New York Expands Data Privacy Protections

By:

Nick Akerman, Partner; Robert Cattanach, Partner; Sam Bolstad, Associate

New York continued its active legislative session last week, this time by expanding its data breach notification law. The SHIELD Act (Stop Hacks and Improve Electronic Data Security), signed by Governor Andrew Cuomo on July 25, 2019, notably expands the definition of a data breach and the scope of what constitutes personal information. But the law could have gone farther; the state did not enact a private right of action, as has California, and which several other states are considering. New York’s action does, however, contain several other very significant provisions in the context of data breaches involving New York residents.

Here are the major elements of the SHIELD Act:

Expanded Definition of What Constitutes a Data Breach: New York expanded its definition of a data breach (a “breach of the security of the system”) to include instances when an attacker merely views (“accesses”) personal information, even if the attacker does not download, steal, or otherwise acquire that information (the latter commonly labeled ‘exfiltration’). Under the expanded definition, any unauthorized “access” requires the company to provide notice of the data breach.

Expanded Definition of Personal Information: New York also expanded its definition of personal information (“private information,” in the Act’s terms), to include two new categories: (1) biometric information, such as a fingerprint or “voice print”; and (2) an email address or user name, in combination with the corresponding password or a security question and answer. The law also requires a company to provide notice when an attacker accesses information protected under HIPAA, just as if that information were “private information” under New York’s definition.

Global Reach: The law applies to every company holding the private information of a New York resident, regardless of where the company is based. As with the GDPR and, soon, California’s Consumer Privacy Act, the enforceability of this extraterritorial reach remains open to question.

Increased Damages: The new law increases the maximum penalty for failure to provide notice from $150,000 to $250,000, and authorizes a statutory penalty for the greater of $5,000 or $20 per instance of failed notification. The law also authorizes courts to award actual damages to consumers.

Enforcement: The law will be enforced by the Attorney General’s Office, and takes effect in 90 days, i.e., late October.

Ramp Up to Improved Cybersecurity Programs: The law also requires companies to improve their cybersecurity programs by March 2020. The law specifies a number of “administrative, technical and physical safeguards” that each company must implement by that date, and requires each company to designate an employee to manage the cybersecurity program. The law makes an exception for a “small business,” defined as a company with either: (1) fewer than fifty employees; (2) less than $3 million in gross annual revenue in each of the last three fiscal years; or (3) less than $5 million in year-end total assets. Small businesses are still required to maintain “reasonable” safeguards.

Increased Requirements for Consumer Credit Reporting Agencies: That same day, Governor Cuomo also signed a bill that addresses consumer credit reporting agencies, a direct response to the Equifax breach of 2017. The new law requires consumer credit reporting agencies to provide identity theft prevention and mitigation services to consumers who are affected by a security breach at a credit reporting agency. The agency must provide those protections to an affected consumer for five years, and cannot charge the consumer fees during security freezes on credit reports.

What’s Next
In the absence of any overarching federal breach notification or consumer privacy law, states are expected to continue to adopt initiatives that require companies to protect consumers’ personal information. Whether it be an expanded definition of personal information, greater statutory damages, or allowing private rights of action, individual states can be expected to keep pace with, or in some instances outpace, developments in other states. The challenges of this emerging ‘patchwork quilt’ of regulations may be significant, but compliance always starts with robust information governance policies and procedures.

Nevada’s New Privacy Law – Beating California in the Backstretch

By:  Jamie Nafziger, Dorsey & Whitney, Partner; Samir Islam, Dorsey & Whitney, Associate


Just as companies are reaching the straightaway in their efforts to get ready to comply with the California Consumer Privacy Act (“CCPA”) by January 1, Nevada has burst ahead with a privacy law that will take effect before the CCPA. On May 29, 2019, Nevada Governor Steve Sisolak signed SB 220 into law, amending Nevada’s existing law that requires an operator of an Internet website or online service to provide a privacy notice to consumers detailing certain of the operator’s privacy practices; SB 220 goes into effect on October 1, 2019.[1] SB 220 allows consumers to opt out of the sale of their personally identifiable information by operators of Internet websites and online services to other entities for monetary consideration, and will require both legal and operational changes for businesses. Operators, as defined by the law, must create a “designated request address” that allows consumers to submit requests prohibiting the sale of information collected about the consumer, and operators must respond to those requests within 60 days.

