CCPA Alert: California Attorney General Releases Draft Regulations

On October 10, 2019, the California Attorney General released the highly anticipated draft regulations for the California Consumer Privacy Act (CCPA). The regulations focus heavily on three main areas: 1) notices to consumers, 2) consumer requests and 3) verification requirements. While the regulations focus heavily on these three topics, they also discuss special rules for minors, non-discrimination standards and other aspects of the CCPA. Despite high hopes, the regulations do not provide the clarity many companies desired. Instead, the regulations layer on new requirements while sprinkling in further ambiguities.

The most surprising new requirements proposed in the regulations include:

  • New disclosure requirements for businesses that collect personal information from more than 4,000,000 consumers
  • Businesses must acknowledge the receipt of consumer requests within 10 days
  • Businesses must honor “Do Not Sell” requests within 15 days and inform any third parties who received the personal information of the request within 90 days
  • Businesses must obtain consumer consent to use personal information for a use not disclosed at the time of collection

The following are additional highlights from each of the three main areas:

1. Notices to consumers

The regulations discuss four types of notices to consumers: notice at the time of collection, notice of the right to opt-out of the sale of personal information, notice of financial incentives and a privacy policy. All required notices must be:

  • Easy to read in plain, straightforward language
  • In a format that draws the consumer’s attention to the notice
  • Accessible to those with disabilities
  • Available in all languages in which the company regularly conducts business

The regulations make clear that it is necessary, but not sufficient, to update your privacy policy to be compliant with CCPA. You must also provide notice to consumers at the time of data collection, which must be visible and accessible before any personal information is collected. The regulations make clear that no personal information may be collected without proper notice. You may use your privacy policy as the notice at the time of collection, but you must link to a specific section of your privacy policy that provides the statutorily required notice.

The regulations specifically provide that for offline collection, businesses could provide a paper version of the notice or post prominent signage. Similar to General Data Protection Regulation (GDPR), a company may only use personal information for the purposes identified at the time of collection. Otherwise, the business must obtain explicit consent to use the personal information for a new purpose.

In addition to the privacy policy requirements in the statute itself, the regulations require more privacy policy disclosures. For example, the business must include instructions on how to verify a consumer request and how to exercise consumer rights through an agent. Further, the privacy policy must identify the following information for each category of personal information collected: the sources of the information, how the information is used and the categories of third parties to whom the information is disclosed. For businesses that collect personal information of 4,000,000 or more consumers, the regulations require additional disclosures related to the number of consumer requests and the average response times. Given the additional nuances of the disclosure requirements, we recommend working with counsel to develop your privacy policy.

If a business provides financial incentives to a consumer for allowing the sale of their personal information, then the business must provide a notice of the financial incentive. The notice must include a description of the incentive, its material terms, instructions on how to opt-in to the incentive, how to withdraw from the incentive and an explanation of why the incentive is permitted by CCPA.

Finally, the regulations state that service providers that collect personal information on behalf of a business may not use that personal information for their own purposes. Instead, they are limited to performing only their obligations under the contract between the business and service provider. The contract between the parties must also include the provisions described in CCPA to ensure that the relationship is a service provider/business relationship, and not a sale of personal information between a business and third party.

2. Consumer requests

Businesses must provide at least two methods for consumers to submit requests (most commonly an online form and a toll-free number), and one of the methods must reflect the manner in which the business primarily interacts with the consumer. In addition, businesses that substantially interact with consumers offline must provide an offline method for consumers to exercise their right to opt-out, such as providing a paper form. The regulations specifically call out that in-person retailers may therefore need three methods: a paper form, an online form and a toll-free number.

The regulations do limit some consumer request rights by prohibiting the disclosure of Social Security numbers, driver’s license numbers, financial account numbers, medical-related identification numbers, passwords, and security questions and answers. Presumably, this is for two reasons: the individual should already know this information and most of these types of information are subject to exemptions from CCPA.

One of the most notable clarifications related to requests is that the 45-day timeline to respond to a consumer request includes any time required to verify the request. Additionally, the regulations introduce a new timeline requirement for consumer requests. Specifically, businesses must confirm receipt of a request within 10 days. Another new requirement is that businesses must respond to opt-out requests within 15 days and must inform all third parties to stop selling the consumer’s information within 90 days. Further, the regulations require that businesses maintain request records logs for 24 months.

3. Verification requirements

The most helpful guidance in the regulations relates to verification requests. The regulations provide that a more rigorous verification process should apply to more sensitive information. That is, businesses should not release sensitive information without being highly certain about the identity of the individual requesting the information. Businesses should, where possible, avoid collecting new personal information during the verification process and should instead rely on confirming information already in the business’ possession. Verification can be through a password-protected account provided that consumers re-authenticate themselves. For websites that provision accounts to users, requests must be made through that account. Matching two data points provided by the consumer with data points maintained by the business constitutes verification to a reasonable degree of certainty, and the matching of three data points constitutes a high degree of certainty.

