California Consumer Privacy Act (CCPA) and the European Union’s General Data Protection Regulation (GDPR). These regulations necessitate that businesses take proactive measures to protect sensitive data and provide transparency in their data practices. By doing so, businesses can instill trust in their customers and ensure the responsible handling of personal information.
  3. Fostering Collaboration Across Departments: In today’s rapidly evolving digital landscape, information governance has become a collective responsibility. Looking ahead to 2024, we can anticipate a significant shift towards closer collaboration between the legal, compliance, risk management, and IT departments. This collaborative effort aims to ensure comprehensive data management and robust protection practices across the entire organization. By adopting a holistic approach and providing cross-functional training, companies can empower their workforce to navigate the complexities of information governance with confidence, enabling them to make informed decisions and mitigate potential risks effectively. Embracing this collaborative mindset will be crucial for organizations to adapt and thrive in an increasingly data-driven world.
  4. Exploring Blockchain Technology: Blockchain technology, with its decentralized and immutable nature, has the tremendous potential to revolutionize information governance across industries. By 2024, as businesses continue to recognize the benefits, we can expect a significant increase in the adoption of blockchain for secure and transparent transaction ledgers. This transformative technology not only enhances data integrity but also mitigates the risks of tampering, ensuring trust and accountability in the digital age. With its ability to provide a robust and reliable framework for data management, blockchain is poised to reshape the way we handle and secure information, paving the way for a more efficient and trustworthy future.
  5. Prioritizing Data Ethics: As data-driven decision-making becomes increasingly crucial in the business landscape, the importance of ethical data usage cannot be overstated. In the year 2024, businesses will place even greater emphasis on data ethics, recognizing the need to establish clear guidelines and protocols to navigate potential ethical dilemmas that may arise. To ensure responsible and ethical data practices, organizations will invest in enhancing data literacy among their workforce, prioritizing education and training initiatives. Additionally, there will be a growing focus on transparency in data collection and usage, with businesses striving to build trust and maintain the privacy of individuals while harnessing the power of data for informed decision-making.

The future of information governance will be shaped by technology, regulations, and ethical considerations. Businesses that adapt to these changes will thrive in a data-driven world. By investing in AI and automation, prioritizing data privacy and security, fostering collaboration, exploring blockchain technology, and upholding data ethics, companies can prepare for the challenges and opportunities of 2024 and beyond.

Jim Merrifield, Robinson+Cole’s Director of Information Governance & Business Intake, contributed to this report.

What’s in the American Data Privacy and Protection Act?

Congress is considering omnibus privacy legislation, and it reportedly has bipartisan support. If passed, this would be a massive shake-up for American consumer privacy, which has been left to the states up to this point. So, how does the American Data Privacy and Protection Act (ADPPA) stack up against existing privacy legislation such as the California Consumer Privacy Act and the Virginia Consumer Data Protection Act?

The ADPPA includes a much broader definition of sensitive data than we’ve seen in state-level laws. Some notable inclusions are income level, voicemails and text messages, calendar information, data relating to a known child under the age of 17, and depictions of an individual’s “undergarment-clad” private area. These enumerated categories go much further than recent state laws, which tend to focus on health and demographic information. One asterisk though – unlike other state laws, the ADPPA only considers sexual orientation information to be sensitive when it is “inconsistent with the individual’s reasonable expectation” of disclosure. It’s unclear at this point, for example, if a member of the LGBTQ+ community who is out to friends would have a “reasonable expectation” not to be outed to their employer.

Like the European Union’s General Data Protection Regulation, the ADPPA includes a duty of data minimization on covered entities (the ADPPA borrows the term “covered entity” from HIPAA). There is a laundry list of exceptions to this rule, including one for using data collected prior to passage “to conduct internal research.” Companies used to kitchen-sink analytics practices may appreciate this savings clause as they adjust to making do with less access to consumer data.

Another innovation is a tiered applicability, in which all commercial entities are “covered entities,” but “large data holders” – those making over $250,000,000 gross revenue and that process either 5,000,000 individuals’ data or 200,000 individuals’ sensitive data – are subject to additional requirements and limitations, while “small businesses” enjoy additional exemptions. Until now, state consumer privacy laws have made applicability an all-or-nothing proposition. All covered entities, though, would be required to comply with browser opt-out signals, following a trend started by the California Privacy Protection Agency’s recent draft regulations. Additionally, individuals have a private right of action against covered entities to seek monetary and injunctive relief.

