CCPA Amendments – Where They Stand Today

A little more than 100 days prior to the effective date of the California Consumer Privacy Act (CCPA), six amendments (AB 25, AB 874, AB 1146, AB 1202, AB 1355 and AB 1564) to the act were approved by California lawmakers at the close of the legislative session, which ended on Friday, Sept. 13. The governor must sign or veto these bills by Oct. 13. Most notably, if they become law, the bills would delay implementation of most of the CCPA’s data subject rights to human resources data and business-to-business transaction communications data for one year. A bill that would have clarified that certain data collection and use in connection with loyalty programs was permissible (AB 846) was pulled by the author, but may be brought back up in the next legislative session if the regulations implementing the act, a first draft of which is expected from the California Attorney General’s (Cal AG) office in late September or early October, do not address the issue. The proposed amendments also would require a business that collects and sells consumer personal information (PI), but does not have a direct relationship with those consumers, to register with the state as a data broker. In addition, the bills address the scope of personal information that is covered by the act, the meaning of certain consumer rights and how those rights are to be administered, and what training is required of personnel that will handle privacy inquiries and requests.

Data Broker Registry

AB 1202 would require “businesses” that knowingly collect and sell consumer personal information, that lack a direct relationship with those consumers, to register with the Cal AG, whose office would then publish the names and contact information of the registrants on the Cal AG’s website. A prior version of the bill would have also required data brokers to give consumers certain precollection notice of the categories of personal information collected and the purposes for the collection, which could have been satisfied by posting such notice on the data broker’s website, but those provisions were struck prior to passage. The intent of the law is to provide consumers with a way to identify businesses that may be collecting and selling their information that they may not know how to contact to determine if they have collected their personal information and to exercise their do-not-sell and other consumer privacy rights (e.g., to obtain a copy of the personal information and/or request its deletion).

Scope of Coverage Delayed (employees and transactional)

AB 25 provides that, until Jan. 1, 2021, only the precollection notice requirement of Section 1798.100(b) and the private right of action for data security incidents of Section 1798.150 will apply to personal information that is collected by a business in the course of a person acting as a job applicant, employee or contractor who is performing services under a written agreement. AB 1355 provides a similar one-year delay in the imposition of the obligations of Sections 1798.100, .105, .110, .115, .130 and .135 on a business with respect to communications with a person acting on behalf of another business regarding providing or receiving products or services to or from such business. Californians whose personal information is collected in such communications while they are acting on behalf of a business would not, however, see a delay in their ability to exercise their do-not-sell rights (Section 1798.120) with respect to such data. It is important to note that this does not include communications when the person is acting on behalf of themselves or other consumers, but rather addresses only business-to-business transactional communications. The issue of what the proper scope of coverage should be for human resource data and business-to-business communications data is likely to be revisited next legislative season.

Exceptions to Statutory Coverage

AB 1146 adds exemptions for certain vehicle information shared in connection with warranty repairs and recalls. AB 1355 would amend the Fair Credit Reporting Act (FCRA) exclusion of Section 1798.145(d) to clarify that it applies only to personal information furnished to credit reporting agencies to the extent such information is subject to regulation by the FCRA and is not used, communicated, disclosed or sold except as authorized by the FCRA.

Exceptions to Scope of Personal Information

AB 874 amends the definition of “publicly available information,” which is deemed not to be personal information regulated by the CCPA, by removing the government-purpose limitation of Section 1798.140(o)(2). Currently, the CCPA does not apply the exception if “the data is used for a purpose that is not compatible with the purpose for which the data is maintained and made available in the government records ….” If AB 874 becomes law, all that will be required to take data out of the scope of the CCPA’s rights and obligations is to show that it is lawfully made available from federal, state or local government records and does not include biometric information collected by a business about a consumer without the consumer’s knowledge. AB 874 also clarifies that deidentified information and aggregate consumer information are also not within the definition of personal information. Efforts to further refine the definition of deidentified information to loosen the deidentification standards were not successful. AB 874 further would add the word “reasonably” before “capable” as part of “capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household” in the definition of personal information.

