California Consumer Privacy Act – April 2020 Update

April 6, 2020 | Insights

This client alert provides an update about the California Consumer Privacy Act (CCPA) as it stands on April 6, 2020. As of this date, the California Attorney General’s office has indicated that it does not plan to delay the July 1, 2020 enforcement date due to the current COVID-19 pandemic. We recognize that many companies are currently busy dealing with the impact of COVID-19. With the CCPA enforcement date fast approaching, we can help make sure you have the resources you need to keep your compliance efforts on track and in line with current best practices. Please note that this is not a comprehensive review of the CCPA and its requirements – for information tailored to your specific circumstances, please contact your Gunderson attorney.

Background: A Quick Refresher

  • What is the CCPA?

- The CCPA is California’s state data privacy law. It regulates the collection, use and sale of personal information about California residents.

- The CCPA defines “personal information” broadly:  it includes any information that identifies, relates to, or is reasonably capable of being linked – directly or indirectly – with a California resident or household. Practically speaking, this means that a significant portion of data about your users – down to the level of IP addresses – is likely to be considered personal information regulated by the CCPA. While the CCPA does not apply to personal information that is subject to the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), the Fair Credit Reporting Act (FCRA), and certain other state and federal laws, many businesses that are subject to such laws also collect and process personal information that is subject to the CCPA, for example in the context of marketing and other processing activities outside the scope of the specified laws.

  • What are the key dates?

- The CCPA came into effect on January 1, 2020.

- The California Attorney General’s office will begin enforcing the CCPA on July 1, 2020.

  • Which companies need to comply?

- For most companies, if you have more than $25 million in annual gross revenue or collect the personal information of 50,000 or more CA consumers, households or devices, you’ll need to comply. Note that personal information includes IP addresses, so many companies meet this threshold based solely on web traffic.

  • What is required to comply?

- Privacy Notices. You must provide specific notices to CA residents (including to your CA-based employees and job applicants). This requires you to update your website privacy policy and create new notices for employees and job applicants.

- User Rights. CA residents have certain rights regarding their personal information that you must honor, including:

  • Opt-Out: The right to prevent you from selling their personal information. (Note that “sell” is broadly defined; you may be “selling” personal information if you make it available to anyone in any way and get any direct or indirect benefit from doing so, even if there is no monetary compensation involved.)
  • Access: The right to receive access to the specific personal information that you have collected about them.
  • Erasure: The right to require that you delete personal information that you have collected about them.

- Data Security. You must use reasonable security measures when processing personal information. Security breaches carry increased liability, including the potential for class actions and regulatory fines.

- Commercial Agreements. You should update agreements with your service providers and customers to ensure that personal information is shared in accordance with CCPA requirements.

Current Updates and Latest Attorney General Regulations

  • What is the latest update on the California Attorney General’s proposed regulations?

- On March 11, 2020, the California AG (CA AG) published its second set of modifications to the proposed regulations implementing the CCPA. The initial draft regulations were published on October 11, 2019, with the first modifications published on February 10, 2020. The latest update of the implementing regulations added a number of important changes, including the following:

  • Service Providers Can Use Personal Information for Limited Internal Purposes. The new regulations allow service providers to use personal information obtained in the course of providing services for a business in order to build or improve the quality of its services, provided that it may not build customer profiles to provide services to another business, or correct or augment data acquired from another source. This is consistent with common industry practice of enterprise businesses authorizing service providers to use personal information internally to improve the services they provide (including for feature optimization, troubleshooting bugs, or training algorithms that benefit all customers).
  • Notice Requirement Relaxed if Personal Information Not Collected Directly from the Consumer. The new regulations clarified that if a business does not collect personal information directly from a consumer, it does not need to provide a “notice at collection” to the consumer provided it does not sell the consumer’s personal information.
  • IP Addresses Are Personal Information. The new regulations affirmed that IP addresses are personal information, regardless of whether a company can link them to an individual or a household. This means that companies that otherwise wouldn’t be subject to the CCPA may now be subject to it as a result of collecting IP addresses from 50,000 or more website visitors.

  • What is the status of the private right of action?

