The California Privacy Protection Act (CPRA) amended the California Consumer Privacy Act (CCPA) and has an operative date of January 1, 2023. The CPRA introduces new compliance obligations, including a requirement that businesses conduct risk assessments. While many U.S. companies currently conduct risk assessments for compliance with state “reasonable safeguards” statutes (e.g., Florida, Texas, Illinois, Massachusetts, New York) or the HIPAA Security Rule, the CPRA risk assessment has a different focus. This risk assessment requirement is similar to the EU General Data Protection Regulation’s (GDPR) data protection impact assessment (DPIA).

The goal of conducting a CPRA risk assessment is to restrict or prohibit the processing of personal information where the risks to a consumer’s privacy outweigh any benefits to the consumer, business, stakeholders, and public. Notably, the CPRA does not limit risk assessments to activities involving the processing of sensitive data. In addition to conducting the actual risk assessment, this process will require a preliminary determination of which data processing activities may present a significant risk to privacy rights. The business must document these risk assessments for submission to the California Privacy Protection Agency on a regular basis.

Under the CPRA, the documented risk assessment shall:

  • include whether the processing involves consumers’ sensitive personal information (e.g., social security, driver’s license, state identification card, or passport number; account log-in, financial account, debit card, or credit card number in combination with security or access code, password, or credentials for account; precise geolocation; racial or ethnic origin, religious or philosophical beliefs, or union membership; contents of mail, email, and text messages unless the business is the intended recipient of the communication; genetic data; biometric information processed for the purpose of uniquely identifying a consumer; information related to health, sex life or orientation); and
  • identify and weigh the benefits to the business, consumer, other stakeholders, and the public from the processing against the potential risks to the rights of the consumer whose data is being processed.

The CPRA directs the California Attorney General and California Privacy Protection Agency to issue implementing regulations, including regulations related to risk assessments. These regulations must be adopted by July 1, 2022 and will likely provide further guidance on the scope of and process for conducting and documenting risk assessments.

Complying with the CPRA will require expanded data mapping and advance planning, some of which may occur prior to issuance of the implementing regulations. During this time, businesses may find the GDPR instructive, particularly since the CCPA and CPRA borrow liberally from the regulation.

Under the GDPR and related guidelines, a DPIA is required or recommended where data processing is likely to result in a high risk to the privacy rights of individuals. This includes activities that

  • use automated processing, including profiling, to evaluate an individual’s personal aspects and on which decisions are based that produce significant effects
  • include large scale processing of sensitive data
  • process data on a large scale
  • match or combine datasets
  • process data of vulnerable individuals (e.g., children)
  • innovate or use new technologies

The DPIA must document and include

  • a description of the processing operations
  • the purposes of the processing
  • the legitimate interest pursued by the business, where applicable
  • an assessment of the necessity and proportionality of the processing activity in relation to the purposes
  • an assessment of the risks to the individual’s privacy rights
  • measures designed to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data

The CCPA and CPRA currently exclude employee personal information from certain provisions (e.g., the right to opt out, right to delete). This carve-out exempts employee personal information from the risk assessment requirement outlined above; however, the carve-out is due to expire on January 1, 2023. As businesses begin developing their risk assessment programs, they will want to monitor whether this exclusion for employee information will be extended and/or amended and how it might impact the risk assessment process.

As noted above, the operative date of the CPRA is January 1, 2023. Implementing regulations must be adopted by July 1, 2022 and civil and administrative enforcement activity can commence on July 1, 2023.

For additional information on the CPRA, please reach out to a member of our Privacy, Data and Cybersecurity practice group or check out our CPRA blog series.

Will Florida be the next state to enact a comprehensive consumer privacy law? It sure is starting to look like a viable possibility. With the California Consumer Privacy Act (“CCPA”) in full effect, and the recent enactment of Virginia’s Consumer Data Protection Act (“CDPA”), there has been a flurry of state privacy legislative proposals since the start of 2021, with Florida leading the way. Backed by Governor Ron DeSantis, Florida House Bill 969 (HB 969) would create new obligations for covered businesses and greatly expand consumers’ rights concerning their personal information, such as a right to notice about a business’s data collection and selling practices.

