Requests to Know under the CCPA: Practical Compliance Tips

By Rachel E. Ehlers on February 26, 2020

The much anticipated California Consumer Privacy Act (“CCPA”) is now in effect (as of January 1, 2020), and as we’ve recently reported, class action litigation under the CCPA has already begun. Organizations should have already assessed whether their business is subject to the new law and if so, taken steps to ensure compliance. Likely, one of the most difficult compliance areas of the CCPA is responding to consumer requests to know the personal information a business collects about them. Under the CCPA consumers have the right to know what personal information a business is collecting about them. The information must be made available, free of charge, within 45 days, although extensions are available in limited circumstances. The business’s response to a request to know must be in a “readily useable format that allows the consumer to transmit this information to another entity without hindrance.” In addition, in October of 2019, as required by the CCPA, Attorney General Xavier Becerra announced Proposed Regulations that operationalize the new law and provide clarity and specificity to assist in implementation of the CCPA. The Proposed Regulations, which were recently updated, have yet to be finalized, but as is, have a technical and substantive impact on the consumer request to know process.

The CCPA defines “personal information” very broadly, which is the reason consumer requests to know are particularly cumbersome for businesses. Per the statute, personal information is that which “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This definition includes the types of personal information we are used to seeing, including Social Security numbers and driver’s license numbers, it also includes a person’s name and address (physical and email). In addition, it may include less obvious things like the person’s browsing history, biometric data, and geolocation data.

The following are practical tips for handling consumer requests to know:

Preparing for compliance

Identification of process owner: Organizations should designate a person or team to handle requests to know.
Develop an effective process: Organizations should have clear internal policies and procedures for responding to requests. Like the discovery process in litigation, reviewing data in response to a request can be incredibly burdensome. Personal information must be transmitted securely and all deleted information must be permanently erased, deidentified or aggregated. Organizations may want to employ technology and outside partners to make this process more efficient. For example, current technology is available to make files more easily searchable, to extract key metadata, and to remove duplicate files to eliminate redundancy. In addition, organizations must maintain records of consumer requests for at least 24 months, and these records generally cannot be used for any other purpose.
Training: The response team (which may include third party service providers if applicable), and other key staff and management involved in handling requests must receive training on what a consumer may request and the organization’s policies and procedures for responding to requests.
Data mapping: Organizations should have an easy-to-access file of what personal data it is storing, why it has the data, how it uses the data, with whom it shares the data, how long it retains the data, and where it is located.
Provide a method for requests: Under the CCPA, organizations are required to create at least two designated methods for submitting disclosure requests, including, at minimum, a toll-free number and another acceptable method, such as an email address. Organizations should provide clear direction on how to submit requests to know and should not make the process difficult, as this could lead to fines for non-compliance.

Responding to a request

Ensure request is valid: To comply with requests to know, organizations need verification and authentication processes to confirm the identity of the consumer making the request and the validity of the request. A request made by a third party on behalf of someone else should be refused without written authority. The Proposed Regulations require organizations to establish, document and comply with reasonable methods for verifying the identity of the consumer. There are also several factors for determining the “reasonable” identity verification method:
- The type, sensitivity and value of the personal information collected;
- The risk of harm to the consumer posed by unauthorized access or deletion;
- The likelihood that fraudulent or malicious actors would seek the personal information;
- Whether the personal information the consumer must provide in order to verify their identity is easily spoofed or fabricated;
- The manner in which the business interacts with the consumer; and
- Available technology for verification.

If the identity of the consumer cannot be verified, the individual submitting the request must be informed that the request cannot be verified. Moreover organizations must implement reasonable security measures to detect fraudulent identity verification activity and prevent unauthorized access to these records. Note that there are separate verification requirements if the organization maintains a password-protected account with the consumer. Organizations should not collect additional data during the verification process. Instead, they should rely on existing credentials. For example, if, during the period it collected the data, the organization required a dedicated user name, it should use this to verify the requester. We will be addressing some of these issues in other posts; check out one of our recent blog posts on the topic available here.

Narrow the search: Ideally, requests to know should be as specific as possible, and organizations should work with the requestor to narrow the scope as much as possible. For example, if a consumer requests all personal information ever collected by the organization, the search could be vast. But if the organization works with the consumer to determine the specific matter of the consumer’s concern, the requesting consumer may agree to narrow the scope of the request.
Determine universe of data that should be searched: This may include electronic records, emails, archived information, information stored on organizational databases and paper files. The CCPA requires disclosure of certain information in response to a request to know, including the source, the purpose for collection and any third parties with which the data is shared, among others; organizations should ensure they are disclosing all required information.
Ensure response is timely: Organizations must confirm receipt of a request within 10 business days and respond to the request within 45 calendar days from the time the request is received, not from when the request is verified although an extension may be possible. It can take a considerable amount of time to respond to a request, and this is a short timeframe. Thus, organizations should begin work on the request as soon as it is received.
Review response to ensure it does not contain the personal information of others: The individual is only entitled to their own personal data, and organizations must redact any documents or information related to another individual, unless that individual has provided consent. This becomes complicated in the context of joint household requests. Under the CCPA, all members of a household can jointly request to know or delete specific pieces of personal information for the household. While the household request was referenced in the CCPA, only in the update to the Proposed Regulations has procedures for this request been addressed – businesses may respond to household requests only if all consumers of the household jointly make the request, the business verifies the identity of each consumer, and verifies that each is current household member. If a member of the household is under 13 years of age, there must be verifiable parental consent before compliance with the request.
Monitor compliance: Compliance with company policies and procedures for responding to requests should be periodically audited.

