California, home to more than 40 million people and the 5th largest economy in the world, has passed the California Consumer Privacy Act (CCPA), its omnibus consumer privacy law. The law creates sweeping new requirements concerning the collection, maintenance, and tracking of information for both employees or customers who are residents of California. Many aspects of the implementation and enforcement are still being finalized by the California Attorney General. However, companies with employees or customers in California need to take stock of the information they are processing that could qualify as “personal information” for California residents, and they need to begin establishing mechanisms for compliance before the end of 2019. Continue Reading The California Consumer Privacy Act of 2018: What Businesses Need to Know Now
Welcome to the California Consumer Privacy Act (CCPA) […as if we didn’t have enough to worry about with the GDPR!].
The bracketed, italicized text, albeit a bit cynical, is with little doubt, how many of us initially reacted to the news of a new data protection law, hailed as the standard in consumer privacy protection, in California. And while the effective date is supposed to be January of 2020, January of 2019 isn’t too early to starting getting ready for the new law.
To dispel the rumors, the CCPA is not “GDPR-lite.” Where it comes on the heels of the GDPR’s May 2018 enforcement date, it isn’t a mirror image of the GDPR, or even a “watered down” variant of it. Drafters of the CCPA did indeed look to the GDPR as a basis for some of data protection concepts, but they focused on existing California privacy laws as well.
In September of this year, with SB 327, California stepped into the vanguard of information age law by passing a cybersecurity regulation on the Internet of Things. SB 327 has added new sections to Cal. Civil Code §1798. Specifically, §1798.91 et seq. While this seems to be a good thing, the larger question is what does it do, and how far does it reach?
At the end of June, the California legislature passed its Bill 375, the California Consumer Privacy Act of 2018. The Act contains a number of concepts that would be familiar to those who are working to bring their companies and organizations into compliance with GDPR. The new law defines a category of “Personal Information” that radically departs from a traditional definition of Personal Data commonly found in various State Data Privacy Laws, which usually ties an individual name to other identifiers like social security number, account number, or other factors. Instead, the California Act defines “Personal Information” as information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. It does not, mercifully, include publicly available information, but it still comes closer to a GDPR-like definition of “personal data” than any other US law.
The Act provides California residents some rights that also appear familiar. For example:
- Consumers can request a copy of all the Personal Information a business has collected;
- Consumers have the right to request that the business delete their Personal Information (subject to some exceptions), and a right to direct a company to not share their Personal Information with third parties; and
- Consumers can request that a business disclose the categories of information it has collected, the sources of information, the purpose for the collection and/or its sale of the information, and the third parties with whom the information is shared.
These certainly sound like concepts that could be referenced as The Right to Access; The Right to Be Forgotten; and Data Portability.
Business requirements include:
- Meaningful notifications to consumers at the point of contact where Personal Information is collected;
- Updated online privacy notices to include the types of Personal Information collected, the purpose of collection, and rights information;
- Implementation of Data Security measures to protect Personal Information;
- Providing training to employees handling Personal Information or involved in consumer inquiries;
- The inclusion of provisions in contracts with third parties with whom Personal Information is shared to include data privacy protections and restrictions on disclosure; and
- The inclusion of a “do not sell my personal information” option on public facing interfaces and websites that collect personal information. Companies must take measures to not discriminate against users who opt out, but at the same time they can offer price incentives to those who chose to opt in.
The Act takes effect on January 1, 2020. It has the same approximate 2 year “runway” period that GDPR provided in 2016 (leading up to May 25, 2018) for companies to gear up their compliance. This law has potentially widespread impact, but some of the mechanisms of its application remain unclear, due in some degree to some of its broadly worded language. In this way, it is also similar to the GDPR.
The challenge with implementation for large companies is the same as every other State level data privacy law – it is often virtually impossible to reliably identify who the “California” consumers are. Thereby making it by practical necessity a global requirement for all publicly facing systems and applications for all users.
We recommend that most companies prioritize and stage their compliance today, focusing on GDPR in the short term, but a California (or potentially necessary practical nationwide) compliance strategy should be included in late 2018 and 2019 IT and Privacy compliance plans.
