The First Six Months of the CCPA: Final Regulations, AG Enforcement and Plaintiff Lawsuit Trends

The California Consumer Privacy Act (CCPA) is about to hit the 6-month milestone, and oh what a long, strange trip it’s been. Although the CCPA’s effective date was January 1, 2020, the California Attorney General (AG) has still not issued final regulations for the Act, to the frustration of many businesses seeking to implement CCPA compliance programs, but the AG has repeatedly affirmed that enforcement of the Act will commence on July 1, 2020. Furthermore, plaintiff attorneys have brought a range of CCPA-related lawsuits – some, brought under the CCPA’s private right of action for data breaches, are as expected, while others attempt to leverage the CCPA to bring a range of non-CCPA claims. We explore all this and more, below.

I. Status of CCPA Regulations: Likely Delayed

There is a procedural process that the AG has to follow to finalize the CCPA regulations. In short, the AG has to submit the proposed final CCPA regulations to the CA Office of Administrative Law (OAL) for review for compliance with the State Administrative Procedures Act. After that, OAL typically has 30 working days to conduct a review and either approve and file with the Secretary of State (SOS) or disapprove. Governor Newsom recently extended this timeframe by an additional 60 days due to the COVID-19 pandemic.

Regulations generally become effective once a quarter based on when the final regulations are approved and filed with the SOS. In order for the CCPA final regulations to become effective by July 1, they have to be filed with OAL, approved by OAL and submitted to the SOS by May 31.

As the AG has not submitted the final CCPA regulations to OAL as of this writing, it is unlikely that the OAL will have time procedurally to expedite review and get approval, pushing the potential effective date to the next quarter. This has led to speculation that the final regulations will be delayed until October.

Technically there is still time to meet the July 1 date, and the AG could also potentially submit late and ask for earlier enforcement. We continue to monitor the status of the CCPA final regulations and will update this blog when additional information is forthcoming.

II. Attorney General Enforcement: Still Anticipated

Despite a delay in the CCPA final regulations, the California AG has repeatedly affirmed his intent to commence enforcement of the CCPA on July 1, 2020. Indeed, the AG’s office has rejected requests by a consortium of business and trade associations to delay enforcement of the CCPA in light of the COVID-19 pandemic, stating that they are “committed to enforcing the CCPA upon finalizing the regs or July 1, whichever comes first.” Consequently, businesses should still anticipate that regulatory enforcement of the CCPA will commence July 1.

While the AG has committed to enforcing the CCPA starting July 1, the lack of final regulations for a law full of contradictions and ambiguities unfortunately creates additional challenges for businesses working towards CCPA compliance. Nevertheless, our Beckage attorneys recommend that businesses not wait for the promulgation of final regulations to finish preparing for compliance. Instead, where the CCPA is unclear on its own requirements, businesses should consider reviewing past interpretations and enforcement of other privacy laws for guidance.

III. CCPA Lawsuits: From Data Breach to Wrongful Collection

A range of CCPA-related lawsuits have been filed in California in the first six months following the enactment of the CCPA, leading to many questions about the scope of the CCPA’s private right of action.

Initially, the CCPA’s private right of action provision, as written, is narrow: it applies only to the CCPA’s data security provision, Cal. Civ. Code § 1798.150. This provision authorizes consumers to commence civil proceedings against a business whose failure to implement and maintain “reasonable security procedures” resulted in the unauthorized access and exfiltration, theft, or disclosure of consumers’ nonencrypted and nonredacted personal information. Further, the definition of “personal information” in this section of the Act is narrower than the definition of PI applicable to other CCPA provisions, applying only to an individual’s name together with another identifying data element such as SSN, driver’s license number, or medical information. (Note: The California Privacy Rights Act, dubbed CCPA 2.0, which we profiled elsewhere, would expand this definition to include email addresses, usernames and passwords.)

As written, the CCPA private right of action provides for the possibility of injunctive or declaratory relief, actual damages or statutory penalties for qualifying incidents. But before bringing suit that seeks statutory damages, a plaintiff must provide the business with a “notice and cure” opportunity; the “cure” part of this provision is not defined.

