Source: Canada US
California Consumer Privacy Act: Are You Ready? (Part 1)
In the last few weeks we have seen both regulatory and legislative action that has helped to clarify the scope and impact of the California Consumer Privacy Act (“CCPA”). By way of a refresher, the CCPA seeks to protect the personal information of California consumers by giving them greater knowledge about the nature and extent of the data collected about them, how it is used (sold or shared) by those who possess it, and how the individual consumer can control the use of his/her personal data. The CCPA applies to companies, regardless of where they are located, which:
This framework leaves companies to ask some very basic questions before deciding next steps:
If you answered more than $25 million to the first question or yes to any of the remaining questions, you could be subject to the CCPA, but there is more to the analysis. The next important question is: do you hold personal data belonging to any California consumers, households or devices? If you answered no, you can breathe a sigh of relief. Otherwise, get ready for the year-end push!
To be clear, personal data is defined as: “Any data that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household, including but not limited to a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number and other similar identifiers.” You can add to that personal information as already defined in Civil Code § 1798.80: signature, physical characteristics or description, telephone number, state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information, and you quickly come to the conclusion that just about any information you have that relates to a specific consumer (a California resident) qualifies as what is generally referred to as personal data, personal information, personally identifiable information or PII, and is the focus of the CCPA.
Due to the extensive nature of the legal and regulatory changes, we are going to cover this topic in two Alerts. This first one deals with the legislative changes. The next one will address the regulations which were recently released for comment by the California Attorney General.
All of these bills were signed into law on October 11, 2019. There is a good deal of overlap regarding the individual provisions in these bills. What you see below are the highlights.
AB 25 –
AB 874 –
AB 1146 exempts the retention and exchange of vehicle ownership data between a dealer and the vehicle manufacturer.
AB 1202 defines data brokers as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” Excluded from this definition are any consumer reporting agency covered by the Fair Credit Reporting Act, any financial institution to the extent that it is covered by the Gramm-Leach-Bliley Act and its regulations, and any entity covered by the Insurance Information and Privacy Protection Act. Data brokers are now required to register on or before January 31 of each year with the Attorney General, who is directed to create a page on his website to publicize the information received. Data brokers are invited, but not required, to provide any other information about their data collection practices they wish to submit at the time of registration. A modest fine structure is provided for non-compliance.
AB 1355 –
Originally a business was liable if the consumer information was maintained in an unencrypted or un-redacted manner. The standard of care was changed by this bill to a duty to implement and maintain “reasonable security procedures and practices appropriate to the nature of the information” so as to protect that personal data.
There is also clarification regarding what are considered legitimate business purposes: “[t]he use of personal information for the business’s or a service provider’s operational purposes, or other notified purposes, provided that the use of personal information shall be reasonably necessary and proportionate to achieve the operational purpose for which the personal information was collected or processed or for another operational purpose that is compatible with the context in which the personal information was collected.”
This bill goes on to define business purposes as:
(1) Auditing related to a current interaction with the consumer and concurrent transactions, including, but not limited to, counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards.
(2) Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity.
(3) Debugging to identify and repair errors that impair existing intended functionality.
(4) Short-term, transient use, provided that the personal information is not disclosed to another third party and is not used to build a profile about a consumer or otherwise alter an individual consumer’s experience outside the current interaction, including, but not limited to, the contextual customization of ads shown as part of the same interaction.
(5) Performing services on behalf of the business or service provider, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing advertising or marketing services, providing analytic services, or providing similar services on behalf of the business or service provider.
(6) Undertaking internal research for technological development and demonstration.
(7) Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by the business.
The other notable revision has to do with the right of the consumer to bring a lawsuit. Under the original CCPA, only the Attorney General had the ability to enforce this law. That, too, has changed. Now, any consumer whose “non-encrypted and non-redacted” personal information is subject to “unauthorized access and exfiltration, theft or disclosure” as the result of the business’s failure to “implement and maintain reasonable security procedures and practices appropriate to the nature of the information” may sue. The plaintiff is, however, limited to recovering not less than $100 and not more than $750 per consumer per incident or actual damages, whichever is greater, along with injunctive or declaratory relief and any other damages the court deems proper. In reaching its decision, the court is instructed to “consider any one or more of the relevant circumstances …, including, but not limited to, the nature and seriousness of the misconduct, the number of violations, the persistence of the misconduct, and the defendant’s assets, liabilities and net worth.”
Prior to initiating any civil action, the consumer must provide the business with 30 days’ written notice identifying the violations alleged by reference to the specific provisions of the CCPA. If the business is able to cure, does so within that 30-day period, and provides express written notice about the cure and assurances that no further violations will occur, neither an individual nor a class action lawsuit may be brought. However, no notice is required to recover “pecuniary” damages, i.e., out-of-pocket costs. If violations continue, the consumer may sue to enforce the written statement and pursue statutory damages for violation of the written assurance and on other grounds. However, any such lawsuit may rely only on violations of the CCPA and on no other grounds for recovery.
AB 1564 – this new law mirrors the provisions in other bills previously summarized and deals with such topics as notice to consumers and maintenance of two lists (sale and disclosure).
Also enacted was AB 1130 which makes some changes to California’s data breach laws. First, it underscores the obligation on agencies and businesses to give notice of any breach to those whose data was compromised. While much of what is addressed has to do with the notice requirements, of particular interest is the expanded definition of personal information, which now includes any of the following: first name or initial and last name in combination with “any one or more of the following data elements, when either the name or the data elements are not encrypted:
(A) Social security number.
(B) Driver’s license number, California identification card number, tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual.
(C) Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
(D) Medical information.
(E) Health insurance information.
(F) Unique biometric data generated from measurements or technical analysis of human body characteristics, such as a fingerprint, retina, or iris image, used to authenticate a specific individual. Unique biometric data does not include a physical or digital photograph, unless used or stored for facial recognition purposes.
(G) Information or data collected through the use or operation of an automated license plate recognition system, [as defined elsewhere in the law]
(2) A username or email address, in combination with a password or security question and answer that would permit access to an online account.”
Personal information does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records. One fact all of these bills have in common is they acknowledge the exemptions already in the CCPA for:
While the legal framework for the CCPA has now been further clarified, it is important to keep in mind that those who were behind the ballot initiative which led to its quick enactment are looking for still stronger protections. As such, it remains possible that more changes will occur in the next election and legislative cycle. For now, we refer you to Part 2 of this Alert, which will be published tomorrow, for information about the proposed regulations.
The CCPA takes effect on January 1, 2020. Are you ready?