SB 220 is a substantial amendment to Nevada’s existing privacy law, and presents a new challenge to industry in general. On its face, the law is narrower in scope than the CCPA, and includes narrower definitions of “consumer” and “sale,” along with carving out exceptions for financial institutions covered by the Gramm-Leach-Bliley Act (“GLBA”) and covered entities under the Health Insurance Portability and Accountability Act (“HIPAA”). Nonetheless, companies focusing on CCPA compliance must now shift resources to becoming compliant with SB 220 as well.

SB 220 Requirements

SB 220 has four main requirements, but several key definitions and exclusions govern the law’s application:

1. An “operator”[2] must establish a “designated request address”[3] through which a consumer may submit a “verified request”[4] directing the operator not to make any sale[5] of “covered information”[6] collected about the consumer.
2. The consumer can submit a verified request through the designated request address, at any time, directing an operator not to make any sale of covered information the operator has collected about the consumer.
3. An operator that receives a verified request is prohibited from making any sale of any covered information the operator has collected or will collect about the consumer.
4. An operator must respond to a consumer’s verified request within 60 days. The operator may extend the response period by no more than 30 days if (a) the operator determines that such an extension is reasonably necessary; and (b) the operator notifies the consumer of the extension.

The Nevada Attorney General has enforcement power over SB 220’s provisions. If the Attorney General believes that an operator directly or indirectly violated SB 220, the Attorney General may seek a temporary or permanent injunction or seek to impose a civil penalty not to exceed $5,000 for each violation. Unlike the CCPA, SB 220 does not establish a private right of action against an operator.

Although some consumers may welcome greater opportunities to stop certain sharing of their personal information, businesses developing compliance programs will face a new hurdle from SB 220, with its differing definitions, exceptions, and requirements. Even companies that do not sell personally identifiable information for monetary consideration will need to create the request mechanism and respond to consumer requests and may be left feeling like Nevada has missed the break.

[1] See Nev. Rev. Stat. §603A.340. Under the provision, an operator must make available a notice that:

Identifies the categories of covered information that the operator collects through its Internet website or online service about consumers who use or visit the Internet website or online service and the categories of third parties with whom the operator may share such covered information;
Provides a description of the process, if any such process exists, for an individual consumer who uses or visits the Internet website or online service to review and request changes to any of his or her covered information that is collected through the Internet website or online service;
Describes the process by which the operator notifies consumers who use or visit the Internet website or online service of material changes to the notice required to be made available by this subsection;
Discloses whether a third party may collect covered information about an individual consumer’s online activities over time and across different Internet websites or online services when the consumer uses the Internet website or online service of the operator; and
States the effective date of the notice.

[2] SB 220 defines an “operator” as a person who:

Owns or operates an Internet website or online service for commercial purposes;
Collects and maintains covered information from consumers who reside in [Nevada] and use or visit the Internet website or online service; and
Purposefully directs its activities toward Nevada, consummates some transaction with Nevada or a resident thereof, purposefully avails itself of the privilege of conducting activities in Nevada, or otherwise engages in any activity that constitutes sufficient nexus with the State to satisfy the requirements of the United States Constitution.
However, the following are not considered operators as defined by the law:

Some Third Parties: A third party that operates, hosts or manages an Internet website or online service on behalf of its owner or processes information on behalf of the owner of an Internet website or online service;
Financial Institutions as defined under the GLBA: A financial institution or an affiliate of a financial institution that is subject to the provisions of the GLBA, 15 U.S.C. §§ 6801 et seq., and the regulations adopted pursuant thereto;
Covered Entities under HIPAA: An entity that is subject to the provisions of HIPAA, Public Law 104-191, as amended, and the regulations adopted pursuant thereto; or
Motor Vehicle Manufacturers or Repair People: A manufacturer of a motor vehicle or a person who repairs or services a motor vehicle who collects, generates, records, or stores covered information that is:
Retrieved from a motor vehicle in connection with a technology or service related to the motor vehicle; or
Provided by a consumer in connection with a subscription or registration for a technology or service related to the motor vehicle.

[3] A “designated request address” is an “electronic mail address, toll-free telephone number or Internet website established by an operator through which a consumer may submit to an operator a verified request.”

[4] A “verified request” is a request that is (1) submitted by a consumer to an operator; and (2) for which an operator can reasonably verify the authenticity of the request and the identity of the consumer using commercially reasonable means.

[5] “Sale” is defined as “the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons.”

