California’s Consumer Privacy Act (CCPA) will go into effect on January 1, 2020. CCPA can apply to businesses even if they do not have offices or employees in California.  For-profit businesses that collect or use personal information, do business in California, and meet certain thresholds (revenue or data collection) should know their CCPA obligations. The California AG’s office is currently working on regulations implementing CCPA and amendments are proposed in California legislature.  We will continue to provide updates as the law evolves.

Don’t wait to implement your California Consumer Privacy Act (CCPA) compliance. Consumer lawsuits are expected to follow shortly after implementation. It can also reach activities conducted outside of California. Does CCPA apply to you? 

To learn more about CCPA and how you can prepare, please contact:

Does CCPA Apply to You?

California’s new Consumer Privacy Protection Act (“CCPA”) goes into effect January 1, 2020. CCPA can apply to businesses even if they do not have offices or employees in California. It can also reach activities conducted outside of California. CCPA breaks new ground in US privacy law, though organizations that are subject to complying with the EU’s GDPR may find complying with CCPA less of an adjustment in their data practices.

Businesses collecting and using personal data of California consumers (defined broadly enough to cover consumers, employees, business contacts and others) should know their CCPA obligations. Non-compliant businesses may be subject to up to $2500 per violation and $7500 for each intentional violation.


CCPA’s New Privacy Rights = New Consumer Demands

A pending amendment to CCPA could broaden consumers’ ability to sue for any violation of CCPA (and not just data breach related incidents). Under CCPA as currently passed, consumer plaintiffs are entitled to statutory damages. This means they don’t have to prove damages, only a CCPA violation to recover damages. Most privacy lawsuits lose because damages can’t be proven. CCPA has the potential to change privacy litigation as we know it.


Our CCPA Task Force is available to assist and advise clients in efficiently addressing CCPA-related issues. To learn more about the issues in this client alert, please contact Nadia Aram at nadia.aram@wbd-us.com (919.755.2119).


Do you know what California consumers can demand from your business under CCPA? Consider that “consumers” is broadly defined as a natural person resident in California for other than a transitory purpose and could include customers, employees, business contacts and others.


Do Your Vendor Contracts Comply with CCPA?

Any entity processing personal information of California consumers on your behalf (i.e., your vendors and service providers) must have a written contract in place including specific language. Review the steps below to help bring vendor contracts in compliance with CCPA.

Consider that “consumers” is broadly defined as a resident of California for other than a transitory purpose and could include customers, employees, business contacts and others. CCPA broadly defines “personal information” and may capture pieces of information your business had not previously treated as personal information, and consequently may reach across your vendors broadly as well.

1. Do we need to amend our existing vendor contracts to comply? If you answer “yes” to all of the questions below, then you will be required to update them.

  • Does CCPA apply to our company? 
  • Does our company use or share personal information of California consumers with any service providers?
  • Will the contracts be in place on or after January 1, 2020 when CCPA applies?

2. How do we amend our existing vendor contracts?

Either an informal agreement or more formal amendment could work if signed by and binding on both parties.

3. What about my new vendor contracts? 

Keep all this in mind for them, too. 

4. What language must we add to existing or new vendor contracts to comply? Include these terms:

Prohibit the vendor from retaining, using or disclosing the personal information for any purpose other than the specific purpose of performing the services specified in the contract for your business (including retaining, using, or disclosing the personal information for a commercial purpose other than providing such services).

CCPA broadly defines “commercial purposes” in a manner that largely restricts the vendor’s ability to use the personal information for their own benefit outside of rendering services to your business. Engaging in speech that state or federal courts have recognized as noncommercial speech, including political speech and journalism, is not within the meaning of “commercial purposes.”

POTENTIAL TRAP FOR THE UNWARY:

CCPA requires additional actions to avoid being categorized as “selling” to your vendor the personal information you use or share with your vendor - even if the vendor was merely intended to help you process the data. To avoid this trap, additional terms are required to be included in the vendor contract and you are also required to make appropriate disclosures of the business purpose for which the data was shared with the vendor in your public privacy notice. CCPA enumerates acceptable business purposes, as a concept separate and distinct from the commercial purposes mentioned above.

This overview does not substitute for considering CCPA’s requirements in their entirety.

Top 10 Things to Do to Prove CCPA Compliance

Don’t wait to implement your California Consumer Privacy Act (CCPA) compliance. California’s new privacy law goes into effect January 1, 2020. Consumer lawsuits are expected to follow shortly after implementation. CCPA can apply to businesses without offices or employees in California. It can also reach activities conducted outside of California. Does CCPA apply to you? See our prior alert here. Click here to see our table suggesting compliance tasks and possible next steps.

1. Delegate CCPA compliance oversight to a knowledgeable employee or team   

Identify key business stakeholders; assemble a multidisciplinary team; engage legal counsel to assist as needed

2. Maintain and regularly update a business-wide privacy policy

Map data collected by your business (including how it is used and where it resides); implement processes to provide consumers with required information about collection and use of their personal information; document how and why the privacy policy is aligned with legal requirements; appropriately disclose the privacy policy to the public.