Finally, and controversially, the ADPPA explicitly preempts all state privacy laws. It makes sense – the globalized nature of the internet means that any less-stringent state law would become the exception that kills the rule. Still, companies that only recently finalized CCPA- and CPRA-compliance programs won’t appreciate being sent back to the drawing board.


Copyright © 2022 Robinson & Cole LLP. All rights reserved.

As the California Attorney General Focuses on Loyalty Programs, What Do Companies Need to Remember?

The California attorney general (AG) celebrated data privacy day by doing an “investigative sweep” of the loyalty programs of retailers, supermarkets, home improvement stores, travel companies, and food service companies, and sending out notices of non-compliance to businesses that the AG’s office believes might not be fully compliant with the CCPA. As the AG focuses its attention on loyalty programs, the following provides a reminder of the requirements under the CCPA.

What is a loyalty program?

Loyalty programs are structured in a variety of different ways. Some programs track dollars spent by consumers; others track products purchased. Some programs are free to participate in; others require consumers to purchase membership. Some programs offer consumers additional products; other programs offer prizes, money, or products from third parties. Although neither the CCPA nor the regulations implementing the CCPA define a “loyalty program,” as a practical matter most, if not all, loyalty programs have two things in common: (1) they collect information about consumers, and (2) they provide some form of reward in recognition of (or in exchange for) repeat purchasing patterns.[1]

What are the general obligations under the CCPA?

Because loyalty programs collect personal information about their members, if a business that sponsors a loyalty program is itself subject to the CCPA, then its loyalty program will also be subject to the CCPA. In situations in which the CCPA applies to a loyalty program, the following table generally describes the rights conferred upon a consumer in relation to the program:

| Right | Applicability to Loyalty Program |
| --- | --- |
| Notice at collection | A loyalty program that collects personal information from its members should provide a notice at the point where information is being collected regarding the categories of personal information that will be collected and how that information will be used.[2] |
| Privacy notice | A loyalty program that collects personal information of its members should make a privacy notice available to its members.[3] |
| Access to information | A member of a loyalty program may request that a business disclose the “specific pieces of personal information” collected about them.[5] |
| Deletion of information | A member of a loyalty program may request that a business delete the personal information collected about them. That said, a company may be able to deny a request by a loyalty program member to delete information in their account based upon one of the exceptions to the right to be forgotten. |
| Opt-out of sale | A loyalty program that sells the personal information of its members should include a “do not sell” link on its homepage and permit consumers to opt-out of the sale of their information. To the extent that a consumer has directed the loyalty program to disclose their information to a third party (e.g., a fulfillment partner) it would not be considered a “sale” of information. |
| Notice of financial incentive | To the extent that a loyalty program qualifies as a “financial incentive” under the regulations implementing the CCPA (discussed below), a business should provide a “notice of financial incentive.”[4] |

Are loyalty programs always financial incentive programs?

Whether a loyalty program constitutes a “financial incentive” program as that term is defined by the regulations implementing the CCPA depends on the extent to which the loyalty program’s benefits “relate to” the collection, retention, or sale of personal information.[6] While the California Attorney General has implied that all loyalty programs “however defined, should receive the same treatment as other financial incentives,” a strong argument may exist that for many loyalty programs the benefits provided are directly related to consumer purchasing patterns (i.e., repeat or volume purchases) and are not “related” to the collection of personal information.[7] If a particular loyalty program qualifies as a financial incentive program, a business should consider the following steps (in addition to the compliance obligations identified above):

