September 29, 2020

Volume X, Number 273


PRIVACY ALERT: California Leads the Privacy Parade Again with Groundbreaking Privacy Legislation

June 28, 2018 will be a watershed day in the history of U.S. data privacy legislation. California has become the first state to move away from the U.S. approach of legislating data privacy in slow, piecemeal steps. Yesterday, both houses of the legislature passed – and Governor Brown signed into law – the California Consumer Privacy Act of 2018.

Earlier we wrote about the effort to pass the California Privacy Ballot Initiative No. 17-0039 (the “Ballot Initiative”) that would be put forth on the November 6th, 2018 ballot. The Ballot Initiative would give consumers broad rights regarding their personal information, including the ability to learn to whom their personal information is being disclosed or sold, and it would prevent businesses from discriminating against consumers who exercise their rights under the act, including opting out of the sale of their personal information. Further, the Ballot Initiative would have given consumers a private right of action to sue businesses that experienced a security breach and failed to implement reasonable security procedures, with statutory damages of $1,000, which would increase to $3,000 for willful violations.

As a sort of compromise, Senator Bob Hertzberg (D-Van Nuys) and Assemblymember Ed Chau (D-Monterey Park) resurrected a revised version of a bill introduced in 2017, also authored by Senator Bill Dodd (D-Napa), that provides many elements similar to those of the Ballot Initiative, although in most cases in a less aggressive form. The provisions of the California Consumer Privacy Act become operative only if the Ballot Initiative is withdrawn from the ballot. It is expected to be withdrawn today, but stay tuned on that point.

Assuming the Ballot Initiative is withdrawn, the California Consumer Privacy Act of 2018 (“CCPA”) will become effective on January 1, 2020. The delayed effective date was planned to give the legislature the ability to provide sorely needed correction and clarification to the hastily drafted (and often confusing) text before it goes into effect.

The consumer rights embedded in the CCPA will look familiar to those who have been dealing with the GDPR. It represents a major development in U.S. privacy law, and although it applies only to California residents, it will have ripple effects in the other 49 states, and companies should be developing compliance plans.

Below is an overview of important portions of the proposed legislation.

  • Expansion of “Personal Information” (PI):
    • The CCPA expands the scope of “Personal Information” beyond the GDPR – and certainly well beyond any U.S. privacy law. It defines “Personal Information” as information that “identifies, relates to, describes, is capable of being associated with, or could reasonably [be] linked, directly or indirectly, with a particular consumer or household.” There is a new laundry list of items to be considered PI, including IP addresses; persistent or probabilistic identifiers that can be used to identify a particular consumer or device; records of personal property, products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies; Internet or other electronic network activity information; professional or employment-related information; or any consumer profile.
  • Consumer’s Right to Request Disclosure:
    • A consumer is defined as “a natural person who is a California resident, as defined in Section 17014 of Title 18 of the California Code of Regulations,” and the CCPA would apply to such “consumers” even if they are identified only by a unique identifier. Under the CCPA, consumers have a right to request that a business disclose the categories and specific pieces of PI that it collects about the consumer, the categories of sources from which that PI is collected, the business purposes for collecting or selling the PI, and the categories of third parties with which the information is shared — all at or before the point of collection of the PI.
    • However, consumers do not have the right to request the names of the actual entities to which the PI was transferred.
    • The CCPA requires a business to make disclosures about the information and the purposes for which it is used.
  • Consumer’s Right to Request Deletion:
    • The CCPA grants a consumer the right to request deletion of personal information and would also require businesses to have service providers delete the information.
    • It also provides for many exceptions, including where the collected personal information is:
      • Necessary to provide a good or service requested by the consumer, or reasonably anticipated due to the relationship with the consumer.
      • Used for detecting security incidents or fraud, as well as debugging existing intended systems.
      • Used to enable internal uses that are aligned with consumer expectations based on the relationship.
      • Needed for complying with legal obligations.
    • These exceptions could be construed to be fairly broad in nature, particularly as they relate to detecting fraud and debugging systems.
  • Consumer’s Right of Access and Data Portability
    • Consumers may request access to the PI held by the business, and to obtain it in a “readily usable format” that allows porting the data over to another entity “without hindrance.” Upon verification of the consumer’s identity, the business must respond; however, businesses are not required to retain information that is obtained in a one-time transaction, or to re-identify or link information that is not in identifiable form. It remains to be seen whether this applies to pseudonymized data.
    • Consumers may make this request to a business no more than twice in a calendar year.
  • Consumer’s Right to be Forgotten:
    • A consumer has the right to request that a business delete any PI collected from the consumer, subject to certain exceptions. Businesses are required to notify customers of this right to request deletion.
  • Non-Discrimination/Opt Out Right:
    • Opt Out: The CCPA authorizes a consumer to opt out of the sale of personal information by a business. Businesses must make available, in a form reasonably accessible to consumers, a “clear and conspicuous link to the homepage”, titled “Do Not Sell My Personal Information.” That link must go to a webpage that enables the consumer to opt out. The business must wait a minimum of 12 months before requesting to sell the PI of a consumer who has opted out.
    • Non-Discrimination: Businesses are prohibited from discriminating against the consumer for exercising this right, including by charging the consumer who opts out a different price or providing the consumer a different quality of goods or services, except if the difference is reasonably related to the value provided by the consumer’s data. Financial incentives offered to the consumer for the collection, sale, or deletion of PI are permitted only with the prior opt-in of the consumer.
    • Consumers between 13 and 16 must opt in: The CCPA prohibits a business from selling the personal information of a consumer under 16 years of age unless affirmatively authorized, as specified, which is referred to as the right to opt in. Consumers under the age of 13 would still be subject to the federal Children’s Online Privacy Protection Act.
  • Enforcement:
    • Attorney General: The CCPA is enforced by the Attorney General.
    • Private Right of Action: Consumers whose nonencrypted or nonredacted personal information is subject to unauthorized disclosure as a result of a “business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information” can sue civilly.
      • Damages: Limited to not less than $100, and not more than $750.
      • Injunctive relief is also available.
    • Mandatory Notice to Business:
      • Prior to initiating an action, the consumer must provide the business 30 days’ written notice specifying which provisions of the title the business is alleged to have violated.
      • If the business is able to cure within 30 days, no action for individual or statutory or class-wide damages may be initiated. “Curing” a data breach may be difficult.
      • At this time, it is not clear how a business would cure unauthorized disclosure of personal information that has already occurred.
      • No notice is needed to sue for actual pecuniary damages suffered due to alleged violations of the title.