Note: CCPA applies to all personal information of California consumers and not only data collected online

3. Implement and maintain reasonable security practices    

Identify internal or external resources for information technology and data security; determine any contractual information security requirements; consult with others in industry or sector to determine best practices for securing information collected, stored or used by the business; regularly review internal information security practices and document them; prepare a data breach notification plan; conduct table-top exercises to simulate data breach response 

4. Maintain procedures to respond to requests for access to personal data and specific pieces of information    

Document consumer verification process and how it is aligned with legal requirements; document work flows showing internal procedures are followed; implement templates for customer service communications; audit files and processes to ensure internal policies are followed; log and track requests from consumers and retain copies of responses   

5. Maintain procedures to respond to requests to delete personal information     

Establish protocols for responding to such requests in a timely and effective manner; identify data within any applicable exception to deletion on which your business relies and how long it can or should be retained; audit files and processes for legal compliance

6. Maintain procedures to respond to requests to opt-out of sale of personal information     

Provide consumers with appropriate notice that their personal information is being sold, if applicable, and implement processes to respond to and honor requests to opt-out to such sale; audit processes for legal compliance

7. Update vendor contracts to comply with CCPA and avoid being characterized as “selling” personal information to vendors    

Identify vendors or third parties that receive personal information from your business and include appropriate contract terms to address CCPA requirements; make vendor or third party aware of your business’s privacy policy and their obligation to comply with it, if any; diligence vendors and their privacy and data security practices, as appropriate

8. Maintain procedures for collection and use of personal information of minors (as applicable)    

Obtain appropriate opt-in consent with respect to persons 16 or younger whose personal information is sold

9. Conduct appropriate privacy training for personnel depending on their job function    

Offer appropriate training to personnel; require personnel to participate in privacy and security training; prepare templates and scripts for personnel responding directly to consumers’ requests under CCPA; document how compliance of personnel is evaluated or checked

10. Assess affiliates’ need to comply with the CCPA and implement family-wide compliance if necessary    

The affiliates of a business subject to the CCPA may all come under the CCPA where they all do business under a common brand; pro-actively determine whether compliance with the CCPA can be limited to one or more specific companies in a family of companies and take appropriate actions based on the outcome of the review

The CCPA is a complex law, and this overview does not substitute for considering CCPA requirements in their entirety. The CCPA, while a comprehensive privacy law, does not supplant other California or other state privacy laws. Don’t lose sight of other privacy obligations in the U.S. as you navigate CCPA compliance for your business. 


Womble Bond Dickinson (US) LLP communications are intended to provide general information about significant legal developments and should not be construed as legal advice on any specific facts and circumstances, nor should they be construed as advertisements for legal services.

CCPA Creates Possible Dilemmas for Companies Sending Text Messages. Is Your Business Ready?

Don’t wait to implement your California Consumer Privacy Act (CCPA) compliance as it could require changes to your operations. CCPA can apply to businesses even if they do not have offices or employees in California. It can also reach activities conducted outside of California. See our prior alert here to see if CCPA applies to your business.

With the impending implementation of the CCPA, brands and platforms that use text messages to contact consumers (who could be customers, employees or others) must be sure their texting programs comply with the CCPA.

Two areas of particular interest for businesses sending texts are: (1) determining whether they are “selling” personal information under the CCPA and managing the requirements for a data seller under the CCPA, and (2) how to simultaneously comply with a request to delete personal information under the CCPA with the need to maintain records of obtaining prior express written consent for purposes of the Telephone Consumer Protection Act (“TCPA”).

What does the CCPA definition of “selling” personal information mean for brands that send text messages?

The term “sell” under the CCPA is defined broadly to mean “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”

What this means is that even if a business is not receiving monetary payment in exchange for the consumers’ data, it could still be considered to be “selling” under the CCPA in certain circumstances when the data is shared with third parties.

For example, consider a scenario where a business is collecting personal information for purposes of sending text messages and it makes the information available to a vendor to conduct research and provide additional insight on each consumer. If the vendor is authorized to “mine” the data for its own purposes, that is likely sufficient consideration to make the disclosure to the vendor a sale under the CCPA. If, on the other hand, the contract with the vendor includes appropriate language to exclude the disclosure from being such a sale (language largely directed to using the data solely to service the business providing the data), the disclosure can be excluded from being considered a sale under the CCPA. Where two brands share personal information of California consumers for co-marketing or some other mutual benefit, even if no money changes hands, the fact that each benefits from the exchange could be sufficient consideration to support a sale having occurred under the CCPA. Whether there is a “sale” for CCPA purposes can be a potential trap for the unwary. The distinction matters, as the CCPA imposes additional obligations on sellers of personal information.

