Link: CA Consumer Privacy Act Gets a Rewrite
When the law was signed by then Governor Brown (see our prior Alert here), the expectation was that Attorney General Becerra would issue the enabling regulations by July of this year, which would allow a phase-in period. Then, by January 1, 2020, the requirements would be clear and companies would be able to properly formulate and implement their compliance policies. Regrettably, things are not going as expected.
First, in accordance with the law, General Becerra organized a series of public meetings:
In the same press release which announced these meetings, General Becerra advised the regulations would be adopted by July 1, 2020 and went on to remind businesses that they must comply with the key provisions of the CCPA by January 1, 2020:
While the lack of regulations any sooner is something of a challenge for businesses, it was the introduction of SB 561 on February 22, 2019 that was the real surprise. The bill was introduced by Senator Jackson with the full support of General Becerra, so it is reasonable to think it will pass and be signed into law by the end of the current legislative session later this year.
The changes were described as follows:
These proposals are troubling for businesses in some obvious ways. We start with there being no definition in the law making clear who is a consumer. As such, the language must be read broadly to include anyone who resides in California. Next, the proposal is to amend Civil Code 1798.150 to read (the italicized language reflects the changes introduced):
(a) (1) Any consumer whose rights under this title are violated, or whose non-encrypted or non-redacted personal information is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action for any of the following:
(A) To recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty dollars ($750) per consumer per incident or actual damages, whichever is greater. [emphasis added]
(B) Injunctive or declaratory relief.
(C) Any other relief the court deems proper.
In other words, the plaintiff’s bar will be able to bring class action lawsuits whether or not actual damages were suffered. With the number and size of the breaches which have been reported in recent memory, one understands the frustration with data aggregators being subject to limited liability. The better solution, however, is to make clear that not all companies fall within the definition of data aggregators; starting with an earnings threshold sweeps in too many entities whose business has nothing to do with the buying, selling or sharing of consumer data.
SB 561 removes requirements that the Attorney General provide, at taxpayers’ expense, businesses and private parties with individual legal counsel regarding CCPA compliance, removes language that allows companies a “free pass” to cure CCPA violations before enforcement may occur, and adds a private right of action, allowing consumers the opportunity to seek legal remedies for themselves under the act.
In short, companies that do not comply could find themselves owing serious damages not only to consumers, but also to the State of California (see CC 1798.155). On the one hand, that may not be a bad thing if your business is that of being a data aggregator and you are among the group of companies that have been involved with the massive data breaches which have been reported in recent memory. However, not all companies are data aggregators, so why not narrow the definition of companies that are covered by the CCPA? As it stands right now, companies of just about any size, regardless of industry, are subject to the CCPA:
The law states that a company is subject to the CCPA if it “satisfies one or more of the [above] thresholds.” So, that means any company whose gross revenues are in excess of $25 million, regardless of whether they are a data aggregator, is subject to the requirements of the CCPA.
Then we get to the question of what “receive” means. For example, does data the company receives from the spouse or children of an employee qualify as consumer data? Does the company “share” that data if it gives the data to the company’s health insurance carrier or pension fund with the employee’s permission? Is doing so a “commercial purpose”? Hopefully the regulations which are yet to be written will answer some of these critical questions, but in the meantime, companies would be wise to get ready for January 1, 2020.
As with preparation for the European General Data Protection Regulation, companies should start by answering the following questions:
As part of the process, companies will want to form a Project Team. In doing so, some of the key points for it to address are:
Companies will also want to
There is still time – will you be ready?