Florida’s HB 969 was originally introduced in February (a full overview of the initial bill is available here), and has continued to move swiftly through the legislative process. On April 21, a slightly revised version of the bill passed the Florida House of Representatives by a 118 – 1 vote, expanding the scope of the private cause of action, changing the effective date and modifying the scope of companies subject to the law.

Here are the key changes made to HB 969 since originally introduced:

First, and most significantly, like the California Consumer Privacy Act (CCPA), HB 969 would establish a private cause of action for consumers affected by a data breach involving certain personal information when reasonable safeguards were not in place to protect that information. More expansive than the CCPA, however, a private cause of action would now also be available to consumers for a company’s failure to comply with deletion, opt-out and correction requests. Conversely, Virginia’s CDPA lacks a private cause of action in its entirety, and the state’s attorney general has exclusive enforcement authority.

Second, if passed, HB 969 would go into effect on July 1, 2022 – instead of the originally proposed January 1, 2022. Third, as initially introduced, HB 969 stated that the law would apply to for-profit businesses that conduct business in Florida, collect personal information about consumers, and satisfy at least one of the following threshold requirements:

  1. The business has global annual gross revenues over $25 million (adjusted to reflect any increase in the consumer price index); or
  2. The business annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes the personal information of at least 50,000 consumers, households, or devices; or
  3. The business derives at least half of its global annual revenues from selling or sharing personal information about consumers.

Instead, HB 969 now stipulates that the law would only apply to for-profit businesses that satisfy at least two of the above threshold requirements. In addition, the revised bill increased the annual gross revenues threshold from over $25 million to over $50 million.

Florida seems to be leading the way as the next state poised to enact a consumer privacy law, but it is not alone. The International Association of Privacy Professionals (IAPP) has observed, “State-Level momentum for comprehensive privacy bills is at an all-time high.” The IAPP maintains a map of state consumer privacy legislative activity, with in-depth analysis comparing key provisions. There are currently at least 14 states with consumer privacy bills undergoing the legislative process, and several other states where bills were introduced but died in committee or were postponed. One key state to keep an eye on is Washington. For three consecutive years, the Washington state legislature has introduced versions of the Washington Privacy Act (WPA). In 2019, the bill failed in the Assembly. In 2020, the Assembly passed an amended version of the bill, but the two chambers failed to reach a compromise regarding enforcement provisions. Currently in cross committee, the WPA would impose GDPR-like requirements on businesses that collect personal information related to Washington residents. In addition to requirements for notice and consumer rights such as access, deletion, and rectification, the WPA would impose restrictions on use of automatic profiling and facial recognition.

States across the country are contemplating ways to enhance their data privacy and security protections. Organizations, regardless of their location, should be assessing and reviewing their data collection activities, building robust data protection programs, and investing in written information security programs.

In a recent employee termination case, the Third Circuit Court of Appeals upheld the dismissal of race discrimination claims by a bank employee who was terminated due to a social media post.

Plaintiff, a Caucasian woman, was employed as a project manager in her employer’s wealth management department. In June 2018, a public news article on a social media site reported on the arrest of a local politician who allegedly drove a car through a crowd of demonstrators protesting the shooting death of Antwon Rose, Jr., a young, African-American male, by police officers. Plaintiff publicly commented on the article under her own social media account, “[t]otal BS. He should have taken a bus to plow thru.” Plaintiff’s social media account publicly stated that she was an employee of the bank.

The bank was not monitoring plaintiff’s social media account and was not aware of the post until offended users of the social media platform flooded the bank, and even its executive officers, with complaints.  Plaintiff was terminated after an investigation that found her post violated the bank’s conduct and social media policies.