It should be noted that under the CCPA consumers are allotted several rights in regards to their personal information, including, for example the “right to delete” the information businesses have collected about them, and while the practical tips described above are particularly geared towards a consumer’s “right to know”, the underlying principles generally can be applied to other forms of consumer requests as well.

In addition, as of now, businesses are exempt from most CCPA obligations in regards to their employees – the exclusion includes information collected “by a business in the course of the natural person acting as a job applicant to, an employee of, director of, officer of, medical staff member of, or contractor of that business” (see more on this in a recent blog post discussing employees under the CCPA). As of now, however, this exemption sunsets on January 1, 2021, and while it is not clear what will be, considering the current direction of privacy law, it seems likely that there will be more and not less privacy protections for employees by the end of 2020.

Check out some of our other CCPA resources for more practical insights and tips:

Two More Significant Rulings for TCPA Litigation – Eleventh and Seventh Circuits Narrowly Interpret ATDS

By Jason C. Gavejian and Maya Atrakchi on February 24, 2020

In back-to-back decisions bound to have significant impact on Telephone Consumer Protection Act (TCPA) class action litigation, the Eleventh and Seventh Circuit Courts recently reached similar conclusions, narrowly holding that the TCPA’s definition of Automatic Telephone Dialing System (ATDS) only includes equipment that is capable of storing or producing numbers using a “random or sequential” number generator, excluding most “smartphone age” dialers. Each court expressly rejected the Ninth Circuit’s more expansive interpretation from a ruling in 2018, concluding that the TCPA covers any dialer that calls from a stored list of numbers “automatically”. These decisions are significant as most technologies in use today only dial numbers from predetermined lists of numbers.

One of the most complex issues under the TCPA is determining whether the technology utilized qualifies as an ATDS. The TCPA prohibits using an ATDS to make calls to cell phone numbers, absent prior consent of the called party. The complexity lies with the TCPA’s definition of an ATDS as: equipment which has the capacity (A) to store or produce telephone numbers to be called, using a random or sequential number generator; and (B) to dial such numbers.

When the TCPA was enacted in 1991, most American consumers were using landline phones, and Congress could not begin to contemplate the evolution of the mobile phone. The Federal Communications Commission (FCC) with its 2015 Declaratory Ruling & Order (2015 Order), attempted to provide clarifications on the TCPA for the mobile era, including the definition of ATDS and what devices qualify. The 2015 Order only complicated matters further, providing an expansive interpretation for what constitutes an ATDS, and sparking a surge of TCPA lawsuits in recent years. The FCC’s expansive definition in the 2015 Order was set aside by the D.C. Circuit Court in March 2018.

The Eleventh Circuit three-judge panel opinion concluded simply, “In the age of smartphones, it’s hard to think of a phone that does not have the capacity to automatically dial telephone numbers stored in a list, giving §227 [of the TCPA] an ‘eye-popping sweep’…Suddenly an unsolicited call using voice activated software (think Siri, Cortana, Alexa), or an automatic ‘I’m driving’ text message could be a violation worth $500…Not everyone is a telemarketer, not even in America.”

In the case before the Eleventh Circuit, the plaintiffs alleged that they had received over a dozen unsolicited calls over a one-year period, from the defendants . While the defendants acknowledged that that they had indeed placed the calls, they argued that this was not a TCPA violation, as their calling system required too much “human intervention” to qualify as an ATDS. The Court agreed with the defendants, finding that in each element of the calling system, there was a “human’s involvement” – from the marketing team creating a “set of parameters” regarding who they intended to contact, to a team of employees programing the “criteria” into the system, a team that reviews the final call list, and finally a team that presses a button labeled “make the call”. “Unless and until the employee presses this button, no call goes out…far from automatically dialing phone numbers, this system requires human involvement to do everything except press the numbers on a phone.”

Last week, less than one month after the Eleventh Circuit’s ruling, the Seventh Circuit, with a similar fact pattern reached a similar conclusion. The Seventh Circuit noted that accepting the plaintiffs’ arguments against the defendant’s dialing system would have “far-reach consequences…it would create liability for every text message sent from an iPhone. That is sweeping restriction on private consumer conduct that is inconsistent with the statute’s narrower focus”. The Seventh Circuit also emphasized the historical intention of the TCPA.

“The [defendant’s] system, like others commonly used today, pulls and dials numbers from an existing database of customers rather than randomly generating them.. .. Determining whether such systems meet the statutory definition has forced courts to confront an awkwardness in the statutory language that apparently didn’t matter much when the statute was enacted: it’s not obvious what the phrase “using a random or sequential number generator” modifies. The answer to that question dictates whether the definition captures only the technology that predominated in 1991 or is broad enough to encompass some of the modern, database‐focused systems.”