What the CCPA private right of action clearly does not provide, however, is the opportunity for plaintiffs to leverage the CCPA as a basis to bring other claims under other laws. Indeed, the CCPA explicitly prohibits consumers from using alleged CCPA violations “to serve as the basis for a private right of action under any other law,” thus prohibiting a plaintiff from alleging that a CCPA violation constitutes a violation of the California Unfair Competition Law, Cal. Bus. & Prof. Code §§ 17200, et seq. or other statutes.

But, not unexpectedly, plaintiffs have not heeded this statutory prohibition, and are trying to leverage the CCPA for a range of non-data breach related claims, as described below.

To date, the majority of CCPA-related lawsuits have been brought in federal courts under the Class Action Fairness Act, 28 U.S.C. § 1332(d), which provides for federal jurisdiction for class-action claims that meet certain thresholds. Because this trend may result in a canon of federal court CCPA jurisprudence before state courts are called to adjudicate CCPA matters, many anticipate this dynamic may result in even more rigorous state-court enforcement by the California AG post-July 1.

1. Substantive CCPA Privacy Claims

Although the CCPA’s private right of action is explicitly limited to allegations of a failure to provide “reasonable security” resulting in a data breach, plaintiffs have brought claims for violations of the substantive privacy provisions of the CCPA.

For example, in the class action filed as Sweeney v. Life on Air, Inc. et al., No. 3:20-cv-00742 (S.D. Cal. Apr. 17, 2020) (Sweeney), the plaintiffs alleged violations of (i) Cal. Civ. Code § 1798.100(b), requiring notice at or before the point at which personal information is collected and limiting additional uses of personal information; (ii) Cal. Civ. Code § 1798.120(b), requiring a business to provide notice of the right to opt out of sales of personal information; (iii) Cal. Civ. Code § 1798.135(a)(1), requiring a “Do Not Sell My Personal Information” link on a business’s homepage; and (iv) Cal. Civ. Code § 1798.135(a)(6), requiring that a business use information collected in connection with an opt-out request solely to comply with that request. (Sweeney Complaint, ¶¶ 102-105.)

On their face, these claims do not appear to be sustainable under the plain text of the CCPA, but it remains for the court, the Southern District of California, to clarify the scope of the CCPA private right of action.

2. Leveraging CCPA to State Unfair Competition and Other Claims

Also as expected, plaintiffs are attempting to do that which the CCPA appears to disallow – to use purported violations of the CCPA to state claims under other California statutes. For example, in Hurvitz v. Zoom Video Communications, Inc. et al., No. 2:20-cv-03400 (C.D. Cal. Apr. 13, 2020), plaintiffs allege that defendant Zoom Video Communications (Zoom) violated the provision of CCPA requiring a business to provide notice to consumers of the categories and uses of personal information it collects at or before the point of collection, and prohibiting the business from collecting additional categories of personal information or using personal information for additional purposes without providing additional notice. (See Cal. Civ. Code § 1798.100(b); Hurvitz Complaint, ¶ 213.)

Because substantive CCPA privacy claims may not be brought as private claims under the CCPA, or under other statutes based on the CCPA’s prohibition, the Hurvitz plaintiffs have instead alleged that the violation of the CCPA’s provisions constitutes an unlawful practice in violation of the California Unfair Competition Law, Cal. Bus. & Prof. Code §§ 17200, et seq. Whether these claims are validly stated and the CCPA can be leveraged in this manner, especially in light of the CCPA’s facially clear prohibition described above, remains a determination for the courts.

3. CCPA Actions with Privacy Tort Claims

As expected, CCPA data breach claims are not being brought as straight CCPA actions, but are accompanied by a range of other privacy tort or statutory claims. For example, in Fuentes v. Sunshine Behavioral Health Group LLC, No. 8:20-cv-00487 (C.D. Cal. Mar. 10, 2020) (Fuentes), the plaintiffs brought 11 claims in addition to the CCPA claim, both statutory and common law. These include claims of negligence, negligence per se, breach of contract, and breach of implied contract arising from a data breach. Plaintiffs frequently bring multiple common law tort claims in data breach actions nationwide, and this trend was anticipated here. Ultimately it means that defense of a CCPA action will almost certainly include defense of other tort claims, for which additional discovery and damages may be available.

