Data privacy issues dominate the headlines with an increasing number of states enacting or proposing new data privacy regulations that will require enterprises to drill down on how they collect, maintain and share their customers’ data. While it may seem like a daunting task, enterprises’ experience in achieving compliance with the California Consumer Privacy Act (CCPA) demonstrates that the process is manageable but requires ongoing attention. More importantly, it has forced enterprises to rethink the types of personal information they collect and share, and the policies and procedures they implement to safeguard that data.
The CCPA is arguably the most comprehensive consumer-focused data privacy regulation enacted so far in the United States. While the federal government has enacted data privacy regulations that apply to certain industries, and states have similarly focused on key industries that collect sensitive personal information, the CCPA, effective January 1, 2020, mandates far-reaching requirements that apply to a multitude of industries. Determining whether an enterprise is required to comply with the CCPA is the first step.
Generally speaking, an enterprise must comply with the CCPA if: (1) it is a for-profit entity with over $25 million in gross revenues that conducts business in the state of California and collects the personal information of California residents; or, (2) it annually buys, receives for the enterprise’s commercial purposes, sells, or shares for commercial purposes the personal information of 50,000 or more California residents, households, or devices; or, (3) it derives 50 percent or more of its annual revenue from selling California residents’ personal information. While various exemptions to compliance exist, they are narrow and do not cover all uses of personal information from California residents, households, or devices.
For enterprises that are obligated to comply with the CCPA, the next step is developing a narrative that details the many ways that the organization collects data from California residents. Once that is completed, the categories of information collected need to be analyzed to determine why that information is being collected, who the information is shared with outside of the organization and the purposes for which the information is being shared.
After the data collection narrative has been started, efforts shift to identifying what disclosures need to be made in the enterprise’s privacy policy. For example, those enterprises that sell California customers’ personal information must post a “clear and conspicuous link” or button on their website’s home page titled “Do Not Sell My Personal Information,” describe the right to opt out and include a link to the “Do Not Sell My Personal Information” page in their privacy policy. Of course, this is one of the easier steps to accomplish.
The CCPA also mandates what information needs to be included in the enterprise’s privacy policy. For example, you must disclose the rights afforded to consumers under the CCPA and a list of the categories of personal information you have collected about California residents in the preceding 12 months and provide instructions on how a consumer can submit a verifiable request. While this is not an exhaustive list, these tasks and others require extensive analysis and input from different departments within an organization along with outside consultants.
The regulation of the collection of personal information from minors is also a key feature of the CCPA. Enterprises are prohibited from selling the personal information of consumers between the ages of 13 and 16 without first obtaining affirmative opt-in consent from the consumer, and where the consumer is under the age of 13, from a parent or guardian.
We anticipate that the failure to comply with this requirement will generate significant enforcement proceedings brought by the California Attorney General, who is tasked with enforcement of the CCPA.
After these initial compliance efforts are addressed, organizations must also (1) provide training for certain employees concerning the CCPA’s prescribed consumer rights, (2) review and revise existing vendor agreements to ensure that contracts limit the vendor’s use of personal information as strictly as the CCPA prescribes, and (3) create and maintain a robust incident response plan. While enforcement is not expected to commence until July 1, 2020, enterprises that have not taken steps to become CCPA compliant face stiff statutory penalties.
The availability of new statutory damages and civil penalties pursuant to the CCPA underscores the need for a thoughtful and comprehensive approach to cybersecurity and pre-breach planning, because the act will lead to a spike in the damages sought in data breach-related litigation involving California residents.
Recently, a data breach class-action lawsuit was filed that references the CCPA. The CCPA permits each consumer who can establish a violation of certain provisions of the CCPA to seek damages of up to $750, or actual damages, whichever is greater. As the CCPA hangs over enterprises, it remains to be seen whether it will have a measurable effect on the defense and prosecution of data breach lawsuits and resulting settlements.
On Feb. 3, 2020, the complaint in Barnes v. Hanna Andersson, LLC et al. (N.D. Cal., No. 20-cv-00812), was filed in the United States District Court for the Northern District of California, San Francisco Division, against children’s clothing company Hanna Andersson, LLC and Salesforce.com, Inc. (collectively “defendants”). The complaint alleges, among other things, negligence arising out of a data breach resulting in the loss of customers’ names, billing and shipping addresses, payment card numbers, CVV codes and credit card expiration dates.
The complaint is notable because it alleges that the defendants failed to adequately protect user data as required by the CCPA, specifically Cal. Civ. Code Section 1798.81.5, and that the defendants failed to safeguard their platforms or provide cybersecurity warnings. The CCPA provides that enterprises “shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.”
While the complaint seeks a declaratory judgment that the defendants’ existing security measures do not comply with their duties of care to provide reasonable security procedures, the complaint does not yet seek statutory damages under the CCPA. However, the plaintiff reserves the right to amend the complaint to seek such damages.
The CCPA provides that in the event of a data breach, “any consumer whose nonencrypted and nonredacted personal information … is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action” and permits consumers to seek damages of no less than $100 and up to $750 per consumer per incident, or actual damages, whichever is greater.
If the plaintiff can establish that the defendants’ security procedures and practices were not reasonable, the plaintiff will likely amend the complaint to seek statutory damages. Whether CCPA statutory damages are ever awarded in the case remains to be seen, but the potential availability of such damages will likely factor into the plaintiff’s settlement negotiations.
The CCPA’s implicit goal is to have enterprises re-evaluate the categories of information they collect from California residents so as to minimize the risk of loss of that personal information. This conclusion is supported by the statutory damages that are now available to data-breach class action plaintiffs if they establish that an enterprise failed to maintain reasonable cybersecurity procedures and practices. In the end, the CCPA reveals its true nature as a data security regulation, adding more pressure to an organization’s cybersecurity experts to adopt “reasonable security procedures and practices” and make sure they evolve as new cyber risks emerge.