California Consumer Privacy Act (CCPA)
Data Privacy Issues
Between January and September 2019, it’s reported that there were over 7.9 billion data records exposed, a 33% increase from the same period in 2018. In the first quarter of 2020, the number of exposed privacy records was up 273% over the previous year.
In 2020 alone, there have been dozens of massive reported data breaches, including:
MGM Resorts, July 2020: Researchers found 142 million personal records from former guests of MGM Resorts hotels for sale on the dark web…
Walgreens, March 2020: Walgreens announced an error in its mobile app’s messaging feature that exposed personal messages sent within the app. The error also reportedly shared the names, prescription numbers and drug names, store numbers, and shipping addresses of its users. The extent of the disclosure has not been ascertained, but it’s worth noting that the app has had over 10 million downloads.
Zoom, April 2020: The credentials of over 500,000 Zoom teleconferencing accounts, including email addresses, passwords, personal meeting URLs, and host keys, are said to have been hacked and made available on the dark web.
Google Chrome: Just today, reports surfaced that a Google Chrome browser bug has exposed billions of users to potential data theft.
BEFORE DIVING TOO DEEP INTO THIS POST, PLEASE NOTE THAT NO LEGAL ADVICE IS BEING GIVEN. ALTHOUGH I AM A LAWYER, I’M NOT YOUR LAWYER. STATE AND FEDERAL LAWS, RULES AND REGULATIONS CHANGE QUICKLY. CONSULT WITH A QUALIFIED LAWYER IN YOUR STATE IF YOU HAVE ANY QUESTIONS OR LEGAL NEEDS. THANK YOU.
What is the California Consumer Privacy Act (CCPA)?
Consumers have real and legitimate concerns over data security and privacy. States, like California, are trying to take steps to address these issues and move towards fixing the problem.
The state of California rolled out the California Consumer Privacy Act (CCPA) on January 1, 2020, and it went into effect on July 1, 2020.
In fact, I shared a few thoughts with Kim Garst on her live video show. Please give it a watch. We covered not only some of the things in this post, but also additional tips and safety ideas.
So what is the CCPA? Well, it’s a new law that attempts to ensure that consumers in California have a right to know what personal information is being collected from them. It also gives consumers the right to ask companies to delete that information or opt-out of its collection.
One thing companies will need to do to comply with the law is to place a consent banner or other prominent notice on their website. I’m guessing this will eventually apply to all “home” pages on social and digital. In any case, the banner or other legal notice will need to inform consumers that their data is going to be collected and how they can opt-out of the process.
Another requirement is that companies the CCPA applies to (see below) will also need to give consumers steps allowing them to request and find out what data was collected, and set things up so the company is able to delete all of that data if the consumer requests it.
What Companies are Affected by the CCPA?
Generally speaking, the CCPA applies to any for-profit business which:
(i) has prior year annual gross revenues in excess of $25 million, or
(ii) processes the personal information of 50,000 or more California residents (note that “personal information” means more than name, address and telephone numbers. My understanding is that this also includes digital information like device ID and IP address), or
(iii) derives 50% or more of its income from the sale of personal information.
One thing most businesses and consumers are not aware of is that the business does not have to be located or have employees in California for the CCPA to apply. California “long-arm” jurisdiction statutes (see below) will usually control whether an out-of-state business falls under California jurisdiction and the CCPA.
It is my understanding that as of July 1, 2020, businesses in violation of the CCPA will be subject to enforcement actions by the California Attorney General. Fines can range from $2,500 per violation to $7,500 for intentional violations if not cured (fixed) within 30 days.
STEPS BUSINESSES CAN TAKE TO PROTECT THEIR CLIENTS, CUSTOMERS AND THEMSELVES
CREATE AND MANAGE DETAILED DATA INVENTORY SYSTEMS
Determine what kind and types of personal information your business processes. Don’t leave anything to chance. Hire experts to help you do this.
At this time the CCPA doesn’t mandate data mapping or the preparation of a data inventory in the same way that other privacy laws do (see the General Data Protection Regulation). But here’s the deal: unless a company is able to keep track of the data it collects, it is not going to be able to comply with a consumer’s request to report and delete. Thus, from a real-world perspective, data management is critically important.
