Calling All California Employers – Are You CCPA Compliant?

The California Consumer Privacy Act (CCPA) went into effect January 1, 2020. Many California employers have improperly ignored its application to their businesses. While most employee rights were carved out of the CCPA’s application until January 2, 2021, there are still key requirements under the CCPA that employers of California residents must abide by starting January 1, 2020.

Does the CCPA Apply to Your Business?

The CCPA generally will apply to any for-profit company that does business in California, collects the personal information of California residents (including employees residing in California) and either (1) has at least $25 million in annual gross revenues; (2) buys, sells, shares or receives information from at least 50,000 California consumers; or (3) derives at least 50% of its annual revenue from selling California personal information.

If your business satisfies one of the thresholds, then having California employees is enough to trigger compliance requirements under the CCPA.

Compliance Required Today With Respect to California Employees

Effective January 1, 2020, all businesses that satisfy the threshold requirements under the CCPA are required to provide initial privacy notices to their California resident employees.

In addition to the initial notice requirements, California employers should be aware that a data breach of HR data stemming from a lack of reasonable protections could be the trigger for a class action lawsuit. It is important for employers to scrutinize information security policies, properly manage all third party service providers who have access to HR data and update internal and external privacy policies to ensure compliance under the CCPA.

Risks of Noncompliance

The CCPA is enforceable by both the California Attorney General and through limited private rights of action (specific to claims with respect to data breaches). Enforcement of the CCPA will begin by the California Attorney General six months after the publication of final regulations or July 1, 2020, whichever is sooner. Fines can run from $2,500-$7,500 per incident (for example, a violation involving 10,000 California consumers could result in fines of $25 million to $75 million).

CCPA Amendments – Do The Delays Affect You?

The California Consumer Privacy Act (CCPA) will go into effect on January 1, 2020. In September, the California legislature passed a handful of amendments that may have large impacts on your business’s overall plan for compliance with the CCPA. The Governor of California has until October 13, 2019 to sign the amendments into law or veto the bills.

The CCPA is a sweeping piece of legislation designed to provide California residents with control over how their personal information is used and shared by businesses “doing business in California”. Businesses that are subject to the CCPA requirements must implement procedures for and facilitate consumer data requests, update their privacy policies and flow down compliance obligations to their vendors. To determine whether the CCPA applies to you and your business, refer to the Tackling the California Market article.

Employee Data – AB 25. Ultimately, the CCPA will apply to employee data. However, AB 25 has deferred the application of most of the CCPA’s key provisions with respect to personal information that is collected about employees. As of January 1, 2020, businesses will have to provide employees notice about what categories of information the business collects and the purpose for collection, but businesses will not need to offer employees opt-out, access, and deletion rights until January 1, 2021. California resident employees will still be entitled to bring a private right of action under the CCPA with respect to a data breach.

Business to Business Data – AB 1355. AB 1355 added new Section 1798.145(l) which provides that certain obligations under the CCPA do not apply to personal information collected during business to business communications until January 1, 2021 when new Section 1798.145(l) would become inoperative. The year-long exemption would apply to “personal information reflecting written or verbal communication or a transaction between the business and the consumer, where the consumer is a natural person who is acting as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency and whose communications or transactions with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from such company, partnership, sole proprietorship, nonprofit, or government agency.” Effective January 1, 2020, B2B customer personnel will still have the right to opt-out of their information being sold and be entitled to bring a private right of action under the CCPA with respect to a data breach.

To learn more about all of the CCPA amendments and how McGrath North data privacy experts can assist you in preparing a comprehensive, tailored and practical CCPA compliance plan, contact one of our privacy experts.

CCPA Doesn’t Apply To Financial Institutions? Think Again – Big Impacts On Banks Privacy Operations

Financial institutions have always banked their privacy practices on the requirements under Title V of the Gramm-Leach-Bliley Act (GLBA) and its implementing regulations. That day is now over! The California Consumer Privacy Act (CCPA) is sweeping in and changing the financial privacy landscape. Many had hoped the CCPA would have an all-inclusive exemption for financial institutions already subject to compliance under GLBA; however, the California legislature has made clear that the CCPA will apply to portions of data held by financial institutions.

Scope of Financial Institution Exemption

CCPA exempts certain types of information that are subject to GLBA. The impact for financial institutions – all of the personal information collected today that is not subject to GLBA will be subject to CCPA (to the extent the financial institution is subject to CCPA). This includes the following information: personal information collected through general advertising and website marketing; personal information obtained from non-financial institution partners; and personal information obtained for commercial (non-personal or household) purposes.

