In the last few weeks we have seen both regulatory and legislative action that has helped to clarify the scope and impact of the California Consumer Privacy Act ("CCPA"). By way of a refresher, the CCPA seeks to protect the personal information of California consumers by giving them greater knowledge about the nature and extent of the data collected about them, how it is used (sold or shared) by those who possess it, and how the individual consumer can control the use of his/her personal data. The CCPA applies to companies, regardless of where they are located, which:
- Have annual gross revenues in excess of $25 million;
- Alone or in conjunction with others annually buy, sell, receive or share for commercial purposes, the personal information of 50,000 or more consumers, households, or devices; or
- Derive 50% or more of their annual revenues from selling consumer personal information.
This framework leaves companies to ask some very basic questions before deciding next steps:
- What is our annual gross revenue (not limited to California income)?
- Do we have the personal information of at least 50,000 consumers, households or devices located in California?
- Do we sell the personal data we have of those California consumers, households or devices? If so, do we derive 50% or more of our annual revenues from those sales?
- Even if we do not sell that personal data, do we disclose any portion of it to any third parties?
If you answered more than $25 million to the first question or yes to any of the remaining questions, you could be subject to the CCPA, but there is more to the analysis. The next important question is: do you hold personal data belonging to any California consumers, households or devices? If you answered no, you can breathe a sigh of relief. If not, get ready for the year-end push!
To be clear, personal data is defined as: "Any data that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household, including but not limited to a real name, alias, postal address, unique personal identifier, online identifier Internal Protocol address, email address, account name, social security number, driver's license number, passport number and other similar identifiers." You can add to that personal information as already defined in Civil Code § 1798.80: signature, physical characteristics or description, telephone number, state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information, and you quickly come to the conclusion that just about any information you have that relates to a specific consumer (a California resident) qualifies as what is generally referred to as personal data, personal information, personally identifiable information or PII, and is the focus of the CCPA.
Due to the extensive nature of the legal and regulatory changes, we are going to cover this topic in two Alerts. This first one deals with the legislative changes. The next one will address the regulations which were recently released for comment by the California Attorney General.
All of these bills were signed into law on October 11, 2019. There is a good deal of overlap regarding the individual provisions in these bills. What you see below are the highlights.
AB 25 –
- Permits businesses to seek verification of the identity of the consumer who makes the request for records. The process to do so must be "reasonable" and done through an account if the consumer maintains an account with the business, but the consumer cannot be required to set up an account for this purpose alone. Consumers may make such requests only twice in any 12 month period and businesses must reply to such requests in a timely manner, even if only to say we cannot authenticate the requestor.
- More concerning is the consumer may now bring a private right of action if the business fails to "implement reasonable security procedures and practices" if such action or inaction results in "exfiltration, theft or disclosure" of personal data. See more details below in the discussion on AB 1355.
- Businesses that collect personal data "to, at or before" the point of collection, must inform the consumer as to the categories of personal information to be collected and the purposes for which that data will be used.
- If the collection is for purposes of a job applicant, an employee, owner, director, officer, medical staff member or contractor of the business, such actions are exempt for one year only – so until January 1, 2021. In this context, the collection of emergency contact information or data needed to administer benefits are also exempt.
- Two or more methods must be provided by which the consumer may request information, and at a minimum, that must include a toll-free telephone number, and a website address if a website is maintained by the business. If the business deals exclusively online and has a direct relationship with the consumer, the business must provide an email address for submission of these requests.
- Upon request, the personal data must be provided to the consumer free of charge within 45 days of the business receiving a verifiable consumer request, and the ability to extend for another 45 days remains but only if "reasonably necessary". Notice of the extension must be given to the consumer within the original 45 day period. The period of disclosure is the 12 months preceding receipt of the verifiable consumer request and is to be delivered by mail or through the customer's account, at the consumer's option, and in readily useable format which permits the data to be transmitted from one entity to another "without hindrance". Consumers may make such requests no more than twice in any 12 month period.
- Companies must maintain two lists – one for personal data which is sold and the other for the personal data which is disclosed. The data on both lists must be provided to consumers upon request, along with the categories of third parties buying/receiving that data.
- A description of the consumer's rights regarding disclosure of personal data, the designated methods for submitting requests and confirmation the company does not discriminate due to the consumer's exercise of these rights.
- A list of the categories of personal data collected in the prior 12 months, meaning categories of personal information collected; their source(s); the business purpose(s) for the collection or sale of the personal data; the categories of third parties with which the business shares personal data; and the specific pieces of personal data collected about the consumer.
- Businesses must also ensure that all individuals responsible for handling consumer inquiries about the company's privacy practices have been properly trained, to include directing consumers to the means to exercise their rights.
- Beside the statutory preemptions already in state or federal law, the only other recognized exception is if the data is collected and used wholly outside California.
AB 874 –
- Those subject to the CCPA are clarified to be businesses, meaning for profit entities, including those which control others or co-brand. Non-profits are not subject to the CCPA.
- Personal information is further clarified to include that which identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household, including real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, social security number, driver's license number, passport number, or other similar identifiers, including biometric data (see below in the discussion of AB 1130 for a definition). Also included are geolocation and professional or employment-related information.
- Personal information does not include publicly available information, or that which is de-identified, aggregated or pseudonymized.
- Business is held to not sell data when it shares that data at the direction of the consumer, even to third parties; uses the data to accomplish the consumer's opt-out instruction; shares the data with a service provider to perform a business purpose, provided notice is provided to the consumer and the service provider does not collect, sell or use the data for other purposes; in the merger, acquisition, bankruptcy or other transactions where the third party assumes control of all or part of the business and no change in the uses of the data will occur.