The term “sale” does not include: “(a) the disclosure of covered information by an operator to a person who processes the covered information on behalf of the operator; (b) the disclosure of covered information by an operator to a person with whom the consumer has a direct relationship for the purposes of providing a product or service requested by the consumer; (c) the disclosure of covered information by an operator to a person for purposes which are consistent with the reasonable expectations of a consumer considering the context in which the consumer provided the covered information to the operator; (d) the disclosure of covered information to a person who is an affiliate, as defined in Nev. Rev. Stat. §686A.620, of the operator; or (e) the disclosure or transfer of covered information to a person as an asset that is part of a merger, acquisition, bankruptcy or other transaction in which the person assumes control of all or part of the assets of the operator.”

[6] The definition of “covered information” is narrower than comparable state laws, like the CCPA, and means “any one or more of the following items of personally identifiable information about a consumer collected by an operator through an Internet website or online service and maintained by the operator in an accessible form: (1) a first and last name; (2) a home or other physical address which includes the name of a street and the name of a city or town; (3) an electronic mail address; (4) a telephone number; (5) a social security number; (6) an identifier that allows a specific person to be contacted either physically or online; (7) any other information concerning a person collected from the person through the Internet website or online service of the operator and maintained by the operator in combination with an identifier in a form that makes the information personally identifiable.” Nev. Rev. Stat. §603A.320.


National Financial Institutions—Developing A Project Plan To Comply With The California Consumer Privacy Act


By:  Joseph Lynyak, Partner, Dorsey & Whitney;  Tom Scanlon, Of Counsel, Dorsey & Whitney;  Erin Bryan, Associate, Dorsey & Whitney

Since the California Consumer Privacy Act (the “CCPA”)[1] was adopted last year, U.S. financial institutions have been confronted with the challenge of planning for compliance with it. The CCPA becomes effective in two stages—January 1, 2020 and July 1, 2020 (or possibly sooner, depending upon the date the California Attorney General adopts implementing regulations).[2]

Regrettably, considerable confusion exists within the financial industry about the scope of the CCPA and the obligations it imposes on financial institutions.

In an effort to provide our financial intermediary clients and friends with a workable summary of a financial institution’s obligations—and in particular for financial institutions that do not have a physical presence in California—this Alert is intended to assist in identifying coverage considerations, and provide a practical approach to the development of a project plan that will demonstrate reasonable compliance with the CCPA’s admittedly ambiguous set of requirements and obligations.

What obligations does the CCPA impose on a covered business?

The CCPA requires that a covered business respond to newly enacted privacy rights for a California resident, which includes the rights to:

  • Know what categories of “personal information” or “PI” are being collected;
  • Know whether personal information is sold or disclosed and to whom;
  • Say “no” to the sale or disclosure of personal information, and to require a covered business to delete PI; and
  • Receive equal service and price, whether or not privacy rights under the CCPA are exercised.

The CCPA creates a complicated set of procedural and substantive requirements on the part of a covered company. For example, a covered business must be capable of responding to a “verified consumer request” for personal information, provide a summary of categories of PI that are collected about a California resident, state whether PI is sold or transferred to third parties, and delete information at the direction of the California resident (similar to the right to be forgotten under the EU’s General Data Protection Regulation).[3]

Is a financial institution a covered business under the CCPA? 

Two distinct questions should be asked to determine whether a financial institution could be subject to the requirements of the CCPA: (1) does the financial institution qualify as a “business” covered by the CCPA; and (2) to what extent may a covered financial institution take advantage of one or more of the exemptions, including the exemption for its treatment of PI pursuant to Title V of the federal Gramm-Leach-Bliley Act (“GLBA”) or the California Financial Information Privacy Act (“CFIPA”) (which we refer to collectively as the “GLBA Exemption”).[4]

The CCPA broadly defines the term “business” to include various entities, including a corporation, partnership, limited liability company or similar entity, “that is organized or operated for the profit or financial benefit of its shareholders or other owners.” However, a covered business also must “[do] business in the State of California” and meet one or more of the following thresholds: (A) have annual revenues (currently interpreted to be global revenues) in excess of $25,000,000; (B) engage in commercial activities involving the collection, sale, or disclosure of “the personal information of 50,000 or more consumers, households, or devices;” or (C) “[d]erive 50 percent or more of its annual revenues from selling consumers’ personal information.” Even though the conditions and thresholds appear to target larger or data-rich companies, the definition of a “business” will subject most national financial institutions to the facially broad coverage of the CCPA.[5]

Second, the GLBA Exemption may afford a financial institution partial relief from certain requirements of the CCPA. Commercial banks, savings banks, mortgage companies, loan servicers, data aggregators, and others generally qualify as a type of “financial institution” that is engaged in collecting, processing, selling, or disclosing PI “pursuant to” the GLBA (and the CFPB’s implementing Regulation P[6]) or the CFIPA. The scope of the partial GLBA Exemption is important for purposes of developing an effective compliance plan, and will be discussed in greater detail below.

