CCPA
Subscribe to CCPA's Posts

State Privacy Patchwork Spreads with Signing of Colorado Privacy Act

On July 7, 2021, Colorado Governor Jared Polis signed the Colorado Privacy Act (CPA) into law, the latest in the recent wave of state privacy legislation but unlikely to be the last. The CPA will take effect July 1, 2023, six months after Virginia’s Consumer Data Protection Act (CDPA) and the California Privacy Rights Act (CPRA) become effective. Organizations subject to the new Colorado law will have to prepare for new consumer rights and restrictions with respect to Colorado consumers’ personal data. What follows are key takeaways from the CPA and the implications for businesses grappling with the changing privacy landscape in the US.

Applicability and Exemptions

Not all organizations will be covered by the new CPA. To be subject to the law, an organization must do business in Colorado and meet one of the following requirements:

  • The organization processes data on 100,000 or more Colorado consumers annually.
  • The organization processes data on 25,000 or more Colorado consumers annually and “sells” any personal data.

This applicability threshold sets a relatively high bar, and many companies that are subject to the California Consumer Privacy Act of 2018 (CCPA)/CPRA may not meet these thresholds in Colorado.

There are a number of exemptions and limitations built into the Colorado law. Personal data regulated under existing federal privacy regimes, such as the Health Insurance Portability and Accountability Act (HIPAA), will be exempt from the CPA, as will personal data about employees and others “acting in a commercial or employment context.” Further, the CPA’s substantive requirements will not limit organizations’ ability to process data for legal compliance, fraud prevention, security, contract fulfillment or any “internal operations that are reasonably aligned with the expectations of the consumer based on the consumer’s existing relationship” with the organization.

Substantive Rights Largely Mirror Other State Privacy Laws

The CPA establishes a number of substantive rights that Colorado consumers will have with respect to their personal data. In general, these rights mirror those in the existing laws in California and Virginia, including the following:

  • Notice. Covered organizations will be required to disclose data collection and processing details in their public-facing privacy policies. In addition, a new “duty of purpose specification” requires that companies identify the “express purposes for which personal data are collected and processed.” Whether existing privacy policies are sufficiently “express” for these purposes will be an important consideration for organizations under the CPA and one that will likely lead to both confusion and potential regulation in the future.
  • Access, Correction and Deletion. Consumers will have the right to access, correct and delete their personal data. For the right to access, businesses will be required to provide data in a portable format where feasible.
  • Opt Out. Consumers have the ability to opt out of data “sales,” targeted advertising and high-risk automated “profiling.”
  • Opt In. As with the CDPA, businesses must seek opt-in consent before collecting or processing “sensitive personal data,” which includes data revealing an individual’s race, ethnicity, religious beliefs, [...]

    Continue Reading



California Voters Approve the California Privacy Rights Act

On November 3, 2020, California voters passed the California Privacy Rights Act (CPRA) ballot initiative with slightly under 60% of votes to approve the measure (as of publication). The ballot initiative, which was submitted by the architects of the California Consumer Privacy Act of 2018 (CCPA), had earlier garnered 900,000 signatures—far more than the roughly 625,000 necessary for certification on the 2020 ballot.

The CPRA amends the CCPA, adds new consumer rights, clarifies definitions and creates comprehensive privacy and data security obligations for processing and protecting personal information. These material changes will require businesses to—again—reevaluate their privacy and data security programs to comply with the law.

Effective date and timeline for enforcement

The CPRA amendments become operative on January 1, 2023, and will apply to personal information collected by businesses on or after January 1, 2022 (except with respect to a consumer’s right to access their personal information). Enforcement of the CPRA amendments will not begin until July 1, 2023.

The CCPA’s existing exemptions for business contacts, employees, job applicants, owners, directors, officers, medical staff members and independent contractors will remain in effect until December 31, 2022.

The newly created California Privacy Protection Agency (“Agency”) will be required to adopt final regulations by July 1, 2022. For more information about the Agency and its role in enforcing the amended CCPA, see our previous article.

