CCPA Questions Answers by an Experienced Data Privacy Lawyer
The California Consumer Privacy Act (CCPA) went live on January 1, 2020, and companies have until July 1 of this year to comply before enforcement begins. Data privacy, and compliance with data privacy regulations, is an ongoing process, and one that requires constant iteration and learning. To help companies better understand the nuances of CCPA, Axiom co-hosted a webinar entitled “Cramming for CCPA” with Above the Law in late 2019. In this post, Axiom lawyer and webinar panelist Sue Gomez, who is an expert in data privacy in addition to being a lawyer, responded to questions from participants. We’re sharing her responses here, to help companies that are still working to comply with CCPA to make decisions about where and how to invest their legal and data privacy resources.
What’s the best approach to getting ready for CCPA?
Sue Gomez: Under CCPA, a California-covered business needs to know what personal information it collected from California consumers, the purpose of that information, which categories of personal information were sold, and which categories were disclosed for a business purpose. [See Calif. Civil Code §1798.100(b)]. They must be able to respond to a verifiable consumer request to opt out of sales of the personal information, provide access, and correct or delete the personal information collected over the past 12 months in a portable format within 45 days.
In short, getting ready for CCPA is a monumental task even for those businesses fully compliant with GDPR. However, even though the law is now live, this is not the time to panic. Businesses should focus on the big picture, then take on the nuanced details one step at a time, establishing a record of good-faith compliance efforts and plans. Here are some practical steps:
Data Inventory: Create a personal inventory or data map to understand how your company collects, shares, and uses personal information; the purposes for and the parties with whom they share it; how it is retained and disposed of; and security measures in place.
Update privacy policies/statements and real-time notices: Take special care as to what’s stated in privacy statements and responses to consumer requests. A company’s misstatements could lead to potential exposure, not only under the CCPA but also under other consumer-friendly statutes, like §§17200, 17500, and data breach statutes.
Process for handling consumer requests: Set up and test the “Do Not Sell My Personal Information” button on your homepage, as well as any webpage where personal information is collected, to allow consumers to opt out the sale, as well as to submit requests associated with the other consumer rights under CCPA.
Coordinate cross-functionally within your company and with service providers, to ensure that once exercised, the consumer’s requests are honored and their data is no longer used within the organization. Also ensure the operationalized implementations of CCPA are followed to the letter and spirit of the regulation and in accordance with your notices and promises. This will take significant buy-in and coordination with legal, privacy, information technology, security, and business operations functions, as well as across service providers and vendors.
Data Security: Review data security policies and procedures (maintaining Attorney-Client Privilege where possible) to be sure they comply with standards set forth for “reasonable security measures appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.” Check against the 20 minimal controls in the Center for Internet Security’s Critical Security Controls (the “CIS 20 Controls”), which are generally seen to set the minimal standard for reasonable security, and include:
- Written information security program
- Governance
- Ongoing risk assessment and management
- Employee training
- Vendor management
- Incident response plan
Vendors: Identify your vendors and other third parties with whom personal information is shared:
- Review existing contracts, making sure they limit what a service provider can do with your personal information
- Consider what methods may be needed to continue to receive and share information that is subject to a DNS request
Does the Private Right of Action include attorneys’ fees?
Sue Gomez: Under CCPA, a private litigant may be entitled to recover statutory damages for a data breach of its unencrypted or unredacted personal information attributable to failure of the company to maintain adequate and reasonable security, of not less than $100 or greater than $750 per incident (or actual damages, whichever is greater), as well as injunctive relief or declaratory relief and other relief the court deems proper [Calif. Civ Code §1798.150].
What that will mean will be up to the courts, as the law came into effect on January 1, 2020. As of this time, the draft regulations promulgated by the California Attorney General in October 2019 do not expressly include recovery of attorneys’ fees. However, it is important not to discount the impact that statutory damages may have on the ability of the private or class litigants to proceed, in that CCPA goes beyond California’s current data breach law [Calif. Civ Code §1798.84(b)], by giving litigants the ability to recover statutory damages without having to prove individual harm.