  • Notify the consumer of the financial incentive.[8] The regulations implementing the CCPA specify that the financial incentive notice should contain the following information:
    • A summary of the financial incentive offered.[11] In the context of a loyalty program, a description of the benefits that the consumer will receive as part of the program would likely provide a sufficient summary of the financial incentive.
    • A description of the material terms of the financial incentive.[12] The regulation specifies that the description should include the categories of personal information that are implicated by the financial incentive program and the “value of the consumer’s data.”[13]
    • How the consumer can opt-in to the financial incentive.[14] Information about how a consumer can opt-in (or join) a financial incentive program is typically conveyed when a consumer reviews an application to join or sign-up with the program.
    • How the consumer can opt-out, or withdraw, from the program.[15] This is an explanation as to how the consumer can invoke their right to withdraw from the program.[16]
    • An explanation of how the financial incentive is “reasonably related” to the value of the consumer’s data.[17] While the regulations state that a notice of financial incentive should provide an explanation as to how the financial incentive “reasonably relates” to the value of the consumer’s data, the CCPA requires only that a reasonable relationship exists if a business intends to discriminate against a consumer “because the consumer exercised any of the consumer’s rights” under the Act.[18] Where a business does not intend to use its loyalty program to discriminate against consumers that exercise CCPA-conferred privacy rights, it’s not clear whether this requirement applies. In the event that a reasonable relationship must be shown, however, the regulations require that a company provide a “good-faith estimate of the value of the consumer’s data that forms the basis” for the financial incentive and that the business provide a “description of the method” used to calculate that value.[19]
  • Obtain the consumer’s “opt in consent” to the “material terms” of the financial incentive,[9] and
  • Permit the consumer to revoke their consent “at any time.”[10]

FOOTNOTES

[1] FSOR Appendix A at 273 (Response 814) (including recognition from the AG that “loyalty programs” are not defined under the CCPA, and declining invitations to provide a definition through regulation).

[2] Cal. Civ. Code § 1798.100(a) (West 2021); Cal. Code Regs. tit. 11, 999.304(b), 305(a)(1) (2021).

[3] Cal. Code Regs. tit. 11, 999.304(a) (2021).

[5] Cal. Civ. Code § 1798.100(a).

[4] Cal. Code Regs. tit. 11, 999.301(n); 304(d); 307(a), (b).

[6] Cal. Code Regs. tit. 11, 999.301(j) (2021).

[7] FSOR Appendix A at 75 (Response 254).

[8] Cal. Civ. Code § 1798.125(b)(2) (West 2021).

[11] Cal. Code Regs. tit. 11, 999.307(b)(1) (2021).

[12] Cal. Code Regs. tit. 11, 999.307(b)(2) (2021).

[13] Cal. Code Regs. tit. 11, 999.307(b)(2) (2021).

[14] Cal. Code Regs. tit. 11, 999.307(b)(3) (2021).

[15] Cal. Code Regs. tit. 11, 999.307(b)(4) (2021).

[16] Cal. Civ. Code § 1798.125(b)(3) (West 2021).

[17] Cal. Code Regs. tit. 11, 999.307(b)(5) (2021).

[18] Cal. Civ. Code § 1798.125(a)(1), (2) (West 2021).

[19] Cal. Code Regs. tit. 11, 999.307(b)(5)(a), (b) (2021).

[9] Cal. Civ. Code § 1798.125(b)(3) (West 2021).

[10] Cal. Civ. Code § 1798.125(b)(3) (West 2021).

©2022 Greenberg Traurig, LLP. All rights reserved.

New Poll Underscores Growing Support for National Data Privacy Legislation

Over half of all Americans would support a federal data privacy law, according to a recent poll from Politico and Morning Consult. The poll found that 56 percent of registered voters would either strongly or somewhat support a proposal to “make it illegal for social media companies to use personal data to recommend content via algorithms.” Democrats were most likely to support the proposal at 62 percent, compared to 54 percent of Republicans and 50 percent of Independents. Still, the numbers may show that bipartisan action is possible.

The poll is indicative of Americans’ increasing data privacy awareness and concerns. Colorado, Virginia, and California all passed or updated data privacy laws within the last year, and nearly every state is considering similar legislation. Additionally, Congress held several high-profile hearings last year soliciting testimony from several tech industry leaders and whistleblower Frances Haugen. In the private sector, Meta CEO Mark Zuckerberg has come out in favor of a national data privacy standard similar to the EU’s General Data Protection Regulation (GDPR).