If a business is considered to be “selling” personal information, then the CCPA mandates that the business must implement an opt-out procedure for such selling for California residents, must seek their opt-in to such selling if they are between 13 and 16 years old, and must obtain parental consent to such selling if they are children under 13.

Additionally, the CCPA provides that a business cannot discriminate against a person opting-out from selling of their personal information. This means that the text messaging business must determine a way to provide the same services to their text users whether they are “selling” the users’ information or not (or come under a CCPA exception that allows for permissible different treatment of different users). 

For businesses that work with vendors to send text messages, complying with the CCPA likely includes the following steps:

1. Identify third party vendors involved in collecting or processing such information;

2. Review the contracts with such vendors and update them, as needed;

3. Implement policies and procedures to comply with the new opt-out sales rules in the contracts with your vendors, or alternatively, if feasible, seek to have the vendor contracts exempted from what is considered selling data by including CCPA-compliant terms to do so; and

4. Determine how to address requests for deletion of personal information (more on this topic below).

How to balance the obligation to comply with a request to delete personal information under the CCPA with the need to maintain consent records under the TCPA?

In order to comply with the TCPA, text messaging businesses must be able to prove that they obtained “prior express written consent” of the consumers they are contacting with an “automatic telephone dialing system” for “telemarketing purposes.” Is this in conflict with the consumers’ right to request deletion of their personal information under the CCPA?

The analysis of this question may differ between individuals contacted by the text messaging business who have opted out from receiving text messages and individuals who have not opted out but still request that their personal information be deleted under the CCPA.

For individuals who consented to receive text messages and then subsequently submitted opt-out requests, the text messaging businesses can refuse the request to delete relying on the “comply with legal obligations” exception under the CCPA. The justification would be that they have the legal TCPA obligation to maintain an internal do not call list.

For individuals who consented to receive text messages and have not opted out, but still request all their personal information to be deleted under the CCPA, several other exceptions to deletion under the CCPA could apply. The request for deletion could be declined on the basis that the personal information must be retained to complete the transaction or service requested by the consumer (e.g., text updates for shipping status of a product, texted account alerts, texted appointment reminders, texted service progress alerts, etc.). Other possible exceptions involve retaining the personal information solely for internal use by the business for purposes that a consumer would reasonably expect or that are compatible with the purposes for which the information was collected. Whether a particular exception applies is a factual analysis unique to each business, and the analysis the business performed to arrive at the applicability of the exception should be documented by the business.

Although the scope of enforcement and litigation under the CCPA is still to be tested, challenges under the CCPA are expected to commence shortly after the CCPA becomes effective on January 1, 2020. Businesses sending texts should know, understand and be prepared to comply with their CCPA obligations sooner rather than later, as it can take some time to implement CCPA-compliant policies, procedures and contractual updates.

For more information on complying with the CCPA, please check out Womble Bond Dickinson’s “Top 10 Things to Do to Prove CCPA Compliance” alert here or contact one of our attorneys.

This overview does not substitute for considering CCPA’s and TCPA’s requirements in their entirety.

CCPA Compliance: Are you Ready for PI 2.0?

Don’t wait to implement your California Consumer Privacy Act (CCPA) compliance as it could require changes to your operations. CCPA can apply to businesses even if they do not have offices or employees in California. It can also reach activities conducted outside of California. See our prior alert here to see if CCPA applies to your business.

What’s “new” in PI under CCPA? PI now includes content not always considered PI in the past such as:

  1. data relating not only to an individual consumer, but also to households
  2. online identifiers
  3. geolocation data
  4. IP addresses
  5. Internet browsing or search history, including information regarding a consumer’s interaction with an Internet website, application, or advertisement
  6. commercial information, including a consumer’s records of things purchased, considered, or other purchasing or consuming histories or tendencies
  7. inferences drawn (e.g., predictions about consumer or household preferences or tendencies)
  8. audio, electronic, visual, thermal, olfactory, or similar information

Why are these definitional changes significant?

  • Businesses subject to CCPA now have new compliance obligations. Some action items may include:

a) Many businesses will need to revise their posted privacy policies and internal processes to account for the broader definition of PI under CCPA (as part of otherwise working to have policies and processes that comply with CCPA).

b) They will have to determine whether to apply the broad treatment of PI in California across their data subjects in the US (even if not required in other states) if it would be too cumbersome to isolate PI subject to CCPA from other PI those businesses maintain.

c) Businesses may also desire to evaluate whether the new CCPA requirements make raising a claim under their cyber liability insurance harder and how to compensate for that possibility.

d) Businesses may need to amend vendor contracts to account for an updated definition of PI (as part of otherwise addressing whether the vendor contracts comply). See our prior vendor contracts alert here.