To what extent might the GLBA Exemption reduce a financial institution’s compliance obligations under the CCPA?

Unfortunately for the financial industry, the GLBA Exemption leaves financial institutions exposed to a number of compliance risks under the CCPA. After the CCPA was enacted, the GLBA Exemption was hurriedly added at the very end of the 2018 California legislative session. The GLBA Exemption states:

This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations, or the California Financial Information Privacy Act (Division 1.4 (commencing with Section 4050) of the Financial Code). This subdivision shall not apply to Section 1798.150.

By its terms, the CCPA’s GLBA Exemption only exempted PI—meaning the data itself—from coverage under the CCPA, but not the financial institution holding the data. Further, notwithstanding the exemption, liability for data breaches of a limited range of a California resident’s data remains subject to the CCPA’s private right to recover statutory damages.[8]

How do the CCPA, the GLBA and the CFIPA fit together?

This interplay among and between the CCPA, the CFIPA and the GLBA has created an interpretative quagmire for covered financial institutions attempting to determine the scope of their compliance responsibilities. On one hand, some industry stakeholders have argued that the GLBA Exemption excludes PI from virtually all requirements under the CCPA, while others have advocated that the exemption is very limited in scope, and specifically does not exclude financial institutions from obligations established by the CCPA that are not similar to those in the GLBA and the CFIPA.

The compliance risk for financial institutions

As a starting point in the analysis, we look at the interplay between the CFIPA and the GLBA. When initially adopted by the California Legislature in 2003 (and effective in 2004), it was clear that the CFIPA was an attempt to create substantially equal privacy rights under California law as were created by the GLBA. However, the CFIPA was more extensive than the GLBA in that, rather than providing a California consumer with the right to “opt out” from covered data being sold or transferred to a non-affiliated party (which was the approach adopted by the GLBA), the CFIPA required that covered financial institutions obtain an affirmative opt-in consent from a California consumer prior to sharing or transferring data to third parties. Importantly, because Section 524 of the GLBA contains a “reverse preemption” provision under which state privacy laws affording greater protection than the GLBA are not preempted, for years covered financial institutions have provided the more extensive California-based privacy rights contained in the CFIPA rather than the more limited privacy rights contained in the GLBA.[9]

It is important to understand that both the GLBA and the CFIPA are primarily disclosure statutes, and impose no substantive obligations on a covered financial institution beyond the opt-out and opt-in rights exercised by a California consumer, discussed above. Neither statute limits the amount or content of information that may be collected by a covered financial institution, including responding to consumer requests for information following the delivery of required disclosures.[10]

Given the limited nature of the GLBA Exemption—and its interplay with the CFIPA—the disclosure scheme as contemplated by those statutes (including Regulation P) arguably may control initial disclosures required to be delivered (as specified by the CFIPA and the GLBA), but may not exempt a financial institution from responding to a “verified consumer request” for PI whether or not the data was originally disclosed in accordance with the GLBA (as modified by the opt-in requirements of the CFIPA).

Planning for compliance

A careful reading of the CCPA’s GLBA Exemption indicates that, subsequent to the delivery of initial account disclosures, the GLBA Exemption may be of limited value in real-world communications between a covered financial institution and California residents exercising their privacy rights pursuant to Sections 1798.100 through 1798.125 of the CCPA. Importantly, both the GLBA and the CFIPA contain data definitions that are narrower than the expansive definitions of PI contained in the CCPA. Also, the GLBA and the CFIPA are generally limited to consumers opening accounts with a covered financial institution, whereas the exercise of a consumer’s privacy rights under the CCPA is not limited by the establishment of an account relationship. Further, the CCPA’s definition of a “consumer” extends to a California resident, whereas the GLBA’s and the CFIPA’s disclosure requirements are limited to the traditional concept of data obtained as part of a “consumer purpose” relationship (i.e., for personal, household or family purposes).

Unless the California Attorney General elects to clarify the coverage question created by the GLBA Exemption discussed above, covered financial companies may have no choice but to comply with all requirements of a covered business under the CCPA (with the possible exception of continuing to employ GLBA- and CFIPA-compliant disclosures). Failing to adopt a narrow view of the scope of the CCPA’s GLBA Exemption may jeopardize the structuring of an effective compliance program by the deadlines established by the CCPA in 2020.