Consumer Rights, Notices and Requests

The bills would make changes to the scope and management of consumer rights requests, including:

  • No Toll-free Number for Online Businesses: Removing the toll-free method of receiving consumer rights requests requirement for a “business that operates exclusively online and has a direct relationship with a consumer.”
  • Specific Pieces of PI: Changing the language of Sections 1798.110(c)(1) and (5) to make it clear that privacy notices are to include instructions to the consumer on how they can obtain their specific pieces of personal information and not that the notice must, as the language currently reads, include the specific pieces of information. If this becomes law, it should settle the debate as to whether “specific pieces” means the actual pieces of personal information or a description of data types (e.g., your name and address) that are more granular than the enumerated categories of personal information set forth in the definition of personal information required to be used in notices and information request responses.
  • No Collection or Retention Obligations: Clarifying that a business need not collect personal information it would not normally collect or retain personal information it would not normally retain just to be available to satisfy consumer rights.
  • Use of Account: Permitting the ability to require that consumer requests be made through an account if the consumer has an account. However, it would still be impermissible to require account creation merely to make a request.
  • Verification: Allowing a business to “require authentication in light of the nature of the personal information requested” before disclosing or delivering responsive PI. In addition, the definition of “verifiable consumer request” is expanded to apply not only to Sections 1798.110 and .115 (information rights) but also to .100 (copies of PI) and .105 (deletion of PI), but remains silent as to .120 and .135 (do not sell). However, the Cal AG’s regulations are meant to provide more detail on both verification and the process for exercising do-not-sell rights and this continuing ambiguity regarding verification of opt-out requests may be clarified as part of the rule-making process.
  • Children: Clarifying that the category of children who may exercise their own do-not-sell opt-in rights under Section 1798.120(c) are at least 13 and less than 16 years old, making it clear that opt-in does not apply to 16-year-olds.
  • Privacy Notice: Adding that the online privacy notice must include a description of consumer rights under Sections 1798.100 (access and copy) and .105 (deletion), not just .110 (collection information), .115 (sale information) and .125 (nondiscrimination). The privacy notice disclosure of do-not-sell rights is covered in Section 1798.135, so now it is clear that privacy notices must explain all the various consumer rights.

Scope of Nondiscrimination (value + loyalty)

AB 1355 clarifies that the standard for evaluating the value of personal information to determine the reasonableness of financial incentives and differential pricing exemptions to the nondiscrimination requirements of Section 1798.125 is the value to the business, not to the consumer.

As noted, AB 846 would have allowed retailers and other businesses with loyalty programs to collect, use and, in some circumstances, disclose personal information as part of loyalty programs without fear of violating the nondiscrimination provision of the CCPA if certain conditions were met. Late in the session, the legislature continued to amend the bill regarding the scope of what would or would not be permissible and Assemblywoman Burke pulled the bill from vote eligibility on Sept. 12. It is a two-year bill, so it can be renewed in January when the legislature reconvenes. However, this is an issue the Cal AG has indicated interest in and clarifications could rise out of the regulatory process prior to the next legislative session.

Training

AB 25 expands the provision in Section 1798.130(a)(6) regarding training personnel responsible for handling privacy inquiries to address additional provisions of the title previously omitted (as to copy and deletion requests). Training about the do-not-sell right is covered in Section 1798.135(a)(3), so the amendment would make it clear that the appropriate personnel must be trained on all of the CCPA’s consumer rights.

Conclusion

Assuming California’s governor signs the bills into law in the coming weeks, businesses will receive a one-year respite from having to address fully their human resources and business-to-business communications data. However, they should beware that the private right of action for security incidents attributable to failure to maintain reasonable security still applies to such data. The bills that have passed provide some welcome clarifications regarding the CCPA, but it will be dependent upon the Cal AG to provide further guidance, particularly regarding verification. In the meantime, businesses should be working toward the Jan. 1 implementation deadline, at least with regard to the data that the bills do not propose to except from coverage. For more information, see our U.S. Consumer Privacy Resource Center.

Just How Far Does California’s New IoT Security Law Reach?