The passage of the CPRA does not affect the enforceability of the CCPA as currently implemented.

New rights under the CPRA

In addition to the CCPA’s rights to know, to delete, and to opt out of the sale of personal information, the CPRA creates the following new rights for California consumers:

  • The right to correct personal information
  • The right to limit the use of sensitive personal information
  • The right to opt out of the “sharing” of personal information

These rights are explained in greater detail in our previous article.

New compliance obligations for businesses subject to the CPRA?

The CPRA creates new obligations that are similar to the data processing principles found in the European Union’s General Data Protection Regulation (GDPR). Such responsibilities include:

  • Transparency: Businesses must specifically and clearly inform consumers about how they collect and use personal information and how they can exercise their rights and choice;
  • Purpose limitation: Businesses may only collect consumer’s personal information for specific, explicit and legitimate disclosed purposes and may not further collect, use or disclose consumers’ personal information for reasons incompatible with those purposes;
  • Data minimization: Businesses may collect consumers’ personal information only to the extent that it is relevant and necessary to the purposes for which it is being collected, used and shared;
  • Consumer rights: Businesses must provide consumers with easily accessible means to obtain their personal information, delete it or correct it, and to opt out of its sale and the sharing across business platforms, services, businesses and devices, and to limit the use of their sensitive information; and
  • Security: Businesses are required to take reasonable precautions to [...]

    Continue Reading



New Proposed CCPA Regulations Add Clarity to Process for Opting Out of Sale of Personal Information

On October 12, 2020, the California Department of Justice announced the release of a new, third set of proposed modifications to the California Consumer Privacy Act (CCPA) regulations. The proposed modifications amend a final set of regulations that were approved by the California Office of Administrative Law just two months earlier.

The Third Set of Proposed Modifications to the CCPA Regulations released on October 12 do not make substantial changes to the previously final set of CCPA regulations. The majority of the proposed modifications serve to clarify existing requirements rather than add new requirements or materially alter existing ones. As a result, the new proposed modifications should help businesses better understand what is expected to maintain compliance with certain aspects of the CCPA.

Process for Opting Out of Sale of Personal Information

The Department of Justice proposed to amend Sections 999.306(b)(3) and 999.315(h) to provide more detail about how a business should provide the right to opt out of the sale of personal information. Specifically, the Department of Justice:

  • Provides illustrative examples of how a business that collects personal information offline can provide its opt-out notice offline—through paper forms, posting signage directing consumers to an online notice or orally over the phone.
  • Makes clear that the methods for submitting opt-out requests should be easy for consumers to find and execute. For example, consumers should not have to search or scroll to find where to submit a request to opt out after clicking on the “Do Not Sell My Personal Information” link. A business should not use confusing language, try to impair a consumer’s choice to opt out or require a consumer to read through or listen to reasons why they should not opt out before confirming their request. In addition, the process for requesting to opt out shall collect only the amount of personal information necessary to execute the request.
Verifying Authorized Agent

The Department of Justice added language to Section 999.326(a) clarifying what a business may request to verify that an agent is authorized to act on a consumer’s behalf. Specifically, a business may require an authorized agent to provide proof of signed permission from the consumer for the agent to submit the request. In addition, the business may require the consumer to either verify their own identity directly with the business or directly confirm with the business that they provided the authorized agent permission to submit the request. Previously, a business had to go through the consumer to verify the authorized agent. Now, a business can verify the authorized agent directly.

Notices to Consumers Under 16 Years of Age

Finally, the Department of Justice clarified in Section 999.332(a) that all businesses that sell personal information about children must describe in their privacy policies the processes used to obtain consent from the child or parent (as applicable). Previously, the regulations were worded such that only a business that sells the personal information of both consumers under 13 and consumers between 13 [...]