Politico and Morning Consult released the poll results days after Senator Ron Wyden (D-OR) accepted a 24,000-signature petition calling for Congress to pass a federal data protection law. Senator Wyden, who recently introduced his own data privacy proposal called the “Mind Your Own Business Act,” said it was “past time” for Congress to act.

He may be right: U.S./EU data flows have been on borrowed time since 2020. The GDPR prohibits data flows from the EU to countries with inadequate data protection laws, including the United States. The U.S. Privacy Shield regulations allowed the United States to circumvent the rule, but an EU court invalidated the agreement in 2020, and data flows between the US and the EU have been in legal limbo ever since. Eventually, Congress and the EU will need to address the situation, and a federal data protection law would be a long-term solution.

This post was authored by C. Blair Robinson, legal intern at Robinson+Cole. Blair is not yet admitted to practice law.


Copyright © 2022 Robinson & Cole LLP. All rights reserved.

CCPA for Lawyers: Notice Of Collection Needed for Third-Party Subpoenas & Discovery Req?

CCPA Illogic: Do lawyers have to give notices of collection before sending out third party subpoenas?

A law firm may be considered a service provider under the CCPA to the extent that a written contract between the law firm and its client (e.g., an engagement letter) prohibits the law firm from using, retaining, and disclosing personal information except to the extent permitted by the client. As the CCPA only requires that a “business that collects a consumer’s personal information” provide a notice at collection,[1] if a law firm is a service provider it would not be required to provide a notice at collection to individuals from whom it is attempting to collect personal information.

If, on the other hand, a law firm is considered a business, it is possible that it is exempt from the requirement to provide a notice at collection. Specifically, businesses are exempt from any obligations under the CCPA to the extent that they “restrict a business’s ability to . . . exercise or defend legal claims.”[2] A court might determine that requiring a law firm to provide a notice at collection restricts the law firm’s ability to exercise or defend legal claims on behalf of clients, or restricts clients’ ability to have their claims exercised or defended by the law firm.

Even if a law firm is not exempt from the obligation to provide a notice at collection, assuming that the target of the subpoena is a California consumer, the subpoena itself may implicitly satisfy the obligation to provide a notice at collection. Specifically, a notice at collection should include the following information:

  • A list of the categories of personal information that will be collected;
  • The business or commercial purpose for which the information is being collected;
  • Information on how to opt-out of the sale of personal information (if information is being sold); and
  • Information on how to find the company’s complete privacy notice.[3]

A third party subpoena, by its nature, specifies the type of personal information that is being sought, and that the information will be used within the context of the identified litigation. While a subpoena does not specify how a recipient can opt out of the sale of their personal information, discovery and ethics rules prevent a law firm from attempting to sell personal information received in discovery. While most subpoenas do not specifically indicate how a subpoena recipient can find a copy of the law firm’s privacy notice, if a recipient is represented by counsel, it would be difficult to argue that their counsel would not know how to locate a law firm’s online privacy notice to the extent that one has been posted. The net result is that most, if not all, of the information required by a notice at collection may be contained within a subpoena.[4]

CCPA Illogic: Do lawyers have to give notices of collection before sending out discovery requests?

A law firm may be considered a service provider under the CCPA to the extent that a written contract between the law firm and its client (e.g., an engagement letter) prohibits the law firm from using, retaining, and disclosing personal information except to the extent permitted by the client. The CCPA only requires that a “business that collects a consumer’s personal information” provide a notice at collection.[5] As a result, if a law firm is a service provider, it would not be required to provide a notice at collection to individuals from whom it is attempting to collect personal information.

If, on the other hand, a law firm is considered a business, it is possible that it is exempt from the requirement to provide a notice at collection. Specifically, businesses are exempt from any obligations under the CCPA to the extent that they “restrict a business’s ability to . . . exercise or defend legal claims.”[6] A court might determine that requiring a law firm to provide a notice at collection restricts the law firm’s ability to exercise or defend legal claims on behalf of clients, or restricts clients’ ability to have their claims exercised or defended by the law firm.

