Proposed Modifications to CCPA Regulations – Definitions and Consumer Notice Requirements

Note: This blog post is the first of three expanding on the information contained in an Alert on the Duane Morris LLP website.

On February 10, 2020, California’s Office of the Attorney General proposed a modified version of the California Consumer Privacy Act (CCPA) regulations first published on October 11, 2019. The initial proposed regulations were summarized in our previous Alert. The deadline for providing comments on the modified proposed regulations is February 25, 2020.

The proposed changes to the definitions, notices, and privacy policies in the modified regulations are summarized below.

Section 999.301 – Definitions

  • The definition of “categories of sources” now requires businesses to provide descriptions of the sources with enough “particularity to provide consumers with a meaningful understanding of the type of person or entity.” The same particularity requirement applies to categories of third parties.
    • CCPA Example: Categories may include advertising networks, internet service providers, data analytics providers, government entities, operating systems and platforms, social networks and data brokers.
  • COPPA is now explicitly defined as the “Children’s Online Privacy Protection Act, 15 U.S.C. sections 6501 to 6508 and 16 Code of Federal Regulations part 312.5.”
  • “Employment benefits” and “employment related information” are now defined terms.
  • The definition of “household” is clarified and narrowed. Under the prior version of the proposed regulations, this was defined as anyone occupying a single dwelling. Now, household includes those individuals who not only live at the same address, but who must also share a common device or service and be identified by the business as sharing the same account or unique identifier.

Section 999.302 – Definitional Guidance

  • Adds a new section titled “Guidance Regarding the Interpretation of CCPA Definitions.” This guidance clarifies that what is considered “personal information” depends on the manner in which the information is maintained by a business.
    • CCPA Example: If a business collects the IP addresses of visitors to its website but does not link the IP address to any particular consumer or household, and could not reasonably link the IP address with a particular consumer or household, then the IP address would not be personal information.

Section 999.304 – General Notice Requirements

  • Adds an explicit overview of what notices are required for businesses subject to the CCPA, including the requirements that a business provide consumers with a privacy policy, notice at collection of personal information, notice of right to opt-out of the sale of personal information, if applicable, and notice of financial incentive, if applicable.

Section 999.305 – “At Collection” Notices

  • Requires businesses to follow generally recognized industry standards to ensure that the “at collection” notices are reasonably accessible to consumers with disabilities. Also clarifies that the notice must be provided in the languages in which the business generally provides information to consumers in California.
  • Clarifies and provides additional illustrative examples of notice considered readily available at or before the point of collection of any personal information.
    • CCPA Example: When collecting personal information online, providing a conspicuous link to the notice on a business’ introductory page of its website and on all webpages where personal information is collected.
    • CCPA Example: When collecting personal information through a mobile app, providing a link to the notice on the mobile application’s download page and within the application, such as through the application’s settings menu.
    • CCPA Example: When personal information is collected in person or via phone, providing the notice orally.
  • Adds a “just-in-time” notice requirement for personal information collected from a mobile device that a consumer would not “reasonably expect” to be collected in connection with an app. The notice must include a summary of the categories of personal information being collected and a link to the full notice at collection.
    • CCPA Example: If the business offers a flashlight app and the app collects geolocation information, the business shall provide a just-in-time notice, such as through a pop-up window when the consumer opens the app, which contains the required information.
  • Clarifies that a business may not use a consumer’s personal information for any purpose “materially different” from the purpose disclosed at the point of collection, unless the business obtains explicit consent from the consumer for the materially different purpose.
  • For a data broker registered with the Office of the Attorney General, the “at collection” notice is not needed if the registration includes a link to its privacy policy that includes instructions on how to submit a request to opt out. The data broker is no longer required to contact the consumer or the source of personal information directly.
  • Clarifies that for requirements effective January 1, 2021, a “do not sell” link will not be necessary for employment-related information, and the notice at collection for employment-related information may include a link to, or a paper copy of, a business’ privacy policies for job applicants, employees, or contractors as opposed to the privacy policy for consumers.

