California AG Urges Congress Not to Preempt the CCPA

Earlier this month, California Attorney General (“AG”) Xavier Becerra sent a letter to several members of U.S. Congress, providing an update on the implementation of the newly effective California Consumer Privacy Act (CCPA), and urging Congress not to enact a federal law that would preempt the CCPA and other state consumer privacy measures. Instead, AG Becerra called on Congress to develop a law that would “build on the rights” provided for by the CCPA, and partner with states to ensure greater consumer privacy protections.

“I invite Congress to look to the states as sources of innovation and expertise in data privacy, and not to undermine protections, like CCPA, that states have already developed. Therefore, as I noted above, I encourage Congress to favor legislation that sets a federal privacy-protection floor rather than a ceiling, allowing my state—and others that may follow—the opportunity to provide further protections tailored to our residents,” wrote AG Becerra.

In addition, AG Becerra emphasized that Congress, in developing a federal consumer privacy law, should extend enforcement powers broadly, giving state attorneys general parallel enforcement authority and giving consumers the ability to protect their rights directly through a private right of action. It is not clear to what extent AG Becerra is suggesting the inclusion of a private right of action in federal law. The CCPA only authorizes a private cause of action against a covered business if a failure to implement reasonable security safeguards results in a data breach; no private action is available when a consumer’s individual rights under the CCPA are violated. Moreover, the definition of personal information for the private right of action is much narrower than the general definition of personal information under the rest of the CCPA.

AG Becerra is instrumental in the CCPA legislative process; in particular, his office is tasked with developing regulations to operationalize the CCPA and provide the clarity and specificity needed to implement the law. AG Becerra announced proposed regulations in October 2019 and, following a series of public hearings across California, announced a regulatory update to the existing proposed regulations in early February 2020, and then again last week. The AG’s regulations must be finalized and implemented by July 1, 2020.

In the meantime, the U.S. Congress has been plugging away at a federal consumer privacy law over the last couple of years, with limited progress. Most recently, two competing federal consumer privacy bills were introduced: first the Consumer Online Privacy Rights Act, introduced by Sen. Maria Cantwell (D-Wash.), and shortly after the United States Consumer Data Privacy Act, introduced by Sen. Roger Wicker (R-Miss.). While the two proposals have significant overlap, a key difference is their treatment of state consumer privacy laws. Cantwell’s proposal includes preemption of “directly conflicting state laws”, but stipulates that the federal law would not override state laws with a “greater level of protection”. Conversely, Wicker’s proposal includes a broad provision expressly preempting any state law “related to the data privacy or security and associated covered entities”.

A federal consumer privacy law is almost inevitable, even if it is still unclear what shape it will take and when. With the CCPA in effect and other state measures on the horizon, the development of a meaningful data privacy and protection program has never been more important.

New York SHIELD Act FAQs

Over the past few months, businesses across the country have been focused on the California Consumer Privacy Act (CCPA) which dramatically expands privacy rights for California residents and provides a strong incentive for businesses to implement reasonable safeguards to protect personal information. That focus is turning back east as the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), becomes effective in less than two weeks. With the goal of strengthening protection for New York residents against data breaches affecting their private information, the SHIELD Act imposes more expansive data security and updates its existing data breach notification requirements.

This post highlights some features of the SHIELD Act. Given the complexities involved, organizations would be well-served to address their particular situations with experienced counsel.

When does the SHIELD Act become effective?

The SHIELD Act has two effective dates:

  • October 23, 2019 – Changes to the existing breach notification rules
  • March 21, 2020 – Data security requirements

Which businesses are covered by the SHIELD Act?

The SHIELD Act’s obligations apply to “[a]ny person or business which owns or licenses computerized data which includes private information” of a resident of New York. Previously, the obligation to provide notification of a data breach under New York’s breach notification law applied only to persons or businesses that conducted business in New York.

Are there any exceptions for small businesses?

As before the SHIELD Act, there are no exceptions for small businesses in the breach notification rule. A small business that experiences a data breach affecting the private information of New York residents must notify the affected persons. The same is true for persons or businesses that maintain (but do not own) computerized data that includes private information of New York residents. Persons or businesses that experience a breach affecting that information must notify the information’s owner or licensee.

However, the SHIELD Act’s data security obligations include some relief for small businesses, defined as any person or business with:

What Does Phishing Have to do with Coronavirus?

As announcements relaying the spread of Coronavirus (COVID-19) continue daily, governmental agencies at all levels are offering information and guidance, and businesses are scrambling to prepare and protect their employees and customers. As part of a larger group in my firm helping to synthesize all this information, I have noticed an aspect of responding to COVID-19 that has not gotten much attention: emerging phishing attacks by informed hackers trying to capitalize on the fears employees have about the COVID-19 crisis and about what their employers are doing to respond.


We have posted several times about the different techniques hackers use to trick unsuspecting, distracted, or nervous employees into falling victim to a phishing attack. A good example, also particularly relevant now, is IRS Form W-2 cyber scams designed to get workers to email other employees’ Forms W-2. The IRS has issued numerous warnings about these scams and guidance for addressing them. And, the World Health Organization has issued a similar warning relating to COVID-19.

At the moment, organizations around the world are communicating with their workforces about coronavirus in areas such as (i) updated travel policies, (ii) work-from-home requirements, and (iii) cleaning best practices. Businesses also might be adjusting or changing plans for conferences and other business initiatives in response to the reported spread of COVID-19. Hackers do their research and see the opportunity. Through social engineering, they can target employees who, in the current environment, might be more likely to respond to an executive’s email seeking action on a coronavirus-related topic.

As with Form W-2 and other scams, employees may, for example, receive fake emails purporting to be information from management about coronavirus. The hacker might assume an executive’s identity and apparent e-mail address for the purpose of sending what appears to be a legitimate request to address a critical business need surrounding the outbreak. Unsuspecting and nervous employees might be more likely to respond, allowing attackers into the organization’s information systems.

While an organization can use firewalls, web filters, malware scans or other security software to hinder spear phishing, experts agree the best defense is employee awareness. So, it is a good idea to remind employees about this threat, along with guidance for avoiding these attacks.
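The executive-impersonation lure described above leaves traces in the message headers that mail filtering can catch before an employee has to decide. The following is an added illustration, not code from the original post: it checks an inbound sender against a roster of executives and the corporate domain, flagging an executive's name on an external address, a lookalike domain one or two characters away from the real one, a corporate address planted inside the display name, and a Reply-To that redirects answers elsewhere. The domain, the executive roster and the sample headers are all constructed for this example.

```python
"""Flag inbound mail whose sender looks like a known executive but does not
come from the corporate domain. Added illustration, not code from the
original post; domain, roster and sample headers are constructed."""
import unicodedata
from email.utils import parseaddr

CORPORATE_DOMAIN = "example-corp.com"  # constructed
EXECUTIVES = {  # constructed roster: normalized display name -> legitimate address
    "jane doe": "jane.doe@example-corp.com",
    "sam okafor": "sam.okafor@example-corp.com",
}


def _normalize(text):
    """Lower-case, strip accents and collapse whitespace so 'Jane  DOE' == 'jane doe'."""
    text = unicodedata.normalize("NFKD", text)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    return " ".join(text.lower().split())


def _edit_distance(a, b):
    """Levenshtein distance, used to catch lookalike domains (dropped, swapped or substituted letters)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def classify_sender(from_header, reply_to_header=""):
    """Return the reasons a message deserves a closer look (empty list = nothing unusual)."""
    reasons = []
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = _domain(addr)
    name = _normalize(display)

    if domain and domain != CORPORATE_DOMAIN:
        # External sender: does anything about it borrow the company's identity?
        if 0 < _edit_distance(domain, CORPORATE_DOMAIN) <= 2:
            reasons.append("lookalike domain: %s" % domain)
        if name in EXECUTIVES:
            reasons.append("executive display name on external address")
        if CORPORATE_DOMAIN in display.lower():
            reasons.append("corporate address embedded in display name")
    elif name in EXECUTIVES and EXECUTIVES[name] != addr:
        # Internal domain but not the executive's real mailbox.
        reasons.append("executive name on a different internal address")

    if reply_to_header:
        _, reply_addr = parseaddr(reply_to_header)
        if _domain(reply_addr) != domain:
            reasons.append("reply-to domain differs from sender domain")
    return reasons


def triage(messages):
    """Map message id -> reasons, keeping only messages that raised at least one."""
    flagged = {}
    for msg in messages:
        reasons = classify_sender(msg.get("From", ""), msg.get("Reply-To", ""))
        if reasons:
            flagged[msg["id"]] = reasons
    return flagged


# Constructed sample headers: one legitimate message and four lures.
SAMPLE_MESSAGES = [
    {"id": "m1", "From": "Jane Doe <jane.doe@example-corp.com>"},
    {"id": "m2", "From": "Jane Doe <jane.doe@webmail.example>"},
    {"id": "m3", "From": "Sam Okafor <sam.okafor@examp1e-corp.com>"},
    {"id": "m4", "From": '"Jane Doe <jane.doe@example-corp.com>" <updates@covid-alerts.example>'},
    {"id": "m5", "From": "IT Helpdesk <helpdesk@example-corp.com>",
     "Reply-To": "helpdesk@example-corp.co"},
]

if __name__ == "__main__":
    for mid, why in triage(SAMPLE_MESSAGES).items():
        print(mid, why)
```

The checks deliberately look only at what the sender chose to present (display name, address, Reply-To), which is the part an employee sees; they complement, rather than replace, SPF/DKIM/DMARC evaluation of the envelope and the awareness training the post recommends.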

In the event your business is a victim of such an attack, it needs to be prepared to respond. This may require steps such as (i) investigating the nature and scope of the attack, (ii) ensuring that the attackers are not still present in its systems, (iii) determining whether notification is required under applicable state law to individuals and state agencies, and (iv) helping employees whose personal information may have been compromised.

Requests to Know under the CCPA: Practical Compliance Tips

The much anticipated California Consumer Privacy Act (“CCPA”) is now in effect (as of January 1, 2020), and as we’ve recently reported, class action litigation under the CCPA has already begun. Organizations should have already assessed whether their business is subject to the new law and, if so, taken steps to ensure compliance. One of the most difficult compliance areas of the CCPA is likely to be responding to consumer requests to know the personal information a business collects about them. Under the CCPA, consumers have the right to know what personal information a business is collecting about them. The information must be made available, free of charge, within 45 days, although extensions are available in limited circumstances. The business’s response to a request to know must be in a “readily useable format that allows the consumer to transmit this information to another entity without hindrance.” In addition, in October of 2019, as required by the CCPA, Attorney General Xavier Becerra announced Proposed Regulations that operationalize the new law and provide clarity and specificity to assist in implementation of the CCPA. The Proposed Regulations, which were recently updated, have yet to be finalized, but as they stand they have a technical and substantive impact on the consumer request to know process.

The CCPA defines “personal information” very broadly, which is the reason consumer requests to know are particularly cumbersome for businesses. Per the statute, personal information is that which “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This definition covers the types of personal information we are used to seeing, such as Social Security numbers and driver’s license numbers; it also includes a person’s name and address (physical and email). In addition, it may include less obvious things like the person’s browsing history, biometric data, and geolocation data.

The following are practical tips for handling consumer requests to know:

Preparing for compliance

  • Identification of process owner: Organizations should designate a person or team to handle requests to know.
  • Develop an effective process: Organizations should have clear internal policies and procedures for responding to requests. Like the discovery process in litigation, reviewing data in response to a request can be incredibly burdensome. Personal information must be transmitted securely and all deleted information must be permanently erased, deidentified or aggregated. Organizations may want to employ technology and outside partners to make this process more efficient. For example, current technology is available to make files more easily searchable, to extract key metadata, and to remove duplicate files to eliminate redundancy. In addition, organizations must maintain records of consumer requests for at least 24 months, and these records generally cannot be used for any other purpose.
  • Training: The response team (which may include third party service providers if applicable), and other key staff and management involved in handling requests must receive training on what a consumer may request and the organization’s policies and procedures for responding to requests.
  • Data mapping: Organizations should have an easy-to-access file of what personal data they are storing, why they have the data, how they use the data, with whom they share the data, how long they retain the data, and where it is located.
  • Provide a method for requests: Under the CCPA, organizations are required to create at least two designated methods for submitting disclosure requests, including, at minimum, a toll-free number and another acceptable method, such as an email address. Organizations should provide clear direction on how to submit requests to know and should not make the process difficult, as this could lead to fines for non-compliance.

Responding to a request

  • Ensure request is valid: To comply with requests to know, organizations need verification and authentication processes to confirm the identity of the consumer making the request and the validity of the request. A request made by a third party on behalf of someone else should be refused without written authority. The Proposed Regulations require organizations to establish, document and comply with reasonable methods for verifying the identity of the consumer. There are also several factors for determining the “reasonable” identity verification method:
    • The type, sensitivity and value of the personal information collected;
    • The risk of harm to the consumer posed by unauthorized access or deletion;
    • The likelihood that fraudulent or malicious actors would seek the personal information;
    • Whether the personal information the consumer must provide in order to verify their identity is easily spoofed or fabricated;
    • The manner in which the business interacts with the consumer; and
    • Available technology for verification.

If the identity of the consumer cannot be verified, the individual submitting the request must be informed that the request cannot be verified. Moreover, organizations must implement reasonable security measures to detect fraudulent identity verification activity and prevent unauthorized access to these records. Note that there are separate verification requirements if the organization maintains a password-protected account with the consumer. Organizations should not collect additional data during the verification process. Instead, they should rely on existing credentials. For example, if, during the period it collected the data, the organization required a dedicated user name, it should use this to verify the requester. We will be addressing some of these issues in other posts; check out one of our recent blog posts on the topic available here.

  • Narrow the search: Ideally, requests to know should be as specific as possible, and organizations should work with the requestor to narrow the scope as much as possible. For example, if a consumer requests all personal information ever collected by the organization, the search could be vast. But if the organization works with the consumer to determine the specific matter of the consumer’s concern, the requesting consumer may agree to narrow the scope of the request.
  • Determine universe of data that should be searched: This may include electronic records, emails, archived information, information stored on organizational databases and paper files. The CCPA requires disclosure of certain information in response to a request to know, including the source, the purpose for collection and any third parties with which the data is shared, among others; organizations should ensure they are disclosing all required information.
  • Ensure response is timely: Organizations must confirm receipt of a request within 10 business days and respond to the request within 45 calendar days from the time the request is received (not from when the request is verified), although an extension may be possible. It can take a considerable amount of time to respond to a request, and this is a short timeframe. Thus, organizations should begin work on the request as soon as it is received.
  • Review response to ensure it does not contain the personal information of others: The individual is only entitled to their own personal data, and organizations must redact any documents or information related to another individual, unless that individual has provided consent. This becomes complicated in the context of joint household requests. Under the CCPA, all members of a household can jointly request to know or delete specific pieces of personal information for the household. While the household request was referenced in the CCPA, procedures for this request have only been addressed in the update to the Proposed Regulations: businesses may respond to household requests only if all consumers of the household jointly make the request, the business verifies the identity of each consumer, and the business verifies that each is a current household member. If a member of the household is under 13 years of age, there must be verifiable parental consent before compliance with the request.
  • Monitor compliance: Compliance with company policies and procedures for responding to requests should be periodically audited.

It should be noted that under the CCPA consumers are afforded several rights in regard to their personal information, including, for example, the “right to delete” the information businesses have collected about them. While the practical tips described above are geared particularly towards a consumer’s “right to know”, the underlying principles generally can be applied to other forms of consumer requests as well.

In addition, as of now, businesses are exempt from most CCPA obligations in regard to their employees. The exclusion covers information collected “by a business in the course of the natural person acting as a job applicant to, an employee of, director of, officer of, medical staff member of, or contractor of that business” (see more on this in a recent blog post discussing employees under the CCPA). As of now, however, this exemption sunsets on January 1, 2021, and while it is not clear what will happen next, considering the current direction of privacy law it seems likely that there will be more, not fewer, privacy protections for employees by the end of 2020.


Two More Significant Rulings for TCPA Litigation – Eleventh and Seventh Circuits Narrowly Interpret ATDS

In back-to-back decisions bound to have significant impact on Telephone Consumer Protection Act (TCPA) class action litigation, the Eleventh and Seventh Circuit Courts recently reached similar conclusions, narrowly holding that the TCPA’s definition of Automatic Telephone Dialing System (ATDS) only includes equipment that is capable of storing or producing numbers using a “random or sequential” number generator, excluding most “smartphone age” dialers. Each court expressly rejected the Ninth Circuit’s more expansive interpretation from a 2018 ruling, in which that court concluded that the TCPA covers any dialer that “automatically” calls from a stored list of numbers. These decisions are significant because most technologies in use today only dial numbers from predetermined lists.

One of the most complex issues under the TCPA is determining whether the technology utilized qualifies as an ATDS. The TCPA prohibits using an ATDS to make calls to cell phone numbers, absent prior consent of the called party. The complexity lies with the TCPA’s definition of an ATDS as: equipment which has the capacity (A) to store or produce telephone numbers to be called, using a random or sequential number generator; and (B) to dial such numbers.

When the TCPA was enacted in 1991, most American consumers were using landline phones, and Congress could not begin to contemplate the evolution of the mobile phone. The Federal Communications Commission (FCC), with its 2015 Declaratory Ruling & Order (2015 Order), attempted to provide clarifications on the TCPA for the mobile era, including the definition of ATDS and what devices qualify. The 2015 Order only complicated matters further, providing an expansive interpretation of what constitutes an ATDS and sparking a surge of TCPA lawsuits in recent years. The FCC’s expansive definition in the 2015 Order was set aside by the D.C. Circuit Court in March 2018.

The Eleventh Circuit three-judge panel opinion concluded simply, “In the age of smartphones, it’s hard to think of a phone that does not have the capacity to automatically dial telephone numbers stored in a list, giving §227 [of the TCPA] an ‘eye-popping sweep’…Suddenly an unsolicited call using voice activated software (think Siri, Cortana, Alexa), or an automatic ‘I’m driving’ text message could be a violation worth $500…Not everyone is a telemarketer, not even in America.”

In the case before the Eleventh Circuit, the plaintiffs alleged that they had received over a dozen unsolicited calls from the defendants over a one-year period. While the defendants acknowledged that they had indeed placed the calls, they argued that this was not a TCPA violation, as their calling system required too much “human intervention” to qualify as an ATDS. The Court agreed with the defendants, finding that in each element of the calling system there was a “human’s involvement”: from the marketing team creating a “set of parameters” regarding who they intended to contact, to a team of employees programming the “criteria” into the system, a team that reviews the final call list, and finally a team that presses a button labeled “make the call”. “Unless and until the employee presses this button, no call goes out…far from automatically dialing phone numbers, this system requires human involvement to do everything except press the numbers on a phone.”

Last week, less than one month after the Eleventh Circuit’s ruling, the Seventh Circuit, with a similar fact pattern, reached a similar conclusion. The Seventh Circuit noted that accepting the plaintiffs’ arguments against the defendant’s dialing system would have “far-reaching consequences…it would create liability for every text message sent from an iPhone. That is a sweeping restriction on private consumer conduct that is inconsistent with the statute’s narrower focus”. The Seventh Circuit also emphasized the historical intention of the TCPA.

“The [defendant’s] system, like others commonly used today, pulls and dials numbers from an existing database of customers rather than randomly generating them… Determining whether such systems meet the statutory definition has forced courts to confront an awkwardness in the statutory language that apparently didn’t matter much when the statute was enacted: it’s not obvious what the phrase “using a random or sequential number generator” modifies. The answer to that question dictates whether the definition captures only the technology that predominated in 1991 or is broad enough to encompass some of the modern, database-focused systems.”

As we reported last week, several petitions are currently before the Supreme Court addressing issues with the TCPA, all with the potential to significantly impact the future of TCPA class action litigation. Particularly relevant to the Eleventh and Seventh Circuit rulings, back in October of 2019, the Court was petitioned to review the following issues: 1) whether the TCPA’s prohibition on calls made by an ATDS is an unconstitutional restriction of speech, and if so whether the proper remedy is to broaden the prohibition to abridge more speech, and 2) whether the definition of “ATDS” in the TCPA encompasses any device that can “store” and “automatically dial” telephone numbers, even if the device does not “us[e] a random or sequential number generator.” The Court has still not announced whether it will accept this petition.

The future of the TCPA remains uncertain, and 2020 will hopefully provide clarity for organizations facing TCPA class action litigation. While it appears that courts are generally leaning towards the narrowing of the TCPA in a myriad of aspects, organizations are still advised to err on the side of caution, during this period of uncertainty, when implementing and updating telemarketing and/or automatic dialing practices.

New York Adopts New Data Security and Privacy Regulations for Schools and Their Vendors

We observed in a post on this blog that government agencies, businesses, hospitals, universities and school districts are frequent targets of data breaches that can affect millions of individuals. Cyberattacks on school districts continue to appear in the news. In January, students in the Pittsburg Unified School District (California) were left without internet access as a result of a ransomware attack, which compromised the schools’ servers and email. The Richmond Community Schools in Michigan suffered a similar cyberattack when threat actors infiltrated and locked down the schools’ servers and demanded a $10,000 ransom to return control of those servers.

The cyberattacks are compromising school vendors, too. In December, a student hacker committed a “brute force” attack on Naviance, an ed-tech provider that collects sensitive information on behalf of school districts throughout the United States. The attack on Naviance exposed the personal information of approximately 6,000 students. There are countless stories of other ed-tech providers sustaining similar cyberattacks.

It comes as no surprise in the face of these cyberattacks that New York State regulators are taking action to protect personal information that schools and their vendors collect and maintain. We reported on this blog that the New York State Department of Education (“SED”) proposed new regulations (“Regulations”) to require school districts and state-supported schools to develop and implement robust data security and privacy programs to protect any personally identifiable information (“PII”) relating to students, teachers and principals. On January 14, 2020, the Board of Regents formally adopted the Regulations (which were modified since their initial publication). The Regulations became effective January 29, 2020.

While broad in scope, the Regulations include several requirements that are particularly noteworthy for schools and their vendors. They include:

  • School contracts – including “click wrap” agreements – with vendors who receive PII must state that the vendor will maintain all information in accordance with federal and state law and the school’s security and privacy policy.
  • Schools must include a Parent’s Bill of Rights in every contract with vendors who receive PII.
  • All schools must follow the National Institute for Standards and Technology Cybersecurity Framework (“NIST CSF”) as the standard for data security and privacy.
  • All schools must adopt by July 1, 2020 a data security and privacy policy that implements the requirements of the Regulations and aligns with NIST CSF.
  • Schools must publish their data security and privacy policies on their websites.
  • Schools must provide data privacy and security awareness training to officers and employees with access to PII.
  • Schools must designate a Data Protection Officer (“DPO”) who is responsible for the compliance program and to otherwise serve as a point of contact for the schools on data security and privacy matters.
  • Vendors that suffer a breach of PII must notify the affected schools within seven (7) calendar days; the schools must in turn notify SED within ten (10) calendar days of receipt of notification of a breach from the vendor; and the schools must notify the affected individuals of the breach without unreasonable delay but in no case later than sixty (60) days of discovery or receipt of breach notification from the vendor.

These Regulations certainly impose many new obligations on schools. Schools are urged to contact qualified legal counsel as they begin to develop and implement a comprehensive data security and privacy compliance program to comply with the mandates of the new Regulations.

The Supreme Court and the Future of the TCPA

In a decision that may have significant impact on businesses that face Telephone Consumer Protection Act (“TCPA”) related class action litigation, the Supreme Court recently granted certiorari on a petition to rule on the constitutionality of the TCPA. The Court agreed to review a ruling of the Fourth Circuit which held that a TCPA exemption for government debt collectors was in violation of the First Amendment.

Specifically, the Supreme Court will address whether the government-debt exception to the TCPA’s automated-call restriction violates the First Amendment, and whether the proper remedy for any constitutional violation is to sever the exception from the remainder of the statute. The Fourth Circuit concluded that the government-debt exception was unconstitutional and severed it, leaving untouched the TCPA’s general restriction on calls made with an “automatic telephone dialing system” (“ATDS”). It is still unclear whether the Supreme Court will only address severing the government-debt exception, or the constitutionality of the TCPA in its entirety.

This is not the first time, of late, that the Supreme Court has been petitioned to address the constitutionality of the TCPA. Back in October of 2019, the Court was petitioned to review the following issues: 1) whether the TCPA’s prohibition on calls made by ATDS is an unconstitutional restriction of speech, and if so whether the proper remedy is to broaden the prohibition to abridge more speech, and 2) whether the definition of “ATDS” in the TCPA encompasses any device that can “store” and “automatically dial” telephone numbers, even if the device does not “us[e] a random or sequential number generator.” The Court has still not announced whether it will accept this petition.

When the TCPA was enacted in 1991, most American consumers were using landline phones, and Congress could not begin to contemplate the evolution of the mobile phone. The TCPA defines ATDS as “equipment which has the capacity—(A) to store or produce telephone numbers to be called, using a random or sequential number generator; and (B) to dial such numbers.” 47 U.S.C. § 227(a)(1). In 2015, the Federal Communications Commission (FCC) issued its 2015 Declaratory Ruling & Order (2015 Order), concerning clarifications on the TCPA for the mobile era, including the definition of “Automatic Telephone Dialing System” (ATDS) and what devices qualify. The 2015 Order only complicated matters further, providing an expansive interpretation for what constitutes an ATDS, and sparking a surge of TCPA lawsuits in recent years.

In 2018, the U.S. Court of Appeals for the District of Columbia set aside the FCC’s expansive interpretation of what constitutes an ATDS and its approach to consent for reassigned wireless numbers. Since that decision, a circuit split has developed: the Third Circuit ruled that a dialer is not an ATDS unless it has the present ability to randomly or sequentially generate numbers and to dial them, while the Ninth Circuit adopted a broader reading, holding that the definition of ATDS includes any equipment that has the capacity to store numbers and dial them, even if it cannot generate numbers randomly or sequentially. In February of 2019, a petition for a writ of certiorari was filed with the Supreme Court to review the Ninth Circuit panel’s decision, but shortly after, the parties reached a settlement agreement. Given the circuit split over the definition of ATDS under the TCPA, the issue is ripe for the Supreme Court to address.

There has been great uncertainty surrounding TCPA litigation in recent years, and 2020 may be the year organizations facing such litigation finally get some clarity on key issues. In the meantime, organizations are advised to implement and update their telemarketing and/or automatic dialing practices to ensure TCPA compliance.

CA Attorney General Updates CCPA Proposed Regulations

Many businesses and their service providers have been awaiting final guidance from the California Attorney General concerning the California Consumer Privacy Act (CCPA). When news came last Friday of a regulatory update (“Update”), there may have been some initial disappointment that the Update did not announce final regulations, but only revisions to the existing proposed regulations issued last year and a new comment period (ending February 24; instructions to submit comments here). However, while final regulations are still some time away, that initial disappointment may be softened by some of the Update’s revisions.

Based on our initial review of the Update, below are some key changes to the proposed regulations:

  • The Update would add guidance for interpreting defined terms under the CCPA. Specifically, the Update clarifies that determining whether information is “personal information” depends on whether the business maintains the information in a manner that “identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.” This guidance and the example provided below would address concerns many have regarding information businesses collect online.

For example, if a business collects the IP addresses of visitors to its website but does not link the IP address to any particular consumer or household, and could not reasonably link the IP address with a particular consumer or household, then the IP address would not be “personal information.”

  • The proposed regulations confirmed the requirement that online notices be accessible, but the Update would require that generally recognized industry standards be followed, such as the Web Content Accessibility Guidelines, version 2.1 of June 5, 2018, from the World Wide Web Consortium.
  • The proposed regulations provided that businesses could not use personal information for “any purpose other than disclosed in the notice at collection.” The Update would establish a less strict standard – “a purpose materially different than disclosed in the notice at collection.”
  • With regard to the contents of the notice at collection, the proposed regulations required (i) a list of the categories of personal information to be collected, and (ii) for each category, the business or commercial purposes for which it will be used. The Update would remove the requirement to list the purposes of use for each category. In other words, it appears it would be sufficient to list the business or commercial purposes for using all of the categories of personal information, not each one individually. This change would significantly simplify the notice at collection, and would be extended to the privacy policy as well.
  • With regard to notices at collection for employment-related data, a “Do Not Sell My Personal Information” link would not be required. Additionally, the notice could link to the business’s privacy policies for employees, applicants, etc., rather than consumers.
  • The Update provides for an optional “Opt-Out Button.”
  • The proposed regulations required a two-step process for online requests to delete personal information. The Update would make that two-step process optional.
  • With regard to the general requirement to make two or more designated methods available for submitting requests to know, the Update would relax the specific methods. At least one still must be a toll-free number. However, for website operators, the second need not be an interactive webform and could be an email address.
  • The Update also tweaks the timing of certain notice requirements. For example, when confirming receipt of a request to delete or a request to know, the business would have 10 business days, while responses to such requests generally would be due in 45 calendar
  • Under the Update, a business would not be required to search for personal information in response to a request to know if the business: (i) does not maintain personal information in a searchable or reasonably accessible format, (ii) maintains the personal information only for legal or compliance purposes, (iii) does not sell the information or use it for a commercial purpose, and (iv) describes to the consumer the categories of records not searched because it satisfied the three conditions above.
  • The Update would clarify that a service provider that receives a request to know or to delete can either respond on behalf of the business or inform the consumer that it cannot act on the request because it is a service provider.

Businesses still need to monitor the development of CCPA regulation, but the Update would seem to provide some clarity and/or relief on some points. Also, there is a new opportunity to voice concerns and pose questions concerning the guidance thus far.

CCPA Data Breach Class Action Litigation Begins

As reported by Bloomberg Law, data breach class action litigation has begun under the California Consumer Privacy Act (CCPA). Filed in the Northern District of California, San Francisco Division, a putative class action lawsuit against Hanna Andersson, LLC and its ecommerce platform provider, alleges negligence and a failure to maintain reasonable safeguards, among other things, leading to a data breach. The complaint specifically seeks recovery under the CCPA – Cal. Civ. Code § 1798.100, et seq.

The complaint alleges a familiar story – in the latter part of 2019, hackers compromised the retailer’s website with malware enabling the hackers to scrape names, billing and shipping addresses, payment card numbers, CVV codes, and credit card expiration dates of thousands of the retailer’s customers. Hanna Andersson notified affected persons of the breach on January 15, 2020, and the complaint was filed on February 3, 2020.

Whether the complaint alleges sufficient harm for the case to proceed will be for the court to determine, but under the CCPA a showing of actual harm may not be necessary. The new California law authorizes a private cause of action against covered businesses if a failure to implement reasonable safeguards to protect personal information results in a data breach. Cal. Civ. Code § 1798.150. If successful, a plaintiff can recover statutory damages in an amount not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater, as well as injunctive or declaratory relief and any other relief the court deems proper.

To bring an action for statutory damages under the CCPA, consumers must first notify the business of the alleged violation. The business then has thirty days to cure the violation and provide the consumer with “an express written statement that the violations have been cured and that no further violations shall occur.” It does not appear an opportunity to cure was provided in this case. Also, the breach reportedly occurred in 2019, before the CCPA became effective (January 1, 2020).

Regardless of the outcome of this case, certainly one we will be watching, it should serve as an important reminder for businesses to ensure they have reasonable safeguards in place to protect personal information. Under California law,

A business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.

Cal. Civ. Code § 1798.81.5(b).

But the meaning of “reasonable safeguards” is not entirely clear in California. One place to look is the California Data Breach Report (Report) that former California Attorney General Kamala D. Harris issued in February 2016. According to the Report, an organization’s failure to implement all of the 20 controls set forth in the Center for Internet Security’s Critical Security Controls constitutes a lack of reasonable security.

It is not clear that adherence to those controls will provide a sufficient basis to defend a business against an action under the CCPA relating to a data breach. But those controls might be a good place to start. It also is important to understand how those safeguards should be applied.

First, the CCPA’s private right of action for data breaches applies to the personal information of consumers as well as employees, applicants, officers, etc. Personal information of consumers and employees often resides on different systems, is subject to access by different users, and is collected, processed, and stored by different third-party service providers. Thus, it is important to think broadly when safeguarding personal information that could trigger a class action under this section.

Second, “personal information” for purposes of the “reasonable safeguards” requirement is much narrower than the general definition of personal information for CCPA purposes. Specifically, the private right of action under Cal. Civ. Code § 1798.150 extends only to personal information “as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5.” This means:

(A)  An individual’s first name or first initial and the individual’s last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:

(i) Social security number.

(ii) Driver’s license number, California identification card number, tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual.

(iii) Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

(iv) Medical information.

(v) Health insurance information.

(vi) Unique biometric data generated from measurements or technical analysis of human body characteristics, such as a fingerprint, retina, or iris image, used to authenticate a specific individual. Unique biometric data does not include a physical or digital photograph, unless used or stored for facial recognition purposes.

A similar cause of action exists under an Illinois privacy law that you might have heard about, the Illinois Biometric Information Privacy Act or “BIPA.” That provision has resulted in a flood of litigation, including putative class actions, seeking to recover statutory damages for plaintiffs who allege their biometric information has been collected and/or disclosed in violation of the statute. As data breaches continue to plague businesses across the country, including those subject to the CCPA, ensuring reasonable safeguards are in place may be the best defense.

Verifying CCPA Requests to Know and Requests to Delete

With the California Consumer Privacy Act (CCPA) effective for nearly one month, businesses continue to grapple with the many components of this new privacy framework. A key component of the CCPA is granting consumers the right to request information about, and to exercise some control over, their personal information. Developing sufficient mechanisms to receive, process and respond to these requests is a central and complex area of compliance for businesses. One aspect of processing consumer requests is verifying the identity of the individuals making the requests, and their authority to make them.

The CCPA directed the State’s Attorney General to establish rules and procedures governing a business’s determination that a request received from a consumer is a “verifiable consumer request.” In fact, the statute provides that businesses are not obligated to provide information to consumers if the business cannot verify that the person making the request is the consumer about whom the business has collected information or is a person authorized by the consumer. On October 10, 2019, the California Attorney General’s (AG) office issued proposed regulations which, among other things, begin to address how businesses can structure procedures for verifying consumers when they seek to exercise their “Right to Know” and “Right to Delete.”

So how does a company verify a consumer’s identity? In this post, we address the general rules, bearing in mind they may change when the Attorney General’s office finalizes its regulations.

General Rules

Currently, businesses have some flexibility in determining the method by which they verify a consumer’s identity, although there are some basic guidelines they must follow:

  • Where they can feasibly do so, businesses should match the identifying information provided by the consumer to the personal information of the consumer already maintained by the business.
  • Businesses should avoid collecting certain types of sensitive personal information (e.g. SSN, government IDs, financial information, medical and health information, and biometric data), unless it is necessary to verify the consumer. See Civ. Code Sec. 1798.81.5(d).
  • Businesses should shape the verification method based on certain factors, such as: 1) the type, sensitivity or value of the personal information, 2) the risk of harm to the consumer posed by unauthorized access or deletion, 3) the likelihood that bad actors would seek the information, 4) vulnerability to being spoofed or fabricated, 5) the manner in which the business interacts with the consumer, and 6) available technology for verification.
  • If the business uses a third-party identity verification service, it should be sure the service complies with the CCPA rules for verification. Additionally, businesses should ensure these service providers maintain reasonable safeguards to protect the personal information they process in the course of verification.

The guidelines proposed by the AG’s office regarding verification boil down to “reasonableness,” as they give businesses a wide range of discretion and flexibility to establish a workable method that fits the business’s operations and financial capabilities. After establishing a “reasonable” method, the business has to document and comply with the method it has established.

Depending on its capabilities, a business can match the categories of information the consumer provides with the information the business already possesses, or utilize a third-party verification service provider. Either way, businesses should refrain from requesting additional information for verification, unless doing so is necessary to protect the consumer.

Once the business has considered these items, it can get to work on shaping specific procedures for verification, taking into account issues such as:

  • Who can make requests
  • Account holders versus non-account holders
  • “Requests to Know” versus “Requests to Delete”
  • Requests for categories of information versus specific pieces of information
  • Use of Authorized Agents

Please stay tuned as we address these in future blog posts.