The regulations also provide prescriptive steps of what to do in cases where an identity cannot be verified. For example, if a business cannot verify the identity of a person making a request for access, then the business may proceed as if the consumer requested disclosure of only the categories of personal information, as opposed to the content of such personal information. If a business cannot verify a request for deletion, then the business should treat the request as one to opt-out of the sale of personal information.

Next steps

These draft regulations add new wrinkles, and some clarity, to what is required for CCPA compliance. As we move closer to January 1, 2020 companies should continue to focus on preparing compliant disclosures and notices, finalizing their privacy policies and establishing procedures to handle consumer requests. Despite the need to press forward on compliance, the regulations are open to initial public comment until December 6, 2019, with a promise to finalize the regulations in the spring of 2020. We expect further clarity as these draft regulations go through the comment process and privacy professionals, attorneys, businesses and other stakeholders weigh in on their clarity and reasonableness.


Copyright © 2019 Godfrey & Kahn S.C.

For more on CCPA implementation, see the National Law Review Consumer Protection law page.

The CCPA Is Approaching: What Businesses Need to Know about the Consumer Privacy Law

The most comprehensive data privacy law in the United States, the California Consumer Privacy Act (CCPA), will take effect on January 1, 2020. The CCPA is an expansive step in U.S. data privacy law, as it enumerates new consumer rights regarding collection and use of personal information, along with corresponding duties for businesses that trade in such information.

While the CCPA is a state law, its scope is sufficiently broad that it will apply to many businesses that may not currently consider themselves to be under the purview of California law. In addition, in the wake of the CCPA, at least a dozen other states have introduced their own comprehensive data privacy legislation, and there is heightened consideration and support for a federal law to address similar issues.

Below, we examine the contours of the CCPA to help you better understand the applicability and requirements of the new law. While portions of the CCPA remain subject to further clarification, the inevitable challenges of compliance, coupled with the growing appetite for stricter data privacy laws in the United States generally, mean that now is the time to ensure that your organization is prepared for the CCPA.

Does the CCPA apply to my business?

Many businesses may rightly wonder if a California law even applies to them, especially if they do not have operations in California. As indicated above, however, the CCPA is not necessarily limited in scope to businesses physically located in California. The law will have an impact throughout the United States and, indeed, worldwide.

The CCPA will have broad reach because it applies to each for-profit business that collects consumers’ personal information, does business in California, and satisfies at least one of three thresholds:

  • Has annual gross revenues in excess of $25 million; or
  • Alone or in combination, annually buys, receives for commercial purposes, sells, or shares for commercial purposes, the personal information of 50,000 or more California consumers; or
  • Derives 50 percent or more of its annual revenues from selling consumers’ personal information

While the CCPA is limited in its application to California consumers, due to the size of the California economy and its population numbers, the act will effectively apply to any data-driven business with operations in the United States.

What is considered “personal information” under the CCPA?

The CCPA’s definition of “personal information” is likely the most expansive interpretation of the term in U.S. privacy law. Per the text of the law, personal information is any “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

The CCPA goes on to note that while traditional personal identifiers such as name, address, Social Security number, passport, and the like are certainly personal information, so are a number of other categories that may not immediately come to mind, including professional or employment-related information, geolocation data, biometric data, educational information, internet activity, and even inferences drawn from the sorts of data identified above.

As a practical matter, if your business collects any information that could reasonably be linked back to an individual consumer, then you are likely collecting personal information according to the CCPA.

When does a business “collect” personal information under the CCPA?

To “collect” or the “collection” of personal information under the CCPA is any act of “buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means.” Such collection can be active or passive, direct from the consumer or via the purchase of consumer data sets. If your business is collecting personal information directly from consumers, then at or before the point of collection the CCPA imposes a notice obligation on your business to inform consumers about the categories of information to be collected and the purposes for which such information will (or may) be used.

To reiterate, if your business collects any information that could reasonably be linked back to an individual, then you are likely collecting personal information according to the CCPA.

If a business collects personal information but never sells any of it, does the CCPA still apply?

Yes. While there are additional consumer rights related to the sale of personal information, the CCPA applies to businesses that collect personal information solely for internal purposes, or that otherwise do not disclose such information.

What new rights does the CCPA give to California consumers?

The CCPA gives California consumers four primary new rights: the right to receive information on privacy practices and access information, the right to demand deletion of their personal information, the right to prohibit the sale of their information, and the right not to be subject to price discrimination based on their invocation of any of the new rights specified above.

What new obligations does a business have regarding these new consumer rights?

Businesses that fall under the purview of the CCPA have a number of new obligations under the law:

  • A business must take certain steps to assist individual consumers with exercising their rights under the CCPA. This must be accomplished by providing a link on the business’s homepage titled “Do Not Sell My Personal Information” and a separate landing page for the same. In addition, a business must update its privacy policy (or policies), or a California-specific portion of the privacy policy, to include a separate link to the new “Do Not Sell My Personal Information” page.

A business also must provide at least two mechanisms for consumers to exercise their CCPA rights by offering, at a minimum, a dedicated web page for receiving and processing such requests (the CCPA is silent on whether this web page must be separate from or can be combined with the “Do Not Sell My Personal Information” page), and a toll-free 800 number to receive the same.

