The holidays are over. 2020 is upon us. And for American businesses with any connection to California, this means one thing: the California Consumer Privacy Act (CCPA), America’s version of GDPR is here. It is a phased launch. The law is in effect. But the most onerous provisions will only take effect on July 1. That is when the California Attorney General may enforce the CCPA’s toughest requirements.
The CCPA establishes a comprehensive legal framework to govern the collection and use of personal information. It applies to both online and offline data processing. The law provides unprecedented privacy rights to California consumers. California’s size and key role in the technology industry could make the CCPA the de facto national standard for U.S. privacy law.
The law introduces new legal risks and considerations for companies that collect information from Californians. The law’s broad sweep, expansive definition of personal information, extensive disclosure obligations, enhanced consumer rights, and potential for statutory fines represent substantial legal risk, Moreover, given the private right of action there is significant potential for consumer class action litigation in the event of a data breach.
Hastily enacted to stave off a draconian ballot initiative, the CCPA contains jurisprudential gaps. For instance, it lacks critical definitions. Moreover, the Attorney General’s office has released limited guidance to date. Experts expect additional guidance. And redrafting of the legislation itself remains a distinct possibility. All that aside, what should businesses be doing right now?
The CCPA applies to a business that:
- does business in California,
- collects personal information (directly or through an intermediary),
- helps determine the purposes of processing of that data, and
- (1) enjoys gross revenues above $25M, or (2) processes the personal information of 50,000 or more consumers, or (3) derives at least 50 percent of its annual revenues from selling consumers’ personal information.
A full compliance program would require a treatise. Moreover, as discussed above, so far only limited guidance is available. That said, businesses should plan to meet at least two requirements. First, there is the “Notice at Collection” mandate. Second is the “reasonable measures” requirement.
Notice at Collection
The “Notice at Collection” mandate requires that specific information be communicated to the consumer or employee. The business must specify the personal information it collects. And it must explain how it uses the information in each category. There are eleven categories of personal information, such as identifiers, geolocation data, biometric information, employment-related information, etc. See Cal. Civ. Code Sec. 1798.140(o).
Of course, this information leaves much open to interpretation. For instance, California residents are entitled to the Notice. But the circumstances triggering the obligations are unclear. Some persons are specifically entitled to the Notice. These include Californians such as applicants or contractors. But neither the CCPA nor the current guidance defines these terms. Who is a contractor? The recommended approach would be to take the broadest possible view of the term in an abundance of caution.
Similarly, the timing mandate is unclear. The CCPA requires that the delivery of the Notice precede the collection of personal information. To this end, businesses should design their website screen-flow to ensure that the Notice is required viewing prior to applicant or client entry of information. If the individual furnishes additional information later in the process e.g., for a credit or background check, the business should provide a second notice explaining the purpose of this added information.
A related issue is handling existing employees and customers. The CCPA has no explicit retroactive provision. Even so, the prudent approach would be to furnish existing data subjects a Notice of Collection. Moreover, data collection is a continual process. For example, transaction records and website preferences are being continually updated. The prudent business should err on the side of caution. The safe course is to furnish each employee and customer a Notice of Collection even if there is no explicit mandate to this end.
Finally, while the CCPA does not require such an appointment, a business should designate a point of contact. Not only does this assist employees and customers, it ensures the business is communicating a consistent message in all its dealings. Moreover, the point of contact can function as a two-way channel, apprising management of concerns and frequent queries to avert miscommunication
Reasonable Safeguards
The CCPA’s second issue is safeguarding customer and employee personal information. The CCPA allows California consumers affected by a data breach to bring an action for statutory damages. Consumers would include employees and applicants. The breach must be attributed to a failure to maintain reasonable safeguards to protect personal information. The statute allows a 30-day cure period. Despite this concession, it is hard to envision a satisfactory cure to a breach that has occurred.
A consumer can recover damages of not less than $100 and not greater than $750 per incident or actual damages, whichever is greater. They are also entitled to injunctive or declaratory relief. The court can also fashion additional relief tailored to the circumstances of the case.
There is no California regulatory guidance on what precise measures would constitutes “reasonable safeguards.” The closest benchmark is a 2016 report from then California Attorney General Kamala Harris. The Harris analysis focused on an existing California statute, Cal. Civ. Code 1789.81.5(b). It viewed the older statute to require businesses to satisfy, at a minimum, the 20 controls in the Center for Internet Security’s Critical Security Controls to be considered reasonable. Those controls can be considered an appropriate frame of reference to determine what is a “reasonable safeguard.”
Note that the “reasonably safeguard” obligation applies to a specific subset of personal information.
An individual’s first name or first initial and his or her last name along with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:
- Social security number,
- Driver’s license number, California identification card number, or government identifiers (i.e., tax identification number, passport number, military identification number),
- Account number, credit, or debit card number, along with any required security code, access code, or password that would permit access to an individual’s financial account,
- Medical information,
- Health insurance information, and
- Biometric identifiers.
Given the scope of CCPA and the potential exposure, businesses should be reviewing their data security practices related to both customer and employee data. This review should include an assessment of vendor practices related to data processing.
Note that while CCPA is the first state law in the nation, it will not be an aberration. Nevada’s law was effective even before the CCPA. Other states, including Colorado, Massachusetts, and New York are enacting similar statutes. Not all will be cut from the same cloth. But given current public and political opinion, the future holds more, and not less privacy, regulation.
Saad Gul and Mike Slipsky, editors of NC Privacy Law Blog, are partners with Poyner Spruill LLP. They advise clients on diverse privacy, data security, and cyber liability issues, including risk management plans, regulatory compliance, cloud computing implications, and breach obligations. Saad (@NC_Cyberlaw) may be reached at 919.783.1170 or sgul@poynerspruill.com. Mike may be reached at 919.783.2851 or mslipsky@poynerspruill.com.