On January 1, 2020, California’s new Internet of Things (IoT) Security Law goes into effect. The law is the first IoT-specific security law in the United States and, simply put, requires all IoT devices sold in California to be equipped with reasonable security measures.

There has been a significant amount of discussion regarding exactly what types of devices are covered by the new regulations and what “reasonable security measures” entail.

Who is covered?

Any “manufacturers” of connected devices that sell their products in California will be required to incorporate reasonable security features into their devices. It does not matter where the product is made. It is also important to note that “manufacturers” include not only those companies that perform the manufacturing themselves, but also companies that “contract with” others to manufacture devices on their behalf. The law does contain several exclusions, including security vulnerabilities caused by user installation of third-party software and devices already regulated by certain healthcare statutes. However, since the interconnectivity of third-party software may be the source of a security breach, the question arises whether the way a covered device interacts with such third-party software should nonetheless be considered.

Less Than a Month to Go Until Nevada Privacy Law Effective Date

As discussed in our previous blog post on the topic, Nevada’s amendments to its privacy law are set to go into effect Oct. 1, 2019. Less comprehensive in scope than the much-heralded CCPA, the Nevada privacy law amendment has received significantly less attention than its California counterpart. Even so, the new Nevada privacy law presents its own compliance challenges that companies shouldn’t overlook in the CCPA compliance scramble.

To see a countdown clock and find resources on how to prepare for Nevada’s SB 220 and the CCPA, see our U.S. Consumer Privacy Resource Center.

Inconsistencies and Compliance Challenges

The amended Nevada privacy law establishes a requirement that “operators” of internet websites or online services set up a procedure whereby Nevada residents are given the opportunity to opt out of data sales. Specifically, organizations must establish a “designated request address”—which can be a toll-free phone number, email address, or internet website—where Nevada residents may submit requests to opt out of data sales. Companies must cease the sale of a Nevada resident’s data upon receipt of a “verified request,” defined as a “request submitted by a consumer … for which an operator can reasonably verify the authenticity of the request and the identity of the consumer using commercially reasonable means.”


Risk Management Strategies to Reduce Risk Associated with Telehealth

The use of technology to provide healthcare has existed for decades; however, recent advances in technology and changes in reimbursement have increased the prevalence of telehealth for diagnosing and treating patients. Telehealth is an emerging and promising method of providing healthcare in areas where healthcare may be limited or unavailable. Telehealth provides quality, cost-effective healthcare and can reach individuals in remote or underserved locations. It has also been shown to increase patient satisfaction.

The Health Resources and Services Administration of the U.S. Department of Health & Human Services defines telehealth as “the use of electronic information and telecommunications technologies to support and promote long-distance clinical health care, patient and professional health-related education, public health and health administration, and may include non-clinical services.” The Centers for Medicare & Medicaid Services and all 50 states have regulations governing the use of and reimbursement for telehealth services, and commercial payers are increasingly covering these services. Reimbursement policies for telehealth services vary and may limit or restrict the type of facilities and providers who may seek reimbursement, setting geographical limitations on reimbursement for certain medical conditions. Because of the surge in the use of telehealth, healthcare providers need to be aware of the risks associated with the use of this technology and implement mitigation strategies to reduce these risks.


Summer Is Over – It’s CCPA and NV Crunch Time

It is less than 120 days until California’s ground-shifting new privacy regime – the California Consumer Privacy Act (CCPA) – goes into effect. There is only a week left for the Legislature to pass the handful of amendment bills that still survive, and we should have the attorney general’s proposed regulations published for public comment within weeks. Furthermore, the digital advertising industry has decided on a way to address the CCPA and future laws that may give consumers the ability to opt out of data disclosures that are not necessary to provide core services to the consumer. Hopefully, many unanswered questions will be at least partially answered in the next two months. In the meantime, here are some previews.