Continue Reading




CCPA Amendment Update: California Governor Approves CCPA Amendment with Exceptions for HIPAA De-Identified Information and Other Health Data

On September 25, 2020, Governor Gavin Newsom signed into law California AB 713, which amends the California Consumer Privacy Act (CCPA) to create expanded exceptions for: HIPAA business associates; information that has been de-identified in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA); and information collected, used or disclosed in certain human subjects research. AB 713 reflects an intense lobbying effort by medical technology, pharmaceutical, and other health and life sciences industry stakeholders. AB 713 became effective immediately following Governor Newsom’s signature, as the bill included an urgency clause calling for immediate action to mitigate the CCPA’s potential negative impact on health-related research.

AB 713 eases some of the CCPA compliance challenges experienced by the health care and life sciences industries by more closely aligning the CCPA with HIPAA and other laws governing human subjects research. However, AB 713 also creates new compliance obligations by requiring entities subject to requirements for “businesses” under the CCPA, as well as other entities residing or doing business in California, to include certain provisions in license agreements or other contracts for the sale or license of de-identified patient information. While AB 713 becomes effective immediately, as discussed below, it requires compliance with the new contracting requirement beginning January 1, 2021.

We summarize below the salient provisions of AB 713.

Exception for De-identified Patient Information

AB 713 provides relief to health care, life sciences and other organizations that have been grappling with how to achieve compliance with the previously inconsistent de-identification standards under HIPAA and the CCPA. Without AB713’s CCPA amendment, it was possible for data that has been de-identified under the HIPAA de-identification standard to constitute “personal information” under the CCPA because CCPA and the HIPAA Privacy Rule include different language for their respective de-identification standards. This has complicated CCPA-regulated businesses’ strategies for licensing or otherwise commercializing HIPAA de-identified data. For example, HIPAA protected health information that has been de-identified under HIPAA may still contain identifiers of California physicians or other individuals who serve patients. These identifiers may have constituted “personal information” under the CCPA when held by a CCPA-regulated business, creating a right under the CCPA for the individuals to opt out of sales of the personal information. For more information about the inconsistent HIPAA and CCPA de-identification standards, see our On the Subject.

AB 713 resolves the potential disconnect between the CCPA and HIPAA’s de-identification standards by expressly providing that the CCPA does not apply to information that meets the following conditions:

  • The information has been de-identified in accordance with a HIPAA de-identification method (i.e., the safe harbor or expert determination method).
  • The information was derived from patient information that was originally collected, created, transmitted or maintained by an entity subject to HIPAA, the California Confidentiality of Medical Information Act (CMIA) or the Federal Policy for the Protection of Human Subjects (Common Rule). “Patient information” means protected health information or individually identifiable health information under HIPAA, identifiable private information under the [...]

    Continue Reading



The Uncertain “State” of US Data Protection Law: California Leads the Way

The California Consumer Privacy Act of 2018 (CCPA), which took effect this year, introduced a complicated data protection framework for the personal information of California residents, imposing a variety of new obligations on affected businesses. Although the interpretation of many of the CCPA’s provisions remains unsettled—and proposed regulations are still pending— the CCPA’s original architects have already advanced another proposed law, the California Privacy Rights Act (CPRA), which will be decided in a statewide referendum this November. If enacted, the CPRA would substantially amend the CCPA, granting consumers additional rights and imposing further liability on businesses.

Whether or not it passes, the proposed CPRA highlights the fluid state of the US legal environment for data protection, which has left businesses around the world struggling to account for the uncertain risks and compliance costs posed by these developments.

It did not have to be this way. The developments in California are due in part to the failure of the US Congress to enact comprehensive federal data protection legislation. Despite widespread support, compromise on a federal standard remains elusive, with legislators unable to agree on critical questions, such as whether or not the law will pre-empt state laws like the CCPA.

Click here to read the full article, and many more in our latest International News: Focus on Global Privacy and Cybersecurity.