Even if a law firm is not exempt from the obligation to provide a notice at collection, assuming that the opposing party is a California consumer, a discovery request may implicitly satisfy the obligation to provide a notice at collection. Specifically, a notice at collection should include the following information:

  • A list of the categories of personal information that will be collected;
  • The business or commercial purpose for which the information is being collected;
  • Information on how to opt-out of the sale of personal information (if information is being sold); and
  • Information on how to find the company’s complete privacy notice.[7]

A discovery request (e.g., interrogatories, document requests, or a deposition request) specifies the type of personal information that is being sought, and implicit in the discovery request is that the information will be used within the context of the litigation. While a discovery request does not specify how an opposing party can opt out of the sale of their personal information, discovery and ethics rules often prevent a law firm from attempting to sell personal information received in discovery.[8] While most discovery requests do not specifically indicate how an opposing party can find a law firm’s complete privacy notice, if an opposing party is represented by counsel, it would be difficult to argue that opposing counsel would not know how to locate a law firm’s privacy notice to the extent that it is publicly posted online. The net result is that most, if not all, of the information required by a notice at collection may be contained in a discovery request itself.[9]


[1] Cal. Civ. Code 1798.100(b) (Oct. 2020) (emphasis added).
[2] Cal. Civ. Code 1798.145(a)(5).
[3] CCPA Reg. 999.305(b)(1)-(4).
[4] Note that as of January 1, 2023, a notice at collection would also need to include the “length of time” that the business intends to retain each category of personal information. Cal. Civ. Code 1798.100(a)(3). In the context of civil litigation, the length of time that information will be kept is often conveyed to the opposing party through other means such as a negotiated protective order that discusses the return or destruction of documents at the end of the litigation.

[5] Cal. Civ. Code 1798.100(b) (Oct. 2020) (emphasis added).
[6] Cal. Civ. Code 1798.145(a)(5).
[7] CCPA Reg. 999.305(b)(1)-(4).
[8] For example, ABA Model Rule of Professional Ethics 4.4(a) prohibits a lawyer from using any method of obtaining evidence that would “violate the legal rights” of a third party.
[9] Note that as of January 1, 2023, a notice at collection would also need to include the “length of time” that the business intends to retain each category of personal information. Cal. Civ. Code 1798.100(a)(3). In the context of civil litigation, the length of time that information will be kept is often conveyed to the opposing party through other means such as a negotiated protective order that discusses the return or destruction of documents at the end of the litigation.



Temperature Checks: Three Things to Know Before Screening Employees and Customers

As businesses begin the calculated process of re-opening their doors to employees and customers, many are considering implementing temperature checks to monitor for at least one known COVID-19 symptom – the fever.

Beyond nailing down the logistics of temperature checks (e.g., who will perform them, has that person been trained, do employees need to be paid while waiting in line, how will social distancing be maintained, etc.) there are several significant legal considerations that should be evaluated before implementation.

The Illinois Biometric Privacy Act

Some temperature screening devices utilize facial-recognition technology to quickly identify those with fever so that they can be promptly tracked down and removed from the facility. While these systems provide logistical advantages, especially to large employers and retailers, they likely implicate provisions of the Illinois Biometric Privacy Act (BIPA) which can lead to costly litigation and result in stiff penalties for anyone who violates the statute, even unwittingly.

According to BIPA, businesses utilizing this type of facial-recognition technology must obtain advance, written consent from the individuals to be scanned, and must also maintain a publicly available policy that specifies information regarding the collection, use, storage, and destruction of individuals’ biometric information. And, again, these policies and consents must be executed and implemented before temperature screenings begin. It is, therefore, critical to determine whether your temperature screening devices perform facial recognition scans or capture other biometric information.

Confidentiality of Employee Information

Employers screening employee temperatures must also remember they are conducting a “medical examination,” as defined by the Equal Employment Opportunity Commission (EEOC), and would be wise to adhere to the EEOC’s guidance on the issue. This means information collected about employees’ temperature, such as the temperature readings themselves, or the fact that an employee had or has a fever, must be treated as confidential medical information and maintained in a confidential file separate from an employee’s personnel file. Employers should also take care to not divulge the identity of any employee sent home with fever, absent consent from the employee to share that information with other personnel, or a strict need-to-know among involved supervisor(s) or members of human resources.