  • Upon receipt of a verified consumer request to delete personal information, the business must delete that consumer’s personal information within 45 days.
  • Upon receipt of a verified consumer request for information about the collection of that consumer’s personal information, a business must provide the consumer with a report within 45 days that includes the following information from the preceding 12 months:
    • Categories of personal information that the business has collected about the consumer;
    • Specific pieces of personal information that the business possesses about the consumer;
    • Categories of sources from which the business received personal information about the consumer;
    • A corporate statement detailing the commercial reason (or reasons) that the business collected such personal information about the consumer; and
    • The categories of third parties with whom the business has shared the consumer’s personal information.
  • Upon receipt of a verified consumer request for information about the sale of that consumer’s personal information, a business must provide the consumer with a report within 45 days that includes the following information from the preceding 12 months:
    • Categories of personal information that the business has collected about the consumer;
    • Categories of personal information that the business has sold about the consumer;
    • Categories of third parties to whom the business has sold the consumer’s personal information; and
    • The categories of personal information about the consumer that the business disclosed to a third party (or parties) for a business purpose.
  • Finally, a business must further update its privacy policy (or policies), or the California-specific section of such policy(s), to:
    • Identify all new rights afforded consumers by the CCPA;
    • Identify the categories of personal information that the business has collected in the preceding 12 months;
    • Include a corporate statement detailing the commercial reason (or reasons) that the business collected such personal information about the consumer;
    • Identify the categories of personal information that the business has sold in the prior 12 months, or the fact that the business has not sold any such personal information in that time; and
    • Note the categories of third parties with whom a business has shared personal information in the preceding 12 months.

What about employee data gathered by employers for internal workplace purposes?

As currently drafted, nothing in the CCPA carves out an exception for employee data gathered by employers. A “consumer” is simply defined as a “natural person who is a California resident …,” so the law would presumably treat employees like anyone else. However, the California legislature recently passed Bill AB 25, which excludes from the CCPA information collected about a person by a business while the person is acting as a job applicant, employee, owner, officer, director, or contractor of the business, to the extent that information is collected and used exclusively in the employment context. Bill AB 25 also provides an exception for emergency contact information and other information pertaining to the administration of employee benefits. The bill awaits the governor’s signature – he has until October 13, 2019 to sign.

But not so fast – Bill AB 25 only creates a one-year reprieve for employers, rather than a permanent exception. The exceptions listed above will expire on January 1, 2021. By that time, the legislature may choose to extend the exceptions indefinitely, or businesses should be prepared to fully comply with the CCPA.

California employers would thus be wise to start considering the type of employee data they collect, and whether that information may eventually become subject to the CCPA’s requirements (either on January 1, 2021 or thereafter). Personal information is likely to be present in an employee’s job application, browsing history, and information related to payroll processing, to name a few areas. It also includes biometric data, such as fingerprints scanned for time-keeping purposes. Employers who collect employees’ biometric information, for example, would be well advised to review their biometric policies so that eventual compliance with the CCPA can be achieved gradually during this one-year grace period.

Notwithstanding this new legislation, there remains little clarity as to how the law will ultimately be applied in the employer-employee context, if and when the exceptions expire. Employers are encouraged to err on the side of caution and to reach out to experienced legal counsel for further guidance if they satisfy any one of the above thresholds.

What are the penalties for violation of the CCPA?

Violations of the CCPA are enforced by the California Attorney General’s office, which can issue civil monetary fines of up to $2,500 per violation, or $7,500 for each intentional violation. Currently, the California AG’s office must provide notice of any alleged violation and allow for a 30-day cure period before issuing any fine.

Are there any exceptions to the CCPA?

Yes, there are a number of exceptions. First, the CCPA only applies to California consumers and businesses that meet the threshold(s) identified above. If a business operates or conducts a transaction wholly outside of California then the CCPA does not apply.

There are also certain enumerated exceptions to account for federal law, such that the CCPA is pre-empted by HIPAA, the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act as it applies to personal information sold to or purchased from a credit reporting agency, and information subject to the Driver’s Privacy Protection Act.

Would it be fair to say that the CCPA is not very clear, and maybe even a bit confusing?

Yes, it would. The CCPA was drafted, debated, and enacted into law very quickly in the face of some legislative and ballot-driven pressures. As a result, the bill as enacted is a bit confusing and even contains sections that appear to contradict its other parts. The drafters of the CCPA, however, recognized this and have included provisions for the California AG’s office to provide further guidance on its intent and meaning. Amendment efforts also remain underway. As such, it is likely that the CCPA will be an evolving law for at least the short term.

Regardless, the CCPA will impose real-world requirements effective January 1, 2020, and the new wave of consumer privacy legislation it has inspired at the state and federal level is likely to bring even more of the same. It is important to address these issues now, rather than when it is too late.


© 2019 Much Shelist, P.C.

For more on the CCPA legislation, see the National Law Review Consumer Protection law page.