Last Thursday night I co-hosted an event for Attorney General Xavier Becerra in Los Angeles. There was a lively conversation with the AG; these are some of the highlights:

  • The AG’s office has been, as we know, consulting with stakeholders to help develop the regs. However, the AG reported that they have also consulted with EU data protection authorities to get the benefit of their experiences.
  • The upcoming regulatory public comment period will be meaningful, and the AG is particularly interested in hearing about compliance challenges, inadvertent consequences and constructive suggestions for refinements. He encourages written comments with specific recommendations for edits or additional regulations.
  • The AG is particularly concerned with the lack of meaningful transparency and choice for consumers regarding their personal information (PI) and will likely be concentrating on pre-collection notice and the breadth of opt-out, both in the regulations and in enforcement priorities.
  • Previously an advocate against the right to cure, the AG expressed doubt that many types of violations could be capable of cure given that consumers’ rights would have been injured and the resulting damage already done. That said, he indicated that a good faith effort to interpret and comply would be met with a better response than outright noncompliance.
  • While promising not to be in the “gotcha” business, and seeking to work with industry to develop sound approaches to interpretation of the title, the AG indicated that his office’s mandate is enforcement and consumer protection, and the first cases brought will be “must wins” so that examples can be made for industry, both as to the substantive issues involved and the risk of noncompliance.


Maryland Insurance Administration Issues Breach Notification Bulletin

On Aug. 29, 2019, the Maryland Insurance Administration (MIA) issued Bulletin 19-14. The purpose of the bulletin is to inform insurers, nonprofit health service plans, health maintenance organizations, managed care organizations, managed general agents and third-party administrators of a new security breach reporting requirement to the Compliance & Enforcement Unit at the MIA.

Effective Oct. 1, 2019, pursuant to Insurance Article § 4-406, carriers are required to notify the insurance commissioner of a breach of the security of a system if the carrier (1) conducts an investigation required under § 14-3504(b) or (c) of the Commercial Law Article; and (2) determines that the breach of security of the system creates a likelihood that personal information has been or will be misused. The notice needs to be provided at the same time that the Maryland attorney general is notified pursuant to § 14-3504(h) of the Commercial Law Article.

The notice to the commissioner must include (1) a brief description of the circumstances of the security breach, (2) a copy of any notifications sent to consumers and (3) a copy of the notice submitted to the Maryland attorney general. The MIA has created an online form that can be used to submit the notice.

The MIA has thus joined a growing number of insurance departments that have issued bulletins, guidance or regulations on reporting security breaches. See our previous blog posts here and here.

CCPA Amendment Progress Report: July Update

As we reported in April, May and June, a number of potentially significant amendments to the California Consumer Privacy Act (CCPA) continue to make their way through the state legislative process. Below we provide a summary of recent developments from earlier this month, including changes that may materially affect how businesses approach their CCPA compliance efforts.

Bills That Passed With Amendments

AB 25: Changes to the Employee Exception

This bill has been closely watched since its introduction, as the inclusion of employees in the definition of “consumers” covered by the CCPA could represent a serious compliance burden for certain companies. Initially, the bill would have amended the definition of “consumer” to exclude job applicants, employees, contractors and agents whose personal information was collected and used in the context of the employment relationship, essentially removing HR data from the scope of the CCPA. That exception has now been limited, and it will expire entirely following a one-year grace period. Specifically:

  • The exception does not apply to the private right of action set forth in Section 1798.150. Employees may bring civil actions for data security breaches affecting personal information maintained by their employers.
  • The notice requirement in Section 1798.100(b) will apply to these individuals as of January 1, 2020.
  • The entire exception will become inoperative as of January 1, 2021.

Accordingly, businesses must prepare to provide their employees with CCPA-compliant notice regarding the collection and use of personal information as they would for any other consumer. It appears the delay with respect to other CCPA requirements was inserted in the latest amendments to allow stakeholders time to address concerns regarding employee surveillance.

EU Updates: ePrivacy Regulation Inches Forward, EDPB Issues Guidance on Interplay Between GDPR and ePrivacy Directive

Adoption of the ePrivacy Regulation

Introduced in 2017, and originally slated to go into effect with the GDPR (on May 25, 2018), it now appears the ePrivacy Regulation will not be implemented before late 2021. With the Romanian Presidency’s oversight of the Council of the European Union passing to Finland as of July 1, and in view of forthcoming EU parliamentary elections and procedural considerations, it is possible that the adoption of the ePrivacy Regulation may be delayed even further.