The District Court agreed that plaintiff violated the bank’s policies and granted summary judgment in its favor. In doing so, it rejected plaintiff’s attempts to point to African-American employees who were not terminated for their social media posts. The Court specifically found those individuals were not similarly situated because, among other things, their posts did not advocate violence, were not made in the comments section of a public news story, and did not result in a “public outcry.” The Third Circuit affirmed the dismissal and agreed the alleged comparators were not similarly situated. The Court specifically agreed plaintiff’s post was far more egregious than those of the alleged comparators and was far more likely to harm the bank’s reputation.

Over the past few years, states around the country have enacted laws limiting an employer’s ability to access the personal social media accounts of job applicants and employees. However, these laws generally do not prohibit employers from conducting certain investigations, such as to ensure compliance with state or federal laws, regulatory requirements or prohibitions against work-related employee misconduct based on the receipt of specific information about activity on an employee or applicant’s personal online account. Employers also may monitor, review, access or block electronic data stored on an electronic communications device paid for, in whole or in part, by the employer, or traveling through or stored on the employer’s network.

When companies are faced with adverse social media activity or campaigns, whether by employees, customers, bloggers, etc., they frequently are unprepared to take the appropriate steps to investigate, or to weigh the legal, business, reputational, and related risks in deciding what actions, if any, to take. For this reason, it is important to have a clear workplace social media policy in place to help reduce the likelihood of an incident or at least limit its impact. But while courts and the National Labor Relations Board (NLRB) seem to be employer friendly of late in approving such policies, it is important to tread carefully, aiming to develop a policy that achieves the company’s legitimate business interests without compromising its employees’ right to privacy under statutory and common law and rights related to freedom of speech. Employers should continue to exercise care when addressing and/or responding to their employees’ social media usage. Jackson Lewis attorneys are available to assist with those and other issues and formulate preventative strategies that mitigate risk.

Today, the U.S. Department of Labor’s Employee Benefits Security Administration (EBSA) issued much anticipated cybersecurity guidance for employee retirement plans. This comes more than four and a half years after the ERISA Advisory Council, a 15-member body appointed by the Secretary of Labor to provide guidance on employee benefit plans, shared with the federal Department of Labor some considerations concerning cybersecurity. The essence of today’s guidance:

Responsible plan fiduciaries have an obligation to ensure proper mitigation of cybersecurity risks.

What that obligation means at this point is at least what EBSA set out in the following materials on its website, although the “Online Security Tips” are directed more to plan participants than plan fiduciaries:

Acknowledging ERISA-covered plans hold “millions of dollars or more in assets and maintain personal data on participants,” EBSA’s guidance lists a range of best practices for use by plan recordkeepers and service providers responsible for plan-related IT systems and data, as well as plan fiduciaries having the duty to make prudent decisions when evaluating and selecting plan service providers. Some of the EBSA’s best practices include:

  • Maintain a formal, well documented cybersecurity program.
  • Conduct prudent annual risk assessments.
  • Implement a reliable annual third-party audit of security controls.
  • Follow strong access control procedures.
  • Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.
  • Conduct periodic cybersecurity awareness training.
  • Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response.
  • Encrypt sensitive data, stored and in transit.

The EBSA fleshes out each of these best practices to give recordkeepers, service providers, and plan fiduciaries more guidance when developing their own policies and procedures. It is worth noting these best practices are not dissimilar to other, well-known frameworks designed to protect personal data. So, organizations that have engaged in efforts to comply with, for example, the HIPAA privacy and security rules for group health plans, the Massachusetts data security regulations, or the NY SHIELD Act will have a head start taking similar steps concerning their retirement plans and/or their services to plans.