The California Consumer Privacy Act Series Part 1: Applicability

California’s new privacy law, the California Consumer Privacy Act (the “CCPA”), goes into effect on January 1, 2020.  It is the most expansive state privacy law in U.S. history, imposing GDPR-like transparency and individual rights requirements on companies.  The law will impact nearly every entity that handles “personal information” regarding California residents, including (at least for now) employees.  An overview of the CCPA’s applicability is set forth below.

Who will the CCPA impact?

Most of the CCPA’s obligations apply directly to a “business,” which is an entity that:

  1. Handles “personal information” about California residents;
  2. Determines the purposes and means of processing that “personal information”; and
  3. Does business in California, and meets one of the following threshold requirements:

(a) Has annual gross revenues in excess of $25 million;

(b) Annually handles “personal information” regarding at least 50,000 consumers, households, or devices; or

(c) Derives 50% or more of its annual revenue from selling “personal information.”

However, “service providers” that handle “personal information” on behalf of a business and other third parties that receive “personal information” will also be impacted.  As currently written, however, the CCPA does not apply to non-profit organizations.

The CCPA’s three threshold requirements seem relatively straightforward, yet upon examination raise additional questions that will need to be clarified down the road.  For example:

  • Does the 50,000 devices threshold cover devices of California residents only, or apply more broadly?
  • Is the $25 million annual revenue trigger applicable only to revenue derived from California or globally?
  • What timeframe do businesses who suddenly find themselves within the CCPA’s ambit have to bring themselves into compliance with its provisions?

What is “personal information” as defined in the CCPA?

The CCPA defines “personal information” broadly in terms of (a) types of individuals and (b) types of data elements.  First, the term “consumer” refers to, and the CCPA applies to data about, any California resident, which ostensibly includes website visitors, B2B contacts and (at least for now) employees.  It is not limited to B2C customers that actually purchase goods or services.  Second, the data elements that constitute “personal information” term include non-sensitive items that historically have been less regulated in the U.S., such as Internet browsing histories, IP addresses, product preferences, purchasing histories, and inferences drawn from any other types of personal information described in the statute, including:

  • Identifiers such as name, address, phone number, email address;
  • Characteristics of protected classifications under California and federal law;
  • Commercial information such as property records, products purchased, and other consuming history;
  • Biometric information;
  • Internet or other electronic network activity;
  • Geolocation data;
  • Olfactory, audio, and visual information; and
  • Professional or educational information.

Does the CCPA have any exemptions?

The CCPA will apply to a broad number of businesses, covering nearly all commercial entities that do business in California, regardless of whether the business has a physical location or employees in the State.  However, there are some nuanced exemptions.

As a general matter, the exemptions are based on the types of information that a business collects, and not on the industry of the business collecting the information.  These include information that is collected and used wholly outside of California, subject to other state and federal laws, or sold to or from consumer reporting agencies.  Specifically, the excluded categories of “personal information” include:

      1. Activity “wholly outside” California

The CCPA does not apply to conduct that takes place “wholly outside” of California, although it is unclear how such an exemption will apply in practice.  The statute provides that this exemption applies if:

  • The business collects information while the consumer is outside of California;
  • No part of the sale of the consumer’s “personal information” occurs in California; and
  • No “personal information” collected while the consumer is in California is sold.

Determining when a consumer is outside of California when his or her “personal information” is collected will be challenging for businesses.  For example, given that an IP address is expressly included as “personal information” under the law, is a business supposed to do a reverse-lookup to determine whether an individual’s IP address originates in California?

      1. Data subject to other U.S. laws

While the CCPA exempts certain types of information subject to other laws, importantly it does not exempt entities subject to those laws altogether.  Entities subject to these laws are also not exempt from the CCPA’s statutory damages (i.e., no injury necessary) provisions relating to data breaches.  Likewise, some types of information (clarified below) are not exempt from the data breach liability provision.  At a glance, these exemptions appear helpful; however, they may end up making operationalizing the law even more difficult for certain entities.  For example:

  • Protected Health Information (“PHI”) and “Medical Information.” The CCPA exempts all PHI collected by “covered entities” and “business associates” subject to HIPAA and “medical information” subject to California’s analogous law, the Confidentiality of Medical Information Act (“CMIA”).  It also exempts any patient information to the extent a “covered entity” or “provider of health care,” respectively, maintains the patient information in the same manner as PHI or “medical information.”  However, many of these entities and their “business associates” collect information beyond what is considered PHI, such as employment records, technical data about website visitors, B2B information, and types of research data.  This data may not be eligible for the CCPA exemption.
  • Clinical Trial Information. The CCPA exempts information collected as part of a clinical trial subject to the Federal Policy for the Protection of Human Subjects, also known as the Common Rule.
  • Financial Information. Information processed pursuant to the Gramm-Leach-Bliley Act (“GLBA”) or the California Financial Information Privacy Act (“CalFIPA”) is exempt from the CCPA.  Much like the health-related exemption, this rule does not exempt entities subject to these laws altogether from its requirements to the extent an entity is processing information not expressly subject to GLBA/CalFIPA.  This particular exemption does not apply to the data breach liability provision.
  • Consumer Reporting Information. The CCPA exempts information sold to and from consumer reporting agencies if that information is reported in, or used to generate, a consumer report and use of that information is limited by the Fair Credit Reporting Act.
  • Driver Information. The CCPA also exempts information processed pursuant to the Driver’s Privacy Protection Act of 1994 (“DPPA”).  Importantly, entities subject to this law are not altogether exempt and this exemption does not apply to the data breach liability provision.