  • CCPA expands the types of data that businesses must treat as PI. Under CCPA, this expanded definition of PI is used for purposes of allowing consumers to exercise their CCPA rights*. This definition is very broad compared to existing PI definitions in the US, many of which are found in data breach notification laws. Under US state data breach laws, data is considered PI if it contains both an identifying factor and an account number or other sensitive personal data element.
    • For example, in California what is PI for purposes of determining whether a data breach occurred means an individual’s first name or first initial and his or her last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted: (i) social security number, (ii) driver’s license number or California identification card number, (iii) account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account, (iv) medical information, or (v) health insurance information.
    • CCPA itself relies on California’s separate data breach law definition of PI to determine what would be an actionable data breach under CCPA. That’s good news because an actionable data breach exposing a business to liability in California applies to a narrow subset of PI. However, it doesn’t change the fact that a business otherwise must apply CCPA’s other requirements to a broad and vast amount of individuals’ data.

* CCPA gives data subjects, with some exceptions, the rights to (i) be informed if their personal information is sold or disclosed, (ii) approve of the sale of their personal information, (iii) demand deletion of the information, (iv) opt-out and (v) be protected from discrimination if they exercise their privacy rights.

This overview does not substitute for considering CCPA’s requirements in their entirety.

Health Sector Does Not Completely Avoid the CCPA by HIPAA Exemption

Don’t wait to implement your California Consumer Privacy Act (CCPA) compliance as it could require changes to your operations. CCPA can apply to businesses even if they do not have offices or employees in California. It can also reach activities conducted outside of California. See our prior alert here to see if CCPA applies to your business.

As the countdown to the January 1, 2020 effective date for the CCPA quickly approaches, healthcare entities and businesses in the health sector should exercise caution not to rely too heavily on the law’s HIPAA-related exceptions as a complete pass to avoid complying with the CCPA. The CCPA is the most comprehensive and toughest privacy law in the U.S. to date. Although a California law, the CCPA imposes stringent requirements on businesses nationwide that collect personal data from Californians (and meet certain thresholds). Those requirements include a number of on-going obligations to consumers and are accompanied by strong enforcement powers for non-compliance as well as a private right of action for certain data breaches. HIPAA does not provide a private right of action. While the CCPA exempts certain entities and data governed by HIPAA from CCPA’s scope, healthcare entities and related service providers should evaluate their systems, processes and data repositories to determine what (if any) personal information they collect remains within the CCPA’s reach. They could find themselves with certain data subject to the CCPA and some outside of its scope. What does this mean for the healthcare industry? Perhaps it’s time to start thinking in terms of “HIPAA Plus” in a healthcare setting. Regulators, if the CCPA heralds a trend, are imposing new obligations related to the other personal data a healthcare entity, health plan, or related business maintains about a particular patient, employee, website visitor, or other person.

The CCPA broadly defines “personal information” to include information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Personal information under the CCPA includes data elements commonly considered protected information under most state security and data breach laws such as Social Security numbers, certain demographic information, financial account information and biometric data. However, the CCPA also calls out Internet browsing and search history, IP addresses, and personal information used to create consumer profiles (e.g., purchasing preferences, behavior, psychological trends, attitudes, abilities, and similar inference-based characteristics), which have not been historically considered “personal information” in the U.S.

The CCPA does offer some reprieve for the healthcare industry from the breadth of what is “personal information” under the CCPA by providing the following exemptions:

  • Non-Profits: Certain non-profits are exempt from the CCPA if the company does not fall within the definition of a “business,” which means the entity is “organized or operating for the profit or financial benefit of its shareholders or other owners.”
  • Medical Information or PHI: The law does not apply to “medical information” governed by the California Confidentiality of Medical Information Act (“CMIA”) or “protected health information” (“PHI”) governed by HIPAA, that is collected by a HIPAA covered entity or business associate.
  • HCPs or Covered Entities: A “provider of healthcare” (as defined by the CMIA) and HIPAA covered entities (healthcare provider, healthcare clearinghouse, or health plan) are also exempted from the law, if such entities maintain patient information as though it was subject to the CMIA or HIPAA. Notably, “business associates” under HIPAA are not exempted alongside HIPAA covered entities under the CCPA.
  • Research Data: Information collected as part of a clinical trial is also excluded from the CCPA when the trial is subject to the Common Rule. Although the Common Rule applies to federally-funded research studies, most drug and device manufacturers and other entities conducting studies involving human research subjects voluntarily adhere to requirements of the Common Rule. Absent additional guidance hopefully yet to come this year from the California legislature or California Attorney General clarifying aspects of the CCPA, it is unclear whether the CCPA exemption will only apply to institutions receiving federal research funding.
  • De-Identified Data: The CCPA does not apply to “deidentified” data; however, while similar in concept to the HIPAA equivalent, the standards for de-identification under HIPAA and the CCPA do not entirely overlap. As a result, it is possible that data that meets the HIPAA de-identification standard may not meet the CCPA exemption for deidentified data.