Selecting ERISA plan service providers has long been an important fiduciary function for plan fiduciaries. In its guidance, EBSA offers key cybersecurity issues to account for when selecting service providers, including the following:

  • Ask about the service provider’s information security standards, practices and policies, and audit results, and compare them to the industry standards adopted by other financial institutions. Plan sponsors may assume that a service provider referred from a trusted source with compelling marketing materials would have put in place appropriate cybersecurity safeguards. As the saying goes, “Trust, but verify.” This also applies to all third-party plan providers, even large, well-known organizations.
  • Ask the service provider how it validates its practices, and what levels of security standards it has met and implemented. Look for contract provisions that give you the right to review audit results demonstrating compliance with the standard.
  • Ask whether the service provider has experienced past security breaches, what happened, and how the service provider responded. As these incidents are often reported, consider reviewing news accounts of the service provider’s response to the incident.
  • Investigate whether the service provider might have cyber insurance that would cover losses caused by cybersecurity and identity theft breaches, including misconduct by the service provider’s own employees or contractors, or a third party hijacking a plan participant’s account.
  • Consider the willingness of the service provider to include contract terms requiring ongoing compliance with cybersecurity, clear rules concerning use and disclosure of personal information, responsibility for security breaches, and other key terms addressing exposure to the plan, plan sponsor, and participants.

It is important to note that no set of safeguards will prevent all data breaches and no amount of due diligence will result in the selection of a flawless service provider. In many cases, a data breach experienced by a plan service provider may not warrant moving away from that provider. Here are some reasons why.

Third-party plan service providers and plan fiduciaries should begin taking reasonable and prudent steps to implement safeguards that will adequately protect plan data. EBSA’s guidance should help the responsible parties get there, along with the plan fiduciaries and plan sponsors’ trusted counsel and other advisors.

COVID-19 drove many formerly in-person interactions onto a variety of video conferencing platforms.  But as millions of vaccinations are administered each day, and case numbers decline, it’s now possible to imagine and plan for the time when conducting business over video will no longer be mandatory.

For many organizations, though, COVID-19 has led to an epiphany that will very likely outlast the pandemic: Many aspects of work can be conducted remotely, without any drop in productivity and with enormous advances in convenience and geographic reach.

An organization based in Chicago, for instance, no longer needs to limit its pool of job candidates to those willing to relocate to that city, and no longer needs to fly candidates in – at great expense – for in-person interviews.  Instead, the organization can expand the scope of its search to include candidates who live – and plan to remain – in distant locations like Austin, Denver, Miami, and Nashville, and can interview those candidates by video conference.

What’s more, video conferencing platforms allow an organization to record those interviews, thereby potentially reducing biases and errors in its interview processes by creating far more reliable records of what transpired during each interview.  The benefits don’t end there.  The organization can then use its archive of video interviews to evaluate which interview styles and questions were most effective in screening candidates and can use the videos to train its staff on best practices for conducting future interviews.

But there’s a catch: In addition to potential concerns that the recordings may create unhelpful or even harmful “evidence,” video recording job interviews may also expose organizations to significant data privacy and security risk – risk which can and must be managed through thoughtful policies and procedures.

