California Consumer Privacy Act: Countdown to Compliance
Anthony M. Isola
aisola@fisherphillips.com
(415) 490-9018
www.fisherphillips.com
fisherphillips.com

Topics
• How the Law Came Into Effect
• Who Must Comply With the Law
• How to Comply with Requirements for Employee and Job Applicant Data
• What New Rights Consumers Have to Their Data
• How to Comply with Requirements for Consumer Data (of Non-Employees and Non-Job Applicants)
• Anticipated Changes in the Law, Including the AG’s Revised Proposed Regulations, Issued on Friday, Feb. 7

“Cyberweapons and sophisticated hacking pose a greater threat to the United States than the risk of physical attacks.”
Kirstjen Nielsen, Secretary of Homeland Security, in a speech at GW University, September 5, 2018

Consumer Privacy Is a Hot Topic
• The public is keenly aware of this issue and is driving the discussion:
  - Data breaches.
  - Data collection and sharing (Facebook, Google, etc.).
  - Targeted advertising.
• Increasing protections for consumers polls well with the public.

This Is a Global Issue
General Data Protection Regulation (GDPR)
• Effective May 2018.
• Regulates data protection and privacy for all citizens of the EU and the European Economic Area (EEA).
• Also addresses transfer of personal data outside of the EU and EEA.

California Consumer Privacy Act (AB 375) Bill History
How Did This Bill Come to Be Law?
• Alastair Mactaggart, a rich real estate developer, self-funded a ballot measure that would have implemented an even tougher law than the one that was passed.
• Because the state legislature would have become irrelevant regarding privacy if the measure passed, the state lawmakers passed AB 375.

Whom Does the Law Protect?
• All California residents, including:
  - Customers
  - Employees
  - Visitors to a company internet site or building
  - Contractors and independent contractors
  - Vendors
• It’s not just your “customer’s” data.

Whom Does the Law Apply To?
All companies that collect California residents’ data and:
• Have annual gross revenues in excess of $25,000,000;
  OR
• Annually buy, receive, sell or share for commercial purposes, alone or in combination, the personal information of 50,000 or more California consumers, households or devices;
  OR
• Derive 50 percent or more of their annual revenues from selling consumers’ personal information.

Whom Does the Law Apply To? (continued)
This includes:
• Companies directing that others collect the information on their behalf
• “Controlled” affiliates
• “Controlled” companies or non-profits that share common branding

What Types of Information Does the Law Apply To?
• “Personal Information” of California residents:
  - Online AND offline; paper AND electronic.
  - Much broader than typical “PII.”
  - Essentially, most information that could identify an individual OR be used in conjunction with other information to identify an individual.

What Is Personal Information?
• Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
• Inferences drawn from any PI to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities and aptitudes.

Examples of Personal Information
• Identifiers such as a real name, alias, postal address, username, online identifier (IP address), email address, SSN, driver’s license number, passport number, etc.
• Commercial information, including records of personal property, products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies.

Limited Exemptions from Personal Information
• Publicly available information
• Certain types of “regulated” information:
  - HIPAA-regulated information
  - FCRA-regulated consumer/credit reports
  - Information regulated under the Gramm-Leach-Bliley Act
  - PI of an employee/agent of a business collected solely in the context of a B-to-B transaction

What Rights Does This Law Confer on Consumers?
• Right to know
• Purpose limitation
• Right to deletion
• Right to opt out of sale
• Right to be free of discrimination
• Regulatory enforcement
• Private right of action (limited)

A Temporary Break for Employers
• CCPA amended in October 2019 (AB 25)
  - Originally intended to exempt employee data collected by employers for employment purposes.
  - After it passed the Assembly, there was late opposition from labor groups.
  - Compromise: postpone by one year (until 1/1/2020) all requirements for employee data except two.

AB 25 – Amends the CCPA
• Two requirements still go into effect 1/1/2020 with respect to employee/job applicant data:
  - Reasonable security measures to protect employee data (both physical and electronic).
  - Disclosure of the categories of PI collected and the business purposes for which it is collected.

How Do You Comply with the Applicant and Employee Requirements of the CCPA?
• Data mapping: a thorough inventory of data.
  - How is data collected?
  - Where is data stored (electronic and paper form)?
  - What is the business purpose?
  - Who are the third parties with whom the data is shared?

How Do You Comply with the Applicant and Employee Requirements of the CCPA?
• Implement reasonable security measures.
  - Conduct an internal or external security assessment of your security measures and data retention practices with respect to employee and applicant data.
  - Draft and implement a data security policy.

How Do You Comply with the Applicant and Employee Requirements of the CCPA?
• Implement reasonable security measures (continued).
  - Conduct due diligence on the service providers to whom you disclose any employee information.
  - For contracts with third parties with whom you share employee or applicant information, confirm the contracts contain the CCPA-required language.

How Do You Comply with the Applicant and Employee Requirements of the CCPA?
• Distribute employee and job applicant disclosures.
  - The disclosure must be comprehensive.
  - The disclosure must specify the information that is collected and the business purpose for which the company uses the information.
  - You are prohibited from collecting and using any PI that you don’t list in the disclosure.

What About the CCPA for Consumers?
• Effective 1/1/2020, a covered business also has to comply with all the requirements of the CCPA pertaining to data collected about California non-employee and non-applicant consumers.
• This includes data collected about California households or devices through the company website that any member of the public can visit.

Right to Know
• Businesses will have to inform consumers, at or before the point of collection, what categories of PI they collect and the business’s purpose in collecting that information.
• Businesses will have to provide information within 45 days of receiving a verifiable consumer request.

Right to Know (continued)
• Consumers can request, up to 2X per year:
  - Categories of PI you collected or have
  - Purposes for which each category of PI is used
  - Categories of sources from which you got that PI
  - Whether the PI is being disclosed or sold
  - Categories of third parties to whom the PI is being disclosed or sold
• Right to access, free of charge, the specific pieces of PI you collected

Purpose Limitation
• Information must generally be used for the company’s operational purposes or other notified purposes that are reasonably necessary and proportionate to the purpose for which the data was collected.
• Businesses cannot use the data for a purpose not disclosed; an additional disclosure will be needed.
• Businesses cannot collect additional categories of personal information without providing notice.

Right to Deletion
• Consumers have the right to have their data deleted, upon request, unless it “is necessary for the business to maintain the consumer’s personal information.”

Reasons to Refuse a Deletion Request
For example:
• Comply with a legal obligation.
• Find, prevent or prosecute security breaches.
• “Enable solely internal uses that are reasonably aligned with the consumer’s expectations.”
• “Otherwise use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.”