While most businesses are aware of it, a surprisingly small number report that they will be ready to comply with the California Consumer Privacy Act (“CCPA”) when it officially takes effect on January 1, 2020.
The CCPA was first signed into law in September 2018. Often touted as “GDPR Lite” or “GDPR 2.0” because of its similarity to the European regulation, CCPA’s key provisions are summarized as follows:
- Right To Be Forgotten: Upon a consumer’s request, a business subject to CCPA will be required to delete a consumer’s personal information.
- Right To Be Informed: Upon a consumer’s request, a business subject to CCPA that sells consumer personal information will be required to disclose the categories of information it collects and identify third parties to whom the information was disclosed or sold.
- Right To Opt Out: Upon a consumer’s request, a business subject to CCPA will be required to provide the consumer with the ability to prevent the business from selling the consumer’s personal information.
- Right of Non-Discrimination: If a consumer requests that a business not sell his/her personal information, the business is precluded from charging the consumer a higher price for goods or services, or providing the consumer a lower quality good or service, except if the difference is reasonably related to the value provided by the consumer’s data.
Since the CCPA was passed, it has already undergone changes, in September 2018 and again on February 25, 2019, with the introduction of California Senate Bill 561 (“561”). While some changes were merely cosmetic (fixing errors, etc.), the substantive changes aimed to clarify and strengthen the law. For example, 561’s amendments:
- Expand the consumer’s right to bring an action for damages: Previously, the CCPA allowed a consumer to bring suit for damages against the business only if the business failed to maintain reasonable security protocols for non-encrypted, non-redacted personal information and that failure resulted in unauthorized access, identity theft, or other disclosure. Now, instead of being limited to that narrow breach situation, consumers may bring a private right of action against a business by merely claiming that their rights under the CCPA were violated, in presumably any manner. Damages in these types of suits are statutory, and a plaintiff may recover up to $750 per incident. Additionally, since claims may be pursued on a class-action basis, this change is of critical importance.
- Delete a business’s ability to seek guidance from the Attorney General as to how to comply with the CCPA. In its place, the amendment adds language that the “Attorney General may publish materials” that may assist a business in compliance.
561, while a start, does not clarify all ambiguities in the CCPA. For example, language such as “households” remains vague as to whether it means consumers, or a combination thereof. Also, while the language of “consumers” and “businesses”, and other evidence, seem to suggest that the CCPA was not intended to include “employers” vis-à-vis their “employees”, nowhere in the text is this clarified. If an amendment did indicate that the CCPA applied to employers and their employees, businesses in California would have to implement stringent security safeguards, as data breaches often involve divulgence of employees’ personal information. Therefore, while 561 provides the initial amendments, the CCPA likely will see further amendments prior to its January 1, 2020 launch.
In conclusion, businesses subject to CCPA should begin to take steps toward compliance now. Data mapping, updating policies, developing teams, increasing security measures and other activities that will be required for compliance take time to implement. Businesses with questions as to whether they are subject to CCPA, or what steps to take, should contact a privacy attorney.
For further information regarding this topic, please contact:
Natalie A. Remien at firstname.lastname@example.org or 312-368-0100.
On May 25, 2018, the European General Data Protection Regulation (“GDPR”) went into effect. US-based companies that had offices in the European Union or European Economic Area (collectively, “EU”), or whose target market consisted of persons living in the EU, were forced to take both IT and legal measures to ensure compliance, or face heavy fines or potential court damages. However, many US-based companies simply decided to block EU access to their e-commerce websites and discontinue selling products to the EU, as a means of avoiding compliance with the GDPR.
While this avoidance strategy may allow certain companies to sidestep the compliance measures required by the GDPR, it will not succeed as a long-term strategy as more States (and potentially the federal government) adopt privacy laws similar to the California Consumer Privacy Act of 2018 (“CCPA”).
Passed in June 2018, the CCPA will become effective January 1, 2020. Once effective, US companies will have additional regulations with which to comply regarding the processing of personal information (“PI”) of California residents. PI is defined broadly to include “any information that …relates to … a particular consumer or household”. The law was designed to provide California consumers with a means of controlling their personal information, putting them in a better position to protect their privacy and autonomy. Specifically, the CCPA:
- Gives California consumers the right to know what PI a business has collected about them or their children;
- Gives California consumers the right to know if such PI has been sold or disclosed for a business purpose, and if so, to whom;
- Gives California consumers a right to have their PI deleted;
- Requires businesses to disclose to California consumers whether any of the consumer’s PI has been sold, and if so, allows California consumers to request that the business cease any sales of the consumer’s PI;
- Prevents a business from denying, changing, or charging more for a service if a California consumer requests information about the sale of the consumer’s PI, or refuses to allow the business to sell the consumer’s PI; and
- Requires businesses to safeguard California consumers’ PI and holds them accountable if such PI is compromised as a result of a security breach arising from the business’s failure to take reasonable steps to protect the security of consumers’ sensitive information.