What must be included in a project plan to comply with the CCPA?

In order to comply with the extremely short time frames required by the CCPA, we suggest that several components should be considered, as follows:

Essential plan elements

There are two essential elements that should be included in any CCPA project plan. The first is data mapping to identify systems of record that contain PI covered by the CCPA. Anecdotal reports from national financial institutions—particularly those that did not engage in data mapping in order to comply with the GDPR—indicate significant operational difficulties both in identifying data systems and in developing methodologies to capture and retrieve covered data in order to respond to a verified consumer request. Stated another way, data mapping should begin as soon as possible.

The second element is perhaps the most important risk mitigation step that a covered financial institution can take to avoid liability. The CCPA allows for the recovery of statutory damages for specified data breaches by private parties (including class action liability for breaches involving multiple California residents). Statutory damages range from $100 to $750 per consumer per incident, or actual damages, whichever is greater.[11] According to the statutory liability provision of the CCPA, the only defense to statutory damages is a showing that a covered company had in place reasonable data security measures for the PI it held in its systems.[12] Liability for statutory damages for specified data breaches commences as of January 1, 2020, regardless of whether the California Attorney General issues implementing regulations after that date.[13]

Accordingly, as an essential element of a project plan, a covered financial institution should be prepared to demonstrate that its data security measures are reasonable, based upon industry standards, and have been regularly confirmed by internal and external audits.

General project plan elements

In addition to the two essential components of a financial institution’s project plan, discussed above, a CCPA project plan will likely need to include the following implementation tasks:

  • Identifying data constituting PI
  • Determining the applicability of full or partial exemptions from data use and retention
  • Determining the scope of the GLBA Exemption for data, discussed above
  • Determining the methodologies for receiving and responding to a verifiable consumer request
  • Designing and building internal call centers/response teams
  • Amending disclosures of privacy policies
  • Modifying website(s)
  • Adopting methodologies to implement “opt-out” and “opt-in” elections and deletion of PI
  • Reviewing and modifying agreements with third parties and vendors
  • Drafting internal policies and procedures
  • Establishing training programs

A recommended implementation approach—evolving compliance

We note that several commentators and vendors have advocated engaging in an implementation program that is extraordinarily complex and (in our view) not capable of being completed within the CCPA’s time limitations. Importantly, the patent ambiguities in regard to a covered financial institution’s compliance obligations require that a financial institution establish its own compliance goals and response measures while interpretative guidance is being developed and eventually becomes available.

As a practical matter, lending and account relationships may form the basis for most data requests made by a California resident to a covered financial institution, which may constitute an initial starting point for responding to CCPA inquiries. Similarly, a financial institution may have to determine the degree of information included in a response, and may have to implement an evolving degree of data inquiries as the Attorney General refines the question of reasonable compliance.[14]

In sum, until the matter is clarified, financial institutions should be wary of overreliance on a broad reading of the partial GLBA Exemption. To do so may result in the development of an implementation plan that is deficient in regard to reasonable scope and content.

Please note that the analysis set forth in this Alert is not intended to be a comprehensive discussion of the obligations that are contained in the CCPA; California-licensed lawyers at Dorsey have been closely following CCPA legislative and regulatory developments, and are available to discuss the same.


AB 25 Passes the California Assembly – and Excludes Employee Information from Coverage under the California Consumer Privacy Act (the “CCPA”)

By Joseph Lynyak and Samir Islam

On May 29, 2019, the California Assembly took a major step to rationalize the coverage of the CCPA by excluding employee information from the definition of “consumer.” Specifically, the term “consumer” was amended to exclude a person whose personal information has been collected by a covered business in the course of the person “acting as a job applicant to, an employee of, a contractor of or an agent on behalf of” a covered business. (The scope of the exclusion is limited to personal information collected and used solely within the context of the person’s role as a job applicant to, an employee of, a contractor of or an agent on behalf of a covered business.) The information that would be “collected and used solely within the context of the person’s role…” would likely still require interpretation and guidance in connection with areas of potential overlap between business and personal use, such as mobile devices, vehicles, and computers used for both personal and business purposes, and events and travel with both business and personal components. Importantly, AB 25 also addresses vendor-related employee relationships by excluding applicant or employee information relating to a “contractor,” which is defined to mean a person who provides services to a covered business under a written contract.

The latest version of AB 25 was passed unanimously, and now heads to the California Senate for further deliberations. If adopted and signed by the Governor, AB 25 would resolve a particularly pernicious overreach concern raised by virtually all industry critics.