Moreover, the differences in definitions of relevant terms (e.g., “personal information” under the CCPA versus “nonpublic personal information” under GLBA) are important to consider when assessing relevant obligations and could result in institutions being only partially exempt from CCPA compliance.

 

© Copyright 2019 Squire Patton Boggs (US) LLP
This post was written by India K. Scarver and Elliot Golding    of Squire Patton Boggs.         

Federal Privacy Law – Could It Happen in 2019?

This was a busy week for activity and discussions on the federal level regarding existing privacy laws – namely the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). But the real question is, could a federal privacy law actually happen in 2019? Cybersecurity issues and the possibility of a federal privacy law were in the spotlight at the recent Senate Judiciary Committee hearing. This week also saw the introduction of bipartisan federal legislation regarding Internet of Things (IoT)-connected devices.

Senate Judiciary Committee Hearing on GDPR and CCPA

Let’s start by discussing this week’s hearing before the Senate Judiciary Committee in Washington. On March 12, the Committee convened a hearing entitled GDPR & CCPA: Opt-ins, Consumer Control, and the Impact on Competition and Innovation.  The Committee received testimony from several interested parties who discussed the pros and cons of both laws from various perspectives. One thing was clear – technology has outpaced the law, and several of those who provided testimony to the Committee argued strongly for one uniform federal privacy law rather than the collection of 50 different state laws.

Some of the testimony focused on the impact of the GDPR, both on businesses and economic concerns, and some felt it is too early yet to truly know the full impact. Others discussed ethical concerns regarding data use, competition, artificial intelligence, and the necessity for meaningful enforcement by the Federal Trade Commission (FTC).

One thing made clear by the testimony presented is that people want their data protected, and maybe they even want to prevent it from being shared and sold, but the current landscape makes that difficult for consumers to navigate. The reality is that many of us simply can’t keep track of every privacy policy we read, or every “cookie” we consent to. It’s also increasingly clear that putting the burden on consumers to opt in/opt out or try to figure out the puzzle of where our data is going and how it’s used, may not be the most effective means of legislating privacy protections.

Model Federal Privacy Law

Several of the presenters at the Senate hearing included legislative proposals for a federal privacy law. (See the link included above to the Committee website with links to individual testimony). Recently, the U.S. Chamber of Commerce also released its version of a model federal privacy law. The model legislation proposal contains consumer opt-out rights and a deletion option, and would empower the FTC to enforce violations and impose civil penalties for violations.

IoT Federal Legislation Is Back – Sort of

In 2017, federal legislation regarding IoT was introduced but didn’t pass. This week, the Internet of Things Cybersecurity Improvement Act of 2019 was introduced in Congress in a bipartisan effort to impose cybersecurity standards on IoT devices purchased by the federal government. The new bipartisan bill’s supporters acknowledge the proliferation of internet-connected things and devices and the risks to the federal government of IoT cybersecurity vulnerabilities. This latest federal legislation applies to federal government purchases of IoT devices and not to a broader audience. We recently discussed the California IoT law that was enacted last year. Effective January 1, 2020, all IoT devices sold in California will require a manufacturer to equip the device with “reasonable security feature or features” to “protect the device and any information contained therein from unauthorized access, destruction, use modification or disclosure.”

The convergence of the new California law and the prospect of federal IoT legislation begs the question of whether the changes to California law and on the federal level would be enough to drive change in the industry to increase the security of all IoT devices. The even bigger question is whether there is the political will in 2019 to drive change to enact a comprehensive federal privacy law. That remains to be seen as the year progresses.

 

Copyright © 2019 Robinson & Cole LLP. All rights reserved.
This post was written by Deborah A. George of Robinson & Cole LLP.

The Digital Revolution Takes on New Meaning: Among Calls for Heightened U.S. Data Privacy Measures, California is King

California’s ambitious new data privacy law, the California Consumer Privacy Act of 2018 (“CCPA”),[1] will go into effect on January 1, 2020, and promises to bring a new era of digital regulation to America’s shores. Financial institutions that just navigated their way through implementing the European Union’s General Data Protection Regulation (“GDPR”),[2] which became effective in May 2018,[3] may be uneasy about the prospect of complying with yet another new data privacy compliance regime. They will find some comfort in the fact that many of the systems and processes designed for GDPR compliance will serve their needs under the CCPA as well. However, between now and the go-live date of the CCPA, U.S. federal and state laws and regulations are likely to continue to evolve and expand, and financial institutions will need to prepare for CCPA implementation while staying abreast of other fast-moving developments. In this article, we provide some key takeaways for how firms can be as prepared as possible for the continuing evolution of U.S. data privacy law.