A financial institution will be subject to CCPA if it does business in California and either (1) has at least $25 million in annual gross revenues; (2) buys, sells, shares or receives information from at least 50,000 California consumers; or (3) derives at least 50% of its annual revenue from selling California personal information.

Financial Institution Data Likely Subject to CCPA

The initial action financial institutions should take is to perform an internal data mapping exercise. Once the financial institution has determined what personal information it collects that is not subject to GLBA, the financial institution can prepare a practical and efficient CCPA compliance plan for all “non-GLBA” information.

Learn More.

As you are formulating a plan to comply with CCPA, our experienced privacy team is ready to partner with you in determining the most practical approach that minimizes disruptions to your already existing GLBA obligations. Here is a link for more information about our team: Privacy Team

Want to learn more about CCPA? Click here to read Tackling The California Market From The Midwest? What A Business Needs To Know About The California Consumer Privacy Act (CCPA).

HIPAA-Covered Entity Exemption To CCPA, Don’t Be Mistaken – You May Still Have To Comply

With the California Consumer Privacy Act’s (CCPA) compliance deadline fast approaching (January 1, 2020), companies are preparing to comply with the additional complex data privacy and security requirements. HIPAA-Covered Entities may mistakenly overlook the fact that the CCPA does not wholly exempt personal information collected by HIPAA-Covered Entities, but instead only exempts information already protected by HIPAA. HIPAA, the Health Insurance Portability and Accountability Act, requires health care organizations, employer-sponsored group health plans, healthcare clearinghouses, and other Covered Entities to ensure the privacy and security of Protected Health Information (“PHI”). Although the CCPA exempts data that constitutes PHI, a HIPAA-Covered Entity or related Business Associate must still protect personal data (or even health data) that is covered by the CCPA but does not satisfy the definition of PHI under HIPAA.

HIPAA-Covered Entity Data Could Be Subject to CCPA

What type of data is governed by HIPAA and, as a result, exempt from the CCPA? PHI is defined as “individually identifiable health information” held or transmitted by a Covered Entity or its Business Associate, in any form or medium, whether electronic, paper, or oral. For example, health information, demographic data, medical histories, test results, and insurance information are forms of PHI if they can reasonably be used to identify a patient. Identifiers coupled with health information such as names, geographic locations, dates, contact information, social security numbers, and more can also constitute PHI. If the data amounts to PHI, that data is exempt from the CCPA.

Not all data collected by a HIPAA-Covered Entity amounts to PHI. For example, employment records held in the hands of an employer (rather than held by the group health plan sponsored by the employer) are not PHI. Any data collected by a HIPAA-Covered Entity that is not PHI will be subject to the CCPA (to the extent the entity is subject to the CCPA). However, the CCPA provides for an exception. When a Covered Entity or health care provider maintains health information in the same manner as PHI, even though the health information is not PHI, the CCPA rules do not apply. That being said, applying HIPAA privacy and security rules to non-PHI could be a burdensome task and cause confusion amongst a Covered Entity’s employee population.

What This Means for HIPAA-Covered Entities

Start your data mapping now. To determine what information is collected that is not protected under HIPAA and, to what extent the CCPA applies to such data, you must understand what categories of information are collected, who it is received from, what’s being done with the data and who it is shared with. From there, you can formulate a CCPA plan that correlates and flows with obligations under HIPAA to ensure efficiencies throughout your data compliance program.

As you are reviewing CCPA application to your entity, reach out to our experienced privacy and ERISA team to partner with you to develop a practical plan that minimizes risk and syncs to your already existing HIPAA obligations. Here is a link for more information about our team: Privacy Team

Want to learn more about CCPA? Click here to read Tackling The California Market From The Midwest? What A Business Needs To Know About The California Consumer Privacy Act (CCPA).

Tackling The California Market From The Midwest? What A Business Needs To Know About The California Consumer Privacy Act (CCPA)

The data privacy regime is starting to look more like the wild west every day. A year after companies had to focus resources on complying with Europe’s onerous requirements under the General Data Protection Regulation (GDPR), companies must once again gear up for the first round of U.S. state efforts to tighten up data privacy rules with California’s new California Consumer Privacy Act (CCPA), which comes into effect on January 1, 2020. Whether you were able to ignore GDPR or not, CCPA sets the data privacy bar higher for most U.S.-based companies.

DOES CCPA APPLY TO YOUR COMPANY?

CCPA generally will apply to any for-profit company that does business in California and either (1) has at least $25 million in annual gross revenues; (2) buys, sells, shares or receives information from at least 50,000 California consumers; or (3) derives at least 50% of its annual revenue from selling California personal information.