Despite these noted exemptions, healthcare entities, health plans and other businesses operating in the healthcare sector likely create, maintain or otherwise process personal information that falls outside these exemptions. Therefore, businesses should evaluate data processing activities across operations to identify any such outliers. For example, the following data types could be subject to the CCPA:

  • Personal information (not regulated by the CMIA or HIPAA) collected through websites, health apps, health portals, and other digital technology or connected devices
  • Personal information processed by the non-healthcare components of a HIPAA hybrid entity or information processed between a non-profit institution and its CCPA-covered affiliates, partners or related entities
  • Pending the fate of a proposed amendment that may exclude certain employee data, personal information about employees (and dependents) collected or processed in an employer function as opposed to a HIPAA-covered health plan (e.g., information related to life insurance, short-term disability claims, certain wellness programs, workers’ compensation) as well as general employee information such as Social Security numbers, tax IDs, drivers’ license numbers, biometric or demographic information (e.g., employment applications, tax forms, or other employee records)
  • Personal information collected through in-person conferences, fundraisers, marketing events or similar activities
  • Personal information processed for research that falls outside the CCPA’s clinical research exemption (e.g., potentially data collected for privately-funded clinical trials, investigator and study staff information)

These are only a handful of possible examples of data that may fall outside the CCPA exemptions most applicable for the health sector. Therefore, while the California legislature has limited time left in session to make final decisions on proposed amendments to the CCPA and guidance from the California Attorney General is still pending, now is the time to take action despite unanswered questions and varied interpretation of this new law. All businesses, including healthcare entities, should take steps to: 1) identify data processing activities across their operations to determine what data (if any) is subject to the CCPA and where exemptions may apply; 2) coordinate with relevant stakeholders to form your strategic approach to compliance (e.g., will you take steps to meet an exemption, segment data such that the CCPA requirements only apply to a sub-set of information, or prioritize implementation with a risk-based approach); and 3) evaluate current policies, procedures and contracts for any necessary updates to comply with the CCPA (especially public facing online policies where lack of compliance may be quickly apparent). These are but a few of the recommended steps toward full-scale compliance. A wait-and-see approach may not be the best strategy to respond to this broad-reaching privacy law given the often extensive background preparation involved for many businesses to comply with the CCPA and the number of “copy cat” laws pending in other states. The CCPA also has 12-month “look back” terms, and so has the potential to apply retroactively unless California’s legislature or Attorney General intervene by way of amendments to, or regulations under, the CCPA.

This overview does not substitute for considering the CCPA’s requirements in their entirety.

CCPA Amendments Update

Don’t wait to implement your California Consumer Privacy Act (CCPA) compliance as it could require changes to your operations. As a reminder, the CCPA takes effect January 1, 2020 and can apply to businesses even if they do not have offices or employees in California. It can also reach activities conducted outside of California. See our prior alert here to see if the CCPA applies to your business.

As of September 13, 2019, the California legislature advanced six CCPA amendments to Governor Newsom’s desk for signature. The Governor has until October 13, 2019, to act on any or all of these amendments. The amendments clarify some exemptions to the CCPA, create some new narrow exemptions, update some operational requirements, clarify some defined terms, and create a new data broker registry. Given the magnitude of the CCPA overall, and some of its provisions that lack clarity in interpretation, the amendments are relatively limited in nature and leave a number of questions about CCPA compliance unanswered. A brief overview of highlights from the amendments follows:


Limited Employee and Personnel Exemption


For a period of 1 year (January 1, 2020-December 31, 2020), the CCPA would not apply to personal information collected in connection with an individual’s role as a current or former job applicant to, employee of, owner of, medical staff member of, or contractor of a business—solely to the extent the individual’s personal information is used and collected in the context of that role. The limited exemption also covers emergency contact information of such persons and personal information necessary to administer benefits for any other person relating to such persons. These individuals nonetheless retain their CCPA rights to be informed of the categories of personal information collected and the purposes for which the personal information is used by the business along with their right to bring a private action for a data breach.


Changes to “Personal Information”


The word “reasonably” has been added in front of “capable of being associated with” a consumer or household in the definition of “personal information.”
Any “information that is lawfully made available from federal, state, or local government records” is “publicly available” and not “personal information,” regardless of how that information is used. Previously, businesses would have been required to use that information for a purpose compatible with the purpose for which the data is maintained in order to invoke the “public information” exemption. 
As amended, “personal information” does not include consumers’ information that is deidentified or aggregate consumer information. The amendments do not address or further clarify the standards for de-identifying data.


Limited B2B Information Exchange Exemption


For a period of 1 year (January 1, 2020-December 31, 2020), a number of CCPA rights would not apply to personal information collected in the context of a business-to-business relationship. This exemption does not apply to the rights to opt in / opt out from sale of one’s personal information and be protected from certain discrimination if one exercises one’s CCPA rights. To fall in this exemption, the individual must be acting as an employee, owner, director, officer, or contractor of a business, and their personal information exchanged must be in the context of a business relationship (e.g., conducting due diligence, or providing or receiving a product or service from the business). 