The California Consumer Privacy Act

California’s sweeping new privacy law, the California Consumer Privacy Act (CCPA), contains broad protection of consumers’ “personal information,” and requires businesses subject to the statute to, among other things, notify consumers when their personal information is being collected. Though body temperature is not explicitly mentioned in the statute, the definition of “personal information” is broad, and includes information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer …” It includes biometric information. Whether an individual’s temperature constitutes personal information is up for some debate, but debates often lead to costly litigation, and it is easy enough to amend CCPA notices to include temperature until that debate is resolved in an effort to avoid litigation altogether.

So, if a business is subject to the CCPA and intends to collect employee or customer temperatures (whether or not with the use of biometric technology), it should consider updating its CCPA notices to include “temperature” (and, if applicable, scans of face geometry) to the list of personal information collected.


© 2020 Much Shelist, P.C.


My Business Is In Arizona, Why Do I Care About California Privacy Laws? How the CCPA Impacts Arizona Businesses

Arizona businesses are not typically concerned about complying with the newest California laws going into effect. However, one California law in particular—the CCPA or California Consumer Privacy Act—has a scope that extends far beyond California’s border with Arizona. Indeed, businesses all over the world that have customers or operations in California must now be mindful of whether the CCPA applies to them and, if so, whether they are in compliance.

What is the CCPA?

The CCPA is a comprehensive data privacy regulation enacted by the California Legislature that became effective on January 1, 2020. It was passed on September 13, 2018 and has undergone a series of substantive amendments over the past year and a few months.

Generally, the CCPA gives California consumers a series of rights with respect to how companies acquire, store, use, and sell their personal data. The CCPA’s combination of mandatory disclosures and notices, rights of access, rights of deletion, statutory fines, and threat of civil lawsuits is a significant move towards empowering consumers to control their personal data.

Many California businesses are scrambling to implement the necessary policies and procedures to comply with the CCPA in 2020. In fact, you may have begun to notice privacy notices on the primary landing page for national businesses. However, Arizona businesses cannot assume that the CCPA stops at the Arizona border.

Does the CCPA apply to my business in Arizona?

The CCPA has specific criteria for whether a company is considered a California business. The CCPA applies to for-profit businesses “doing business in the State of California” that also:

  • Have annual gross revenues in excess of twenty-five million dollars; or
  • Handle data of more than 50,000 California consumers or devices per year; or
  • Have 50% or more of revenue generated by selling California consumers’ personal information

The CCPA does not include an express definition of what it means to be “doing business” in California. While it will take courts some time to interpret the scope of the CCPA, any business with significant sales, employees, property, or operations in California should consider whether the CCPA might apply to them.

How do I know if I am collecting a consumer’s personal information?

“Personal information” under the CCPA generally includes any information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked” with a specific consumer. As the legalese of this definition implies, “personal information” includes a wide swath of data that your company may already be collecting about consumers.

There is no doubt that personal identifiers like name, address, email addresses, social security numbers, etc. are personal information. But information like biometric data, search and browsing activity, IP addresses, purchase history, and professional or employment-related information are all expressly included under the CCPA’s definition. Moreover, the broad nature of the CCPA means that other categories of data collected—although not expressly identified by the CCPA—may be deemed to be “personal information” in an enforcement action.

What can I do to comply with the CCPA?

If the CCPA might apply to your company, now is the time to take action. Compliance will necessarily be different for each business depending on the nature of its operation and the use(s) of personal information. However, there are some common steps that each company can take.

The first step towards compliance with the CCPA is understanding what data your company collects, how it is stored, whether it is transferred or sold, and whether any vendors or subsidiaries also have access to the data. Next, an organization should prepare a privacy notice that complies with the CCPA to post on its website and include in its app interface.

The most substantial step in complying with the CCPA is to develop and implement policies and procedures that help the company conform to the various provisions of the CCPA. The policies will need to provide up-front disclosures to consumers, allow consumers to opt-out, handle consumer requests to produce or delete personal information, and guard against any perceived discrimination against consumers that exercise rights under the CCPA.

The company will also need to review contracts with third-party service providers and vendors to ensure it can comply with the CCPA. For example, if a third-party cloud service will be storing personal information, the company will want to verify that its contract allows it to assemble and produce that information within statutory deadlines if requested by a consumer.