UPDATE YOUR PRIVACY NOTICES
Companies affected by the CCPA should update their privacy notices so that everything is clear and concise. Nothing should be left to chance. Use written privacy notices and update your TOS agreements. All data collected should be described, and all access, opt-out and data deletion steps should be clearly outlined. Include all contact information to help the consumer with this process. Be transparent.
CREATE A PLAN TO RESPOND TO CONSUMER REQUESTS
Everybody in your company needs to know their responsibilities for the management and control of consumer data. Steps need to be shared about what must happen to comply with the CCPA and all consumer-related requests and issues.
Right now there is a 45-day period within which a company must respond. Another issue is that companies must make sure they are not providing consumer information to the wrong person or party. Some type of identification and confirmation process will need to take place when a CCPA consumer request is made. I don’t think this is an area most companies are giving much thought to. Following HIPAA health care disclosure procedures might be a good place to start when it comes to setting up rules and a process for your company.
PRIVATE RIGHT OF ACTION FOR DAMAGES BY CONSUMERS
If there is a data breach in violation of the CCPA, consumers can bring a private civil action for damages. Depending on the type of incident, claims can be brought for between $100 and $750 per consumer per incident, or actual damages, whichever is greater.
What’s important to understand is that the burden of proof shifts to the company to show it implemented reasonable security measures to protect the personal information. Reasonable security measures will likely include physical and administrative measures, employee training, and vendor diligence. For these reasons, you want to make sure you have set up a full management and control process as mentioned above.
THERE’S MORE: THE CALIFORNIA PRIVACY RIGHTS ACT (“CPRA”)
This new act, if approved by California voters in November, will go into effect on January 1, 2023. Between now and then, there’s a chance that the California legislature may, on its own, roll out this law (or some version of it) before November.
My understanding is that the proposed new CPRA would impose new obligations that would apply to personal consumer information collected after January 1, 2023. I’ve heard the CPRA is going to be like the CCPA on steroids. We’ll have to see what happens. The important thing to remember is to stay on top of the changes and new laws.
ARE YOU DOING BUSINESS IN CALIFORNIA?
I mentioned above that the CCPA may apply to many companies not located in California and companies that don’t even have employees in California.
How can this be? Is your company one of these businesses?
What I’m referring to is California’s long-arm statute (Code Civ. Proc., § 410.10) which generally permits the broadest possible exercise of jurisdiction, limited only by Constitutional considerations.
Until the California Attorney General clarifies things under the CCPA, courts use these factors to determine if California has jurisdiction over companies “doing business” in California.
-Is the business conduct intentional as opposed to merely fortuitous?
-One or two isolated transactions are typically not enough to constitute “doing business.” The facts of each case will determine the importance of a transaction.
-While entering into a contract with a California entity does not necessarily constitute “doing business” in California, it can be a big factor for the courts.
-A company’s lack of physical presence in California is a factor but not determinative.
-Having a passive website alone may not be enough, but having website content or a marketing program targeting California residents might be enough to show that a company is “doing business” in California.
-Specifically soliciting or advertising to California citizens may constitute “doing business” in California.
-Ongoing and successive online transactions in California may constitute “doing business.”
In summary, whether or not your company is doing business in California depends on a lot of factors. Oftentimes it will come down to a judge or jury making that determination. If so, and if you meet the other CCPA requirements mentioned above, you must take the necessary steps required under this and all new laws.
As you can see, there’s a lot of concern with consumer data safety and privacy. Things need to be fixed. Consumers need to be better protected. Following California’s example, other states are also enacting new laws similar to California’s CCPA and over the next several years, I expect to see all states with similar laws.
Smart business owners and companies will be proactive and take the necessary steps to put consumer safety first and stay current on all state and federal rules, regulations and laws. Starting the process today will help protect everyone in the future.
If you have a lawyer, reach out for answers. If you need to find a good lawyer in your state, here are a few tips to help you do just that.