Who Must Comply?
Companies must comply if, in the course of their business, they receive PI from any California residents and if they or their parent or subsidiary either: (1) generate annual gross revenues in excess of $25 million, (2) collect PI of 50,000 or more California residents, households or devices annually, or (3) generate 50% or more of their annual revenue from selling California residents’ PI. Interestingly, parent companies and subsidiaries using the same branding are covered by the definition of “business” even if they themselves do not meet or exceed these parameters. Thus, essentially, almost all US companies whose websites collect PI (even if only by obtaining IP addresses) are subject to the CCPA, unless they can ensure that fewer than 50,000 California residents or fewer than 50,000 of their devices visit the company’s site annually.
What about Companies Who Do Not Do Business in California?
Many US companies may have difficulty showing that they do not do business in California. According to the California Civil Code, only companies whose “commercial conduct takes place wholly outside of California” would be able to avoid the CCPA. Further, a company outside California is deemed to be “doing business” in California if it “actively engages in any transaction for the purpose of financial or pecuniary gain or profit in California”. Companies outside California that are qualified to do business in California may be subject to the CCPA if they enter into “repeated and successive transactions” in California, including online transactions. However, while this currently applies only to California, it is very probable that other states will adopt similar legislation.
Whose Information Is Affected?
The new law defines “consumer” broadly to include not only customers, but also employees, patients, tenants, students, parents and children (Cal. Civ. Code Sec. 1798.140(g)). A “resident” includes natural persons who are in California for anything other than a temporary or transitory purpose, and those natural persons who are domiciled in California but are out of the State for a temporary or transitory purpose.
What Are The Penalties of Non-Compliance?
If a business is not in compliance with CCPA, the California Attorney General’s Office may bring a civil action against the business. The Office may levy penalties for non-compliance of up to $7500 per intentional violation of any provision, or $2500 per violation for unintentional violations that are not cured within 30 days of notification.
What are Companies To Do?
Moving forward, all US companies must engage in data mapping to determine what PI they collect, and then put in place updated privacy notices and other procedures to comply with all relevant regulations. While California is often the ringleader, other states are certainly also developing similar laws aimed at protecting the PI of their residents. Until such time as a federal privacy regulation is put into place, US companies will need to analyze carefully where they do business and comply with a patchwork of state laws.
To learn more about the CCPA and other privacy related matters, please contact the author:
Natalie A. Remien, CIPP/US at:
email@example.com or (312) 368-0100.
With “hacking” and identity theft becoming all too commonplace, each service provider must place more and more emphasis on protecting itself from legal liability caused not only by its own actions, but by the actions of the company(ies) to whom it outsources. This article provides an introduction to contracting for service providers with an eye toward gaining a legal platform upon which to adequately defend itself, if necessary.
In addition to government compliance, which will vary depending upon the industry, any company that collects personal information during the course of providing its services must take steps to safeguard itself from legal liability arising due to unwanted disclosures. One way to provide a legal safety net is to consider the applicable issues in the service provider’s agreement. The following is an abbreviated checklist.
- Whether personally identifiable information will be provided to the service provider’s employees, and if so, what measures are taken to limit exposure of such information to only those employees or third parties who need to know in order to provide the service. In considering this, a service provider may want to identify the types of employees or third parties that may be exposed to such information, or even list such persons and have them sign a confidentiality agreement with respect to such information.
- When does a service provider have to notify a customer of a security breach? Is there an obligation to notify customers of a potential privacy-related compliance issue? Or, only when a security breach has occurred? If a security breach is defined, service providers will be required to undertake all tasks from notification to remediation and payment for such remediation upon receipt of a complaint.
- While necessary, service providers will want to limit their contractual obligations to comply with IT management standards such as International Organization for Standardization (ISO) certification.
- If the service provider receives credit card information of customers, then at the very least, the following issues must be considered:
  - Limiting access to personal information to authorized employees or parties;
  - Securing business facilities, data centers, paper files, servers, backup systems and computing equipment (mobile and other equipment with information storage capability);
  - Implementing network, device, application, database and platform security;
  - Securing information transmission, storage and disposal;
  - Implementing authorization and access controls for media, applications, operating systems and equipment;
  - Encrypting highly sensitive personal information stored on any mobile media;
  - Encrypting highly sensitive personal information transmitted over public or wireless networks;
  - Strictly segregating personal information from the information of the service provider or its other customers so that personal information is not commingled;
  - Implementing appropriate personnel security and integrity procedures and practices (conducting background checks, and providing appropriate privacy and information security training to the service provider’s employees).
If you have any questions regarding your liability for disclosure of personal information, please contact:
Natalie Remien at:
firstname.lastname@example.org or (312) 368-0100.