Key concepts currently up for debate and the subject of amendments in the Regulation’s latest draft include:

  • Conditioning access to website content on a user consenting to advertising cookies: The current draft states this would not be “disproportionate” unless the site is provided by public authorities. Notably, this position contradicts those taken in Article 29 Working Party Guidance from April 2018, and in enforcement actions by supervisory authorities (see our post here on the UK ICO’s enforcement in this regard).
  • No consent needed to process electronic communications data for information security reasons: Previous drafts would not have provided as much leeway on this point as the current draft allows.
  • To what extent metadata can be processed by end users after receipt, or by a third party entrusted by them, without consent: One practical implication of this is that it may regulate aggregated and anonymized data that some companies rely on for analytics. Otherwise, this type of data may fall outside the scope of regulation (i.e., GDPR) since it may not be considered personal data.
  • Expansion of the definition of “direct marketing communications”: The proposed definition would cover communications using new technologies (including voice over IP calls and electronic message applications), bringing these and other popular mobile applications within the scope of the ePrivacy Regulation.
  • How the ePrivacy Regulation will interact with new technologies, in particular in the machine-to-machine, “internet of things” and artificial intelligence contexts.
  • Enforcement by supervisory authorities: The latest draft requires cooperation with other supervisory authorities, as under the GDPR.

For more information, view the Romanian Presidency’s May 22, 2019 Progress Report. The Council of the European Union only briefly discussed the ePrivacy Regulation during its meeting on June 6 and 7, 2019.

We will continue to monitor and provide updates on the progress of the ePrivacy Regulation.

FTC Announces Enforcement Action, Warning Letters for Companies Falsely Claiming Privacy Shield Participation

The Federal Trade Commission (FTC) recently announced a compliance sweep of companies claiming to be in compliance with the U.S.-EU Privacy Shield and U.S.-Swiss Privacy Shield Frameworks. The U.S.-EU Privacy Shield and the U.S.-Swiss Privacy Shield programs enable companies to self-certify that they have adopted a number of data protection practices to bring their businesses in line with European data protection law. Because the U.S. lacks a generally applicable federal data protection law, and because the standards for data protection in the U.S. are less stringent than those in the EU, the U.S. is considered to be an “inadequate” jurisdiction under European law, and data transfers to the U.S. are generally barred. However, if a company adopts data protection practices consistent with the requirements of European law, it may self-certify compliance with the U.S.-EU Privacy Shield and U.S.-Swiss Privacy Shield with the U.S. Department of Commerce. Adherents to the Privacy Shield frameworks can then represent their data protection practices as “adequate” under EU law, enabling free and legal transfer of personal data regarding EU data subjects to the U.S. under the European Union’s General Data Protection Regulation and Swiss Data Protection Act.

Texas Moves Forward With Updates to Breach Notification Law and Institutes Privacy Council to Study Data Privacy Legislation

Texas is one of the many states that looked to be following in the footsteps of California’s enactment of a broad consumer privacy law (the California Consumer Privacy Act), which has far-ranging implications for businesses and consumers. Two comprehensive data privacy bills, HB 4390 and HB 4518, were filed and heard at the last legislative session. HB 4518, also known as the Texas Consumer Privacy Act, proposed overarching consumer protection legislation that closely resembled the California Consumer Privacy Act. HB 4518 stalled in the Texas House of Representatives in favor of HB 4390. HB 4390, also known as the Texas Privacy Protection Act, was introduced as comprehensive data privacy legislation, but was significantly less detailed than HB 4518. HB 4390 went through several rounds of revisions in both the Texas House and Senate until it was whittled down to the final version, which revises the notification requirements of the Texas Identity Theft Enforcement and Protection Act and creates the Texas Privacy Protection Advisory Council in order to develop recommendations for future data privacy legislation. HB 4390 has passed both the Texas House and Senate and is awaiting signature from the governor to be enacted.