The Dorsey Privacy Team is actively following legislative and regulatory developments in regard to the CCPA. We will continue to keep you updated on developments as they arise.

SB 561 Held in Committee-Private Right of Action under the CCPA Confined (for Now)

By:  Joe Lynyak, partner, Dorsey & Whitney and Elizabeth Snyder, associate, Dorsey & Whitney

On Thursday, May 16, 2019, the California Senate Appropriations Committee held in Committee SB 561, which would have greatly expanded the private right of action (i.e., the ability to bring private class actions) available under the California Consumer Privacy Act (“CCPA”). SB 561 was introduced in February by Senator Hannah-Beth Jackson and sponsored by California Attorney General (“AG”) Xavier Becerra. Notably, the bill sought to amend the existing private right of action to cover all violations of the CCPA, as opposed to merely data breaches. Additionally, the bill would have discontinued the 30-day cure period, whereby businesses are immunized from penalization by the AG to the extent they are able to cure an alleged violation within 30 days of notice thereof, and would have eliminated businesses’ and third parties’ entitlement to seek interpretive guidance regarding compliance from the AG (and instead would have authorized the AG to publish general guidance).

Heard on April 29, 2019 by the California Senate Appropriations Committee, SB 561 was placed in the Committee’s Suspense File, which holds bills that will significantly impact the state’s budget. With a May 17 deadline to report bills to the Senate Floor, the Committee voted Thursday on the bills in the Suspense File, including SB 561. The good news for businesses covered by the CCPA was that the bill was held in Committee, meaning that it will not move forward this year.

The private right of action, and the potential for class actions, will therefore remain confined to the data breach context when private enforcement goes live on January 1, 2020.

The Dorsey Privacy Team is actively following legislative and regulatory developments in regard to the CCPA. We will continue to keep you updated on developments as they arise.


Potentially Expanded Private Right of Action Increases Risk of Class Action Exposure Under the California Consumer Privacy Act

By:  Divya Gupta, partner, Dorsey & Whitney and Elizabeth Snyder, associate, Dorsey & Whitney

Looking Back – the California Consumer Privacy Act, and How We Got Here

As companies were getting up-to-speed on the effects of the European Union’s General Data Protection Regulation (GDPR) last year, California quickly enacted its own privacy law, the California Consumer Privacy Act (“CCPA” or “Act”) last June. We address below the high risk associated with the CCPA and its interaction with regulations in key U.S. industries.

The hastily passed legislation was designed to avoid a November 2018 ballot initiative on the subject, and was plagued by errors and ambiguities that require robust clarification.  The Act’s take-away, however, was abundantly clear – California consumers have a right to know what personal data companies are collecting and are empowered to bring a private right of action for a data breach (and even potentially for other violations of the Act).

As the broadest-sweeping privacy legislation the United States has seen in 20 years, the Act quickly spun off numerous state equivalents, including Hawaii (S.B. 418), Maryland (S.B. 613), Massachusetts (S.D. 341), New Mexico (S.B. 176), New York (S.B. 224), Rhode Island (S.B. 234), and Washington (S.B. 5376), among others.  Even with so many states on the privacy bandwagon, federal preemption is unlikely in the near future given disagreements around the mechanisms of enforcement, the types of data deserving protection, and conflicting incentives for companies versus consumers.

While the legislation itself is cumbersome, we broke it down in detail for you here.  At brass tacks, consumers now have a right to know which of their personal information has been collected and shared, can opt out of the sharing of that personal information, and can request deletion of same.  The threshold for compliance for companies is three-fold: 1) gross annual revenues over $25 million, 2) buy, receive, sell, or share the personal data of 50,000 or more consumers, households, or devices, or 3) receive at least 50% of annual revenue from selling consumers’ data.  Importantly, a covered company need meet only one of the three criteria.

With such breadth, the Act’s coverage spans companies across all industries.

Industry Spotlight – What’s the Impact to Your Company?

The stated goal of the CCPA is simple—to give California residents control over how their personal data is used, stored, and sold.  From a consumer perspective, this sounds desirable enough.  That is, until you look a bit under the covers at how compliance is going to be effectuated from an industry perspective.

Health Care Industry

For the health care industry, exemptions are key.  However, any health care company with employees in California, or that operates a website accessed by California residents, will likely be covered. In terms of types of information covered, industry insiders should keep a careful inventory of consumer personal information to help meet one of the Act’s carve-outs for protected health information collected by HIPAA-regulated “covered entities” and “business associates.”  A HIPAA-governed entity or Confidentiality of Medical Information Act (“CMIA”)-governed health care provider can obtain an exemption for patient information maintained in the same manner as medical information or protected health information.