  1. The New California Data Privacy Law Will Apply Broadly to Financial Institutions with Customers in California

Financial institutions with customers who are California residents almost certainly fit within the types of businesses to which the CCPA will apply. A “business” subject to the CCPA includes for-profit sole proprietorships, partnerships, limited liability companies, corporations, associations, or any other legal entities that collect consumers’ personal information and that satisfy one or more of the following criteria:

  • has annual gross revenues in excess of $25 million;

  • alone or in combination annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices; or

  • derives 50% or more of its annual revenue from selling consumers’ personal information.[4]

The CCPA also applies to legal entities that control or are controlled by a CCPA-covered business, and where the two legal entities share common branding (such as a shared name, servicemark, or trademark).[5]

For U.S. businesses seeking to remain outside the purview of the CCPA, the available carve-out is extremely narrow. Businesses that collect or sell the personal information of a California resident are exempt from the CCPA only if “every aspect of that commercial conduct takes place wholly outside of California.” This requires that (a) the personal information must have been collected when the consumer was outside of California, (b) no part of the sale of the consumer’s personal information occurred in California, and (c) no personal information collected while the consumer was in California was sold. In practice, this means that any firm with a website or other digital presence visited by California residents will likely be ensnared by the CCPA even if they lack employees or a physical presence in the state.[6]

Businesses that fail to comply with the CCPA are subject to the possibility of a state enforcement action and consumer lawsuits (available only after providing notice to the business and the business fails to cure the violation within 30 days).[7] However, unlike the GDPR which can impose fines calculated as a factor of global revenue, the CCPA assesses penalties of up to $2,500 per violation and up to $7,500 per intentional violation.[8]

  1. California’s Expansive Concept of “Personal Information” Is Similar to the GDPR

When determining what consumer data will constitute personal information under the CCPA, firms can look to certain similarities with the GDPR.

Under the CCPA, “personal information” means “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This includes, but is not limited to, names, addresses, identification number (such as social security, driver’s license, or passport), email address, and Internet Protocol (IP) address. It also includes biometric information, internet activity information (such as web browser or search history, or information regarding a consumer’s interaction with a website), geolocation data, and employment-related or education information.[9] This definition is largely consistent with how the GDPR broadly defines “personal data” for residents of the EU.[10]

The CCPA does not apply to data that has been “deidentified,” which means personal information that cannot reasonably identify, relate to, describe, or be linked to a particular consumer.[11] This is akin to the GDPR’s exclusion for “anonymized” data which cannot be used to identify a data subject. In addition, the CCPA does not apply to “aggregate consumer information,” which is information that relates to a group or category of consumers, from which individual consumer identities have been removed, that is not linked or reasonably linkable to any consumer or household or device.[12]

One difference between the two regimes, however, is that the CCPA’s definition of personal information excludes “publicly available” information, which is information that is lawfully made available from federal, state, or local government records.[13] The GDPR does not have a similar exception and instead provides the same protections to personal data regardless of its source.

  • California Consumers Will Enjoy a New Bill of Rights Protecting their Personal Information

Another similarity between the CCPA and the GDPR is the recognition of several fundamental rights that consumers will soon enjoy relating to the collection, use, and sale of their personal information. Under the CCPA, these can effectively be described as:

  • Right of Disclosure. A business that collects a consumer’s personal information will be required, at or before the point of collection, to inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information will be used.[14] A consumer, e., a “natural person who is a California resident,” will also have the right to request such a business disclose to that consumer the categories and specific pieces of personal information the business has collected.[15] Such a request must be complied with promptly, by mail or electronically, and free of charge to the consumer; however, businesses will not be required to provide such information per consumer request more than twice in a 12-month period.[16] Together with this right, consumers will also have the ability to request the business or commercial purpose for collecting or selling personal information, and the categories of third parties with whom the business shares personal information.[17] Finally, consumers will have the right to request that a business that sells the consumer’s personal information, or discloses it for a business purpose, disclose what personal information was collected and the categories of third parties to whom it was sold.[18]

  • Right of Deletion. A consumer will have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer.[19] If a business has received such a request, it will be required not only to delete the consumer’s personal information from its records, but also to direct any service providers to do the same.[20] This obligation to delete personal information at consumer request is subject to several exceptions, including for the completion of a financial transaction, to detect security incidents or debug errors, and to comply with legal obligations.[21]

  • Right to “Opt Out.” A consumer will have the right to direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information going forward.[22] Once a business has received such an instruction from a consumer, it may not resume selling that consumer’s personal information unless express authorized to do so.[23] This right of a consumer to “opt out” must be clearly communicated to consumers on a business’ website under a banner titled “Do Not Sell My Personal Information,” with an accompanying link that enables a customer to opt out of the sale of the consumer’s personal information.[24]

  • Right to Non-Discrimination. Businesses will be prohibited from discriminating against consumers who exercise their various rights under the CCPA by denying them goods or services, charging different prices, or providing a different level or quality of goods or services.[25]

  1. Financial Institutions Should Not Expect a Complete Carve-Out Under Federal Law

The CCPA will not apply to personal information that is collected, processed, sold, or disclosed under certain federal laws.[26] One such law is the Gramm-Leach-Bliley Act (“GLBA”),[27] which covers financial institutions that offer consumers financial products, like banks, and contains its own consumer privacy-related protections.[28] However, this is not a complete exception because the CCPA defines personal information far more broadly than the financial-transaction-related data contemplated by the GLBA, and includes such data as browser history and IP address. As a result, firms will need to contemplate what personal information they collect in addition to what is captured under the GLBA and be prepared to protect it accordingly under the CCPA.