Clarifications Bearing on Implementing the CCPA


A business would be permitted to require reasonable authentication of the individual making a request to know what personal information the business maintains about them (or other CCPA request requiring verification) to help that business review and confirm if it is a verifiable consumer request. Reasonableness would be determined based on the circumstances, i.e., nature of information requested. If a consumer maintains an account with the business, then the business could require the consumer to submit requests via that account.


Businesses that operate exclusively online and have a direct relationship with the consumer would only have to provide an email address for consumers to submit disclosure requests to the business (and not also a toll-free number). 


The amendments specifically permit the California Attorney General to adopt additional regulations on how to process and comply with verifiable consumer requests for specific pieces of personal information relating to households (which are included in the definition of personal information). There have been security and privacy concerns that members of a household will be able to seek copies of information of other individuals in a household.


The amendments clarify that the CCPA does not require a business to collect personal information that it would not otherwise collect in the ordinary course of its business or retain personal information for longer than it would otherwise retain such information in the ordinary course of its business.


FCRA Information Exemption

The CCPA does not apply to information processing for purposes of the Fair Credit Reporting Act (FCRA), namely collecting, maintaining, disclosing, selling, communicating, or using personal information bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency. The exemption does not impact an individual’s ability to bring a private action against a business for a data breach involving such information.


Narrow Vehicle Industry Exemption 

The amendments add a narrow vehicle industry exception for the CCPA’s “do not sell” requirements. The CCPA right to opt out or opt in from sale of one’s personal information would not apply to vehicle information (e.g., VIN, make, model, year, odometer reading) or ownership information (e.g., name of registered car owner and contact information) exchanged between a car manufacturer and new car dealer if used to carry out a vehicle repair covered by warranty or recall (so long as the recipient does not sell, share or use that information for any other purpose). 

New CCPA Changes/Clarifications; Some Final, Some Contingent

On October 10, 2019, with no prior notice, the California Attorney General held a press conference announcing the publication of his office’s proposed regulations (set forth at §§ 999.300-999.341 of Title 11, Division 1, Chapter 20 of the California Code of Regulations) to implement the California Consumer Privacy Protection Act or the CCPA (the “Regulations”). The following day, the California Governor signed all five of the legislature’s proposed CCPA amendments and squeezed in sign-off of an amendment to California’s data breach law (expanding the definition of “personal information” to include biometric data, tax ID, passport and other government-issued ID numbers). The Regulations are open to public comment until December 6, 2019 and therefore subject to further changes just weeks before the CCPA goes into effect January 1, 2020. Although the Attorney General stated that his office will not begin CCPA enforcement until July 2020, the CCPA includes a 12-month lookback period. Therefore, while businesses now have freshly inked CCPA amendments to consider final, the Regulations are still to be determined. Nonetheless, businesses should use the remaining 69 days to continue implementing compliance mechanisms, and the Regulations do give perspective as to the general interpretation of the CCPA from the office responsible for enforcing the new law.


CCPA Compliance: Thorny Practical Questions

This is one of several client alerts in a series counting down to the date when CCPA applies (Almost 1 month to go)

The California Consumer Privacy Act (CCPA) takes effect for businesses January 1, 2020. Don’t wait to implement your compliance as it could require changes to your operations. The CCPA can apply to businesses even if they do not have offices or employees in California. It can also reach activities conducted outside of California. See our prior alert here to see if the CCPA applies to your business.

Our CCPA Task Force is available to assist and advise clients in efficiently addressing CCPA-related issues. To learn more about the CCPA, please contact our Task Force.


The CCPA implementing regulations are still open for comment through December 6, 2019. Nonetheless, businesses subject to the CCPA are encouraged to do the best they can to implement a compliance program. Here are some of the frequently asked questions from our clients in that regard and possible responses based on what we know about the CCPA at present:


THRESHOLD QUESTION

1. Q: Would the CCPA apply to my business if we do not have any offices or employees in California?

A: Yes. Even for-profit companies with no physical operations or employees in California can fall within the CCPA’s broad jurisdictional reach.


2. Q: The only information my company collects is information we track through our website. Do we have to comply with the CCPA?

A: Very possibly. The broad definition of personal information under the CCPA includes assorted online analytics data. See our prior alert here regarding the expanded scope of what is personal information under the CCPA.


OPERATIONAL CONSIDERATIONS

3. Q: Should my business have a separate website for California visitors?

A: It depends on viability for your business – can you isolate California consumer data from other customer data in a resource-efficient manner so as to run a separate website? Doing so is certainly an option for some businesses. Under this approach, a business can limit the set of consumers for whom it honors requests under the CCPA (e.g., the right to request information, deletion of certain information, etc.) or whom it allows to opt out from the “sale” of their data. Recall that “sale” is very broad and covers any transfer of the data for consideration, possibly even implicating a transfer to a service provider, business partner or affiliate.


4. Q: If we opt for a separate website for California visitors, prompt them to access it, and they don’t, what then?

A: You have given them the option to avail themselves of their CCPA rights. If they elect not to, that is their decision. You would want to have a process in place to show or document that making the alternate site available was routine, and anyone from California would have had the option to proceed under the CA-specific website.