Risks

  1. Candidates in other states or countries may bring their jurisdictions’ data privacy and security obligations with them. Many data privacy and security laws are tied to the location or residence of the data subject (e.g., the job candidate); not the location of the data controller (e.g., the organization conducting the search).  If your organization records interviews of candidates residing in California or the EU, for instance, it may be subject to obligations under the CCPA or GDPR, respectively.  Both of these laws generally require the provision of certain privacy notices and, in the case of the GDPR, grant to data subjects an expansive set of rights related to the collection, use, disclosure, and retention of their data.  (Beginning in January 2023, when a new California law, the CPRA, takes effect, California candidates will have similarly expansive rights.)
  2. Interview recordings will likely contain far more personal information than the notes or memos generated during or after in-person interviews. Interview discussions can be wide-ranging, often touching on subjects that may qualify as personal information under applicable law – including information that would rarely make it into written records of that discussion.  For instance, even if not asked, the candidate might discuss her own or a family member’s medical condition, or she might directly or indirectly indicate her religious affiliation or sexual orientation.  And even when discussion focuses on more mundane topics – like educational and work histories – the information collected may trigger privacy obligations under expansive privacy regimes like the CCPA, CPRA, and GDPR.
  3. Complying with purpose limitations. The CCPA and GDPR require organizations to disclose to data subjects the purposes for which their personal information is used.  And, in the case of the GDPR, the organization may be required to assess whether its own purposes for using the personal information may be overridden by competing interests of the data subject.  The obvious, likely unobjectionable, purpose for recording a video interview is to better evaluate the candidate at issue.  But if the organization subsequently decides to use the recording for training or marketing, it could incur obligations to provide additional disclosures, obtain additional consent, and/or conduct additional analysis.
  4. Ensuring all parties consent. About a dozen US states require consent of both parties to record a conversation.  An organization conducting interviews by video conference must therefore be mindful that, prior to recording the interview, it should obtain consent from both the candidate and the employees involved in conducting the interview.
  5. Ensuring video interviews are adequately secured. Data breaches have become an enormous source of liability for most organizations.  It is not unusual for breaches to stem from systems or databases that an organization overlooked when designing its data security program because they weren’t obvious repositories of sensitive information.  An archive of interview videos could easily fall into that category.

Mitigation Strategies

  1. Conduct scope analysis. Given the proliferation of data privacy and security laws – Virginia recently passed an expansive new privacy law, and Colorado, Florida, New York, and other states may soon follow suit – and the fact that many of these laws are tied to the location or residence of the data subject, determining which laws will govern your organization’s recording of video interviews is a critical first step.
  2. Ensure you provide requisite privacy notices. If applicable, based on your organization’s scope analysis, provide privacy notices to interviewees prior to their interview.  Where the CCPA applies, for instance, your organization will likely need to provide a “notice at collection” to candidates, disclosing to them the categories of personal information that your organization collects about job applicants and the purposes for which it uses that information.
  3. Prepare to respond to requests for access, deletion, and rectification. If the GDPR applies, candidates may be entitled to request that your organization grant them access to their interview recordings, that it delete those recordings, or that it permit candidates to correct inaccurate information in the recordings. In California, the CPRA will begin imposing similar requirements when it takes effect.
  4. Collect requisite consent. Your organization will, in most instances, be able to address applicable obligations to obtain consent to record video interviews by taking two relatively simple steps.  First, it should develop a policy placing all employees who conduct video interviews on notice that those interviews will be recorded and collect from each employee an acknowledgment of receipt of that notice.  Second, it should train applicable employees to advise candidates at the start of each interview that the interview will be recorded for specified purposes (e.g., to improve the quality of the organization’s interview processes).
  5. Develop policies and procedures to ensure proper use, disclosure, security, and retention. To comply with the GDPR, CCPA, and other data privacy and security laws, your organization should ensure that it has policies and procedures in place to regulate how interview recordings are used, who has access to them, to whom they’re disclosed, where they’re stored, and how long they’re kept. For instance, your organization may need to develop policies to prevent the use of interview recordings for purposes not previously disclosed; to restrict access to the recordings to employees with a legitimate need; to limit disclosure of the recordings to trusted third parties with whom it has proper contractual protections in place; and to ensure the recordings are securely destroyed in accordance with the organization’s record retention policy.

With good reason, many organizations are intrigued by the prospect of recording video interviews – along with other video communications – for future use.  For organizations engaging in this practice, or planning to, however, it’s important to be mindful of the associated risks.  These risks will not, in most instances, be prohibitive, but they require careful consideration and the implementation of thoughtful mitigation strategies.