COMPLIANCE WITH GDPR DOES NOT EQUAL COMPLIANCE WITH CCPA.

While many aspects of CCPA read similar to the regulations you may have become familiar with under GDPR, there are clear differences. Like GDPR, CCPA will require companies to carefully craft specific language in their website privacy policy, including providing certain rights to California consumers, such as the right to request what personal information has been collected, the right to request that information is deleted, and the right to access information.

CCPA also includes specific disclosure requirements with respect to the “sale” of California consumer personal information and specific disclosure requirements with respect to personal information of minors. As part of the “sale” disclosures, many companies will need to add a new website opt-out option labeled “Do Not Sell My Personal Information.”

RISKS OF NONCOMPLIANCE.

CCPA is enforceable by both the California Attorney General and through limited private rights of action (specific to claims with respect to data breaches). Enforcement of CCPA will begin by the California Attorney General 6 months after the publication of final regulations or July 1, 2020, whichever is sooner. Fines can run from $2,500-$7,500 per incident (for example, a violation involving 10,000 California consumers could result in fines of $25 million to $75 million).

EXEMPTIONS – GLBA AND HIPAA.

There are specific exemptions with respect to certain types of data under CCPA. If you are a financial institution subject to the Gramm-Leach-Bliley Act (GLBA) or a covered entity subject to HIPAA, certain data collected will be exempt. However, financial institutions and covered entities are still subject to CCPA with respect to data not subject to GLBA (non-NPPI) or HIPAA protection (i.e. non-PHI). It is important for companies to understand the interplay between all privacy regulations and set forth a data privacy compliance program that complies with all applicable laws.

WHERE TO START.

Analyzing the application of data privacy regulations can be daunting. McGrath North recommends companies start with data mapping to determine what information is collected, where the information is collected from, and what a company does with the information (including a list of third-parties that the information is later shared with). From here, companies can start to formulate well-thought-out compliance programs that allow them to comply with applicable data privacy laws while maintaining efficient and effective operations.

With a heightened national focus on data privacy and security, these burdensome and sometimes difficult-to-manage regulations are not going away. Whether you put in place a compliance program to satisfy the requirements of GDPR or not, CCPA and other U.S. state-based data privacy laws will impact almost all nationally operating entities.

McGrath North has data privacy experts to help you work through the weeds of the regulations and to partner with you to determine the most practical and efficient way for your company to implement privacy policies and procedures to ensure compliance. Here is a link for more information on our team: Privacy Team

Click here to read GDPR ONE YEAR LATER: HAS YOUR COMPANY SORTED THROUGH THE CONFUSION AND RISKS – WHAT U.S. COMPANIES NEED TO REMEMBER.

Lurking in the Shadows – Is Your Business Affected By The California Consumer Privacy Act?

Unless you have been paying attention to data privacy news, you may not realize that January 1, 2020, is the implementation date of the California Consumer Privacy Act (CCPA) and that July 1, 2020, is the current deadline for the California Attorney General to implement regulations under CCPA. As currently drafted, the CCPA directs the California Attorney General to forego bringing any enforcement action under the CCPA until six months after publication of such final regulations, or July 1, 2020, whichever is sooner.

The CCPA constitutes an expansion beyond California’s existing privacy laws and various provisions of the new law will apply to all businesses that do business in California:

  • With annual gross revenue greater than $25 million (not just in California),
  • That obtain or share for commercial purposes the personal information of 50,000 or more California residents, households or devices, or
  • That get 50% or more of their revenue from selling or sharing the personal information of California residents.

Many non-California based businesses may be surprised to learn that they fall within the scope of the CCPA.

The CCPA was passed quickly to avoid a similar voter initiative ballot measure, and as a result has numerous ambiguities and apparent inconsistencies. The law was amended on September 23, 2018, and it is very likely that the law will be changed again by amendment, and clarified through final rules and regulations, before it comes into effect on January 1, 2020.

In the meantime, it is useful to look at what the law, in its current form, will require. From a practical perspective, for businesses already following California’s existing privacy laws, some of the main differences under the new law will be: (1) allowing California residents to opt out of the sale of their personal information to third parties; (2) getting opt-in consent before selling the personal information of California residents under the age of 16; (3) advising California residents, upon request and in privacy notices, what personal information the business has collected about them, how it was collected, why, and whether it has been shared or sold; (4) the introduction of personal information “portability” and deletion requirements for businesses that maintain covered personal information; and (5) having a privacy policy that includes both online and offline personal information collection.

