Tag Archives: ccpa

Calling All California Employers – Are You CCPA Compliant?

The California Consumer Privacy Act (CCPA) went into effect January 1, 2020. Many California employers have improperly ignored its application to their businesses. While most employee rights were carved out of the CCPA’s application until January 2, 2021, there are still key requirements under the CCPA that employers of California residents must abide by starting January 1, 2020.

Does the CCPA Apply to Your Business?

The CCPA generally will apply to any for-profit company that does business in California, collects the personal information of California residents (including employees residing in California) and either (1) has at least $25 million in annual gross revenues; (2) buys, sells, shares or receives information from at least 50,000 California consumers; or (3) derives at least 50% of its annual revenue from selling California personal information.

If your business satisfies one of the thresholds, then having California employees is enough to trigger compliance requirements under the CCPA.

Compliance Required Today With Respect to California Employees

Effective January 1, 2020, all businesses that satisfy the threshold requirements under the CCPA are required to provide initial privacy notices to their California resident employees.

In addition to the initial notice requirements, California employers should be aware that a data breach of HR data stemming from a lack of reasonable protections could be the trigger for a class action lawsuit. It is important for employers to scrutinize information security policies, properly manage all third party service providers who have access to HR data and update internal and external privacy policies to ensure compliance under the CCPA.

Risks of Noncompliance

The CCPA is enforceable by both the California Attorney General and through limited private rights of action (specific to claims with respect to data breaches). Enforcement of the CCPA will begin by the California Attorney General six months after the publication of final regulations or July 1, 2020, whichever is sooner. Fines can run from $2,500-$7,500 per incident (for example, a violation involving 10,000 California consumers could result in fines of $25 million to $75 million).

Share Button

California Attorney General Issues Draft CCPA Regulations – Has The Playing Field Changed?

The California Attorney General (AG) has issued the long-awaited draft regulations for the California Consumer Privacy Act (CCPA), which regulations will be officially filed on October 11, 2019. The AG stated that July 1, 2020 is the expected effective date of final regulations and enforcement. This is not to be interpreted as a safe harbor, but simply an enforcement delay. The public may submit written comments to the proposed regulations prior to December 6, 2019 at 5:00pm. The CCPA is effective on January 1, 2020.

Below are highlights of the key take-aways from the proposed regulations:

Disclosure. The regulations provide a clear emphasis on transparency and set forth format and content requirements for disclosures and privacy notices.

Requests. The regulations include additional parameters on the procedures for receiving and responding to consumer requests, including guidance on timing and reasonings for denying requests. The regulations also provide detailed guidance on how to verify the identity of a requesting consumer.

Training and Record Retention. The regulations reinforce and add guidance to the CCPA-specific training requirements and add new record retention requirements for consumer requests.

To learn more about whether the CCPA applies to your business and how McGrath North attorneys can assist in implementing an efficient and cost-effective compliance plan, contact McGrath North’s data privacy attorneys.

Share Button

CCPA Amendments – Do The Delays Affect You?

The California Consumer Privacy Act (CCPA) will go into effect on January 1, 2020. In September, the California legislature passed a handful of amendments that may have large impacts on your business’s overall plan for compliance with the CCPA. The Governor of California has until October 13, 2019 to sign the amendments into law or veto the bills.

The CCPA is a sweeping piece of legislation designed to provide California residents with control over how their personal information is used and shared by businesses “doing business in California”. Businesses who are subject to the CCPA requirements must implement procedures for and facilitate consumer data requests, update their privacy policies and flow-down compliance obligations to their vendors. To determine whether the CCPA applies to you and your business, refer to Tackling the California Market Article.

Employee Data – AB-25. Ultimately, the CCPA will apply to employee data. However, AB 25 has sun-setted the application of most of the CCPA’s key provisions with respect to personal information that is collected about employees. As of January 1, 2020, businesses will have to provide employees notice about what categories of information the business collects and the purpose for collection, but businesses will not need to offer employees opt-out, access, and deletion rights until January 1, 2021. California resident employees will still be entitled to bring a private right of action under the CCPA with respect to a data breach.

Business to Business Data – AB 1355. AB 1355 added new Section 1798.145(l) which provides that certain obligations under the CCPA do not apply to personal information collected during business to business communications until January 1, 2021 when new Section 1798.145(l) would become inoperative. The year-long exemption would apply to “personal information reflecting written or verbal communication or a transaction between the business and the consumer, where the consumer is a natural person who is acting as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency and whose communications or transactions with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from such company, partnership, sole proprietorship, nonprofit, or government agency.” Effective January 1, 2020, B2B customer personnel will still have the right to opt-out of their information being sold and be entitled to bring a private right of action under the CCPA with respect to a data breach.