Section 999.306 – “Do Not Sell” Opt-Out Notices

  • No longer requires a business that “may sell” personal information in the future to provide an opt-out notice if that business is not presently selling personal information.
  • Requires businesses to follow generally recognized industry standards to ensure that the opt-out notices are reasonably accessible to consumers with disabilities. Also clarifies that the notice must be provided in the languages in which the business generally provides information to consumers in California.
  • Clarifies that a business that collects personal information through a mobile app may provide the opt-out notice within the app, such as through the app’s settings menu.
  • Requires an affirmative authorization for the sale of personal information collected when the business does not have a notice of right to opt-out posted.
  • Includes an example opt-out button that, if used, must (1) be in addition to, not in lieu of, the posting of a notice of the right to opt-out, (2) appear to the left of the “Do Not Sell My Personal Information” or “Do Not Sell My Info” link, and (3) be approximately the same size as the other buttons on a business’ web page.
  • CCPA Example: [image of the sample opt-out button from the modified regulations]

Section 999.307 – Financial Incentive Notices

  • Requires businesses to follow generally recognized industry standards to ensure that the notice of financial incentives is reasonably accessible to consumers with disabilities. Also clarifies that the notice must be provided in the languages in which the business generally provides information to consumers in California, and must be readily available where consumers will encounter it before opting into a financial incentive or price or service difference.
  • The notice must explain how the financial incentive or price or service difference is reasonably related to the value of the consumer’s data.

Section 999.308 – Privacy Policies

  • Requires businesses to follow generally recognized industry standards to ensure that the privacy policy is reasonably accessible to consumers with disabilities. Also clarifies that the notice must be provided in the languages in which the business generally provides information to consumers in California.
  • Clarifies that a mobile app may include a link to the privacy policy in the app’s settings menu.
  • Clarifies that the categories of third parties to whom information is disclosed or sold must be provided for each category of personal information identified.
  • Clarifies that the privacy policy must state whether the business has “actual knowledge” that it sells personal information of minors under 16 years of age.
  • Clarifies that the privacy policy should provide instructions on how an authorized agent can make a request on a consumer’s behalf, as opposed to explaining how a consumer can designate an authorized agent.

Employee Rights Rolled Into California’s New Consumer Privacy Act – What Employers Should Know

California has enacted the California Consumer Privacy Act of 2018, establishing the strictest data privacy law in the United States. Recent amendments provide a one-year partial exemption for personal information that is collected from job applicants, employees, business owners, directors, officers, medical staff or contractors. However, qualifying employers are still required to provide certain disclosures and are still liable for statutory damages if unencrypted, sensitive employee data is breached as a result of a failure to implement reasonable security measures.

The following is a CCPA checklist for employers:

  • Determine whether the CCPA applies to your business.
  • Inform key decision-makers about the CCPA and appoint a privacy compliance manager.
  • Conduct data mapping of employee personal information.
  • Draft an employee-specific disclosure document.
  • Ensure that the employee disclosure is provided at or prior to the collection of employee personal information (including all applicants).
  • Ensure that all contracts with service providers with access to employee personal information include robust information security and privacy provisions.
  • Ensure compliance with other privacy, security and data protection and disposal laws.

For more detailed information on this topic, please see our Alert.

Nevada Privacy Law Takes Effect October 1: Is Your Company Compliant?

The newest Nevada privacy law, SB 220, is about to become operative on October 1, 2019, and will require website operators to provide consumers with the right to opt out of the sale of their personal information. The definition of what constitutes a “sale” is fairly narrow and includes several broad exclusions. Therefore, this opt-out provision is likely to apply only in narrow circumstances. However, businesses that may be covered by this new law will need to complete the following items prior to October 1:

  1. Determine whether the law applies to your business.
  2. Confirm compliance with existing consumer notice requirements.
  3. Establish a designated request address where consumers may submit a verified request to opt out of the sale of their covered information.
  4. Develop policies, procedures and processes for verifying and responding to requests within 60 days.

Please see our Alert for a detailed discussion of this law and when it applies.

Pa. Supreme Court Rules Employers Have Legal Duty to Protect Employees’ Personal Information from Data Breaches

On November 21, 2018, the Pennsylvania Supreme Court ruled that the University of Pittsburgh Medical Center (UPMC) had a legal duty to exercise reasonable care to protect sensitive employee information against an unreasonable risk of harm when that information is stored on an internet-accessible computer system. Dittman v. UPMC, No. 43 WAP 2017 (Pa. Nov. 21, 2018). In doing so, the Court made clear that the criminal acts of third parties who may breach a computer system do not alleviate the legal duty on a business to protect such information. The Court further held that the economic loss doctrine (a doctrine that precludes tort cases where the loss is purely monetary) did not apply in this case because the legal duty to protect sensitive employee information exists independently from any contractual obligations between the parties.

Visit the Duane Morris LLP website to read the full Alert.

What the Recent Cyberattack Means and Ways Businesses Can Protect Themselves

The unprecedented cyberattack on October 21, 2016, which crippled many of the Internet’s most widely trafficked sites, should be a wakeup call for businesses about the potential for hackers to weaponize common Internet-enabled devices and cripple businesses.

What Happened?