Key Issues We’re Tracking as CCPA Enforcement Nears

Although 2020 has already provided more than its share of surprises for businesses, one thing appears to remain unchanged: the California attorney general’s commitment to enforcing the California Consumer Privacy Act beginning July 1, 2020. As companies work to ensure compliance with this legislation, we explore several key issues.

No one will disagree that a lot has happened since the California Consumer Privacy Act (CCPA) went into effect on January 1, 2020. Despite the Coronavirus (COVID-19) pandemic, the invasion of murder hornets and a number of other not-entirely pleasant surprises that 2020 has brought us thus far, it appears that the California attorney general is still committed to enforcing the CCPA starting on July 1, 2020. As your business prepares for CCPA enforcement, there are a number of issues to keep in mind:

1. The CCPA regulations still have not been finalized and are unlikely to take effect until October 2020.

The attorney general’s regulations, which aim to interpret and implement the important provisions of the CCPA, still have not been finalized. March 27, 2020, marked the end of the comment period for the current draft regulations (which was the second set of modifications released by the attorney general). We are now waiting to see whether the attorney general will issue yet another set of proposed modifications, or submit the current version to the California Office of Administrative Law (OAL) for approval. For the regulations to take effect July 1, the OAL would need to receive and approve the final regulations by May 31, which appears to be an unlikely scenario. Accordingly, the regulations likely will not take effect until October 1, and could potentially be delayed until 2021. As a result, companies should be prepared for CCPA enforcement to begin before the regulations take effect.

2. We’ve started to see the effects of the private right of action.

California consumers have begun to file lawsuits seeking to enforce their (purported) rights under the CCPA. The cases present a first opportunity for courts to examine the private right of action created by the law. One case, in particular, presents a potentially unanticipated theory of harm, and could prove fundamental in establishing the extent of liability for businesses subject to the CCPA. We describe these lawsuits in greater detail here. Because these lawsuits will begin to define the contours and scope of the CCPA, businesses subject to the CCPA should keep a close eye on their progress.

3. The Office of the Attorney General lacks enforcement resources.

As we wrote in a previous article, despite significant enforcement expenditures by the Office of the Attorney General (OAG), it is still an agency with limited resources. This is even more true now that more of the OAG’s resources are likely devoted to COVID response and related urgent priorities. Many expect that the OAG will only be able to pursue a limited number of CCPA enforcement actions, particularly if, as expected, it takes on large and well-funded companies. Media reports continue to indicate that the attorney [...]

Continue Reading




Importance of CCPA Compliance Highlighted by First Round of Private Actions

The first wave of California Consumer Privacy Act litigation has begun to roll in, and the complaints are already raising interesting questions about the scope of CCPA’s private right of action. The actions assert a variety of claims under numerous theories and present a broad range of potential risks to businesses subject to CCPA. In light of the many questions that surround CCPA’s private right of action, the extent of possible liability from private litigation is still largely unknown and potentially significant.

The first wave of private lawsuits filed under the California Consumer Privacy Act (CCPA) has begun to roll in, and the complaints are already raising interesting questions about the scope of CCPA’s private right of action. The recent explosion in popularity of video conferencing and social media software in response to the COVID-19 pandemic—and the technical issues some of these products have experienced—has inspired its own wave of litigation, with several cases alleging violations of CCPA along with other laws. The flurry of litigation activity makes clear the importance of CCPA compliance, particularly in the current challenging business environment. Although it’s too early to tell how these lawsuits will play out, some themes are emerging.