To learn more about all of the CCPA amendments and how McGrath North data privacy experts can assist you in preparing a comprehensive, tailored and practical CCPA compliance plan, contact one of our privacy experts.

Share Button

CCPA Doesn’t Apply To Financial Institutions? Think Again – Big Impacts On Banks Privacy Operations

Financial Institutions have always banked their privacy practices on the requirements under Title V of the Gramm-Leach-Bliley Act (GLBA) and its implementing regulations. That day is now over! The California Consumer Privacy Act (CCPA) is sweeping in and changing the financial privacy landscape. Many had hoped the CCPA would have an all-inclusive exemption for financial instructions already subject to compliance under GLBA; however, the California legislature has made clear that CCPA’s application will apply to portions of data held by financial institutions.

Scope of Financial Institution Exemption

CCPA exempts certain types of information that are subject to GLBA. The impact for financial institutions – all of the personal information collected today that is not subject to GLBA will be subject to CCPA (to the extent the financial institution is subject to CCPA). This includes the following information: personal information collected through general advertising and website marketing; personal information obtained from non-financial institution partners; and personal information obtained for commercial (non-personal or household) purposes.

A financial institution will be subject to CCPA if it does business in California and either (1) has at least $25 million in annual gross revenues; (2) buys, sells, shares or receives information from at least 50,000 California consumers; or (3) derives at least 50% of its annual revenue from selling California personal information.

Financial Institution Data Likely Subject to CCPA

The initial action financial institutions should take is to perform an internal data mapping exercise. Once the financial institution has determined what personal information it collects that is not subject to GLBA, the financial institution can prepare a practical and efficient CCPA compliance plan for all “non-GLBA” information.

Learn More.

As you are formulating a plan to comply with CCPA, our experienced privacy team is ready to partner with you in determining the most practical approach that minimizes disruptions to your already existing GLBA obligations. Here is a link for more information about our team: Privacy Team

Want to learn more about CCPA, click here to read Tackling The California Market From The Midwest? What A Business Needs To Know About The California Consumer Privacy Act (CCPA)

Share Button

Tackling The California Market From The Midwest? What A Business Needs To Know About The California Consumer Privacy Act (CCPA)

The data privacy regime is starting to look like more of the wild west every day. A year after companies had to focus resources on complying with Europe’s onerous requirements under the General Data Protection Regulations (GDPR), companies must once again gear-up for the first round of U.S. state efforts to tighten up data privacy rules with California’s new California Consumer Privacy Act (CCPA), which comes into effect on January 1, 2020. Whether you were able to ignore GDPR or not, CCPA sets the data privacy bar higher for most U.S. based companies.

DOES CCPA APPLY TO YOUR COMPANY?

CCPA generally will apply to any for-profit company that does business in California; and, either (1) has at least $25 million in annual gross revenues; (2) buys, sells, shares or receives information from at least 50,000 California consumers; or (3) derives at least 50% of its annual revenue from selling California personal information.

COMPLIANCE WITH GDPR DOES NOT EQUAL COMPLIANCE WITH CCPA.

While many aspects of CCPA read similar to the regulations you may have become familiar with under GDPR, there are clear differences. Like GDPR, CCPA will require companies to carefully craft specific language in their website privacy policy, including providing certain rights to California consumers, such as the right to request what personal information has been collected, the right to request that information is deleted, and the right to access information.

CCPA also includes specific disclosure requirements with respect to the “sale” of California consumer personal information and specific disclosure requirements with respect to personal information of minors. As part of the “sale” disclosures, many companies will need to add a new website opt-out option labeled “Do Not Sell My Personal Information.”

RISKS OF NONCOMPLIANCE.

CCPA is enforceable by both the California Attorney General and through limited private rights of action (specific to claims with respect to data breaches). Enforcement of CCPA will begin by the California Attorney General 6 months after the publication of final regulations or July 1, 2020, whichever is sooner. Fines can run from $2,500-$7,500 per incident (for example, a violation involving 10,000 California consumers could result in fines of $25 million to $75 million).

EXEMPTIONS – GLBA AND HIPPA.

There are specific exemptions with respect to certain types of data under CCPA. If you are a financial institution subject to Gramm-Leach-Bliley Act (GLBA) or a covered entity subject to HIPPA, certain data collected will be exempt. However, financial institutions and covered entities are still subject to CCPA with respect to data not subject to GLBA (non-NPPI) or HIPPA protection (i.e. non-PHI). It is important for companies to understand the interplay between all privacy regulations and set forth a data privacy compliance program that complies with all applicable laws.

WHERE TO START.