Also considering that CCPA requires a consumer seeking damages to provide a 30-day notice and cure period to the company, if the company responds in writing stating the breach has been cured and promises no further violations, then no action may proceed. As of this time, the definition or standards for “cure” is unclear, but it may take on a similar approach to other consumer protection acts such as California’s Consumer Legal Remedies Act (CLRA) [Calif Civil Code §1750 et seq], which covers unfair and deceptive acts related to sale of goods. Courts have interpreted offers to pay for damages, including attorneys’ fees, resulting from alleged CLRA violations as a sufficient cure. Companies facing CCPA notices may also need to do the same, along with offering to pay the cost of free data monitoring services.
How does the obligation to register as a data broker change a company’s practices?
Sue Gomez: The Data Broker Registration Requirement AB 1202 obligates businesses that knowingly collect and sell personal information, without a direct relationship with the consumer, to register with the Attorney General on or before January 31 following each year in which a business meets the definition of data broker, and to pay a fee. This means disclosing their name and any additional information or explanation the data broker chooses to provide concerning its data collection practices.
The purpose of the registration is to permit consumers to locate a business’ website that they may not otherwise been aware of, and to opt out of “sales,” which under the CCPA are defined quite broadly. Data brokers need to be prepared to receive and respond to consumer requests promptly, and to maintain records of the consumer requests and how they handled them. Data brokers that fail to register will be subject to injunction and liability for civil penalties, fees, and costs in an action brought by the Attorney General, with any recovery deposited in Consumer Privacy Fund set up by the law.
Class actions under CCPA?
Sue Gomez: CCPA removes traditional impediments to class action or other litigants who previously had to prove harm to have standing, provable damages unless willful or reckless – which is not an easy task, and leads to class action litigations often failing or settling. The private right of action under CCPA [Calif. Civ Code §1798.150(a)(1)], with its limited private right of action for “unauthorized access and exfiltration, theft, or disclosure of a consumer’s unencrypted or nonredacted personal information,” is expected to change this dramatically with damages verdicts that could rise significantly as a result of breach notifications required by California data breach laws.
Note that a savings clause in the CCPA requires a consumer seeking damages to provide 30 days' written notice identifying the specific CCPA violation. If a cure is possible, and the business actually cures the violation within 30 days and provides an express written statement of the actions to cure, and assures no further violations will occur, a potential litigant would not be able to pursue statutory damages, but still could seek actual pecuniary damages suffered as a result of the alleged violations.
Businesses trying to limit their liability should carefully consider whether (and how) to include an effective class action waiver in their privacy notices. The CCPA currently has a prohibition on any contract terms or class action waivers that would limit a consumer’s CCPA rights, but that may run into preemption under the Federal Arbitration Act. It’s also possible that the attempt to include waivers could run afoul of California’s other consumer protection statutes (such as §17200) and be deemed an unfair trade practice.
Does “sell” include transfer within a company and with third-party vendors for use in the organization?
Sue Gomez: Under CCPA, covered businesses must enable consumers to opt out of data “sales” of personal information to third parties. It is not considered a sale when a business shares personal information with a service provider that is necessary and proportional to perform business purposes, but only if 1) the business is provided notice of that information being used or shared in its terms and conditions consistent with [Calif. Civ Code §1798.135, and 2)] the service provider does not further collect, sell, or use the personal information of the consumer, except as necessary to perform the business purpose.
Note that a “service provider” is defined specifically in the CCPA as an entity that processes personal information on behalf of a business for a business purpose. See notes below on vendor agreements. If a service provider does not limit such activities to what is necessary, then the transfer will be considered a sale of personal information and subject to the right to opt out, or to request for deletion when a consumer submits such a request. Calif Civ Code §1798.105.
On the other hand, a “third party” as defined may not qualify for the same liability protection, and may be defined differently from a service provider. Businesses are advised to take steps to assure that all of their vendors qualify as service providers and, if needed, get written certification that the recipient of the data understands and agrees to the restrictions that apply (such as restrictions on selling the personal information and on retaining, using, or disclosing the personal information for any other purpose than performing the service), and cannot go outside the direct business relationship between recipient and the business.