As we reported last week, several petitions are currently before the Supreme Court addressing issues with the TCPA, all with the potential to significantly impact the future of TCPA class action litigation. Particularly relevant to the Eleventh and Seventh Circuit rulings, back in October of 2019, the Court was petitioned to review the following issues: 1) whether the TCPA’s prohibition on calls made by an ATDS is an unconstitutional restriction of speech, and if so whether the proper remedy is to broaden the prohibition to abridge more speech, and 2) whether the definition of “ATDS” in the TCPA encompasses any device that can “store” and “automatically dial” telephone numbers, even if the device does not “us[e] a random or sequential number generator.” The Court has still not announced whether it will accept this petition.

The future of the TCPA remains uncertain, and 2020 will hopefully provide clarity for organizations facing TCPA class action litigation. While it appears that courts are generally leaning towards the narrowing of the TCPA in a myriad of aspects, organizations are still advised to err on the side of caution, during this period of uncertainty, when implementing and updating telemarketing and/or automatic dialing practices.

New York Adopts New Data Security and Privacy Regulations for Schools and Their Vendors

By Frank J. Fanshawe on February 20, 2020

We observed in a post on this blog that government agencies, businesses, hospitals, universities and school districts are frequent targets of data breaches that can affect millions of individuals. Cyberattacks on school districts continue to appear in the news. In January, students in the Pittsburg Unified School District (California) were left without internet access as a result of a ransomware attack, which compromised the schools’ servers and email. The Richmond Community Schools in Michigan suffered a similar cyber attack when threat actors infiltrated and locked down the schools’ servers and demanded a $10,000 ransom to return control of those servers.

The cyberattacks are compromising school vendors, too. In December, a student hacker committed a “brute force” attack on Naviance, an ed-tech provider that collects sensitive information on behalf of school districts throughout the United States. The attack on Naviance exposed the personal information of approximately 6,000 students. There are countless stories of other ed-tech providers sustaining similar cyberattacks.

It comes as no surprise in face of these cyberattacks that New York State regulators are taking action to protect personal information that schools and their vendors collect and maintain. We reported on this blog that the New York State Department of Education (“SED”) proposed new regulations (“Regulations”) to require school districts and state-supported schools to develop and implement robust data security and privacy programs to protect any personally identifiable information (“PII”) relating to students, teachers and principals. On January 14, 2020, the Board of Regents formally adopted the Regulations (which were modified since their initial publication). The Regulations were effective January 29, 2020.

While broad in scope, the Regulations include several requirements that are particularly noteworthy for schools and their vendors. They include:

School contracts – including “click wrap” agreements — with vendors who receive PII must state that the vendor will maintain all information in accordance with federal and state law and the school’s security and privacy policy.
Schools must include a Parent’s Bill of Rights in every contract with vendors who receive PII.
All schools must follow the National Institute for Standards and Technology Cybersecurity Framework (“NIST CSF”) as the standard for data security and privacy.
All schools must adopt by July 1, 2020 a data security and privacy policy that implements the requirements of the Regulations and aligns with NIST CSF.
Schools must publish their data security and privacy policies on their websites.
Schools must provide data privacy and security awareness training to officers and employees with access to PII.
Schools must designate a Data Protection Officer (“DPO”) who is responsible for the compliance program and to otherwise serve as a point of contact for the schools on data security and privacy matters.
Vendors that suffer a breach of PII must notify the affected schools within seven (7) calendar days; the schools must in turn notify SED within ten (10) calendar days of receipt of notification of a breach from the vendor; and the schools must notify the affected individuals of the breach without unreasonable delay but in no case later than sixty (60) days of discovery or receipt of breach notification from the vendor.

These Regulations certainly impose many new obligations on schools. Schools are urged to contact qualified legal counsel as they begin to develop and implement a comprehensive data security and privacy compliance program to comply with the mandates of the new Regulations.

4822-0398-2004, v. 1

The Supreme Court and the Future of the TCPA

By Jason C. Gavejian and Maya Atrakchi on February 12, 2020

In a decision that may have significant impact on businesses that face Telephone Consumer Protect Act (“TCPA”) related class action litigation, the Supreme Court recently accepted certiorari of a petition to rule on the constitutionality of the TCPA. The Court agreed to review a ruling of the Fourth Circuit which held that a TCPA exemption for government debt collectors was in violation of the First Amendment.

Specifically, the Supreme Court will address the issue of whether the government-debt exception to the TCPA’s automated-call restriction violates the First Amendment, and whether the proper remedy for any constitutional violation is to sever the exception from the remainder of the statute. The Fourth Circuit concluded that the government-debt exception was unconstitutional, and to sever the government-debt exception but leave untouched the TCPA’s general restriction on calls made with an “automatic telephone dialing system” (“ATDS”). It is still unclear whether the Supreme Court will only address severing the government-debt exception, or the constitutionality of the TCPA in its entirety.