Refresher on CCPA Private Right of Action

Businesses are now familiar with the long list of privacy obligations imposed by CCPA and enforceable by the California attorney general. Although CCPA contains a private right of action, that right is applicable only to CCPA’s sole data security provision. Cal. Civ. Code § 1798.150 authorizes consumers to institute a civil action against a business whose failure to implement and maintain reasonable security procedures resulted in the unauthorized access and exfiltration, theft or disclosure of the consumer’s nonencrypted and nonredacted personal information. The definition of “personal information” in the context of § 1798.150 is narrower than the expansive definition applicable to other CCPA provisions, applying only to an individual’s name together with an identifying data element, such as a Social Security number, driver’s license number or medical information. A plaintiff may seek injunctive or declaratory relief, actual damages or statutory damages in an amount not less than $100 and not greater than $750 per consumer, per incident. Before seeking statutory damages, however, the consumer must provide the business 30 days’ written notice to cure the alleged violation. The “notice and cure” provision is the subject of some controversy, because CCPA does not explain how a violation that resulted in a data breach can be “cured.” CCPA also explicitly prohibits consumers from using alleged violation of its provisions “to serve as the basis for a private right of action under any other law,” thus, in theory, prohibiting a plaintiff from alleging that a CCPA violation constitutes a violation of the California Unfair Competition Law, Cal. Bus. & Prof. Code §§ 17200, et seq. or other statutes. That hasn’t stopped plaintiffs from trying, as described below.

Theme #1: Suits Brought as Class Actions

Most, if not all, of the lawsuits brought under CCPA thus far have been brought as [...]

Continue Reading




New California Privacy Ballot Initiative Would Expand the CCPA

A proposed ballot initiative in California known as the California Privacy Rights Act, which is likely to pass if placed on the 2020 ballot, would both clarify and expand the existing California Consumer Privacy Act. Companies doing business in the state should closely monitor these developments and prepare for compliance, as we outline in this article.

A California ballot initiative known as the California Privacy Rights Act (CPRA) would clarify and expand the California Consumer Privacy Act (CCPA), granting significant new rights to consumers and imposing additional liability risks on companies doing business in the state. The CPRA is an update to the California Privacy Rights and Enforcement Act (CPREA) ballot initiative, which was proposed in late 2019 by the Californians for Consumer Privacy, which also sought to broadly amend and prevent changes to the CCPA that would undermine its consumer protections.

The proposed ballot initiative, submitted by the architects of the CCPA, garnered 900,000 signatures, far more than the roughly 625,000 necessary for certification on the 2020 ballot. Early polling reportedly shows strong support for the measure, so assuming the signatures are approved and the CPRA is placed on the ballot, it is considered likely to pass and to take effect on January 1, 2023.

The CPRA proposes a myriad of changes, and this article will not address them all. What follows is a discussion of the most significant changes for businesses and consumers in California, followed by enforcement and implementation considerations.

New Clarifications, Rights and Responsibilities

In a number of areas, the CPRA would modify the current CCPA in ways that are likely to be welcomed by companies grappling with the often ambiguous and unclear obligations under the current law:

  • “Personal information” would no longer include information that is manifestly made public by the individual or the media.
  • Businesses that receive deletion requests would be expressly permitted to maintain records of these requests for compliance purposes.
  • Consumers could no longer require a business to generate a list of “the categories of personal information it has collected about that consumer” in response to access requests.
  • “Service providers” and “contractors” (a new term that appears to replace the “third party” contract provisions) would not need to respond directly to consumer requests to access or delete information.

However, these changes are largely overshadowed by the initiative’s imposition of significant new rights for consumers and responsibilities for businesses subject to the CCPA. These include the following requirements:

  • Businesses would need to contend with a new opt-out right to “Limit the Use of My Sensitive Personal Information,” which would require enhanced scrutiny of business practices involving certain “sensitive” categories of information. These sensitive categories of information are reminiscent of (but broader than) the categories of information typically regulated by US data breach notification statutes or are considered “special categories” under the EU General Data Protection Regulation. For purposes of the CPRA, “sensitive” categories will include certain government identifiers (Social Security number, driver’s license, state identification card or passport number); a [...]