Colorado recently became the latest state to consider a comprehensive consumer privacy law. On March 19, 2021, Colorado State Senators Rodriguez and Lundeen introduced SB 21-190, entitled “an Act Concerning additional protection of data relating to personal privacy”. Following California’s bold example of the California Consumer Privacy Act (“CCPA”) effective since January 2020, Virginia recently passed its own robust privacy law, the Consumer Data Protection Act (“CDPA”), and New York, as well as other states, like Florida, appear poised to follow suit. Furthermore, California is expanding protections provided by the CCPA, with the California Privacy Rights Act (CPRA) – approved by California voters under Proposition 24 in the November election.

Unsurprisingly, Colorado’s SB 21-190 generally tracks the CCPA, CDPA, CPRA and the EU General Data Protection Regulation (GDPR). Key elements of the Colorado bill include:

  • Jurisdictional Scope. SB 21-190 would apply to legal entities that conduct business or produce products or services that are intentionally targeted to Colorado residents and that either:
    • Control or process personal data of more than 100,000 consumers per calendar year; or
    • Derive revenue from the sale of personal data and control or process the personal data of at least 25,000 consumers.
  • Exemptions. SB 21-190 includes various exemptions related to healthcare entities and health data, such as protected health information under HIPAA, patient identifying information maintained by certain substance abuse treatment facilities, and identifiable private information collected in connection with human subject research. Additional exemptions include, without limitation, personal data collected for the purposes of the Gramm-Leach-Bliley Act (GLBA), Driver’s Privacy Protection Act (DPPA), Children’s Online Privacy Protection Act (COPPA), and Family Educational Rights and Privacy Act (FERPA). Finally, data maintained for employment records purposes are exempted as well.
  • Personal Data. Similar to its counterparts, Colorado’s SB 21-190 broadly defines personal data to mean “information that is linked or reasonably linkable to an identified or identifiable individual.”
  • Sensitive Data. Like the CDPA, CPRA and GDPR, SB 21-190 includes a category for “sensitive data”. This is defined as “personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status OR genetic or biometric data that may be processed for the purpose of uniquely identifying an individual OR personal data from a known child”. As with Virginia’s CDPA, there are two key compliance obligations related to “sensitive data”. First, sensitive data cannot be processed without obtaining consumer consent, or in the case of a known child or student, without obtaining consent from a parent or lawful guardian. Second, the controller must conduct and document a data protection assessment specifically for the processing of sensitive data.
  • Protected Persons. SB 21-190 defines “consumer” as an “individual who is a Colorado resident acting only in an individual or household context”. The Colorado bill states that the definition of consumer does not include “an individual acting in a commercial or employment context”.
  • Consumer Rights. Under SB 21-190, consumers have the right to opt out of the processing of their personal data; access, correct, or delete the data; or obtain a portable copy of the data.
  • Data Protection Assessments. Akin to Virginia’s CDPA, the Colorado bill requires data controllers to conduct a data protection assessment for each of their processing activities involving personal data that presents a heightened risk of harm to consumers, such as processing for purposes of targeted advertising or processing sensitive data (as mentioned above).
  • Enforcement. If enacted, SB 21-190 would only be enforceable by the Colorado attorney general or district attorneys. A violation of law could result in a civil penalty of not more than $2,000 for each such violation (not to exceed $500,000 for any related series of violations), or injunction.

Colorado’s SB 21-190 is in the early stages of the legislative process; still, it signals the continued momentum building in states across the country to enhance consumer data privacy and security protections. Organizations, regardless of their location, should be carefully assessing their data collection activities, developing policies and procedures to address their evolving compliance obligations and data-related risks, and training their workforce on effective implementation of those policies and procedures.

Virginia may be the first state to follow California’s lead on consumer privacy legislation, but it certainly will not be the last. The International Association of Privacy Professionals (IAPP) observed, “State-Level momentum for comprehensive privacy bills is at an all-time high.” The IAPP maintains a map of state consumer privacy legislative activity, with in-depth analysis comparing key provisions. We discuss the Virginia legislation here, along with legislative activity in several other states where bills seem likely to pass. It was California that enacted the first data breach notification law, which became effective in 2003. Within about 15 years, all U.S. states had such a law, as did many jurisdictions around the world.