This is not the first time, of late, that the Supreme Court has been petitioned to address the constitutionality of the TCPA. Back in October of 2019, the Court was petitioned to review the following issues: 1) whether the TCPA’s prohibition on calls made by ATDS is an unconstitutional restriction of speech, and if so whether the proper remedy is to broaden the prohibition to abridge more speech, and 2) whether the definition of “ATDS” in the TCPA encompasses any device that can “store” and “automatically dial” telephone numbers, even if the device does not “us[e] a random or sequential number generator.” The Court has still not announced whether it will accept this petition.

When the TCPA was enacted in 1991, most American consumers were using landline phones, and Congress could not begin to contemplate the evolution of the mobile phone. The TCPA defines ATDS as “equipment which has the capacity—(A) to store or produce telephone numbers to be called, using a random or sequential number generator; and (B) to dial such numbers.” 47 U.S.C § 227(a)(1). In 2015, the Federal Communications Commission (FCC) issued its 2015 Declaratory Ruling & Order (2015 Order), concerning clarifications on the TCPA for the mobile era, including the definition of “Automatic Telephone Dialing System” (ATDS) and what devices qualify. The 2015 Order only complicated matters further, providing an expansive interpretation for what constitutes an ATDS, and sparking a surge of TCPA lawsuits in recent years.

In 2018, the U.S. Court of Appeals for the District of Columbia set aside the FCC’s expansive interpretation of what constitutes an ATDS and its approach to consent of reassigned wireless numbers. Since that decision, a circuit split has developed with the Third Circuit ruling that a dialer is not an ATDS unless it has the present ability to randomly or sequentially generate numbers and to dial them and the Ninth Circuit adopting a broader reading holding that the definition of ATDS includes any equipment that has the capacity to store random numbers and dial them, even if it cannot generate numbers randomly or sequentially. In February of 2019, a petition of writ of certiorari was filed with Supreme Court, to review the Ninth Circuit panel’s decision, but shortly after the parties reached a settlement agreement. Given the circuit split over the definition of ATDS under the TCPA, the issue is ripe for the Supreme Court to address.

There has been great uncertainty surrounding TCPA litigation in recent years, and 2020 may be the year organizations facing such litigation finally get some clarity on key issues. In the meantime organizations are advised to implement and update their telemarketing and/or automatic dialing practices to ensure TCPA compliance.

CA Attorney General Updates CCPA Proposed Regulations

By Joseph J. Lazzarotti and Jason C. Gavejian on February 10, 2020

Many businesses and their service providers have been awaiting final guidance from the California Attorney General concerning the California Consumer Privacy Act (CCPA). When news came last Friday of a regulatory update (“Update”), there may have been some initial disappointment that the Update did not announce final regulations, but only revisions to existing proposed regulations issued last year and a new comment period (ending February 24, instructions to submit comments here). However, while final regulations are still sometime away, initial disappointment may be softened by some of the Update’s revisions.

Based on our initial review of the Update, below are some key changes to the proposed regulations:

The Update would add guidance for interpreting defined terms under the CCPA. Specifically, the Update clarifies that determining whether information is “personal information” depends on whether the business maintains the information in a manner that “identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.” This guidance and the example provided below would address concerns many have regarding information businesses collect online.

For example, if a business collects the IP addresses of visitors to its website but does not link the IP address to any particular consumer or household, and could not reasonably link the IP address with a particular consumer or household, then the IP address would not be “personal information.”

The proposed regulations confirmed the requirement for online notices to be accessible, but the Update would require generally recognized industry standards be followed, such as the Web Content Accessibility Guidelines, version 2.1 of June 5, 2018, from the World Wide Consortium.
The proposed regulations provided businesses could not use personal information for “any purpose other than disclosed in the notice at collection.” The Update would establish a less strict standard – “a purpose materially different than disclosed in the notice at collection.”
With regard to the contents of the notice at collection, the proposed regulations required (i) a list of the categories of personal information to be collected, and (ii) for each category, the business or commercial purposes for which it will be used. The Update would remove the requirement to list the purposes of use for each category. In other words, it appears it would be sufficient to list the business or commercial purposes for using all of the categories of personal information, not each one individually. This change would significantly simplify the notice at collection, and would be extended to the privacy policy as well.
With regard to notices at collection for employment-related data, a “Do Not Sell My Personal Information” link would not be required. Additionally, the notice could link to the business’s privacy policies for employees, applicants, etc., rather than consumers.
The Update provides for an optional “Opt-Out Button.”
Proposed regulations required a two-step process for online requests to delete personal information. The Update would make that two-step process optional.
With regard to the general requirement to make two or more designated methods available for submitting requests to know, the Update would relax the specific methods. At least one still must be a toll-free number. However, for website operators, the second need not be an interactive webform and could be an email address.
The Update also tweaks the timing of certain notice requirements. For example, when confirming receipt of a request to delete or a right to know, the business would have 10 business days, while responses to such requests generally would be due in 45 calendar
Under the Update, a business would not be required to search for personal information in response to a request to know if the business: (i) does not maintain personal information in a searchable or reasonable accessible format, (ii) maintains the personal information only for legal or compliance purposes, (iii) does not sell the information or use it for a commercial purpose, and (iv) describes to the consumer the categories of records not searched because it satisfied the three conditions above.
The Update would clarify that service providers that receive requests to know or to delete either can respond on behalf of the business or inform the consumer that it cannot act on the request because it is a service provider.