Notably, the HIPAA and CMIA exemptions apply not to the covered entities themselves, but instead to the information collected by the entities.  To the extent covered entities and health care providers maintain information not governed by either HIPAA or the CMIA, they might still be required to comply with the Act’s provisions relating to the collection, use, and sharing of that data.  Thus, health care businesses must pay careful attention to the types of information they are collecting, how that information is defined across different statutes, and the extent to which similar data receives dissimilar protection under the idiosyncratic definitional structure of the CCPA.  For example, data that is “deidentified” under HIPAA, and therefore no longer considered protected personal health information, may not qualify for protection under the CCPA’s carve-out, creating potential compliance gaps and litigation risk.

Food and Agriculture Industry

Compliance is comparatively easier for the food and agriculture industry because of the types of data collected.  AgTech businesses, which are plentiful in California, typically do not collect an abundance of personally identifiable information.  However, if they have employees in California, operate a website used by California residents, or use precision agriculture tools to collect information about California producers, such as names, addresses, or social security numbers, they will be required to comply with the CCPA. Thus, it will behoove AgTech businesses to begin their compliance work and keep careful records of the types of information they collect, since the CCPA applies to information collected both online and offline.

Financial Services Industry

The financial services industry, just as the health care industry, must carefully inventory information collected, since the CCPA does not apply to personal information that is “collected, processed, sold, or disclosed” pursuant to the Gramm-Leach-Bliley Act (“GLBA”) and the California Financial Information Privacy Act (“CFIPA”), but likely will apply to employee information, and certain information collected from website and app users from California. Notably, the above exemptions do not immunize financial institutions from the class action data breach provisions of the CCPA.  This is particularly important, given that the difference between compliance and non-compliance for financial institutions largely hinges on understanding the differences in protection that attend the treatment of similarly named, but dissimilarly defined, types of data across the GLBA, CFIPA, and CCPA.  For instance, both the GLBA and the CFIPA, on the one hand, and the CCPA, on the other, cover consumer and personal information; however, nuanced differences in definitions between the statutes mean that information may fall between the cracks of the financial exemptions and CCPA protection.

The consequences of such a compliance gap are more acute in the financial sector, given that class action litigation has been made available to address the “unauthorized access and exfiltration, theft, or disclosure,” of the nonencrypted or nonredacted personal information of consumers, that has been compromised as a result of the financial institution’s failure to maintain “reasonable security procedures.” Since the statutory language establishing the carve-outs for financial information does not apply to the private right of action provision, financial institutions, like all other businesses, are still on the hook for significant statutory damages in the event of a data breach.

Technology and Fintech Industry

Technology/fintech companies will need to tailor their business activities to avoid implicating restrictions on the sharing of data and reselling personal information.  Under the CCPA, consumers have the right to opt out of the sharing of their personal information, and third parties to whom a consumer’s information has been sold are prohibited from re-sharing that information until the consumer has been notified of the sharing and afforded the opportunity to opt out.  Given the expansive definition of “sell” under the CCPA, data-dependent companies stand to lose the very foundations of their business models.

Interestingly, the impact here is not exclusive to the business side.  While it is certainly true that data brokers, social media platforms, and mobile application developers will acutely feel the impact of restrictions on “selling” and “re-selling” personal information, to the extent that their operating revenues are dependent on exactly the type of data exchange and ad networks the CCPA seems to cover, consumers, who have become accustomed to a free Internet, might be similarly impacted.  If website operators can no longer fund their offerings via data exchanges and ad placement, they will be forced to solicit payment for services, potentially harming consumers who do not want to pay for content.

Thus, regardless of industry, the CCPA stands to leave a definitive footprint in how companies handle consumer data going forward and will heighten focus on consumer privacy.

What’s New and Where Are We Headed?

If the broad industry impact of the CCPA isn’t scary enough, the fact that the legislation itself keeps changing should spook even the most compliance-minded companies.  Due to its hasty drafting, the CCPA has already been formally amended once. The California State Legislature passed SB-1121 in August 2018, amending the original legislation to address questions of enforcement, exemptions, and preemption, among other changes. However, new amendments might still be forthcoming.