AB 1146 exempts the retention and exchange of vehicle ownership data between a dealer and the vehicle manufacturer.
AB 1202 defines data brokers as "a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship." Excluded from this definition are any consumer reporting agency covered by the Fair Credit Reporting Act, any financial institution to the extent that it is covered by the Gramm-Leach-Bliley Act and its regulations, and any entity covered by the Insurance Information and Privacy Protection Act. Data brokers are now required to register on or before January 31 of each year with the Attorney General who is directed to create a page on his website to publicize the information received. Data brokers are invited, but not required, to provide any other information about their data collection practices they wish to submit at time of registration. A modest fine structure is provided for non-compliance.
AB 1355 –
Originally a business was liable if the consumer information was maintained in an unencrypted or un-redacted manner. The standard of care was changed by this bill to a duty to implement and maintain "reasonable security procedures and practices appropriate to the nature of the information" so as to protect that personal data.
There is also clarification regarding what are considered legitimate business purposes: "[t]he use of personal information for the business's or a service provider's operational purposes, or other notified purposes, provided that the use of personal information shall be reasonably necessary and proportionate to achieve the operational purpose for which the personal information was collected or processed or for another operational purpose that is compatible with the context in which the personal information was collected."
This bill goes on to define business purposes as:
(1) Auditing related to a current interaction with the consumer and concurrent transactions, including, but not limited to, counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards.
(2) Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity.
(3) Debugging to identify and repair errors that impair existing intended functionality.
(4) Short-term, transient use, provided that the personal information is not disclosed to another third party and is not used to build a profile about a consumer or otherwise alter an individual consumer's experience outside the current interaction, including, but not limited to, the contextual customization of ads shown as part of the same interaction.
(5) Performing services on behalf of the business or service provider, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing advertising or marketing services, providing analytic services, or providing similar services on behalf of the business or service provider.
(6) Undertaking internal research for technological development and demonstration.
(7) Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by the business.
The other notable revision has to do with the right of the consumer to bring a lawsuit. Under the original CCPA, only the Attorney General had the ability to enforce this law. That, too, has changed. Now, any consumer whose "non-encrypted and non-redacted" personal information is subject to "unauthorized access and exfiltration, theft or disclosure" as the result of the businesses failure to "implement and maintain reasonable security procedures and practices appropriate to the nature of the information" may be sued. The plaintiff is, however, limited to recover no less than $100 and no more than $750 per consumer per incident or actual damages, whichever is greater, along with injunctive or declaratory relief and any other damages the court deems proper. In reaching its decision, the court is instructed to "consider any one or more of the relevant circumstances ..., including, but not limited to, the nature and seriousness of the misconduct, the number of violations, the persistence of the misconduct, and the defendant's assets, liabilities and net worth."
Prior to initiating any civil action, the consumer must provide the business with 30 days' written notice identifying the violations alleged by reference to the specific provisions of the CCPA. If the business is able to cure, does so within that 30 day period and provides express written notice about the cure and assurances that no further violations will occur, neither an individual or class action lawsuit may be brought. However, no notice is required to recover "pecuniary" damages, i.e., out of pocket costs. If violations continue, the consumer may sue to enforce the written statement and pursue statutory damages for violation of the written assurance and other rounds. However, any such lawsuit may only rely only violations of the CCPA and no other grounds for recovery.
AB 1564 – this new law mirrors the provisions in other bills previously summarized and deals with such topics as notice to consumers and maintenance of two lists (sale and disclosure).
Also enacted was AB 1130 which makes some changes to California's data breach laws. First, it underscores the obligation on agencies and businesses to give notice of any breach to those whose data was compromised. While much of what is addressed has to do with the notice requirements, of particular interest is the expanded definition of personal information, which now includes any of the following: first name or initial and last name in combination with "any one or more of the following data elements, when either the name or the data elements are not encrypted:
(A) Social security number.
(B) Driver's license number, California identification card number, tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual.
(C) Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
(D) Medical information.
(E) Health insurance information.
(F) Unique biometric data generated from measurements or technical analysis of human body characteristics, such as a fingerprint, retina, or iris image, used to authenticate a specific individual. Unique biometric data does not include a physical or digital photograph, unless used or stored for facial recognition purposes.
(G) Information or data collected through the use or operation of an automated license plate recognition system, [as defined elsewhere in the law]
(2) A username or email address, in combination with a password or security question and answer that would permit access to an online account."
Personal information does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records. One fact all of these bills have in common is they acknowledge the exemptions already in the CCPA for:
- California Confidentiality of Medical Information Act
- Health Insurance Portability and Accountability Act
- Health Information Technology for Economic and Clinical Health Act
- Federal Policy for the Protection of Human Subjects – clinical trial
- Personal information collected, processed, sold, or disclosed pursuant to a specified federal law relating to banks, brokerages, insurance companies, and credit reporting agencies, among others – Gramm-Leach-Bliley Act
- California Financial Information Privacy Act.
- Driver's Privacy Protection Act of 1994,
- If infringe on the noncommercial activities of newspapers and periodicals.
Whereas the legal framework for the CCPA has now been further clarified, it is important to keep in mind those who were behind the ballot initiative which led to its quick enactment are looking for still stronger protections. As such, it remains possible more changes will occur in the next election and legislative cycle. For now, we refer you to Part 2 of this Alert which will be published tomorrow for information about the proposed regulations.
The CCPA takes effect on January 1, 2020. Are you ready?