May 26, 2020

CCPA Compliance: Are you Ready for PI 2.0? (5 Months to Go)

Don’t wait to implement your California Consumer Privacy Act (CCPA) compliance, as it could require changes to your operations. CCPA can apply to businesses even if they do not have offices or employees in California, and it can also reach activities conducted outside of California. See our prior alert here to see if CCPA applies to your business.

Under CCPA a business needs to track certain personal information to be able to honor consumer requests. Consumers may ask, for example, to know what information a business has on hand about them (among other rights*). CCPA also requires a business to secure personal information to help avoid an actionable data breach. The CCPA’s broad definition of personal information is unprecedented in existing US state privacy law. Consequently, CCPA may cause many businesses to reclassify certain information as personal information (“PI”). Welcome to PI 2.0.

What’s “new” in PI under CCPA? PI now includes content not always considered PI in the past such as:

1. data relating not only to an individual consumer, but also to households

2. online identifiers

3. geolocation data

4. IP addresses

5. Internet browsing or search history, including information regarding a consumer’s interaction with an Internet website, application, or advertisement

6. commercial information, including a consumer’s records of things purchased, considered, or other purchasing or consuming histories or tendencies

7. inferences drawn (e.g., predictions about consumer or household preferences or tendencies)

8. audio, electronic, visual, thermal, olfactory, or similar information

Why are these definitional changes significant?

• Businesses subject to CCPA now have new compliance obligations. Some action items may include:

a) Many businesses will need to revise their posted privacy policies and internal processes to account for the broader definition of PI under CCPA (as part of otherwise working to have policies and processes that comply with CCPA).

b) They will have to determine whether to apply the broad treatment of PI in California across their data subjects in the US (even if not required in other states) if it would be too cumbersome to isolate PI subject to CCPA from other PI those businesses maintain.

c) Businesses may also desire to evaluate whether the new CCPA requirements make raising a claim under their cyber liability insurance harder and how to compensate for that possibility.

d) Businesses may need to amend vendor contracts to account for an updated definition of PI (as part of otherwise addressing whether the vendor contracts comply). See our prior vendor contracts alert here.

CCPA expands the types of data that businesses must treat as PI. Under CCPA, this expanded definition of PI is used for purposes of allowing consumers to exercise their CCPA rights*. This definition is very broad compared to existing PI definitions in the US, many of which are found in data breach notification laws. Under US state data breach laws, data is considered PI if it contains both an identifying factor and an account number or other sensitive personal data element.

• For example, in California what is PI for purposes of determining whether a data breach occurred means an individual’s first name or first initial and his or her last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted: (i) social security number, (ii) driver’s license number or California identification card number, (iii) account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account, (iv) medical information, or (v) health insurance information.

• CCPA itself relies on California’s separate data breach law definition of PI to determine what would be an actionable data breach under CCPA. That’s good news because an actionable data breach exposing a business to liability in California applies to a narrow subset of PI. However, it doesn’t change the fact that a business otherwise must apply CCPA’s other requirements to a broad and vast amount of individuals’ data.

* CCPA gives data subjects, with some exceptions, the rights to (i) be informed if their personal information is sold or disclosed, (ii) approve of the sale of their personal information, (iii) demand deletion of the information, (iv) opt-out and (v) be protected from discrimination if they exercise their privacy rights.

This overview does not substitute for considering CCPA’s requirements in their entirety.

Copyright © 2020 Womble Bond Dickinson (US) LLP All Rights Reserved.

About this Author

Theodore Claypoole
Senior Partner

As a Partner of the Firm’s Intellectual Property Practice Group, Ted leads the firm’s IP Transaction Team, as well as data breach incident response teams in the public and private sectors. Ted addresses information security risk management and cross-border data transfer issues, including those involving the European Union and the Data Protection Safe Harbor. He also negotiates and prepares business process outsourcing, distribution, branding, software development, hosted application and electronic commerce agreements for all types of companies.

704-331-4910
Nadia Aram
Associate

Nadia advises clients in a variety of business transactions involving the use and commercialization of intellectual property and technology. She has experience drafting and negotiating a broad variety of contracts, including technology licenses, services, consulting and other complex commercial agreements to help clients realize the value of their assets day-to-day, and as part of strategic product and technology acquisitions and divestitures. Nadia also practices in the areas of franchise law, and advertising, sweepstakes & promotions law, including advising clients on digital media marketing to minimize the risks of advertising and marketing online.

She started at the firm as a corporate attorney with a focus on mergers and acquisitions and private securities offerings and investments, and brings her knowledge and experience of corporate matters to bear on her current practice and advice to clients on strategic transactions. Relevant industry experience includes: biotechnology, agrochemical, pharmaceutical, software, retail, manufacturing, financial and other services sectors.

919-755-2119