For example, California Assembly Bill 25 was introduced in December to amend the Act to exclude employees from the definition of consumer.  Of particular note in this space, the CCPA covers employee data, to potentially include performance reviews, internal correspondence, and other personal information germane to Californians in their roles as employees. Given the undesirable consequences of allowing the Act to cover employee data access requests (to include not only overwhelming request volume, but also misuse of the system to acquire information for use in employment lawsuits), the bill, if passed, would divorce information collected pursuant to employment or application for employment from the personal information protected under the CCPA.  Any benefit to be gained by the exclusion of employee information, however, would be eclipsed by the potentially enormous impact of SB 561, if passed.

The amendments proposed in SB 561, introduced in the California Legislature on February 22, 2019, by California Attorney General (“AG”) Xavier Becerra and California State Senator Hannah-Beth Jackson, are significant for all industries covered by the CCPA.

The proposed changes broaden the scope of the private right of action to encompass ALL violations of the CCPA, as opposed to only data breaches.  Importantly, the proposed amendments would also remove other business safeguards, such as the 30-day cure period during which businesses may attempt to rectify violations following notice thereof, and businesses’ entitlement to solicit opinions from the AG regarding compliance guidance (the general guidance would instead be published).

What’s the Takeaway – Why Should We Be Concerned?

As the law currently stands, the California AG cannot begin to bring enforcement actions for violations of the CCPA until July 1, 2020.  However, the private right of action becomes available on January 1, 2020.  As we have noted, the difference between compliance and liability for many industries is the CCPA’s ambiguous and often counterintuitive definition of key terms – i.e., “consumer,” “personal information,” “sell,” even “business,” to the extent that non-profits (important in the health-care context) are roped into the CCPA’s coverage if they are controlled by a for-profit entity.

An expanded private right of action would allow consumers to bring actions for violations big and small, technical and substantive, and questionably defensible, insofar as consumers may not be required to show any concrete, particularized harm in the event of a violation.

If you’ve been following Dorsey’s coverage on the CCPA, then you know that this means $$$, especially for hungry class action attorneys, as the potential for damages is high.  The CCPA, as amended, permits a penalty assessed by the AG of up to $2,500 for each unintentional violation, and up to $7,500 for each intentional violation; for private plaintiffs in the data breach context, statutory damages range between $100-$750 per individual, per incident.  This means that even a relatively small data breach involving 15,000 people equates to at least $1.5 million in damages.  Now imagine 25,000 people.  Well, you do the math.  The litigation costs alone are potentially catastrophic.

How Much Will It Cost You – Damages and Class Risk Are Key

The risks and costs of the class actions or litigation are not the only financial impacts, however.  Inevitably, cyber insurance premiums will increase, investigation costs and data gathering for compliance purposes will rise, and conflicting interpretations of various provisions will be promulgated, further complicating an already oblique compliance landscape.  Even attempts to outmaneuver class action liability are likely to have unintended, injurious consequences.  The CCPA contains a prohibition against class action waivers; however, there is a strong argument to be made that the Federal Arbitration Act will preempt this provision.  Yet, as we saw in the recent Uber arbitration case, attempts to limit class action liability by instituting mandatory arbitration provisions can backfire, where, as with Uber, mass arbitrations stick businesses with millions of dollars in filing fees alone.

Creative plaintiffs’ lawyers will also tack on potential liability under the California Unfair Competition Law (“UCL”) if they are able to convince courts that the UCL can be used as a vehicle to pursue additional damages, or even non-data-breach-related violations of the Act.  The UCL prohibits businesses from perpetrating “unlawful, unfair, or fraudulent” business practices, authorizing private rights of action where there is an auxiliary violation of other laws. Thus, plaintiffs’ lawyers are likely to use the CCPA as a vehicle for sourcing unlawful or unfair consumer privacy practices, in order to weaponize them under the UCL, independently of a CCPA cause of action. More concerning still, the CCPA creates a private right of action for data breaches, which incentivizes plaintiffs’ lawyers to pile on a secondary UCL claim in the data breach context. In the event the private right of action is expanded to cover all violations of the CCPA, the risk profile increases tremendously.

How Dorsey Can Help

With a January 1, 2020 implementation deadline forthcoming, compliance-minded in-house attorneys should already have begun their compliance efforts.  Dorsey’s Cybersecurity, Privacy, and Social Media Team has developed assessment tools and guidance on reasonable security practices and procedures to help prevent data breaches and defend companies from the forthcoming tsunami of class actions.  Learn more about how the CCPA impacts your business by contacting us.  Notably, Dorsey has partnered with leading technical security industry organizations to offer full-service advice.