Businesses still need to monitor the development of CCPA regulation, but the Update would seem to provide some clarity and/or relief on some points. Also, there is a new opportunity to voice concerns and pose questions concerning the guidance thus far.

CCPA Data Breach Class Action Litigation Begins

By Joseph J. Lazzarotti and Jason C. Gavejian on February 6, 2020

Image result for CCPA class action As reported by Bloomberg Law, data breach class action litigation has begun under the California Consumer Privacy Act (CCPA). Filed in the Northern District of California, San Francisco Division, a putative class action lawsuit against Hanna Andersson, LLC and its ecommerce platform provider, Salesforce.com, alleges negligence and a failure to maintain reasonable safeguards, among other things, leading to a data breach. The complaint specifically seeks recovery under the CCPA – Cal. Civ. Code § 1798.100, et seq.

The complaint alleges a familiar story – in the latter part of 2019, hackers compromised the retailer’s website with malware enabling the hackers to scrape names, billing and shipping addresses, payment card numbers, CVV codes, and credit card expiration dates of thousands of the retailer’s customers. Hanna Andersson notified affected persons of the breach on January 15, 2020, and the complaint was filed on February 3, 2020.

Whether the complaint alleges sufficient harm for the case to proceed will be for the court to determine, but under the CCPA that may not be necessary. The new California law authorizes a private cause of action against covered businesses if a failure to implement reasonable safeguards to protect personal information results in a data breach. Cal. Civ. Code § 1798.150. If successful, a plaintiff can recover statutory damages in an amount not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater, as well as injunctive or declaratory relief and any other relief the court deems proper.

To bring an action for statutory damages under the CCPA, consumers must first notify the business of the alleged violation. The business then has thirty days to cure the violation and provide the consumer with “an express written statement that the violations have been cured and that no further violations shall occur.” It does not appear an opportunity to cure was provided in this case. Also, the breach reportedly occurred in 2019, before the CCPA became effective (January 1, 2020).

Regardless of the outcome of this case, certainly one we will be watching, it should serve as an important reminder for businesses to ensure they have reasonable safeguards in place to protect personal information. Under California law,

A business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.

Cal. Civ. Code § 1798.81.5(b).

But, the meaning of “reasonable safeguards” is not entirely clear in California. One place to look is in the California Data Breach Report (Report) former California Attorney General, Kamala D. Harris, issued in February, 2016. According to the Report, an organization’s failure to implement all of the 20 controls set forth in the Center for Internet Security’s Critical Security Controls constitutes a lack of reasonable security.

It is not clear that adherence to those controls will provide a sufficient basis to defend a business from an action under the CCPA relating to a data breach. But, those controls might be a good place to start. It also is important to understand how those safeguards should be applied.

First, the CCPA’s private right of action for data breaches applies with respect to personal information of consumers and employees, applicants, officers, etc. Personal information of consumers and employees often resides on different systems, subject to access by different users, and collected, processed, and stored by different third party service providers. Thus, it is important to think broadly when safeguarding personal information that could trigger a class action under this section.

Second, “personal information” for purposes of the “reasonable safeguards” requirement is much narrower than the general definition of personal information for CCPA purposes. Specifically, the private right of action under Cal. Civ. Code § 1798.150 extend only to personal information, “as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5.” This means:

(A) An individual’s first name or first initial and the individual’s last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:

(i) Social security number.

(ii) Driver’s license number, California identification card number, tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual.

(iii) Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

(iv) Medical information.

(v) Health insurance information.

(vi) Unique biometric data generated from measurements or technical analysis of human body characteristics, such as a fingerprint, retina, or iris image, used to authenticate a specific individual. Unique biometric data does not include a physical or digital photograph, unless used or stored for facial recognition purposes.

A similar cause of action exists under an Illinois privacy law that you might have heard about, the Illinois Biometric Information Privacy Act or “BIPA.” That provision has resulted in a flood of litigation, including putative class actions, seeking to recover statutory damages for plaintiffs who allege their biometric information has been collected and/or disclosed in violation of the statute. As data breaches continue to plague businesses across the country, including those subject to the CCPA, ensuring reasonable safeguards are in place may be the best defense.

Verifying CCPA Requests to Know and Requests to Delete

By Jerel Pacis Agatep and Joseph J. Lazzarotti on January 31, 2020

With the California Consumer Privacy Act (CCPA) effective for nearly one month, businesses continue to grapple with the many components of this new privacy framework. A key component of the CCPA is granting consumers the right to request information about and to exercise some control over their personal information. Developing sufficient mechanisms to receive, process and respond to these requests is a central and complex area of compliance for businesses. One aspect of processing consumer requests requires verifying the identity of the individuals making the requests, and their authority to be making the request.