  1. Conclusion

California may be the next big word on U.S. data privacy legislation, but it is unlikely to be the last. In recent years, Congress and other states have faced increased pressure to explore new cybersecurity and data privacy legislation due to a multitude of factors including a growing awareness of how businesses collect and use personal information as seen with Cambridge Analytica’s use of Facebook data, and public frustration with companies’ perceived lackluster responses to major customer data breaches.[29] A recent report from the U.S. Government Accountability Office further highlights America’s growing appetite for GDPR-like legislation, calling it an “appropriate time for Congress to consider comprehensive Internet privacy legislation.”[30]  And while the last Congress failed to enact any new national data privacy legislation into law, both the House and Senate have held hearings recently to receive testimony on guiding principles for a potential federal data privacy law, with a key question being whether any such law should preempt state laws like the CCPA.[31] So while a full-blown U.S. equivalent of the GDPR may not yet be in the cards, the current mood among the public and among lawmakers points in the direction of more rather than less intensive data privacy rules to come.

1  SB-1121 California Consumer Privacy Act of 2018 (Sept. 24, 2018), 

2 European Commission, General Data Protection Regulation (Regulation (EU) 2016/679) of the European Parliament.

3  See Joseph Moreno et al., The EU’s New Data Protection Regulation – Are Your Cybersecurity and Data Protection Measures up to Scratch?, Cadwalader, Wickersham & Taft LLP (Mar. 6, 2017), .

4   Cal. Civ. Code § 1798.140(c)(1).

5   § 1798.140(c)(2).

6   § 1798.145(a)(6).

7   § 1798.150(b).

8   § 1798.155(b).

9   § 1798.140(o)(1).

10  Article 4 of the GDPR defines “personal data” as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

11  § 1798.140(h).

12  § 1798.140(a).

13  § 1798.140(o)(2). Under the CCPA, personal information loses its “publically available” designation if that data is “used for a purpose that is not compatible with the purpose for which the data is maintained and made available in the government records or for which it is publicly maintained.” Id.

14  § 1798.100(b).

15  § 1798.100(a).

16  § 1798.100(d).

17  § 1798.110(a).

18  § 1798.115(a).

19  § 1798.105(a).

20  § 1798.105(c).

21  § 1798.105(d).

22  § 1798.120(a).

23  § 1798.120(c).

24  § 1798.135(a)(1).

25  § 1798.125(a)(1).

26  § 1798.145(e).

27  15 U.S.C. §§ 6801-6809, 6821-6827.

28  Federal Financial Institutions Examination Council, Gramm-Leach-Bliley Summary of Provisions.

29  See Joseph Moreno, States Respond to Equifax Cyber Breach with Enforcement Actions and Calls for Enhanced Regulatory Powers, Cadwalader, Wickersham & Taft LLP (Oct. 13, 2017).

30  United States Government Accountability Office, Internet Privacy Additional Federal Authority Could Enhance Consumer Protection and Provide Flexibility (Jan. 2019), https://www.gao.gov/assets/700/696437.pdf.

31  U.S. House Committee on Energy & Commerce Subcommittee on Consumer Protection & Commerce, Hearing on “Protecting Consumer Privacy in the Era of Big Data(Feb. 26, 2019), ; U.S. Senate Committee on Commerce, Science, and Transportation, Policy Principles for a Federal Data Privacy Framework in the United States (Feb. 27, 2019), ; Alfred Ng, At Hearing on Federal Data-Privacy Law, Debate Flares Over State Rules, CNET (Feb. 26, 2019), ; Daniel R. Stoller, New FTC Powers Weighed in Senate Data Privacy Hearing (1), Bloomberg Law (Feb. 27, 2019), .

 

© Copyright 2019 Cadwalader, Wickersham & Taft LLP

California AG Announces Amendment to the CCPA

On February 25, 2019, California Attorney General Xavier Becerra and Senator Hannah-Beth Jackson introduced Senate Bill 561, legislation intended to strengthen and clarify the California Consumer Privacy Act (CCPA), which was enacted in June of 2018. If enacted, this would be the second amendment to the CCPA, following an earlier amendment in September of 2018 that Governor Jerry Brown signed into law Senate Bill 1121, which also clarified and strengthened the original version of the law.

