Dazed and Confused: Gray Areas in the Golden State's New Privacy Law
Firms are helping clients prepare for the enactment of the California Consumer Protection on January 1, 2020. But it's difficult to hit the ground running with some vagaries surrounding the law still in place.
March 04, 2019 at 09:30 AM
8 minute read
Sometimes you want to go where everybody knows your name—or at the very least is familiar with your data breach incident response plan. Clients new and old alike have been trickling into law firms in anticipation (or mild apprehension) of the California Consumer Privacy Act (CCPA).
The law brings new and sweeping changes to the way the U.S. has traditionally viewed consumer privacy, whether businesses are ready for them or not.
The state's forthcoming privacy regulations, which are scheduled to kick into effect on Jan. 1 2020, will bear more than a passing resemblance to the European Union's General Data Protection Regulation (GDPR), empowering Californians with more control over the way their data is collected, shared or viewed by companies on a daily basis.
While the GDPR may provide a suitable springboard for the complying with the CCPA, sticking the landing will require navigating some big and potentially expensive question marks around expectations and execution that may continue to linger well beyond 2020.
One of the most immediate questions, for instance, is what the law will actually entail.
“The CCPA is not yet set in stone, so we really don't know what the law is going to look like when it goes into effect in 2020. It's a bit of a moving target,” says Kevin Cahill, a partner based out of the Orange County office of Dechert. “[People] want to get started with compliance, but we still don't know what the rules of the road are, so it's kind of hard to go at it full steam at this point.”
Once the CCPA was signed by California lawmakers, Cahill and the other attorneys working in cybersecurity and data privacy at Dechert began reviewing the particulars of the new regulation, some of which they fully expect to change.
In fact, it has changed from the initial version already: Several amendments to the law were passed last September, eliminating a notification requirement for consumers pursuing private action and bringing additional clarification to what entities are exempt from the CCPA's reach.
For attorneys, heeding these ongoing changes can be a bit like trying to prepare a client to take the driver's test while the DMV is still in the process of color-coding the traffic lights.
“The law is evolving in that there were amendments to it, and there might be additional amendments to it before it's enacted in 2020, so in that sense it's kind of a moving target,” says Hanley Chew, of counsel at Fenwick and West.
Still, if you absolutely have to start taking aim, Chew thinks that the CCPA requirements targeting transparency and the mechanisms companies need to manage and disclose the data they're collecting will probably be around for the long-haul.
|When Clients Stick their Heads in the Sand
One fairly pressing question many companies will face is if the law applies to them. But for some, getting to that question means first realizing the law exists in the first place.
For all of the talk about various privacy laws waiting to come into fruition at the state or federal level, business managers are apt to begin tuning some of the noise out in favor of one of the many other demands competing for their attention—customers, employees, the actual turning of a profit.
Ditto for a company's in-house counsel. “In-house folks are busy people, they don't have time always to pay attention to every new legal or legislative development so it's sort my job to keep track of things that could impact their business,” Cahill says.
Elizabeth Dill, a partner in Lewis Brisbois' data privacy and cybersecurity practice, noted that, when dealing with the GDPR, corporate clients tended to fall into one of three categories: those who reach out immediately after the regulations are announced, those who reach out with just enough time to undergo the compliance process, and those who reach out within days of the law's effective date.
She recommends that lawyers and their clients begin preparing for the CCPA as soon as possible. The scope of the work required can vary depending on the size and nature of the company itself. Plus, there are some clients who walk through the door wondering if the CCPA even applies to them.
The answer to that question can usually be ascertained through a data mapping exercise focused on the kind of data company traffics in and how it is collected, stored and processed.
“What we usually do is prepare an assessment for clients based on a questionnaire that they fill out for us, and the answers to the questions determine, for our purposes, whether or not we're going to proceed forward and recommend that they start the process of compliance,” Dill says.
That questionnaire relies heavily upon the wide-ranging parameters that bring a company or business under the mandate of the CCPA, which are not contingent upon the limits of the California border.
The CCPA generally doesn't care which zip code is listed next to a business' corporate headquarters so long as the data of a California resident is involved. Then, if a company has gross revenue of more than $25 million; buys, receives, or sells the personal information of 50,000 or more consumers; or derives more than 50 percent of its revenue from selling consumer information, the regulations apply.
“Also we ask about what kinds of information they handle, what kinds they store, what kinds they transmit, if they sell any kind of personal information,” Dill says. “But one of the things that's interesting about the CCPA, like the GDPR, is that the definition of personal information is much broader than even California's data breach notification statute.”
Personal information as defined by the CCPA isn't just limited to information like Social Security numbers, driver's license numbers or financial account numbers. According to Dill, the law encompasses any information that relates to or could reasonably be linked to a particular consumer or a household.
How one chooses to define “household” might constitute one of several potential ambiguities lawyers may have to contend with as the CCPA continues to shift in and out of focus. While a common sense definition of the word is well within grasp, Dill thinks it will be the subject of much discussion moving forward.
|More of a Fraternal Twin than GDPR Clone
Because the CCPA has a similar disposition to the GDPR, businesses that have already taken the plunge with the GDPR have a running start when it comes to getting up to speed with certain provisions of the new California law.
The CCPA's “right to be forgotten,” for example, requires companies to acquiesce to demands made by individual consumers to have their data erased. It's a fixture of the GDPR, but a first for privacy law in America.
Ensuring that those kinds of requests are seen, processed and executed in a timely fashion may require companies to make significant changes to their preexisting infrastructure or reallocate manpower. But thanks to the GDPR, some of the more dramatic alterations to the fabric of a business could have already been made.
“I think a lot of companies have already put a lot of the infrastructure in place in order to comply with the GDPR, and so a lot of times we're just building on what they've already put in place,” Chew says .
Still, the blueprints for complying with GDPR and the CCPA aren't precise matches. Reece Hirsch, a partner Morgan Lewis, thinks the privacy rights outlined in the CCPA are potentially much more fine-tuned to the individual than GDPR regulations.
For example, consumers under the umbrella of the CCPA have the right to know the categories of data that a business has collected about an individual and how that information has been sold or disclosed over a period of time stretching back 12-months prior.
The expansiveness of such requirements can quickly become a burden to companies attempting to comply.
“It affects many different components of the company's business, and so I think it's important to start by engaging all of the relevant personnel within the company about what these new rules might mean, even though they are still a work in progress,” Hirsch says.
Regardless, January 2020 definitely won't be the last law firms and corporate legal departments hear about the CCPA. In addition to helping clients deal with any confusion regarding practical applications of the law or keeping abreast of future amendments, there's also a chance they'll be seeing more time in court.
A provision of the CCPA creates statutory damages for security breaches, and as a result Hirsch expects to witness a spike in California security breach class action suits. Lawyers may want to consider incorporating a review of a client's incident response plan into their CCPA prep work.
“It's a good time for organizations to revisit and retune their incident response plan to make sure that they are making themselves as bulletproof as possible so that they are prepared to both detect breaches as soon as they occur and also to respond to them quickly to mitigate harm,” Hirsch says.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllTrending Stories
- 1Call for Nominations: Elite Trial Lawyers 2025
- 2Senate Judiciary Dems Release Report on Supreme Court Ethics
- 3Senate Confirms Last 2 of Biden's California Judicial Nominees
- 4Morrison & Foerster Doles Out Year-End and Special Bonuses, Raises Base Compensation for Associates
- 5Tom Girardi to Surrender to Federal Authorities on Jan. 7
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250