The CCPA directed the State’s Attorney General to establish rules and procedures to govern a business’s determination that certain requests received from a consumer is a “verifiable consumer request.” In fact, the statute provides that businesses are not obligated to provide information to consumers if the business cannot verify the consumer making the request is the consumer about whom the business has collected information or is a person authorized by the consumer. On October 10, 2019, the California Attorney General’s (AG) office issued proposed regulations which, among other things, begin to address how businesses can structure procedures for verifying consumers when they seek to exercise their “Right to Know” and “Right to Delete.”

So how does a company verify a consumer’s identity? In this post, we address the general rules, bearing in mind they may change when the Attorney General’s office finalizes its regulations.

General Rules

Currently, businesses have some flexibility in determining the method by which they verify a consumer’s identity, although there are some basic guidelines they must follow:

Where they can feasibly do so, businesses should match the identifying information provided by the consumer to the personal information of the consumer already maintained by the business.
Businesses should avoid collecting certain types of sensitive personal (e.g. SSN, government IDs, financial information, medical and health information, and biometric data), unless it is necessary to verify. See Civ. Code Sec. 1798.81.5(d).
Shape the verification method based on certain factors, such as: 1) type, sensitivity or value of personal information, 2) risk of harm to the consumer posed by unauthorized access or deletion, 3) likelihood that bad actors would seek the information, 4) vulnerability to being spoofed or fabricated, 5) manner in which the business interacts with the consumer, and 6) available technology for verification.
If the business uses a third-party identity verification service, be sure it complies with the CCPA rules for verification. Additionally, businesses should ensure these service providers maintain reasonable safeguards to protect the personal information they process in the course of verification.

Takeaways

The guidelines proposed by the AG’s office regarding verification boils down to “reasonableness” as it gives businesses a wide range of discretion and flexibility to establish a workable method that fits the business’ operation and financial capabilities. After establishing a “reasonable” method, the business has to document and comply with the method they have established.

Depending on the business’ capabilities, they can match the categories of information the consumer provides with the information the business already possesses or utilize a third-party verification service provider. Either way, businesses should refrain from requesting additional information for verification, unless doing so is necessary to protect the consumer.

Once the business has considered these items, they can get to work on shaping specific procedures for verification taking into account issues such as:

Who can make requests
Account holders versus non-account
“Requests to Know” versus “Requests to Delete”
Requests for categories of information versus specific pieces of information
Use of Authorized Agents

Please stay tuned as we address these in future blog posts.

Health Plan Sponsors – Have You Updated Your Vendor Agreements for Substance Use Disorder (SUD) Confidentiality Regulations?

By Joseph J. Lazzarotti on January 30, 2020

Employers that sponsor group health plans (medical, dental, vision, HFSA) are used to negotiating detailed administrative services agreements with vendors that provide services to those plans. Many also are familiar with “business associate agreements” required under HIPAA that must be in place with certain vendors, such as third-party claims administrators (TPAs), wellness program vendors, benefits brokers, etc. However, many plan sponsors may not be aware of a contract requirement with respect to the confidentiality of patient records relating to a substance use disorder (SUD). If applicable, these contract provisions must be in place by February 2, 2020.

Federal regulations (42 C.F.R. Part 2) provide specific protections for SUD patient records. In general, these are records held by certain SUD treatment programs, those that receive federal funding. The arm of the Department of Health and Human Services that regulates SUD programs, Substance Abuse and Mental Health Services Administration (“SAMHSA”), issued final regulations in 2018 concerning the confidentiality of SUD patient records. In a number of respects, these rules strengthen protections already in place under the HIPAA privacy and security rules.

How do the new SUD regulations affect contracts with health plan vendors?

Under Section 2.33 of the regulations, when a patient consents to a disclosure of their SUD patient records for payment and/or health care operations activities, the records may wind up with a “lawful holder” of those records (a plan sponsor, for example), and then on to the lawful holder’s third-party vendors to carry out the payment and/or health care operations on behalf of such lawful holder. When this happens, lawful holders must have in place a written contract with the third party obligating the third party to be bound by 42 C.F.R. Part 2.

The contract should require the third-party recipients of these records to implement appropriate safeguards to prevent unauthorized uses and disclosures, and to report any unauthorized uses, disclosures, or breaches. The contract also should prohibit the third party from re-disclosing the records unless the disclosure is to a contracted agent of the third party that is helping the third party provide services described in the contract, and any further disclosures are back to the third party or the lawful holder (plan sponsor).

In addition to the contract requirement, lawful holders must provide to such third parties a statement in connection with the disclosure, which may be as simple as “42 CFR Part 2 prohibits unauthorized disclosure of these records.”

What to do next?

Plan sponsors receiving SUD patient records in connection with their group health plan and sharing that information with a third-party service provider, or where the service provider is receiving such information on behalf of the plan sponsor, should review the provisions of their services agreements and, if applicable, business associate agreements. For plan sponsors not currently receiving SUD patient records, it may make sense to update these third-party contracts in the event such records are received. While updating these agreements, it may also be a good time to revisit other provisions to ensure strong contractual protections such as adding specificity on response to data incident, indemnification, limitation of liability, and other contractual protections.