The commencement of CCPA private rights of action and related claims presents a meaningful risk to businesses doing business in California. Until judicial decisions provide clarity on the scope of the CCPA private right of action and the CCPA’s prohibition, the scope of these risks is substantial and not fully known. With the assistance of our experienced Beckage team, a comprehensive CCPA compliance program, in addition to other risk mitigation strategies, should be considered. We can work with your company, regardless of size, to determine the best approach to build a proactive, buildable and defensible program that makes sense for your business.

*Attorney Advertising. Prior results do not guarantee future outcomes.

Data Breach Compliance Under the CCPA – What You Need to Know

The California Consumer Privacy Act (“CCPA”) went into effect on January 1, 2020, and with it came expanded data breach laws and an increased risk of litigation. Attorney General enforcement of privacy-related suits cannot be initiated until six months after final regulations are approved by the California Attorney General or July 1 (whichever comes first); however, data breaches are subject to enforcement via the plaintiff private right of action now.

In fact, substantial data breach litigation has already begun under the CCPA, primarily in the form of consumer class actions brought in federal courts in California.

Businesses should be aware and prepared to comply with the data breach compliance requirements of the CCPA in the event of a data breach incident, as discussed below, or risk facing litigation.

Breach Defined

The CCPA provides consumers with a limited private right of action when “nonencrypted and nonredacted personal information…is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.” Violations are subject to penalties of $100 to $750 per incident, actual damages, and injunctive relief.

Personal Information Defined

In order for a data breach to be actionable, the information breached must be personal information as narrowly defined by California’s data breach notification law, Section 1798.81.5, not the broad definition included in the CCPA. For the private right of action for data breaches, personal information means:

An individual’s first name or first initial and the individual’s last name in combination with any one or more of the following data elements…:

(i) Social security number.

(ii) Driver’s license number, California identification card number, tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual.

(iii) Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

(iv) Medical information.

(v) Health insurance information.

(vi) Unique biometric data generated from measurements or technical analysis of human body characteristics, such as a fingerprint, retina, or iris image, used to authenticate a specific individual.

This narrower definition of personal information should work to limit the availability of CCPA’s private right of action.

What Constitutes “Reasonable Security”?

The CCPA does not define “reasonable security” and the California Attorney General has not yet offered guidance on the subject. However, some California regulators have endorsed certain security measures as providing “reasonable security” in contexts outside of the CCPA.

For example, the former California Attorney General, Senator Kamala Harris, provided clear guidance on what she considered reasonable security in the February 2016 California Data Breach Report. As highlighted in the report, covered entities should look to the Center for Internet Security’s list of 20 Critical Controls (“CIS Controls”) as a potential baseline security standard for reference. The CIS Controls consist of twenty key actions, including authentication, incident-response plans, data-protection policies, and other security safeguards. Although these CIS Controls are not prescriptive safeguards for CCPA compliance, they are a good place to start.

Notice and Cure Period

Before bringing an action for a security breach, the CCPA requires consumers to provide covered businesses with 30 days’ written notice, identifying the specific provisions the business allegedly violated. Businesses then have 30 days to address and resolve the violations without penalty. Businesses that fail to cure the violation open themselves up to civil action for monetary damages, injunctive relief, and any other relief the court deems proper.

CCPA Prohibition

The CCPA does appear to prohibit the commencement of lawsuits which leverage the CCPA to state other claims. The CCPA explicitly prohibits consumers from using alleged CCPA violations “to serve as the basis for a private right of action under any other law,” thus prohibiting a plaintiff from alleging that a CCPA violation constitutes a violation of the California Unfair Competition Law, Cal. Bus. & Prof. Code §§ 17200, et seq. or other statutes. However, as described in other blogs, this has not stopped plaintiffs from bringing just these types of claims. Judicial decisions are required on the scope and enforceability of the CCPA’s prohibition on non-CCPA claims.

Takeaway

Businesses should continue to follow CCPA developments and carefully monitor related litigation in the coming months for further clarity on enforcement and compliance. CCPA data breach litigation is expected to increase considerably as plaintiffs take advantage of the CCPA’s private right of action for data breaches resulting from a company’s failure to implement and maintain “reasonable” security measures. Beckage will continue to provide updates as they become available. Additionally, AG enforcement of the CCPA data breach and privacy provisions is expected to commence soon, providing an additional layer of enforcement activity that businesses must be aware of. The Beckage team will continue to provide timely updates on the CCPA landscape and potential claims, and is available to discuss practical low-cost, high-impact tips for mitigating CCPA litigation risk.