Do vendor agreements need to be revised and how?
Sue Gomez: Yes, covered businesses should conduct due diligence on a case-by-case basis as to whether to seek relief from a “sale” under CCPA for disclosures to a “service provider.” This due diligence should include review under the existing contractual terms, and may require modifications to underlying agreements and obligations of the parties. This means that you should check for instances where a vendor has rights to use the data it processes for its own purposes, such as exchange with advertising agencies with respect to cookies or other tags placed on users of the site, or for “performing analytics.” In those cases, you should look for ways to amend the uses to de-identified data only used for data analytics on “behalf of the business.”
What you should look for includes language establishing that the service provider is a legal entity organized for profit that processes personal information (broadly defined by CCPA) on behalf of the covered business (and the business discloses such data) for a business purpose pursuant to a written contract that prohibits an entity from retaining, using, or disclosing the personal information for any purpose (including commercial purposes), except to perform the services specified in the contract.
The contract should also track the requirement that a service provider delete a consumer’s personal information from their records following a verifiable consumer request, and as such needs a mechanism to receive and handle such requests and be prepared to independently assess whether they are required to delete the personal information of a California resident after a consumer submits a right to delete, which must be done by the business or the service provider. Service providers and businesses need to determine how they will coordinate in handling these requests.
Can my service provider be liable?
Sue Gomez: Yes. Said another way, businesses that disclose information to a service provider are not liable for the acts of the service provider, unless the business has actual knowledge or reason to believe, at the time of disclosing the personal information, that the service provider intends to commit a violation of CCPA. Similarly, service providers are not liable for the obligations of a business under the law. [Calif Civ Code §1798.140 (w)(2)(B)].
But note that CCPA defines a “service provider” very specifically as a legal entity that processes personal information on behalf of a business, pursuant to a written contract for a business purpose. Businesses may use service providers and share personal information with them; and it is not considered a sale if the sharing of personal information is necessary to perform a business purpose; the business has provided notice that the information is being used or shared; and the service provider does not further collect, sell, or use the personal information of the consumer, except as reasonably necessary and proportionate to perform the business purpose to achieve the operational purpose for which the information was collected.
“Business purposes” include things like: performing services such as customer service, order fulfillment, payment processing, advertising or marketing, analytics and similar services, detecting security incidents and protecting against fraud debugging errors that impair intended functionality, internal research for technological development, quality control activities, and other limited uses provided it is not used to build a profile of the consumer.
What to do:
1) Check or enter into a written contract for a business purpose authorized by CCPA
2) Provide notice to consumers in its terms and conditions consistent with the regulations, specifically Calif. Civ Code §1798.135
3) Stop disclosing personal information if the business has actual knowledge, or reason to believe, that the service provider intends to commit a violation of the CCPA
Is it a best practice to appoint a Chief Privacy Officer?
Sue Gomez: One need only look to the recent Facebook consent decree (Facebook, Inc., In the Matter of, Civil Action Number: 19-cv-2184 dated July 24, 2019) to see why the answer is yes. In this, the Federal Trade Commission (FTC) essentially sets forth a best practice for the industry to have a risk-based security program, in addition to appointing a Chief Privacy Officer (CPO) to document the privacy program, perform risk assessments, review incidents, and the like.
Going a step further, the Facebook decree mandates that the company establish an independent Board committee to oversee the state of compliance (privacy and security) with the order and handle material risks, as well as to review quarterly and yearly management updates as evidence of its accountability related to data protection privacy and practices and procedures reasonably relevant to the company’s risk level. These independent directors, as well as privacy oversight management (presumably the CPO), must have relevant privacy and security program experience to perform these tasks and this oversight appropriately.