5. Q: What are my options as a customer with service providers who refuse to add CCPA-required service provider language to my contracts with them? (Meaning language providing that personal information supplied by the customer, or collected by the vendor on the customer’s behalf, can only be used to provide services to the customer or as otherwise permitted under the CCPA.)

A: Keep asking for it. Our clients are seeing that many vendors still don’t appreciate what the CCPA requires of them and are having a bit of an “ah-ha” moment when the CCPA is raised with them. Many businesses are only now considering CCPA compliance obligations as the CCPA’s January 1, 2020 effective date looms. A number of service providers are confused about why their customers are asking for CCPA language in their contracts when the service provider isn’t itself a business subject to the CCPA. Customers are having to explain that they have their own separate obligations to flow down to service providers.

Alternatively, some clients are finding vendors who do appreciate what CCPA requires but will not comply because it would negatively impact their business model monetizing data. In such an instance, clients may be forced to make hard choices to stop doing business with a particular vendor if it would have the effect of having the customer be deemed a data seller and the customer does not want to have this status.


6. Q: Why should my business care if it is a data seller under the CCPA?

A: Some businesses find data seller status acceptable or unavoidable. Other businesses are taking great pains to avoid such status as they believe it casts a negative impression on their business, for example, businesses that market to kids or provide healthcare or financial services may not want to be seen as selling data. Specifically, some businesses are very loath to provide a conspicuous opt-out to selling data on their website. Avoiding data seller status is contingent not only on the business taking appropriate measures within its control, but passing through certain obligations to its vendors.


7. Q: What kinds of challenges are other businesses facing as they implement verification for consumer requests under the CCPA?

A: Companies of all sizes continue to struggle with the risk-adjusted requirements for verified consumer requests. We describe these as “risk-adjusted” because the more sensitive the information in question, the higher the level of verification necessary. Simple when you describe it that way, but is requiring four data points rather than two really that much more secure, given how much information about each of us is readily available? A quick and easy approach for determining the level of verification you should require is akin to the Golden Rule: if it were your personal information, at what level would you feel (more) comfortable? Unfortunately, only time will provide us with guidance on what level of rigor will be deemed appropriate in cases where data was nonetheless sent to the incorrect requestor.


8. Q: What does the right to non-discrimination mean under the CCPA?

A: A business must include a statement in its privacy policy that advises consumers of the right not to be discriminated against for choosing to exercise any of their rights under the CCPA. Discriminatory practices can include providing disparate pricing, goods or services to a consumer because the consumer has exercised a right under the CCPA. However, not all loyalty programs or similar financial incentives are prohibited and a business may still offer a financial incentive or price or service difference if the difference is reasonably tied to the value of the customer’s data. The proposed CCPA regulations set forth parameters for calculating the reasonable value of consumer data when a business attempts to assert this exception. The business must also notify consumers of the financial incentive at or before the point of data collection.


Exemptions and Exceptions

9. Q: My business is a covered entity or business associate subject to HIPAA, do we still have to comply with the CCPA?

A: Maybe. Although the CCPA includes exemptions for medical information or protected health information (PHI) collected by a covered entity or business associate and treated in accordance with HIPAA (and also exempts covered entities that maintain PHI), some covered entities and business associates may also process or maintain personal information that falls outside of HIPAA that is subject to the CCPA. See our prior alert here.


10. Q: My business is subject to the Gramm-Leach-Bliley Act (GLBA), are we exempt from the CCPA?

A: Yes, for certain personal information subject to the GLBA, but not all personal information will be subject to the GLBA. Data not within the GLBA exemption could still be subject to the CCPA. Many businesses in financial services will find they have to comply with both the GLBA and the CCPA, and that sometimes there may be a conflict between the two, such as when a consumer requests that their personal information be deleted.


11. Q: Employee personal information is exempt from the CCPA until 2021, so my business doesn’t have to take any actions with regard to employee, job applicant, and similar data, right?

A: No. As amended, certain requirements of the CCPA will not apply to the personal information of employees (including job applicants) until 2021. However, businesses must still meet the notice requirements that will be effective January 1, 2020, requiring employers to provide notice to employees and job applicants at or before the point of data collection. Employers should also note that employees and job applicants can still bring a private cause of action for the business’s failure to implement reasonable security procedures and practices if the violation results in a data breach of the employees’ personal information. Employers should also consider the operational impact of treating all employee data as in-scope for the CCPA, including contracts and arrangements with service providers for outsourced activities.


Contracts

12. Q: Does the CCPA require changes to existing contracts?

A: If you are a business subject to the CCPA and do not want to be a data seller under the CCPA, then yes, you will need to amend contracts to add appropriate “service provider” language to the contract. If you are a service provider serving businesses subject to the CCPA, you can expect to receive requests from your customers described under the immediately preceding sentence. Also, where you yourself wear both hats, you may find you need to make both downstream and upstream changes to your agreements to comply with the CCPA.