    Continue Reading



Washington State Takes the Lead in CCPA Copycat Legislation Race, Trends Emerge

Since the California Consumer Privacy Act (CCPA) took effect on January 1, 2020, “copycat” legislation has been introduced at a dizzying pace by state legislatures across the country. Taking their cues from CCPA, at last count 16 states have borrowed language from California’s watershed law regarding consumer notices, data subject rights requests, and definitions of “personal information, “sale” of data and other key items. The likely intent is to provide equal (or, in some cases, greater) protections to the residents of their states.

As a practical matter, however, none of the proposed laws is identical to CCPA (nor to each other); some look to the EU General Data Protection Regulation (GDPR), and each takes a complex approach that requires careful reading. The proposed Washington Privacy Act (SB 6281) has been touted as the most comprehensive data protection law in the United States and combines elements of CCPA and GDPR, adding specific protections for biometric information. Late last week, the Washington House added significant enforcement “teeth” by passing an amendment that would provide a private right of action under the Washington Consumer Protection Act for any violation of the Privacy Act.

Despite the lack of uniformity among the recently proposed bills across the country, three key trends are emerging:

Trend #1 – Increased Push for a Private Right of Action

In Washington, pending legislation would extend the private right of action beyond alleged harm arising from data breaches to any violation of the proposed Washington Privacy Act. While prior versions of the legislation vested exclusive enforcement authority in the Washington Attorney General—with penalties up to $7,500 per violation—late last week, the Innovation, Technology and Economic Development Committee in the Washington House approved an amendment to SB 6281 under which any violation of the Privacy Act would be deemed a per se violation of Washington’s Consumer Protection Act. While it is unclear exactly how damages will ultimately be calculated, a broad private right of action is a significant enforcement mechanism for Washington consumers. Supporters of the amendment argued that without a private right of action, companies would have little incentive to comply with the law because the Attorney General’s office lacks the resources to undertake many enforcement actions.

Recent bills propose legislation that closely tracks the CCPA’s private right of action for individuals who allege that they were harmed by data breaches caused by a business’ failure to implement “reasonable security” measures. Both the Illinois Data Transparency and Privacy Act (SB 2330) and New Hampshire’s proposed privacy law, HB 1680, provide consumers with private right of action where personal information is (i) unencrypted and unredacted; and (ii) subject to exfiltration, theft or disclosure due to failure to implement reasonable data security procedures. Consumers may seek damages the greater of $100 – $750 per consumer, per incident or actual damages.

If Washington or other states enact data privacy laws with such provisions, the potential liability for organizations affected by data breaches or failing to comply with sweeping new privacy obligations could rapidly become [...]

Continue Reading




Privacy and Data Security: 2020 Considerations for the Insurance Industry

With the California Consumer Privacy Act of 2018 (CCPA) having taken effect on January 1, 2020, the privacy and data security landscape for insurance carriers, producers and insurtech (collectively, “insurers”) continues to grow more complex. A number of states have also recently passed laws regulating data security in the insurance industry, with the first transition period under a number of these laws set to end in 2020. Given the significant amount of sensitive personal information that insurers collect, process and retain, this trend of increased privacy and data security regulation within the insurance industry is likely to continue. To stay ahead of these new privacy and data security requirements, insurers need to take steps now to navigate the increasingly complex regulatory landscape.

How Does the CCPA Impact Insurers?

On January 1, 2020, California became the first state in the United States to enact comprehensive privacy legislation that governs the collection, use and sale of personal information of California residents (i.e., consumers) and households. Personal information is broadly defined as any information that identifies, relates to, describes is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household. The CCPA applies to “businesses,” which are for-profit entities that determine the purposes and means of processing consumers’ personal information that do business in California and meet certain applicability thresholds.

Insurers operating in California that meet the CCPA applicability thresholds will be deemed “businesses” subject to a number of obligations under the CCPA, including disclosure obligations and requirements related to consumer privacy rights. While these obligations can be quite onerous, the vast majority of personal information that many personal line insurers collect, process and retain will likely fall under an exemption in the CCPA. The CCPA includes exemptions for:

(more…)




STAY CONNECTED

TOPICS

ARCHIVES