The clock is now ticking. On May 4th the European Parliament published the final text of the General Data Protection Regulation (“GDPR”), and the rules of the game have significantly changed – at least in the context of EU data protection law. First, the GDPR changes the underlying approach to data protection law, with a new emphasis placed on accountability and risk-based approaches. “Privacy by Design” and “Privacy by Default” have been included in the regulatory ecosystem. Second, significant changes have been made to the obligations of “controllers” and “processors”. These include specific criteria for having compliant privacy notices and vendor management contracts. Third, enforcement is now a very real, and potentially risky, thing. With the possibility of administrative fines being up to 4% of a business’ global gross revenue, private rights of action by individuals, and non-profit privacy watchdog groups (also known as “Civil Society”) having the right to complain of a company’s privacy practices directly to the local Data Protection Authorities; compliance with the GDPR will now be one of those risks that any business who touches EU data will need to seriously consider. Fortunately, the GDPR won’t go into effect until May 25th 2018. However, businesses with significant data from the EU need to start considering how to comply now. Continue Reading Europe Is Shifting, And It’s a Big Deal – The New GDPR
It is the beginning of 2016, and American companies are anxiously awaiting news of whether or not a new “Safe Harbor 2.0” will emerge. In October of 2015, the European Court of Justice declared invalid Safe Harbor 1.0 in the Schrems decision. This had an immediate effect on any American company collecting personal data from the EU by removing the legal basis for this kind of data transfer. As of October 2015, consumer, client, and even employee data cannot be legally transferred to the US under the Safe Harbor Framework.
Fortunately, the data protection regulators (“DPAs”)recognized the turmoil this decision created within the business community on both sides of the Atlantic. As a result, the Article 29 Working Party (which is the convention of DPAs from each of the EU Member States) issued an enforcement moratorium on enforcement actions until the end of January 2016, so that they could assess the effectiveness of data transfer tools available. As part of this moratorium, the Working Party called on “…Member States and European institutions to open discussions with U.S. authorities in order to find legal and technical solutions”; and that the “current negotiations around a new Safe Harbor could be part of the solution.” Continue Reading Safe Harbor 2.0 – Is It Happening?
The annual conference of the world’s data protection regulators is a three day exercise, with half of the conference being “closed door” for the regulators only, and the other half being a series of side meetings and presentations, which report out to interested attendees the results of the closed door meetings. This is a good meeting to gain insight in the next year’s trends in data protection regulation and enforcement across the globe. While this conference happens every year, the events in the European Court of Justice and the impending completion of the new General Data Protection Regulation (“GDPR”) made this year’s conference particularly interesting. Here are some of the insights which were developed during the conference: Continue Reading The 37th International Conference of Data Protection & Privacy Commissioners – Some Observations
Today the European Court of Justice (“ECJ”) issued its Judgment in the Schrems case, and in doing so, added another tremor to the ongoing seismic shift related to cross-border privacy law. The two major elements of today’s Judgment are: 1) that Commission Decision 2000/520/EC of 26 July 2000 of the adequacy of the protection provided by the US Safe Harbor Framework (the “Safe Harbor Decision”) is invalid, and 2) even if the Safe Harbor Decision were otherwise valid, no decision of the Commission can reduce the authority of a national data protection authority to enforce data protection rights as granted by Article 28 of Directive 95/46/EC (the “DP Directive”).
Clearly, the first element brings a more immediate concern for all the companies participating in the Safe Harbor framework. However, the second element will have much longer term consequences for the stability of US-EU commerce and privacy law. Continue Reading Safe Harbor – Not so Safe After Schrems
With the recent uptick in the U.S. of lawsuits filed as a result of a data breaches, state legislators in the U.S. have been busy updating the many different state laws that dictate how a company must respond if they have been hacked and personal information has been compromised. With no comprehensive federal law that sets forth a uniform compliance standard, companies operating in the U.S. must comply with a patchwork of 47 different states laws that set forth a company’s obligations in the event of a data breach.
Additionally, the trend is to have more than just notice requirements. Now companies have to develop proactive steps they must take to avoid a data breach in the first place. We first saw this with the Massachusetts law, and the model is expanding.
In any case involving a data breach of customer or employee information, the first line of defense for the defendant is to assert that the plaintiff(s) lack standing to bring suit. In Remijas v. Neiman Marcus Group, the Seventh Circuit became the first United States Court of Appeals to tackle the issue of standing in the context of data breach litigation since the Supreme Court’s pronouncement on standing in Clapper. Continue Reading 7th Circuit – Alleged Injuries Can Confer Standing In Data Breach Suit