This decree can be seen as a call to all Boards to think about their philosophy about data protection and their privacy profile, and an opportunity for the more enlightened companies to evaluate and educate themselves on how their company is using (and monetizing as applicable) this valuable information. As often is the case with large-scale FTC and other regulatory body actions, decrees, and findings, the best companies will see this an opportunity, before trouble hits, to adopt these measures proactively and show how they’re responding to the consumers, the industry, and regulators by being responsible and thoughtful when it comes to personal information and data security.
As such, these Board-level discussions and actions, including requiring management appointment of a CPO with significant stature, resources, authority, and autonomy within the company and dotted-line reporting authority to the Board — similar to the Chief Compliance Officer – to effectuate a solid accountable program, will go a long way to establish the “tone from the top” messaging related to data privacy and security, consistent with company values and responsibilities, that is adopted and supported throughout all levels of the organization.
What are the cookie rules under CCPA?
Sue Gomez: Cookies fall into the category of “unique identifiers” or “unique personal identifiers” within the definition of “personal information” (see below) as it relates to the “consumer,” and therefore are treated as all other broad categories of personal information under the CCPA. This means cookies, like any other type of personal information that a business has on a consumer, are subject to disclosure, rules of sale opt-out, deletion, reasonable security, etc., as well as exceptions and exemptions.
[Calif. Civ Code §1798.140 et.seq.] “Personal Information” is information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, to a particular consumer or household; where a “consumer” means a natural person who is a California resident, however identified, including by unique identifier or unique personal identifier, which means a persistent identifier that can be used to recognize a consumer, a family, or a device that is linked to a consumer or family over time and across different service, including but not limited to a device identifier, IP address, cookies, beacons, pixel tags, mobile ad identifiers or similar technology, customer number, unique pseudonym or user alias, telephone numbers, or other forms of persistent or probabilistic identifiers that can be used to identify a particular consumer or device; where a “probabilistic identifier” means the identification of a consumer or a device to a degree of certainty or more probably than not, based on any categories of personal information including in, or similar to, the categories enumerated in the definition of personal information.
What do you make of Microsoft’s announcement to apply CCPA to all US consumers?
Sue Gomez: While some companies will narrowly interpret CCPA or even geofence their online presence in California to prevent overexposure, there is nothing in the regulations to prevent a company from making a bold statement about its commitment to privacy by applying the law across all US states (and at the same time simplify the need to verify California residency and deal with the ambiguities in the law as to who is entitled to the benefit of CCPA).
Decisions like this will be made at the highest levels of the organization (see above comments on CPO), and may make the utmost business sense for companies that can absorb the administrative burdens and risk, and that believe it offers a strong statement of value. There are at least 15 other states have been toying regulations similar to CCPA, and certainly the General Data Protection Regulation (GDPR) out of Europe tells us there is a groundswell of interest and concern over data protection and privacy and security, as our lives are increasingly spent online. Companies need to examine what they stand for related to privacy, what their customers and the public expect, and to be mindful about what they’re doing with the valuable asset of consumer data.
What is the 12-month look back?
Sue Gomez: The “12-month look back” refers to an obligation effective January 1, 2020, to provide access to the personal information collected over the past 12 months (which means, for a request received on January 1, 2020, looking back to January 1, 2019) in a portable format within 45 days in response to a “verifiable consumer request.” These obligations are effective January 1, 2020, despite that the California Attorney General’s delay in publishing final regulations and delay in enforcement to the earlier of either July 1, 2020, or six months from publication of the final regulations.
Axiom lawyers like Sue Gomez have helped companies build, strengthen, and scale their privacy programs. As the deadline for CCPA enforcement approaches, now is the time to begin or accelerate your privacy planning, implementation, and training. If you need expert privacy help and greater capacity to meet the July 1 deadline, Axiom can help you find the right lawyer for your needs. Get in touch.
The above is intended to provide insights into the Q&A raised by the audience during the Above the Law “Cramming for CCPA” webinar, and is not intended as legal advice or the basis for creation of an attorney-client relationship. Axiom provides flexible legal talent to help meet businesses’ ever-changing needs. Axiom is not a law firm and does not provide legal services or legal advice.