The California Privacy Rights Act: The Who, What, Where, When, and How of the “CCPA 2.0”

While most businesses are still waiting on final regulations for the California Consumer Privacy Act (“CCPA”), which are likely to be delayed, and Attorney General enforcement on July 1 of this year, the same group behind the CCPA has proposed a new ballot initiative, the California Privacy Rights Act of 2020 (“CPRA”), dubbed “CCPA 2.0.” That group announced last week that it had gained enough signatures for the CPRA to be considered by California consumers on the November 2020 ballot, where the initiative is believed to have a high chance of being passed.

As described below, businesses suffering fatigue from implementing the CCPA may have to make further changes to their practices and updates to their privacy policies to address the CPRA.

Who: Californians For Consumer Privacy, the consumer privacy organization that successfully initiated the “Consumer Right To Privacy Act” ballot initiative in California in 2018, which was then withdrawn in a compromise to allow the California State Legislature to pass the CCPA. The CCPA is effective as of January 1, 2020, with final regulations from the Office of the Attorney General expected immediately.

What: The California Privacy Rights Act, a ballot initiative by Californians For Consumer Privacy that seeks to significantly expand and amend the CCPA, with a one-year look-back to January 2022.

Where: While the CCPA was passed in California, it purports to apply to all businesses with annual revenue of over $25 million which “do business in California,” a threshold that has been interpreted broadly to include businesses that collect and process California consumer personal information including, for example, by e-commerce sales or IP address (in connection with other data points), among other thresholds.

While the CPRA has basically the same applicability thresholds of the CCPA, it does double the 50,000 data threshold in one provision of the CCPA applicability section, applying now to businesses with under $25 million in annual revenue that “alone or in combination, buys or sells or shares the personal information of 100,000 or more [California] consumers or households.”

When: If the CPRA initiative passes signature sampling, it will be on the ballot before California voters this November. As written, the CPRA has a January 2023 effective date, with a one-year look-back to January 2022.

How: The CPRA creates additional privacy rights and obligations pertaining to a certain category of personal information – sensitive personal information. Specifically, the CPRA proposes the following changes to the CCPA:

Sensitive Personal Information: The CPRA imposes limits on businesses’ use of “sensitive personal information,” a newly defined category of personal information that includes things like social security number, driver’s license, passport number, sexual orientation, biometric, health and financial information, and precise geolocation. The definition of “sensitive” PI under the CPRA is broader than the definition of sensitive categories of data under the European GDPR but the CPRA does not prohibit collection of this information altogether. Rather, the CPRA gives consumers additional rights to limit the processing and use of their sensitive data to specified purposes.

Data Correction: The CPRA gives consumers the right to request and require businesses to correct inaccurate personal information. These requirements are subject to reasonableness standards, require authentication, and there are specified exemptions. Service providers and contractors are required to assist businesses in complying with these requirements.

Expanded Breach Liability: By adding 21 words, the CPRA seeks to expand the data breach liability created by the CCPA. In addition to the private right of action for breaches of nonencrypted, nonredacted personal information under the CCPA, the CPRA would add a private right of action for unauthorized access or disclosure of an email address and password or security question that would permit access to an account if the business failed to maintain reasonable security. This is an important change, given the high frequency of data breaches and incidents, and the inclusion of email addresses and related information in those breaches.

Automated Decision Making: Automated decision making is a hot topic, stemming in part from the GDPR’s requirements around these types of actions. The CPRA attempts to address automated decision making by regulating it as “profiling” and providing new rights of access and opt-outs.

Specifically, the CPRA defines “profiling” as the automated processing of personal information to evaluate personal aspects of an individual and to make predictions concerning that individual’s performance at work, economic situation, health, preferences, interests, reliability, behavior, location or movements. The Act then requires promulgation of regulations to provide consumers with access and opt-out rights for the profiling, including requiring businesses to disclose to them the logic and algorithms underlying the decision-making process.

Service Provider Provisions: The CPRA increases the contractual obligations of service providers (defined as in the CCPA) beyond those that currently exist under the CCPA, now requiring them to allow businesses to monitor their compliance with the contract provisions and to certify that they understand and will comply with the contractual obligations.