- The CCPA expressly provides a private right of action for California consumers solely in the event of a data breach arising out of a company’s failure to maintain reasonable security measures. Impacted California consumers can seek statutory or actual damages.

- While the level of security measures depends on the risk of the personal information held, at minimum, companies should follow the 20 CIS Controls published by the Center for Internet Security, as these have been endorsed by the CA AG as evidence of reasonable security.

- The CCPA limits its private right of action to security breaches (with other violations, including violations of the notice, collection, and use obligations only enforceable by the CA AG). However, a putative class action was filed in late February 2020 against Clearview AI (Burke et al. v. Clearview AI, Inc., et al., 20-CV-0370-BAS-MSB (S.D. Cal. Feb. 27, 2020)), asserting a violation of the CCPA’s notice obligations as the basis for a claim under California’s Unfair Competition Law (UCL). While it is unclear whether this cause of action will succeed, the case demonstrates that at this time companies may face litigation risk (and associated costs) outside the expressly stated private right of action for data breaches, unless and until courts expressly reject the UCL basis for a CCPA violation as standing for a direct claim. As a consequence, companies should not delay implementing a CCPA compliance program, and should ensure that they have rolled out all required public-facing notices under the CCPA.

  • Is there still a cure period for violations?

- Yes. Companies will have 30 days to correct any noncompliance.

- Note that while the cure period technically also applies to data breaches, it is rarely possible to effectively cure the issues caused in a breach.

  • What is the current status of employees and job applicants under the CCPA?

- An amendment to the CCPA signed on October 11, 2019 (Assembly Bill 25) postponed the application of the CCPA’s obligations with respect to CA employee data until January 1, 2021, except for the obligation to (1) provide employees and job applicants with the required disclosures under the CCPA, and (2) have reasonable security measures in place to protect the employee data, both of which are in effect as of January 1, 2020. As a result, employees and job applicants may have a private right of action under the CCPA in the event of a data breach that is due to their employer’s failure to have in place reasonable security measures.

- Companies should provide CA employees and job applicants with a privacy notice covering the required CCPA disclosures. This includes posting a job applicant privacy notice on the “careers” page of a company’s website where personal information (including resumes) of job applicants is collected. Your Gunderson attorney can provide you with a form notice and help you customize it for your business.

  • What is the current status of the B2B moratorium?

- The B2B moratorium, a result of Assembly Bill 1355 which was passed by the CA legislature in September 2019, delays enforcement of the CCPA’s obligations to provide notice and transparency, and to grant access and deletion rights, with respect to personal information of a California resident acting for another entity in the context of B2B transactions. It does not delay the application of the right to opt out of the sale of personal information or the non-discrimination right. It is important to note that the moratorium only applies to information obtained in the transactional context, for example in the course of completing sales, providing or receiving products or services, conducting due diligence, entering into contracts, or providing support to an entity. It does not apply to marketing communications not initiated by the other entity, or cold calling.

  • What is next for the CCPA?

- Enforcement by the CA AG starts on July 1, 2020. We expect to see a final version of the CA AG’s implementing regulations before such date, but we don’t expect any further major changes to the regulations. There have already been a number of lawsuits filed under the CCPA, and we expect to see more class actions as data breaches occur. We recommend that you connect with your Gunderson attorney to discuss your potential CCPA exposure and plan for compliance.

  • How can Gunderson help you?

- We have developed a set of forms and other materials to assist companies who are interested in developing their own CCPA compliance program, and we work closely with companies who prefer a comprehensive review and greater assistance. Over the next few months we will distribute a series of topic-specific client updates together with forms and other materials.

- We are also available to provide remote training sessions for your employees on the CCPA and other data privacy laws (including the GDPR and the NY SHIELD Act). Recent training sessions we have provided to companies include: updates on the CCPA and GDPR (including recent enforcement actions), how to implement and manage vendor contracts under the CCPA and GDPR, and steps to take to ensure CCPA compliance with respect to employees and job applicants. We are also happy to customize training sessions according to your company’s specific needs or risks. Please contact your Gunderson attorney if you would like to discuss setting up a remote training session for your team.