Dazed and Confused: Gray Areas in the Golden State's New Privacy Law
Firms are helping clients prepare for the California Consumer Privacy Act, but with some vagaries still surrounding the law it will be difficult to hit the ground running.
March 01, 2019 at 02:30 PM
8 minute read
The original version of this story was published on Legal Tech News
Sometimes you want to go where everybody knows your name—or at the very least is familiar with your data breach incident response plan. Clients new and old alike have been trickling into law firms in anticipation (or mild apprehension) of the California Consumer Privacy Act.
The law brings new and sweeping changes to the way the U.S. has traditionally viewed consumer privacy, whether businesses are ready for them or not.
The state's forthcoming privacy regulations, which are scheduled to go into effect Jan. 1, 2020, will bear more than a passing resemblance to the European Union's General Data Protection Regulation, empowering Californians with more control over the way their data is collected, shared or viewed by companies on a daily basis.
While the GDPR may provide a suitable springboard for complying with the CCPA, sticking the landing will require navigating some big and potentially expensive question marks around expectations and execution that could linger well beyond 2020.
One of the most immediate questions, for instance, is what the law will actually entail.
“The CCPA is not yet set in stone, so we really don't know what the law is going to look like when it goes into effect in 2020. It's a bit of a moving target,” says Kevin Cahill, a partner based out of Dechert's Orange County office. “[People] want to get started with compliance, but we still don't know what the rules of the road are, so it's kind of hard to go at it full-steam at this point.”
Once the CCPA was signed by California lawmakers, Cahill and the other attorneys working in cybersecurity and data privacy at Dechert began reviewing the particulars of the new regulation, some of which they fully expect to change.
In fact, it has changed from the initial version already: Several amendments to the law were passed last September, eliminating a notification requirement for consumers pursuing private action and bringing additional clarification to what entities are exempt from the CCPA's reach.
For attorneys, heeding these ongoing changes can be a bit like trying to prepare a client to take a driver's test while the DMV is still in the process of color-coding the traffic lights.
“The law is evolving in that there were amendments to it, and there might be additional amendments to it before it's enacted in 2020, so in that sense it's kind of a moving target,” says Hanley Chew, of counsel at Fenwick & West.
Still, if you absolutely have to start taking aim, Chew thinks the CCPA requirements targeting transparency and the mechanisms companies need to manage and disclose the data they're collecting will probably be around for the long haul.
|Does It Apply to You?
One fairly pressing question many companies will face is if the law applies to them. But for some, getting to that question means first realizing the law exists in the first place.
For all of the talk about various privacy laws waiting to come into fruition at the state or federal level, business managers are apt to begin tuning some of the noise out in favor of one of the many other demands competing for their attention—customers, employees, the actual turning of a profit.
Ditto for a company's in-house counsel. “In-house folks are busy people, they don't have time always to pay attention to every new legal or legislative development, so it's sort my job to keep track of things that could impact their business,” Cahill says.
Elizabeth Dill, a partner in Lewis Brisbois Bisgaard & Smith's data privacy and cybersecurity practice, notes that, when dealing with the GDPR, corporate clients tended to fall into one of three categories: those who reach out immediately after the regulations are announced, those who reach out with just enough time to undergo the compliance process, and those who reach out within days of the law's effective date.
She recommends that lawyers and their clients begin preparing for the CCPA as soon as possible. The scope of the work required can vary depending on the size and nature of the company itself. Plus, some clients walk through the door wondering if the CCPA even applies to them.
The answer to that question can usually be ascertained through a data-mapping exercise focused on the kind of data a company traffics in and how it is collected, stored and processed.
“What we usually do is prepare an assessment for clients based on a questionnaire that they fill out for us, and the answers to the questions determine, for our purposes, whether or not we're going to proceed forward and recommend that they start the process of compliance,” Dill says.