The CPRA also seeks to impose data protection obligations directly on service providers, contractors and third parties. Specifically, it requires businesses that send personal information to third parties, service providers or contractors to enter into an agreement binding the recipient to the same level of privacy protection as provided by the act, granting the business rights to take reasonable and appropriate steps to remediate unauthorized use, and requiring the recipient to notify the business if it can no longer comply.

Finally, the CPRA clarifies what the CCPA regulations do not: it requires service providers to cooperate with and assist businesses in providing requested personal information in response to verifiable data subject requests, as well as correcting or deleting information or limiting the use of sensitive personal information in response to such requests, though exceptions exist.

Enforcement Agency: Lastly, before the 2023 effective date, the CPRA requires the California state government to create a new agency, the California Privacy Protection Agency, to oversee and enforce data privacy.

Again, the CPRA, if passed by ballot initiative in November, will not be effective until 2023, with a look-back to 2022, giving businesses ample time to plan implementation.

In the meantime, businesses await the California Attorney General’s final CCPA regulations, which are now understood to be delayed, and the start of AG enforcement of the CCPA, which may still commence on July 1, 2020.

Beckage’s dedicated CCPA attorneys routinely counsel clients on implementation of CCPA policies and procedures, including assisting businesses to operationalize Data Subject Request (DSR) processes, perform CCPA training and record keeping, manage third party vendor relationships, and make CCPA required breach notifications. Our clients include major E-commerce retailers, international news media companies, consumer goods manufacturers and retailers, health care organizations and financial entities.

For more information about the CCPA, CPRA and its impact on your business, contact: Myriah V. Jaworski, Esq., CIPP/US, CIPP/E and Nicole Smith, Esq.

Looking Back: Top Privacy and Cybersecurity Headlines from 2019

In the fast-paced, ever-evolving world of privacy and cybersecurity law, gathering the biggest news from 2019 was no small feat – from new laws and landmark cases, to major technological developments and international guidelines, it was a busy year for anyone trying to stay up to date. But Beckage has narrowed down the top privacy and cybersecurity stories that shaped last year:

Important Clarifications Initiated on California Consumer Protection Act

The California Consumer Protection Act (CCPA) will impact global companies. The CCPA sets forth landmark privacy rights for Californians and becomes effective January 1, 2020. Last week the California Assembly Privacy and Consumer Protection Committee began clarifying important ambiguities in the CCPA through a series of amendment bills. These amendment bills are not law just yet. These bills were actions taken by the Committee to advance proposed changes through the legislative process. Some of the most notable clarifications from the amendment bills include:

  • Updating the current CCPA to make it clear that employees are not “consumers” for purposes of the CCPA and addressing some of the concerns with household data.
  • Clarifying personal and de-identified information by adding a reasonableness standard to make it clear that not all information capable of being associated with an individual or household will be considered personal information. Further, the de-identification standard would be shifted to the FTC “reasonably linkable” de-identification definition, which is better understood.
  • Redefining “publicly available” to mean information that is lawfully made available from federal, state, or local records to ensure there is a public record exemption from the definition of “personal information.”
  • Adding amendments that make loyalty programs exempt from the CCPA’s “non-discrimination” restrictions.
  • General cleanup of mistakes and confusion in the current language.
  • Updating the current CCPA requirement that businesses must establish a toll-free number to receive CCPA requests, to a requirement that they must provide a toll-free number or an email address.

Two amendment bills were withdrawn that would have dramatically expanded the CCPA requirements. Notably, these included a bill that would have extended the private right of action to all privacy violations, extended the opt-out to all sharing of personal information (not just “sales”), added data minimization requirements, and expanded the CCPA right-to-know requirement to require businesses to account to consumers for the specific third parties with whom personal information was shared.

What’s next? These amendment bills head to the Senate leadership. However, these initial steps suggest that some legislative clarifications of CCPA requirements may pass this year. It is important to balance compliance with this state law with other data privacy and security laws across the globe. Taking a practical approach with experienced legal teams will be critical.

DISCLAIMER: This alert is for general information purposes only. It does not constitute legal advice, or the formation of an attorney-client relationship, and may not be used or relied upon as a substitute for legal advice regarding a specific issue or problem. Advice should be obtained from a qualified attorney or practitioner licensed to practice in the jurisdiction where the advice is sought.