As we reported previously, the CCPA will apply to any entity that does business in the State of California and satisfies one or more of the following: (i) annual gross revenue in excess of $25 million, (ii) alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices, or (iii) derives 50 percent or more of its annual revenues from selling consumers’ personal information. Under the CCPA, key consumer rights will include:

  • A consumer’s right to request deletion of personal information which would require the business to delete information upon receipt of a verified request;
  • A consumer’s right to request that a business that sells the consumer’s personal information, or discloses it for a business purpose, disclose the categories of information that it collects and categories of information and 3rd parties to which the information was sold or disclosed;
  • A consumer’s right to opt-out of the sale of personal information by a business and prohibiting the business from discriminating against the consumer for exercising this right, including a prohibition on charging the consumer who opts-out a different price or providing the consumer a different quality of goods or services, except if the difference is reasonably related to value provided by the consumer’s data.

SB 561’s amendments include:

  • Expands a consumer’s right to bring a private cause of action. Currently, the CCPA provides consumer a private right of action if their nonencrypted or nonredacted personal information is subject to an unauthorized access and exfiltration, theft, or disclosure because the covered business did not meet its duty to implement and maintain reasonable safeguards to protect that information. The amendment broadens this provision to grant consumers a private right of action if their rights under the CCPA are violated.
  • Removes language that allows businesses the opportunity to cure an alleged violation within 30-days after being notified of alleged noncompliance.
  • Removes language allowing a business or third party to seek the opinion of the Attorney General for guidance on how to comply with the law. Instead, the amendment specifies that the Attorney General may publish materials that provide businesses and others with general guidance on how to comply with the law.

With an effective date of January 1, 2020 (and regulations not yet proposed), it is expected that additional amendments will be negotiated, drafted, and published. Last month, the California Attorney General’s Office began the CCPA rulemaking process with a six-part series of public forums, allowing all interested persons the opportunity to provide their comments on the new law.

SB 561 comes just days after the AG Becerra together with Assemblymember Mark Levine announced Assembly Bill 1130 to strengthen California’s existing data breach notification law. No doubt, California is leading the way in U.S. data privacy and security law.

Jackson Lewis P.C. © 2019.

This post was written by  Joseph J. Lazzarotti   Jason C. Gavejian and Maya Atrakchi

CCPA Part 2 – What Does Your Business Need to Know? Consumer Requests and Notice to Consumers of Personal Information Collected

This week we continue our series of articles on the California Consumer Privacy Act of 2018 (CCPA). We’ve been discussing the broad nature of this privacy law and answering some general questions, such as what is it? Who does it apply to? What protections are included for consumers? How does it affect businesses? What rights do consumers have regarding their personal information? What happens if there is a violation? This series is a follow up to our earlier post on the CCPA.

In Part 1 of this series, we discussed the purpose of the CCPA, the types of businesses impacted, and the rights of consumers regarding their personal information. This week we’ll review consumer requests and businesses obligations regarding data collection, the categories and specific pieces of personal information the business has collected, and how the categories of personal information shall be used.

We begin with two questions regarding data collection:

  • What notice does a business need to provide to the consumer to tell a consumer what personal information it collects?
  • What is a business required to do if that consumer makes a verified request to disclose the categories and specific pieces of personal information the business has collected?

First, the CCPA requires businesses to notify a consumer, at or before the point of collection, as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used. A business shall not collect additional categories of personal information or use personal information collected for additional purposes without providing the consumer with notice consistent with this section. Cal. Civ. Code §1798.100.

Second, under the CCPA, businesses shall, upon request of the consumer, be required to inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used. The CCPA states that “a business that receives a verifiable consumer request from a consumer to access personal information shall promptly take steps to disclose and deliver, free of charge to the consumer, the personal information required by this section. The information may be delivered by mail or electronically, and if provided electronically, the information shall be in a portable and, to the extent technically feasible, in a readily useable format that allows the consumer to transmit this information to another entity without hindrance. A business may provide personal information to a consumer at any time, but shall not be required to provide personal information to a consumer more than twice in a 12-month period.” Section 1798.100 (d).

Section 1798.130 (a) states that to comply with the law, a business shall, in a form that is reasonably accessible to consumers, (1) make available to consumers two or more designated methods for submitting requests for information required to be disclosed, including, at a minimum, a toll-free telephone number, and if the business maintains an Internet web site, a web dite address; and (2) disclose and deliver the required information to a consumer free of charge within forty-five (45) days of receiving a verifiable request from the consumer.

Many have suggested during the rule-making process that there should be an easy to follow and standardized process for consumers to make their requests so that it’s clear for both consumers and businesses that a consumer has made the verified request. This would be welcome so that it would make this aspect of compliance simpler for the consumer as well as the business.

When businesses respond to consumers’ requests, having a clear website privacy policy that explains the types of information collected, a documented process for consumers to make a verified requests, a protocol for responding to consumer requests, audit logs of consumer requests and business responses, a dedicated website link, and clear and understandable language in  privacy notices, are all suggestions that will help businesses respond to consumers and provide documentation of the business’ response.

As we continue to explore the CCPA and its provisions, we strive to understand the law and translate the rights conferred by the law into business operations, processes and practices to ensure compliance with the law. In the coming weeks, we’ll focus on understanding more of these provisions and the challenges they present.

 

Copyright © 2019 Robinson & Cole LLP. All rights reserved.
This post was written by Deborah A. George of Robinson & Cole LLP.