Privacy & Cybersecurity Issues to Watch in 2020

By Joseph J. Lazzarotti and Jason C. Gavejian on January 28, 2020

2020 may very well be the most impactful year for data privacy and cybersecurity in the United States. In honor of Data Privacy Day, we discuss some of the reasons why that may be the case. In short, as privacy and cybersecurity risks continue to emerge for organizations large and small, the law is beginning to catch up which is prompting a significant uptick in compliance efforts.

The California Consumer Privacy Act and Its Admirers

On January 1, 2020, the long anticipated, hotly debated, and already amended California Consumer Privacy Act (CCPA) went into effect. According to a survey conducted by ComplianceWeek.com, however, nearly 80% of respondents felt either “somewhat confident,” “uncertain,” or “not confident at all” they would be compliant by the effective date. These results may be due to a variety of reasons: a lack of awareness or resources, reliance on the extended CCPA enforcement date (July 1, 2020), a belief that the California Attorney General enforcement efforts will be directed elsewhere, and/or anticipation of final regulations/further guidance from the California Attorney General.

Nonetheless, many businesses are working on CCPA compliance: mapping consumer data; providing notices at collection to consumers, employees, and applicants; updating websites and privacy policies; building internal procedures to verify and respond to consumer requests; and tightening their safeguards for protecting personal information. These efforts are worthwhile for many businesses as they are likely to yield dividends beyond California.

Following California’s lead, a number of other states have introduced similar measures in 2020 regarding individual privacy rights. These legislative efforts include: Florida (SB 1670, HB 963); Hawaii (SB 418, SB 2451); Illinois (SB 2330); Maryland (HB 249); Nebraska (LB 746); New Hampshire (HB 1680); New Jersey (S269, S236, A2188); Vermont (H. 899); Virginia (HB 473); Washington HB 2759). Earlier efforts began in 2019: New Mexico (SB 176); New York (A 6351, S 4411); Pennsylvania (HB 1049); Rhode Island (S 234, H 5930); and Texas (HB 4518). All of these measures may fail, but California’s influence on state privacy law is considerable. Remember, the country’s first data breach notification law became effective in 2003 in California, and now all 50 states have such a law, including a number of other countries.

Adoption of Biometric Technology Grows, Along with Regulation

SourceToday.com reports that “by 2025, Zion Market Research expects the global next-generation biometric market to reach $36.8 billion, up from $12.9 billion last year.” The same report cites Deloitte’s 2018 global mobile consumer survey (US edition) which finds that at least one biometric authentication method is used by nearly half of U.S. smartphone owners. The trend for biometrics is on the rise.

Organizations which collect and use biometric identifiers/information (e.g. fingerprints, face scans, etc.) should be mindful of the increasing privacy and data security regulation around biometric technologies and applications. While biometrics may be helpful in preventing fraud, managing employees’ time, or improving security, these benefits must be considered against the potential legal and compliance risks.

The most critical of these risks exists in Illinois under its Biometric Information Privacy Act (BIPA). Under BIPA a plaintiff is entitled to statutory damages for violations and actual harm is not required in order for an individual to sue. BIPA is at the heart of hundreds of putative class action lawsuits in Illinois. Compliance steps such as obtaining consent prior to collection or use and establishing a written policy may help mitigate risk. For more information on the BIPA and biometric information related concerns checkout our FAQs.

Of course, BIPA does not present the only compliance concern. In California, for example, the CCPA includes biometric information as a specific category of personal information, and following a change in 2019, a breach of biometric information could trigger a notification requirement. Other states regulating biometric information in one for or another include without limitation Arkansas, Colorado, Florida, Massachusetts, Nebraska, New York, Texas, and Washington.

Organizations’ Websites Provide a Window Into Compliance

Websites facilitate communication with consumers, constituents, patients, employees, and the general public. They project an organization’s image and promote goodwill, provide information about products and services and allow for their purchase. Websites also inform investors about performance, enable job seekers to view and apply for open positions, and accept questions and comments from visitors to the site or app, among many other activities and functionalities. Because of this vital role, websites have become an increasing subject of regulation making them a growing compliance concern, particularly as they are open to inspection by the public.

CCPA privacy policies, ADA accessibility, HIPAA notice of privacy practices, and COPPA consent mandates are just a few of the compliance requirements affecting websites and online applications or services. In 2020 and beyond, organizations will need to take a closer look at these and other compliance issues concerning their websites and online services.

