Canada-U.S. Blog Trade Lawyers Cyndee Todgham Cherniak and Susan K. Ross

CA Consumer Privacy Act Gets a Rewrite

Posted in Cybersecurity and Privacy

When the law was signed by then-Governor Brown (see our prior Alert here), the expectation was that Attorney General Becerra would issue the enabling regulations by July of this year, which would allow a phase-in period. Then, by January 1, 2020, the requirements would be clear and companies would be able to properly formulate and implement their compliance policies. Regrettably, things are not going as expected.

First, in accordance with the law, General Becerra organized a series of public meetings:

  • San Francisco – January 8, 2019
  • San Diego – January 14, 2019
  • Inland Empire/Riverside – January 24, 2019
  • Los Angeles – January 25, 2019
  • Sacramento – February 5, 2019
  • Fresno – February 13, 2019

In the same press release which announced these meetings, General Becerra advised that the regulations would be adopted by July 1, 2020, and went on to remind businesses that they must comply with the key provisions of the CCPA by January 1, 2020:

  • Disclose data collection and sharing practices;
  • Consumers have a right to request their data be deleted;
  • Consumers have a right to opt out of the sale or sharing of their personal information; and
  • Businesses are prohibited from selling personal information of consumers under the age of 16 without explicit consent.

While the lack of regulations any sooner is something of a challenge for businesses, it was the introduction of SB 561 on February 22, 2019 that was the real surprise. The bill was introduced by Senator Jackson with the full support of General Becerra, so it is reasonable to think it will pass and be signed into law by the end of the current legislative session later this year.

The changes were described as follows:

  • This bill would expand a consumer’s rights to bring a civil action for damages to apply to other violations under the act.
  • This bill would do away with any individual or entity seeking legal advice and instead specify the Attorney General may publish materials that provide businesses and others with general guidance on how to comply with the act.
  • This bill would remove the 30-day period in which a company may cure after receiving notice of an alleged violation.
  • The bill would also make related and conforming changes to those provisions.

These proposals are troubling for businesses in some obvious ways. We start with there being no definition in the law making clear who is a consumer. As such, the language must be read broadly to include anyone who resides in California. Next, the proposal is to amend Civil Code 1798.150 to read (the italicized language reflects the changes introduced):

(a) (1) Any consumer whose rights under this title are violated, or whose non-encrypted or non-redacted personal information is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action for any of the following:

(A) To recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty dollars ($750) per consumer per incident or actual damages, whichever is greater. [emphasis added]

(B) Injunctive or declaratory relief.

(C) Any other relief the court deems proper.

In other words, the plaintiff’s bar will be able to bring class action lawsuits whether or not actual damages were suffered. Given the number and size of the breaches reported in recent memory, one understands the frustration with data aggregators being subject to limited liability. The solution, however, is to make clear that not all companies fall within the definition of data aggregators; starting with an earnings threshold sweeps in too many entities whose business has nothing to do with the buying, selling or sharing of consumer data.

SB 561 removes requirements that the Attorney General provide, at taxpayers’ expense, businesses and private parties with individual legal counsel regarding CCPA compliance, removes language that allows companies a “free pass” to cure CCPA violations before enforcement may occur, and adds a private right of action, allowing consumers the opportunity to seek legal remedies for themselves under the act.

In short, companies that do not comply could find themselves liable for serious damages not only to consumers, but also to the State of California (see CC 1798.155). On the one hand, that may not be a bad thing if your business is that of being a data aggregator and you are among the group of companies that have been involved with the massive data breaches reported in recent memory. However, not all companies are data aggregators, so why not narrow the definition of companies that are covered by the CCPA? As it stands right now, companies of just about any size, regardless of industry, are subject to the CCPA if they meet any one of the following thresholds:

  1. Companies with annual gross revenues in excess of $25 million;
  2. Companies which alone or in conjunction with others annually buy, sell, receive or share for commercial purposes, the personal information of 50,000 or more consumers, households, or devices; or
  3. Companies which derive 50% or more of their annual revenues from selling consumer personal information.

The law states that a company is subject to the CCPA if it “satisfies one or more of the [above] thresholds.” So, that means any company whose gross revenues are in excess of $25 million, regardless of whether they are a data aggregator, is subject to the requirements of the CCPA.

Then we get to the question of what “receive” means. For example, does data the company receives about the spouse or children of an employee qualify as consumer data? Does the company “share” that data if it gives the data to the company’s health insurance carrier or pension fund with the employee’s permission? Is doing so a “commercial purpose”? Hopefully the regulations which are yet to be written will answer some of these critical questions, but in the meantime, companies would be wise to get ready for January 1, 2020.

As with preparation for the European General Data Protection Regulation, companies should start by answering the following questions:

  • What consumer data do we collect?
  • From whom/what sources?
  • Where do we keep that data?
  • Who has access to it?
  • What do we do with it?
  • How long do we keep it?
  • What should be deleted?
  • What do we do with any databases that are not directly related to our core business (e.g. marketing)?

As part of the process, companies will want to form a Project Team. In doing so, some of the key points for it to address are:

  • Governance Committee
    • Who governs the project team?
    • As to the team itself –
      • Who is on it?
      • Who leads it?
      • What is its budget?
    • Inventory
      • Data we own and process
      • How we gain consent
      • What is our legitimate interest in that data
      • How we store and manage data
  • Centralized systems with proper controls in place
    • Right to be forgotten
    • Record of Processing Activities
    • Become and remain compliant!

Companies will also want to:

  • Establish a written policy
  • Train employees
  • Create methods for consumers to assert their rights
  • Execute vendor contracts containing specific criteria

There is still time – will you be ready?