Analyzing the application of data privacy regulations can be daunting. McGrath North recommends companies start with data mapping to determine what information is collected, where the information is collected from, and what a company does with the information (including a list of third-parties that the information is later shared with). From here, companies can start to formulate well-thought-out compliance programs that allow them to comply with applicable data privacy laws while maintaining efficient and effective operations.

With a heightened national focus on data privacy and security, these burdensome and sometimes difficult to manage regulations are not going away. Whether you put in place a compliance program to satisfy the requirements of GDPR or not, CCPA and other U.S. state-based data privacy laws will impact almost all nationally operating entities.

McGrath North has data privacy experts to help you work through the weeds of the regulations and to partner with you to determine the most practical and efficient way for your company to implement privacy policies and procedures to ensure compliance. Here is a link for more information on our team: Privacy Team

Click here to read GDPR ONE YEAR LATER: HAS YOUR COMPANY SORTED THROUGH THE CONFUSION AND RISKS – WHAT U.S. COMPANIES NEED TO REMEMBER.

Share Button

Lurking in the Shadows – Is Your Business Affected By The California Consumer Privacy Act?

Unless you have been paying attention to data privacy news, you may not realize that January 1, 2020, is the implementation date of the California Consumer Protection Act (CCPA) and that July 1, 2020, is the current deadline for the California Attorney General to implement regulations under CCPA.  As currently drafted, the CCPA directs the California Attorney General to forego bringing any enforcement action under the CCPA until six months after publication of such final regulations, or July 1, 2020, whichever is sooner.

The CCPA constitutes an expansion beyond California’s existing privacy laws and various provisions of the new law will apply to all businesses that do business in California:

  • With annual gross revenue greater than $25 million (not just in California),
  • That obtain or share for commercial purposes the personal information of 50,000 or more California residents, households or devices, or
  • That get 50% or more of their revenue from selling or sharing the personal information of California residents. 

Many non-California based businesses may be surprised to learn that they fall within the scope of the CCPA. 

The CCPA was passed quickly to avoid a similar voter initiative ballot measure, and as a result has numerous ambiguities and apparent inconsistencies. The law was amended on September 23, 2018, and it is very likely that the law will be changed again by amendment, and clarified through final rules and regulations, before it comes into effect on January 1, 2020.

In the meantime, it is useful to look at what the law, in its current form, will require. From a practical perspective, for businesses already following California’s existing privacy laws, some of the main differences under the new law will be: (1) allowing California residents to opt out of the sale of their personal information to third parties, (2) getting opt in consent before selling the personal information of California residents under the age of 16, (3) advising California residents, upon request and in privacy notices, what personal information the business has collected about them, how it was collected, why, and if it has been shared or sold, (4) the introduction of personal information “portability” and deletion requirements for businesses that maintain covered personal information; and (5) having a privacy policy that includes both online and offline personal information collection. 

Note that at this point, the application of the CCPA to employee data remains an open question. On its face, the CCPA appears to apply only to California “consumers.” However, the CCPA’s definition of consumer (a California resident) combined with California’s longstanding practice of protecting individual privacy rights, suggests that the CCPA also may extend to the personal information of California residents maintained as part of an employment relationship. If so, the CCPA would apply to residents of California who are job applicants, full or part time employees, temporary workers, interns, volunteers, independent contractors, and even such persons’ dependents or beneficiaries.

While the CCPA will almost certainly change again before it comes into effect on January 1, 2020, businesses may want to begin thinking now about some of the core new provisions in that law, in particular, how the business will respond to consumers’ requests for information about their personal information held by the business and such consumers’ requests to delete their personal information held by the business.  Note that as presently drafted, the CCPA requires businesses to maintain a twelve (12) month look back (as early as back to January 1, 2019) of data processing activities relating to covered personal information. 

Also worth watching is the law’s treatment of private rights of action. While the CCPA does not contain a private right of action for violation of any of the new disclosure or individual rights provisions, it does provide a private right of action for California consumers whose information has been compromised in a data breach resulting from inadequate security measures.  This essentially codifies the concept of negligence in California data breaches and, by imposing statutory damages ($100-$750), may largely affect the pleading and proof of damages in data breach cases, which is often the issue of greatest dispute.  From a litigation standpoint, these statutory damages plus the broad definition of “consumer” means that plaintiff’s attorneys may be gearing up to use the CCPA to bring cases against businesses that do business in California on behalf of a myriad of different groups about whom businesses typically hold personal information including, for example, end use customers, employees, shareholders and service providers and vendors.

If you have questions or would like to discuss the CCPA’s application to your business, please contact a member of the McGrath North Privacy and Data Security team.

Share Button