Telephone Consumer Protection Act (TCPA)

While the Supreme Court did not choose to address whether the Hobbs Act (also known as the Administrative Orders Review Act) requires a district court to accept the Federal Communications Commission (FCC) interpretation of the TCPA (PDR Network, LLC v. Carlton & Harris Chiropractic, Inc., No. 17-1705) there have been a number of other developments impacting the TCPA. In December 2019, the FCC ruled that online faxes are TCPA exempt and the Supreme Court recently accepted certiorari of a petition to rule on the constitutionality of the TCPA. In granting certiorari, the Court agreed to review a ruling of the Fourth Circuit which held that a TCPA exemption for government debt collectors was in violation of the First Amendment. The case could have a significant impact on TCPA claims. Further, Congress recently proposed the TRACED Act, to combat the increasing number of robocall scams and other intentional violations of telemarketing laws. The TRACED Act, if passed, broadens FCC authority to levy civil penalties and extends the time period for the FCC to catch and take civil enforcement action against intentional violations. Needless to say, 2020 should be an interesting year for the TCPA.

Cybersecurity, Cybersecurity, and Cybersecurity

A rundown of anticipated, critical cybersecurity risks vying for attention at the upcoming RSA Conference in 2020 (the world’s biggest conference for CISOs) should provide reason enough for organizations to redouble their efforts at tightening security. But that is not all.

Less than two months from now, New York’s Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) becomes effective, imposing expansive data security requirements on companies. Among other things, and similar to data security frameworks in other states such as California, Colorado, Massachusetts, and Oregon, the SHIELD Act requires that any person or business, including a small business, that owns or licenses computerized data which includes private information of a resident of New York must develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information.

Examples of practices considered reasonable administrative safeguards under the law include risk assessments, employee training, selecting vendors capable of maintaining appropriate safeguards and implementing contractual obligations for those vendors, and disposal of private information within a reasonable time period.

Similar frameworks already exist in other states. For example, in 2018, Colorado enacted HB 1128, creating obligations for businesses to maintain “reasonable security procedures and practices” for protecting personal identifying information. Similar rules have been in place since 2010 in Massachusetts. Requirements for reasonable safeguards to protect personal information also exist in numerous other states such as Alabama, Florida, Nevada, Illinois, Indiana, and Utah.

But, we will end where we began, the CCPA. We believe it will be an important driver of “reasonable safeguards” for personal information. This is because similar to BIPA, the CCPA authorizes a private cause of action against a covered business if a failure to implement reasonable security safeguards results in a data breach. If successful, a plaintiff can recover statutory damages in an amount not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater, as well as injunctive or declaratory relief and any other relief the court deems proper. As the CCPA provides for statutory damages, Plaintiffs in these lawsuits may not have to show actual harm or injury to recover.

* * * * *

For these reasons and others, we believe 2020 will be a significant year for privacy and data security.

Happy Privacy Day!

Coronavirus Raises Privacy Concerns for Healthcare Providers and their Workers

By Joseph J. Lazzarotti on January 28, 2020

The outbreak of a new coronavirus that is believed to have began in central Chinese city of Wuhan and now appears to be spreading to the United States is driving concerns for organizations around preparedness regarding their operations, their customers, and their employees. Both the Center for Disease Control and Prevention (CDC) and the State Department have issued travel advisories, and the CDC asks everyone who traveled to Wuhan in the last 14 days and experiences symptoms to seek medical care immediately.

Many organizations are seeking guidance on how best to respond to these concerns, especially those in certain industries. Business that rely on international travel, such as in the commercial airline and border protection industries must be particularly aware. Organizations must consider a range of issues – travel restrictions, how to identify persons likely to have been exposed to the virus and how to limit that exposure, communication plans in the event an exposure is identified, as well as a range of employment law issues, including under the Americans with Disabilities Act, the Genetic Information Nondiscrimination Act, the National Labor Relations Act, and other federal and state laws. Learn more about these here.

Naturally, however, the spread of infectious disease also raises particular concerns for healthcare workers who want to do their jobs and care for their patients, while also protect themselves and their families. In the healthcare sector, as with prior contagious disease outbreaks, fears about contracting the virus could lead to impermissible “snooping” and sharing of information by healthcare employees. Covered entities and business associates therefore need to take this increased risk seriously and remind members of their workforce members that they may not access or disclose patient records for an impermissible purpose. Healthcare workers also should be reminded that impermissible snooping also can lead to termination, fines, and in some cases criminal prosecution.

In November 2014, during the Ebola outbreak, the Office for Civil Rights issued a bulletin addressing HIPAA privacy in emergency situations. This bulletin provides a good resource and reminder for health care providers when working in this environment. For some covered entities that may not yet maintain as robust a program for creating HIPAA privacy and security awareness, this would be a good opportunity to communicate some of the basic safeguards required under HIPAA, including when and under what circumstances they can share patient information with family, friends, public health agencies, and the media. All covered entities should also remember to document these efforts, as it is required under HIPAA and will help them to substantiate their compliance efforts.

Healthcare providers also must remember that HIPAA is not the only game in town. They have to also consider more stringent state laws that may apply in these situations. Additionally, for healthcare providers in different settings, such as universities in an educational setting, the Family Educational Rights and Privacy Act (FERPA) may have additional protections for treatment records pertaining to students.

No one knows where the next victim of the coronavirus will show up for care. First and foremost, that provider needs to be prepared to treat that person. But the provider also needs to be sure privacy and security safeguards are in place to avoid a breach of the patient’s privacy and a compliance exposure.