Website Changes

13. Q: Are businesses required to add a “Do Not Sell” button to websites if they do not “sell” any personal information as defined by the CCPA?

A: No. As currently drafted, the proposed regulations implementing the CCPA further clarify that a business that does not (and will not) sell personal information (which, within the meaning of the CCPA, is broadly defined) is not required to post a “Do Not Sell” button or link on its website home page or provide an in-person equivalent. However, the business is required to include a statement in its privacy policy that the business does not and will not sell personal information.

In contrast, a business that sells personal information must disclose that fact, along with the categories of recipients to whom the information was sold in the last 12 months and provide notice to consumers of the right to opt out of the sale. The business must provide at least two methods for consumers to opt out of the sale of their personal information, one of which must include a clear link or button on the home page of its website or mobile application that says “Do Not Sell My Personal Information” or “Do Not Sell My Info” and takes users to a form or page instructing them on the required details of the opt out process.


Penalties

14. Q: Do consumers have a private right of action to sue my company for non-compliance with the CCPA?

A: Consumers have a private right of action under the CCPA only in the case of a business’s security breach or other data exposure incident. While only the California Attorney General has the right to otherwise enforce the non-data-breach provisions of the CCPA and obtain statutory damages based on affected consumers, it is still possible for a plaintiff to bring an “unfair and deceptive trade practices” lawsuit against a company that the consumer feels has harmed the consumer by taking actions that violate this law. This is not a direct action under the CCPA, but it is one way that the obligations imposed by the CCPA may find their way into court.


15. Q: Don’t I have until July, 2020 to comply with the CCPA when the California Attorney General would start enforcing the CCPA?

A: The CCPA regulations are open for public comment until December 6, 2019, with a final version expected in the spring of 2020. Pending these revisions, the Attorney General’s office can begin enforcement six months after the final regulations are in place, or by July 1, 2020. The Attorney General acknowledged, at the press conference announcing the proposed regulations, that there will likely be an enforcement delay closer to the July 1, 2020 deadline. However, he also warned businesses that the law goes into effect January 1, 2020 and that businesses need to get into compliance by then. He proceeded to pose this hypothetical “If someone is murdered and it takes us six months to arrest whoever did it, does that mean that they should go free?” He then answered by saying, “Look, I don’t think so. The law is the law.”

The CCPA is a complex legal structure, with legislation, amendments to the legislation, and draft regulations to keep in mind. This alert is not intended to exhaust the various CCPA questions businesses are asking or substitute for a thorough analysis of how the CCPA affects your business in the specific context of your business.

Related Articles

Are Employees Classed as Consumers? California State Assembly Speaks to This and Other Concerns

The California State Assembly has passed several amendments to the California Consumer Privacy Act (CCPA) this legislative session. Among the total of four CCPA amendments that were passed in the Assembly this week, two have the potential to affect a large number of businesses. These bills still need to be approved in the California Senate and then be signed by the governor before they become law. If that happens, the CCPA would provide significant exemptions for employers and businesses offering loyalty programs.

Assembly Bill 25 would exempt information collected in the employment context from CCPA coverage. This bill proposes to amend the CCPA definition of “consumer” by excluding persons whose information is collected and used solely within the context of the person’s role as an employee, contractor, job applicant, or agent of a business subject to CCPA. This means that employees won’t be vested with rights under the CCPA as employees, including the rights to delete, opt-in, and request disclosure. A private right of action will also be unavailable to them as an employee, should the employer suffer a data breach.

However, when that employee’s data is collected outside of the context of employment, the employee retains all CCPA rights. Imagine the following scenario: a California resident is employed by a company where she also shops. The company is a victim of a data breach resulting from its negligence. The data breach affects its HR database, compromising employment data, and its eCommerce site, compromising customer personal information. Under AB 25, the employee would be able to sue for the latter, but not the former.

Assembly Bill 846 would preserve businesses’ ability to offer and manage loyalty and rewards programs. The CCPA prohibits businesses from discriminating against a consumer, by charging higher prices or providing a lower level of goods or services, for exercising any of the consumer’s rights. Under AB 846, this prohibition would not be construed to prevent a business from offering a different price, rate, level, or quality of goods or services if the offering is in connection with a consumer’s voluntary participation in a loyalty program. So, for example, your favorite neighborhood coffee shop will still be able to facilitate a rewards program through its mobile app to comp you a free cup o’ joe after you buy your lattes for a couple of weeks.

Given the frenetic speed at which the CCPA rocketed through the legislature in 2018, it is unsurprising that there have been attempts to further contour the rough edges of the CCPA. These two amendments would bring welcome exemptions to businesses as they prepare themselves for compliance.

We are continuously monitoring these amendments. Womble Bond Dickinson’s CCPA compliance team is, of course, glad to discuss any of the pending amendments to date.