The cyberattack was caused in part by malware directed to more than 10 million Internet-connected devices, including DVRs, thermostats and closed-circuit video cameras. It caused a distributed denial-of-service attack (i.e., service interruption) that hit in three waves. Dyn, an Internet services company that directs Internet traffic, reported that the attack hit all of its 18 data centers globally. Early reports show that the disruption may be responsible for up to $110 million in lost revenue and sales. Perhaps most troubling is that the group claiming responsibility said the attack is merely a dry run for much larger attacks.


The Eighth Circuit Gives Defendants New Ammunition Against Data Breach/Misuse Cases

Since the Supreme Court’s decision in Spokeo v. Robins, courts have begun to ratchet back prior decisions on the minimum standard to plead an injury sufficient to establish Article III standing. The recent Eighth Circuit opinion in Braitberg v. Charter Communications adds to the growing number of cases defendants will rely upon to get data breach cases dismissed at the pleadings stage. Braitberg addressed standing in the context of the retention, use, and protection of personally identifiable information. Although the case did not involve a data breach, its holding is nevertheless instructive when defending against such cases.

In Braitberg, plaintiff alleged that he was required to provide personally identifiable information to purchase cable services and that the cable provider improperly retained his information long after he cancelled the services in violation of the Cable Communications Policy Act (“CCPA”).

Prior to Spokeo, such claims would have been sufficient to establish Article III standing because the Eighth Circuit permitted the actual injury requirement to be satisfied solely by pleading that there was an invasion of a legal right that Congress created. The Supreme Court in Spokeo held that Article III standing requires a “concrete injury” even in the context of a statutory violation.

With the benefit of Spokeo’s guidance, the Eighth Circuit acknowledged that Spokeo superseded its prior precedent. Accordingly, the panel affirmed the district court’s dismissal of the complaint for lack of Article III standing and failure to state a claim. In doing so, the panel rejected arguments that CCPA created standing to sue where the defendant merely retained the data in violation of the statute with no other injury. It further rejected an economic argument that retention of the data deprived plaintiff of the full value of the services received from the company.

This decision is important for two reasons. First, the Eighth Circuit further narrowed the scope of allegations that will give rise to Article III standing in a post-Spokeo world. Second, in denying the economic argument, the court cut off an alternative avenue by which plaintiffs have successfully alleged harm.

Is Your Business Prepared for a Ransomware Attack?

Ransomware attacks are on the rise and expected to reach epidemic proportions. The most publicized attack took place this year at the Hollywood Presbyterian Medical Center when it was forced to declare an “internal emergency” after a ransomware attack locked down its systems. Businesses that are viewed as offering a combination of valuable data and weak security may be seen as attractive to attackers. Some attackers have strictly financial motivations while others may simply be in it for “the data.”

According to Cisco’s Midyear Cybersecurity Report, email and malicious advertising are the primary ways ransomware infiltrates a system. Businesses often pay the ransom but even when paid, files may be lost or altered in ways that could be devastating to the business.

Cisco reports that companies entering into M&A deals often do not conduct enough due diligence on the risk posture of the acquired business and realize their shortcomings after the deal is done, when it is too late to remediate problems or when it’s harder to do so because the networks are intertwined.

What can you do? Robust security is clearly the first step to prevent attacks and that begins with the creation of a comprehensive privacy and security roadmap that addresses high risk areas, compliance gaps and specific tactics for incident preparedness. It is important to involve experienced counsel at the outset to not only advise on the array of federal and state privacy and cybersecurity laws and help develop the policy but also to direct any security investigation so that consultants can report potential vulnerabilities to outside counsel to protect potentially negative findings from discovery in future litigation.

On September 7th, the Federal Trade Commission will begin its series of seminars on new and emerging technologies with a workshop on ransomware.

Seller Beware: Recent Lawsuits Under N.J. Truth-in-Consumer Contract, Warranty and Notice Act Target E-Commerce Businesses

Online retailers across the United States have one more issue to consider as they prepare for the next sale: a growing number of lawsuits under the New Jersey Truth-in-Consumer Contract, Warranty and Notice Act (TCCWNA) alleging that standard online terms of service agreements on websites violate the New Jersey bar on deceptive notices.

The TCCWNA—N.J.S.A. 56:12-14 et seq.—was enacted in 1981 to prohibit businesses from using provisions that deceived consumers about their legal rights. The statute provides a private right of action that allows both actual customers and prospective buyers to bring suit against businesses. Businesses that violate the TCCWNA are liable to aggrieved consumers for $100, actual damages, or both, as well as reasonable attorneys’ fees and court costs.

To read the full text of the Alert, please visit www.duanemorris.com.

© 2009- Duane Morris LLP. Duane Morris is a registered service mark of Duane Morris LLP.