Note that at this point, the application of the CCPA to employee data remains an open question. On its face, the CCPA appears to apply only to California “consumers.” However, the CCPA’s definition of consumer (a California resident) combined with California’s longstanding practice of protecting individual privacy rights, suggests that the CCPA also may extend to the personal information of California residents maintained as part of an employment relationship. If so, the CCPA would apply to residents of California who are job applicants, full or part time employees, temporary workers, interns, volunteers, independent contractors, and even such persons’ dependents or beneficiaries.

While the CCPA will almost certainly change again before it comes into effect on January 1, 2020, businesses may want to begin thinking now about some of the core new provisions in that law, in particular, how the business will respond to consumers’ requests for information about their personal information held by the business and such consumers’ requests to delete their personal information held by the business. Note that as presently drafted, the CCPA requires businesses to maintain a twelve (12) month look-back (as early as back to January 1, 2019) of data processing activities relating to covered personal information.

Also worth watching is the law’s treatment of private rights of action. While the CCPA does not contain a private right of action for violation of any of the new disclosure or individual rights provisions, it does provide a private right of action for California consumers whose information has been compromised in a data breach resulting from inadequate security measures. This essentially codifies the concept of negligence in California data breaches and, by imposing statutory damages ($100-$750), may largely affect the pleading and proof of damages in data breach cases, which is often the issue of greatest dispute. From a litigation standpoint, these statutory damages plus the broad definition of “consumer” mean that plaintiffs’ attorneys may be gearing up to use the CCPA to bring cases against businesses that do business in California on behalf of a myriad of different groups about whom businesses typically hold personal information including, for example, end-use customers, employees, shareholders, service providers and vendors.

If you have questions or would like to discuss the CCPA’s application to your business, please contact a member of the McGrath North Privacy and Data Security team.

McGrath North To Host January 28 IAPP Privacy After Hours Event

McGrath North is pleased to host the International Association of Privacy Professionals (IAPP) Privacy After Hours event coming to Omaha on January 28. Privacy After Hours is a fun and easy way for IAPP members and non-members to get to know other local privacy professionals. There’s no agenda; just show up to the designated location and have a good time! The event is open to anyone who works in or is interested in privacy. The Omaha event will be Thursday, January 28, 2016, 6:15 pm – 7:45 pm at Fox and Hound, Western Crossing Shopping Center, 506 N 120th Street, Omaha, NE 68154.

For more information click here to access the IAPP website.

Cyber-Risk: It’s Not Just An IT Issue, It’s A Board Issue

On June 10, 2014, U.S. Securities and Exchange Commissioner Luis A. Aguilar spoke at the New York Stock Exchange “Cyber Risks and the Boardroom” Conference. With the high number of recent successful cyber-attacks, Commissioner Aguilar suggests that cyber-risk must be considered a part of a board’s overall risk oversight. It is the board’s responsibility to ensure the adequacy of the company’s cybersecurity measures. Aguilar cites suggestions for how this can be done, including boards reviewing annual budgets for privacy and IT security programs, assigning roles and responsibilities for privacy and security, and receiving regular reports on breaches and IT risks. Aguilar encourages companies to conduct regular risk assessments and cites the recently released Framework for Improving Critical Infrastructure Cybersecurity by the National Institute of Standards and Technology (“NIST”) as the likely standard for best practices in assessing a company’s cybersecurity risks. In short, boards need to be or get educated on cybersecurity risks and be proactive in trying to minimize such risks.

Commissioner Aguilar’s speech can be found at: http://www.sec.gov/News/Speech/Detail/Speech/1370542057946

Do Data Breach Guidelines Signal Coming Enforcement Efforts Against Businesses With Customers Or Operations In California?

Any business that has customers or operations in California should pay attention to California law regarding privacy and data security. The State of California has been active in the areas of breach notification, privacy policies for online services that collect personal information from California residents, privacy practices for the mobile app industry, online privacy rights for California minors, and disclosure by operators of websites regarding whether third parties may be collecting personally identifiable information relating to a consumer’s online activities. Last year alone, fourteen pieces of legislation involving privacy and data security were introduced in California’s legislature, three of which were signed into law by Governor Brown.

On February 27, 2014, the California Attorney General’s Office released guidelines outlining steps that smaller firms can take to prepare themselves against data breaches. While the California AG’s Office has indicated that the recommendations offered in the guidelines are not “regulations, mandates or legal opinions,” firms that have customers or operations in California should be alert to the possibility that the California AG’s office may in the future view the guidelines as an informal mandate for all businesses with customers or operations in California. A copy of the guidelines can be found here. McGrath North’s lawyers stand ready to assist your business in addressing the compliance challenges created by the constantly evolving federal and state privacy and data security laws.