That questionnaire relies heavily upon the wide-ranging parameters that bring a company or business under the mandate of the CCPA, which are not contingent upon the limits of the California border.
The CCPA generally doesn't care which ZIP code is listed next to a business' corporate headquarters so long as the data of a California resident is involved. Then, if a company has gross revenue of more than $25 million; buys, receives or sells the personal information of 50,000 or more consumers; or derives more than 50 percent of its revenue from selling consumer information, the regulations apply.
“We ask about what kinds of information they handle, what kinds they store, what kinds they transmit, if they sell any kind of personal information,” Dill says. “But one of the things that's interesting about the CCPA, like the GDPR, is that the definition of personal information is much broader than even California's data breach notification statute.”
Personal information as defined by the CCPA isn't just limited to information like Social Security numbers, driver's license numbers or financial account numbers. According to Dill, the law encompasses any information that relates to or could reasonably be linked to a particular consumer or household.
How one chooses to define “household” is one of several potential ambiguities lawyers may have to contend with as the CCPA continues to shift in and out of focus. While a common-sense definition of the word is well within grasp, Dill thinks it will be the subject of much discussion moving forward.
|A Close Cousin to GDPR
Because the CCPA has a similar disposition to the GDPR, businesses that have already taken the plunge with the GDPR have a running start when it comes to getting up to speed with certain provisions of the new California law.
The CCPA's “right to be forgotten,” for example, requires companies to acquiesce to demands made by individual consumers to have their data erased. It's a fixture of the GDPR, but a first for privacy law in America.
Ensuring that those kinds of requests are seen, processed and executed in a timely fashion may require companies to make significant changes to their pre-existing infrastructure or reallocate man power. But thanks to the GDPR, some of the more dramatic alterations to the fabric of a business may have already been made.
“A lot of companies have already put a lot of the infrastructure in place in order to comply with the GDPR, and so a lot of times we're just building on what they've already put in place,” Chew says.
Still, the blueprints for complying with GDPR and the CCPA aren't precise matches. Reece Hirsch, a partner at Morgan, Lewis & Bockius, says the privacy rights outlined in the CCPA are potentially much more fine-tuned to the individual than GDPR regulations.
For example, consumers under the umbrella of the CCPA have the right to know the categories of data that a business has collected about an individual and how that information has been sold or disclosed over a period of time stretching back 12 months.
The expansiveness of such requirements can quickly become a burden to companies attempting to comply.
“It affects many different components of the company's business, and so I think it's important to start by engaging all of the relevant personnel within the company about what these new rules might mean, even though they are still a work in progress,” Hirsch says.
Regardless, January 2020 definitely won't be the last time law firms and corporate legal departments hear about the CCPA. In addition to helping clients deal with any confusion regarding practical applications of the law or keeping abreast of future amendments, there's also a chance they'll be seeing more time in court.
A provision of the CCPA creates statutory damages for security breaches, and as a result Hirsch expects to witness a spike in California security breach class action suits. Lawyers may want to consider incorporating a review of a client's incident response plan into their CCPA prep work, he says.
“It's a good time for organizations to revisit and retune their incident response plan to make sure that they are making themselves as bulletproof as possible so that they are prepared to both detect breaches as soon as they occur and also to respond to them quickly to mitigate harm,” Hirsch says.
Email: [email protected]
|This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllShareholder Activists Poised to Pounce in 2025. Is Your Board Ready?
NLRB Bans 'Captive Audience' Meetings, Yanking Away Platform Employers Used to Combat Unionizing
Trending Stories
- 1Elon Musk Names Microsoft, Calif. AG to Amended OpenAI Suit
- 2Trump’s Plan to Purge Democracy
- 3Baltimore City Govt., After Winning Opioid Jury Trial, Preparing to Demand an Additional $11B for Abatement Costs
- 4X Joins Legal Attack on California's New Deepfakes Law
- 5Monsanto Wins Latest Philadelphia Roundup Trial
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250