Important Clarifications Initiated on California Consumer Protection Act

Important Clarifications Initiated on California Consumer Protection Act

The California Consumer Protection Act (CCPA) will impact global companies. The CPPA aims to sets forth landmark privacy rights for Californians and becomes effective January 1, 2020. Last week the California Assembly Privacy and Consumer Protection Committee began clarifying important ambiguities in the CCPA through a serious of amendment bills. These amendment bills are not law just yet. These bills were actions taken by the Committee to advance proposed changes through the legislative process. Some of the most notable clarification from the amendment bills include:    

  • Updating the current CCPA to make it clear that employees are not “consumers” for purposes of the CCPA and addressing some of the concerns with household data.
  • Clarifying personal and de-identified information by adding a reasonableness standard to make it clear that not all information capable of being associated with an individual or household will be considered personal information. Further, the de-identification standard would be shifted to the FTC “reasonably linkable” de-identification definition which is better understood. 
  • Redefining “publicly available” to mean information that is lawfully made available from federal, state, or local records to ensure there is a public record exemption from the definition of “personal information.” 
  • Adding amendments that make loyalty programs exempt from the CCPA’s “non-discrimination” restrictions. 
  • General cleanup of mistakes and confusion in the current language.  
  • Updating the current CCPA requirement that businesses must establish a toll-free number to receive CCPA requests, to a requirement that they must provide a toll-free number or an email address.   

Two amendment bills were withdrawn that would have dramatically expanded the CCPA requirements.  Notably, it included the bill that extended the private right of action to all privacy violations, extended the opt-out to all sharing of personal information (not just “sales”), added data minimization requirements, and expanded the CCPA right-to-know requirement to require accounting to consumers the specific third parties to whom personal information was shared. 

What’s next? These amendment bills head to the Senate leadership. However, these initial steps suggest that some legislative clarifications of CCPA requirements may pass this year.  It is important to balance compliance with this state law with other data privacy and security laws across the globe.  Taking a practical approach with experienced legal teams will be critical.

DISCLAIMER: This alert is for general information purposes only. It does not constitute legal advice, or the formation of an attorney-client relationship, and may not be used or relied upon as a substitute for legal advice regarding a specific issue or problem. Advice should be obtained from a qualified attorney or practitioner licensed to practice in the jurisdiction where the advice is sought.

Attorney Advertising: Prior results do not guarantee a similar outcome.

Abstracts Black and White hallway

Reminder – March 1, 2019 Deadline for Third-Party Vendor Policies

Once again, March 1st nears. And with it comes a cybersecurity compliance milestone for those entities operating under New York’s insurance, finance and banking laws. This date now looms large thanks to the New York State Department of Financial Services (“DFS”) and its Cybersecurity Regulation (“Regulation”) first put into effect on March 1, 2017. Let’s breakdown what this means.

Who?

“Covered Entities” under the Regulation, includes those entities that are operating or are required to operate under the New York insurance, finance and banking laws.

What?

The next compliance milestone pertains to putting in place policies for Third Party Service Providers. The policies and procedures need to address the security of vendors who are accessing a Covered Entity’s systems or “non-public information” as addressed under the Regulation.

The policies shall be based upon a risk assessment and address, to the extent applicable:

1.     The identification and risk assessment of Third-Party Service Providers (as defined under the Regulation);

2.     Minimum cybersecurity practices required to be met by such Third-Party Service Providers in order for them to do business with the Covered Entity;

3.     Due diligence processes used to evaluate the adequacy of cybersecurity practices of such Third-Party Service Providers; and

4.     Periodic assessment of such Third-Party Service Providers based on the risk they present and the continued adequacy of their cybersecurity practices.

Such policies and procedures shall include relevant guidelines for due diligence and/or contractual protections relating to Third-Party Service Providers including to the extent applicable guidelines addressing:

1.     The Third-Party Service Provider’s policies and procedures for access controls, including its use of Multi-Factor Authentication, as required by section 500.12, to limit access to relevant Information Systems and Nonpublic Information;

2.     The Third-Party Service Provider’s policies and procedures for use of encryption as required by section 500.15 of this Part to protect Nonpublic Information in transit and at rest;

3.     Notice to be provided to the Covered Entity in the event of a Cybersecurity Event directly impacting the Covered Entity’s Information Systems or the Covered Entity’s Nonpublic Information being held by the Third-Party Service Provider; and

4.     Representations and warranties addressing the Third-Party Service Provider’s cybersecurity policies and procedures that relate to the security of the Covered Entity’s Information Systems or Nonpublic Information.

Note, the DFS has advised that it is insufficient to rely solely on the Certification of Compliance submitted by the Third-Party Service Providers to the DFS under the Regulation as their only means of evaluating their compliance with this milestone.  

What else?

There have been a number of milestones for Covered Entities to address since the Regulation went into effect on March 1, 2017.  

When?

The process of developing and implementing Third Party Service Provider policies can be cumbersome and time-consuming given to the complexity of the relationships your company may have with a variety of Third-Party Service Providers.

Begin as soon as possible, as there are often several components to the analysis and March 1, 2019 is nearing.

Why?

Because the DFS Regulation says so.

The contents of the Regulation,23 NYCRR Part 500, can be found here: https://www.dfs.ny.gov/legal/regulations/adoptions/dfsrf500txt.pdf.

How (to take Next Steps)?

Consult legal counsel to confirm whether your policies comply with the Regulation and other applicable laws.

The attorneys at Beckage PLLC can help you navigate through policy drafting the Third-Party Service Provider risk assessment and other regulatory compliance matters by offering practical legal advice that will help arm your company with the knowledge to assist in making sound business decisions.  

DISCLAIMER: This alert is for general information purposes only.  It does not constitute legal advice, or the formation of an attorney-client relationship, and may not be used and relied upon as a substitute for legal advice regarding a specific issue or problem.  Advice should be obtained from a qualified attorney or practitioner licensed to practice in the jurisdiction where that advice is sought.  If you have any questions, please contact an attorney at Beckage: www.beckage.com or info@beckage.com.

Attorney Advertising: Prior results do not guarantee a similar outcome.