There are other specific requirements for privacy policy disclosures, method of consumer request, and business response and other important compliance requirements that we will discuss in detail over the coming weeks. We will also be paying close attention to legislative sessions in other states for the introduction of similar legislation. Watch this space.

©1994-2020 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved. National Law Review, Volume VIII, Number 180


About this Author

Cynthia Larose
Member / Chair, Privacy & Cybersecurity Practice

Cynthia is a highly regarded authority in the privacy and security field and a Certified Information Privacy Professional (CIPP). She handles the full range of data security issues for companies of all sizes, from start-ups to major corporations. Cynthia is masterful at conducting privacy audits; crafting procedures to protect data; advising clients on state, federal, and international laws and regulations on information use and data security; helping organizations respond to breaches; and planning data transfers associated with corporate transactions. She is an in-...

Brian H. Lam

Brian Lam is a member of Mintz’s Privacy & Security Practice and Technology Transactions Practice. Brian focuses his practice on providing practical advice that enables companies to pursue their business in a competitive environment while reducing risk associated with the collection, use, storage, transfer, and potential loss of data. He frequently negotiates complex data-centric information technology agreements, and designs policies and corresponding controls for the implementation of best practices, compliance with state and federal law, and international considerations. He often reviews the data flows within an organization from both a senior leadership perspective as well as at the implementation level, and provides actionable recommendations to engineer such data flows in order to reduce compliance risk and engender consumer trust.

Brian frequently provides advice to clients that wish to buy or sell corporate entities whose business models leverage data and information technology, including data aggregation, analytics, and open source software.

Brian has been designated a Fellow of Information Privacy (FIP) by the International Association of Privacy Professionals, and is also a Certified Information Privacy Professional (CIPP) (US Specialization), Certified Information Privacy Manager (CIPM), and a Certified Information Systems Security Professional (CISSP). He has a B.S. in Computer Science and an M.S. in Telecommunications from the University of Colorado at Boulder, College of Engineering and Applied Science.

He is also a member of Governor Brown’s California Cybersecurity Task Force, a statewide partnership comprised of key stakeholders, subject matter experts, and cybersecurity professionals from California's public and private sectors, academia, and law enforcement that serves as an advisory body to the State of California Senior Administration Officials in matters related to cybersecurity.

Before becoming an attorney, Brian worked at one of the country’s leading information security firms, where he focused on analyzing the existing network security controls of financial institutions, online merchants, and government organizations. He also conducted penetration tests, provided guidance on PCI-DSS compliance, and assisted federal law enforcement with digital forensics post security incident. Subsequently, he joined one of the world’s largest management consulting and information services firms, where he led efforts to design and implement large-scale information security initiatives for Fortune 500 companies, including one of the world’s largest banking and consumer credit companies.