At least you have some time!

The good news is that the CCPA includes a grace period until July 1, 2020 before the California Attorney General can bring enforcement actions. Thus, Arizona businesses that may have ignored the quirky California privacy law to this point have a window to bring their operations into compliance. However, Arizona companies that may need to comply with the CCPA should consult with counsel as soon as possible to begin the process. The attorneys at Ryley Carlock & Applewhite are ready to help you analyze your risk and comply with the CCPA.


Copyright © 2020 Ryley Carlock & Applewhite. A Professional Association. All Rights Reserved.


Florida’s Legislature to Consider Consumer Data Privacy Bill Akin to California’s CCPA

Florida lawmakers have proposed data privacy legislation that, if adopted, would impose significant new obligations on companies offering a website or online service to Florida residents, including allowing consumers to “opt out” of the sale of their personal information. While the bill (SB 1670 and HB 963) does not go as far as did the recent California Consumer Privacy Act, its adoption would mark a significant increase in Florida residents’ privacy rights. Companies that have an online presence in Florida should study the proposed legislation carefully. Our initial take on the proposed legislation appears below.

The proposed legislation requires an “operator” of a website or online service to provide consumers with (i) a “notice” regarding the personal information collected from consumers on the operator’s website or through the service and (ii) an opportunity to “opt out” of the sale of certain of a consumer’s personal information, known as “covered information” in the draft statute.

The “notice” would need to include several items. Most importantly, the operator would have to disclose “the categories of covered information that the operator collects through its website or online service about consumers who use [them] … and the categories of third parties with whom the operator may share such covered information.” The notice would also have to disclose “a description of the process, if applicable, for a consumer who uses or visits the website or online service to review and request changes to any of his or her covered information. . . .” The bill does not otherwise list when this “process” would be “applicable,” and it nowhere else appears to create for consumers any right to review and request changes.

While the draft legislation obligates operators to stop selling data of a consumer who submits a verified request to do so, it does not appear to require a description of those rights in the “notice.” That may just be an oversight in drafting. In any event, the bill is notable as it would be the first Florida law to require an online privacy notice. Further, a “sale” is defined as an exchange of covered information “for monetary consideration,” which is narrower than its CCPA counterpart, and contains exceptions for disclosures to an entity that merely processes information for the operator.

There are also significant questions about which entities would be subject to the proposed law. An “operator” is defined as a person who owns or operates a website or online service for commercial purposes, collects and maintains covered information from Florida residents, and purposefully directs activities toward the state. That “and” is assumed, as the proposed bill does not state whether those three requirements are conjunctive or disjunctive.

Excluded from the definition of “operator” is a financial institution (such as a bank or insurance company) already subject to the Gramm-Leach-Bliley Act, and an entity subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Outside of the definition of “operator,” the proposed legislation appears to further restrict the companies to which it would apply, to eliminate its application to smaller companies based in Florida, described as entities “located in this state,” whose “revenue is derived primarily from a source other than the sale or lease of goods, services, or credit on websites or online services,” and “whose website or online service has fewer than 20,000 unique visitors per year.” Again, that “and” is assumed as the bill does not specify “and” or “or.”

Lastly, the Department of Legal Affairs appears to be vested with authority to enforce the law. The proposed legislation states explicitly that it does not create a private right of action, although it also says that it is in addition to any other remedies provided by law.

The proposed legislation is part of an anticipated wave of privacy legislation under consideration across the country. California’s CCPA took effect in January and imposes significant obligations on covered businesses. Last year, Nevada passed privacy legislation that bears a striking resemblance to the proposed Florida legislation. Other privacy legislation has been proposed in Massachusetts and other jurisdictions.


©2011-2020 Carlton Fields, P.A.


2020 Predictions for Data Businesses

It’s a new year, a new decade, and a new experience for me writing for the HeyDataData blog.  My colleagues asked for input and discussion around 2020 predictions for technology and data protection.  Dom has already written about a few.  I’ve picked out four:

  1. Experiential retail

Stores will offer a technology-infused shopping experience in their stores.  Even today, without using my phone, I can experience a retailer’s products and services with store-provided technology, without needing to open an app.  I can try on a pair of glasses or wear a new lipstick color just by putting my face in front of a screen.  We will see how creative companies can be in luring us to the store by offering us an experience that we have to try.  This experiential retail type of technology is a bit ahead of the Amazon checkout technology, but passive payment methods are coming, too.  [But if we still don’t want to go to the store, companies will continue to offer us more mobile ordering—for pick-up or delivery.]

