New year to ring in nation’s most comprehensive privacy law
In a June tIPsheet article titled “Privacy Gone Public: How growing push for privacy laws may affect U.S. Businesses,” we gave an update on the California Consumer Privacy Act (CCPA) and some pending amendments that could have created significant liability for businesses throughout the country. Now, as the January 1, 2020 CCPA enactment deadline draws nearer, recently passed legislative amendments and recently proposed California regulations enforcing the CCPA provide some clarity on this new privacy law.
Expanded private right of action shot down
Businesses scrambling to comply with the CCPA claimed a victory when the California Senate blocked an amendment to the CCPA that would have given plaintiffs the right to sue for any CCPA violation. Although this may prevent a wave of CCPA litigation from occurring next year, it doesn’t necessarily eliminate the threat of private CCPA litigation as creative plaintiffs may look for other ways to pursue CCPA claims, such as California’s Unfair Competition Law.
Limited private right (mostly) survives amendments
The CCPA’s limited private right of action for data breaches also remains largely intact after recent amendments. This limited right provides private plaintiffs the right to sue if a company’s failure to “implement and maintain reasonable security procedures and practices” results in “unauthorized access and exfiltration, theft, or disclosure” of that consumer’s personal information. Recent amendments did make one significant change: limiting this right to instances where non-encrypted and non-redacted personal information has been breached, where the initial version of the law allowed private claims if non-encrypted or non-redacted personal information had been breached. This could be a powerful defense to private liability, as encryption or redaction of personal information could demonstrate “reasonable security” under the CCPA.
Employee regulation halted (for now)
Recent amendments also stalled CCPA applicability to employee/employer relationships, providing a one-year timeframe for the California legislature to pass a separate employee privacy bill. As a result of this exemption, many of the CCPA’s requirements will not apply to the personal data of job applicants, employees, officers and directors and, in many instances, individual contractors of a business so long as the personal information is collected and used solely in connection with the person’s role working for the business. Also excluded from the CCPA’s scope is emergency contact information and information necessary to administer benefits to the extent that information is used solely for these purposes. These exemptions do not, however, eliminate an employer’s obligation to provide notice of the limited private right of action in the event of a data breach. So, employers should still evaluate whether California-based employees will require additional or revised employee privacy notices prior to January 1, 2020, and should be prepared for new employee-specific laws to go into effect in January 2021.
Enforcement deadlines made more confusing
Most companies breathed a sigh of relief earlier this year when the California Attorney General announced it would not start CCPA-prosecutorial efforts until July 1, 2020. Many took this as a six-month “grace period” in working toward compliance. Unfortunately, the California AG has recently announced no such grace will be given, as it apparently intends to prosecute violations that exist as of January 1st, and is only waiting until July to initiate that prosecution.
Attorney General regulations make clear that the CCPA applies to offline activity
The Attorney General’s regulations also provide important clarity on the intended scope of the CCPA’s requirements. Recently proposed regulations provide express guidance on the CCPA for both online and offline collection activities, including notice requirements for brick-and-mortar environments. This is a clear signal that the CCPA is not limited to online commerce and that California regulators intend to apply the CCPA to offline collection of personal information.
De facto violations
The California Attorney General’s proposed regulations also provide guidance on CCPA-required notices, making clear that certain notices must be provided at the point of collection. Importantly, the regulations suggest that if a business fails to provide notice at the time of collection, it could be considered a de facto violation of the CCPA to collect and use any personal information of a California consumer. The proposed regulations also suggest that if a business fails to provide the notice and ability to opt-out of the sale of personal information, any sale of personal information may be considered a de facto violation of the CCPA.
Service provider liability
Attorney General regulations also state that service providers that do business in California may be subject to CCPA liability even if performing services for non-regulated entities. This creates the potential for contractual liability if “applicable law” and indemnity provisions of service agreements are not carefully reviewed to ensure that your company is not agreeing to comply with the CCPA by virtue of a broad contract. Businesses should identify those service providers with which they exchange personal information to determine whether there are appropriate contractual provisions governing personal information and the parties’ rights and obligations in the event of a data breach or intrusion.
Next steps for businesses
As 2020 draws nearer, these CCPA amendments and regulations provide much-needed clarity on the scope and impact of the country’s most comprehensive data privacy law. However, many of the law’s requirements still remain unclear. Although the “westward expansion” of data privacy seems to have been (somewhat) curtailed for now, the CCPA has created a push for increased privacy regulation in numerous other states and on a federal level. As a result, businesses should review their internal and external policies as well as their vendor agreements to mitigate the risk of liability and enforcement that these new laws pose.