Even though the California Consumer Privacy Act (“CCPA”) has been in effect since January 1, 2020, and enforcement of all CCPA provisions has been available since July 1, 2020, significant uncertainty exists regarding the substantive application of the CCPA and whether its provisions will endure. Three areas of uncertainty predominate: (1) when will exemptions for employee and business-to-business (“B2B”) information expire; (2) which companies are the early targets of the California Attorney General’s enforcement and on what basis; and (3) will the California Privacy Rights Act (“CPRA”) pass on November 3?
ince the beginning of the year, industry leaders and counsel advising clients on data security issues have held their collective breath in anticipation of the tsunami of California Consumer Privacy Act (CCPA) lawsuits. The CPPA, ballyhooed over the past few years as the next big thing in consumer litigation, is now the law in California. The most comprehensive cybersecurity and information privacy statutory scheme in the nation, the CCPA creates an express private right of action for individuals whose data is breached by hackers and mandates that significant penalties be assessed against the company that violates cybersecurity standards.While no CCPA lawsuits were filed in January, a consumer privacy lawsuit filed February 3 in the U.S. District Court for the Northern District of California has garnered a great deal of attention. Touted by some as the “first” CCPA case, a closer reading of the Complaint filed in Barnes v. Hanna Anderson, LLC (No. 3:20-CV-00812) shows that the plaintiff does not assert a direct claim under the statute. There is a simple reason for this. The data breach alleged in Barnes occurred in 2019, before the effective date of the CCPA. Although the Complaint alleges acts or omissions in 2020 by stating that the retailer did not tell customers or the Attorneys General about this in January, the fact that the data breach occurred before the effective date of the CCPA would render a direct claim subject to a motion to dismiss.
As of January 1, 2020, the California Consumer Privacy Act (CCPA) is in effect and impacts numerous businesses that collect or process the personal information of California residents. The CCPA carries potentially stiff penalties for noncompliance, but the actual text of the law does not provide a clear roadmap for companies to feel comfortable that they are doing things the right way. As such, we are already seeing dramatic disparities in how companies across the world are interpreting the CCPA and choosing to implement its requirements. They can’t all be right.
The California Attorney General recently published a report assessing CCPA compliance costs. The report attempts to quantify the monetary value of consumers’ personal data, and estimates the total value of personal data exceeds $20 billion annually. The report goes on to estimate the total cost of initial compliance at $55 billion for all companies subject to the CCPA. The report assumes that initial compliance costs will constitute the “vast majority,” of compliance costs. Anecdotally, however, this assumption may need to be reconsidered in light of the anticipated recurring expenses that companies eventually will be required to incur in order to respond to data subject access requests.
Businesses may receive a bit of breathing room as a result of two amendments to the California Consumer Privacy Act (CCPA) passed on Friday, September 13, 2019, by the California Legislature. The Legislature gave businesses a one-year moratorium on two significant aspects of the law: its application to employees, job applicants, owners, officers, directors, medical staff members, and contractors; and its application to business-to-business transactions. The Governor has until October 13, 2019, to sign or reject the amendments. Although the amendments provide some of the needed clarifications and error corrections and a significant break from needing to respond to certain data subject requests from employees and B2B contacts, businesses will still need to complete their data mapping (even for these categories of consumers) and will still need to be prepared to offer the rights not exempted on January 1, 2020, even if these amendments are signed by the Governor.For those following the process, five bills passed the Legislature: AB 25, AB 874, AB 1146, AB 1355, and AB 1564. Proposed amendment AB 846 on loyalty programs was shelved. In addition to the two widely applicable amendments about employees and business-to-business transactions discussed in detail below, the Legislature also passed a number of minor or narrowly applicable amendments. The amendments amount to 98 pages of printed material. We will cover only the more significant of them in this article.
New York continued its active legislative session last week, this time by expanding its data breach notification law. The SHIELD Act (Stop Hacks and Improve Electronic Data Security), signed by Governor Andrew Cuomo on July 25, 2019, notably expands the definition of a data breach and the scope of what constitutes personal information. But the law could have gone farther; the state did not enact a private right of action, as has California, and which several other states are considering. New York’s action does, however, contain several other very significant provisions in the context of data breaches involving New York residents.
Just as companies are reaching the straightway in their efforts to get ready to comply with the California Consumer Privacy Act (“CCPA”) by January 1, Nevada has burst ahead with a privacy law that will take effect before the CCPA. On May 29, 2019, Nevada Governor Steve Sisolak signed SB 220 into law, amending Nevada’s existing law that requires an operator of an Internet website or online service to provide a privacy notice to consumers detailing certain of the operator’s privacy practices; SB 220 goes into effect on October 1, 2019.1 SB 220 allows consumers to opt-out of operators of Internet websites and online services selling personally identifiable information to other entities for monetary consideration and will require both legal and operational changes for businesses. Operators, as defined by the law, must create a “designated request address” that allows consumers to submit requests prohibiting sale of information collected about the consumer, and operators must respond to the requests within 60 days.
Since its adoption last year, U.S. financial institutions have been confronted with the challenge of planning their compliance with the California Consumer Privacy Act (the “CCPA”)1. The CCPA becomes effective in two stages—January 1, 2020 and July 1, 2020 (or possibly sooner depending upon the date the California Attorney General adopts implementing regulations).2Regrettably, considerable confusion exists within the financial industry about the scope of the CCPA and the obligations it imposes on financial institutions.In an effort to provide our financial intermediary clients and friends with a workable summary of a financial institution’s obligations—and in particular for financial institutions that do not have a physical presence in California—this Alert is intended to assist in identifying coverage considerations, and provide a practical approach to the development of a project plan that will demonstrate reasonable compliance with the CCPA’s admittedly ambiguous set of requirements and obligations.
On Thursday, March 16, 2019, the California Senate Appropriations Committee held in Committee SB 561, which would have greatly expanded the private right of action (i.e., the ability to bring private class actions) available under the California Consumer Privacy Act (“CCPA”). SB 561 was introduced in February by California Attorney General (“AG”) Xavier Becerra and Senator Hannah-Beth Jackson. Notably, the bill sought to amend the existing private right of action to cover all violations of the CCPA, as opposed to merely data breaches. Additionally, the bill would have discontinued the 30-day cure period, whereby businesses were immunized from penalization by the AG to the extent they were able to cure an alleged violation within 30-days’ notice thereof, and would have eliminated businesses’ and third parties’ entitlement to seek interpretive guidance regarding compliance from the AG (and instead would authorize the AG to publish general guidance).
As companies were getting up-to-speed on the effects of the European Union’s General Data Protection Regulation (GDPR) last year, California quickly enacted its own privacy law, the California Consumer Privacy Act (“CCPA” or “Act”) last June. We address below the high risk associated with the CCPA and its interaction with regulations in key U.S. industries. The fast-passed legislation was designed to avoid a November 2018 ballot initiative on the subject, and was plagued by errors and ambiguities that require robust clarification. The Act’s take-away, however, was abundantly clear – California consumers have a right to know what personal data companies are collecting and are empowered to bring a private right of action for a data breach (and even potentially for other violations of the Act).