  2. Consumers will still tell companies their birthdays and provide emails for coupons (well, maybe not in California)

We will see whether the California Consumer Privacy Act (CCPA) will meaningfully change consumers’ perception about giving their information to companies—usually lured by financial incentives (like loyalty programs, coupons, etc. or a free app).  I tend to think that we will continue to download apps and give information if it is convenient or cheaper for us and that companies will think it is good for business (and their shareholders, if applicable) to continue to engage with their consumers.  This is an extension of number 1, really, because embedding technology in the retail experience will allow companies to offer new (hopefully better) products (and gather data they may find a use for later. . . ).  Even though I think consumers will still give up their data, I also think consumer privacy advocates will try harder to shift their perceptions (enter CCPA 2.0 and others).

  3. More “wearables” will hit the market

We already have “smart” refrigerators, watches, TVs, garage doors, vacuum cleaners, stationary bikes and treadmills.  Will we see other, traditionally disconnected items connect?  I think yes.  Clothes, shoes, purses, backpacks, and other “wearables” are coming.

  4. Computers will help with decisions

We will see more technology-aided (trained with lots of data) decision making.  Just yesterday, one of the most read stories described how an artificial intelligence system detected cancer, matching or outperforming radiologists that looked at the same images.  Over the college football bowl season, I saw countless commercials for insurance companies showing how their policy holders can lower their rates if they let an app track how they are driving.  More applications will continue to pop up.

Those are my predictions.  And I have one wish to go with it.  Those kinds of advances create tension among open innovation, ethics and the law.  I do not predict that we will solve this in 2020, but my #2020vision is that we will make progress.


Copyright © 2020 Womble Bond Dickinson (US) LLP All Rights Reserved.


CCPA Notice of Collection – Are You Collecting Geolocation Data, But Do Not Know It?

Businesses subject to the California Consumer Privacy Act (“CCPA”) are working diligently to comply with the CCPA’s numerous mandates, although final regulatory guidance has yet to be issued. Many of these businesses are learning that AB25, passed in October, requires employees, applicants, and certain other California residents to be provided a notice of collection at least for the next 12 months. These businesses need to think about what must be included in these notices.

A Business Insider article explains that iPhones maintain a detailed list of every location the user of the phone frequents, including how long it took to get to that location, and how long the user stayed there. The article provides helpful information about where that information is stored on the phone, how the data can be deleted, and, perhaps more importantly, how to stop the tracking of that information. This information may be important for users, as well as companies that provide iPhones to their employees to use in connection with their work.

AB25 excepted natural persons acting as job applicants, employees, owners, directors, officers, medical staff members, and contractors of a CCPA-covered business from all of the CCPA protections except two: (i) providing them a notice of collection under Cal. Civ. Code Sec. 1798.100(b), and (ii) the right to bring a private civil action against a business in the event of a data breach caused by the business’s failure to maintain reasonable safeguards to protect personal information. The notice of collection must inform these persons as to the categories of personal information collected by the business and how those categories are used.

The CCPA’s definition of personal information includes eleven categories of personal information, one of which is geolocation data. As many businesses think about the categories of personal information they collect from employees, applicants, etc. for this purpose, geolocation may be the last thing that comes to mind. This is especially true for businesses with workforces that come into the office every day, and which do not have a business need to know where their employees are, such as transportation, logistics, and home health care businesses. But, they still may provide their workforce members a company-owned iPhone or other smart device with similar capabilities, although not realizing all of its capabilities or configurations.

As many who have gone through compliance with the General Data Protection Regulation in the European Union know, the CCPA and other laws that may come after it in the U.S. will require businesses to think more carefully about the personal information they collect. They likely will find such information is being collected without their knowledge and not at their express direction, and they may have to communicate that collection (and use) to their employees.


Jackson Lewis P.C. © 2019