Whether it is the pending Virginia Consumer Data Protection Act (VCDPA), the California Consumer Privacy Act (CCPA), or a similar framework, there are several features that should be considered when examining the effects of such laws on an organization:

  • Does the law apply? Neither the CCPA nor the VCDPA applies to all organizations doing business in the state. But they may apply more broadly than initially assumed, including to organizations without locations in the particular state. Also, some entities that control or are controlled by covered businesses could become subject to one of these laws even if such entities would not otherwise fall into the law’s scope. Finally, data privacy and security laws increasingly reach third-party service providers to covered organizations, either directly or indirectly through contracts that covered organizations must put in place.
  • Are we exempt? Perhaps just as important as whether an organization is covered by one of these laws is the question of whether an exemption applies. It is important to know that while an organization may not be exempt as a whole, certain classifications of data it maintains may be. For example, under the CCPA, “protected health information” covered by the Health Insurance Portability and Accountability Act (HIPAA) is generally exempt from the law. Of course, that information comes with its own compliance obligations!
  • What is Personal Information? Assuming an organization is covered by the law, the next question it may want to ask is what data is covered. As we have discussed, there are various definitions and understandings of personal information. Similar to the CCPA and General Data Protection Regulation (GDPR), the VCDPA would define personal data broadly to include “any information that is linked or reasonably linkable to an identified or identifiable natural person.” Again, this broad definition should be read together with potential exemptions to obtain a firm understanding of the information within the scope of the law’s protections. In some cases, such as under the GDPR and the amendment to the CCPA, the California Privacy Rights Act, there is a subset of personal information that comes with even more protections. Often referred to as “sensitive personal information,” this category can include personally identifiable information such as racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data, and geolocation data. Of course, covered organizations with these categories of data would need to understand those additional requirements.
  • Who is protected? It is not enough to know what kind of information is “personal information”; covered organizations also need to know whose personal information is protected under the law. Several of these laws protect “consumers,” defined generally as natural persons who reside in the jurisdiction. Basing the analysis solely on the word “consumer” and assuming that it does not include employees, students, website visitors, etc. might be a mistake. Some frameworks have specific exclusions for these and other categories; others do not.
  • What rights do protected persons have? Ostensibly, a key purpose for this kind of privacy legislation is to empower individuals with respect to their personal information. That is, to give them more access to and control over their data that is collected, used, disclosed, maintained, and sold. To effectively comply with these measures, covered organizations need to understand the kinds of rights granted. These rights can include:
    • The right to know what personal information is collected and processed, why, and to access such personal information
    • The right to correct inaccuracies in the personal information
    • The right to delete personal information
    • The right to limit processing of personal information
    • The right to opt out of the processing or sale of personal information
  • Can my organization be sued for violations of the law? It is important to understand the consequences of failing to comply with any law. The flood of litigation under the Illinois Biometric Information Privacy Act (BIPA) which permits substantial recovery for failing to comply with notice and other requirements, even without a showing of actual harm, confirms the importance of examining this issue. Several of these privacy frameworks, including the CCPA and legislation supported by Governor DeSantis in Florida, include a private right of action in connection with data breaches.
  • How will the law be enforced? Related to the question of whether consumers can sue for violations is how the law will be enforced, what the potential penalties are, and how they are measured. In most cases, enforcement rests with the state Attorney General’s office. Often, the law requires that covered organizations be provided written notice of any violation and a period of time to cure the violation. Compliance can be challenging, so covered organizations should be aware of a law’s enforcement scheme so that in cases where their compliance efforts may not be perfect, they have a plan in place for quickly acting on such notices and curing any violations.

Answering these questions is certainly not the end of the analysis. For example, if covered, there are a whole host of additional questions organizations need to ask in order to evaluate compliance needs, allocate resources, identify affected business units, weigh risk management objectives, manage vendor compliance, and implement new policies and procedures, as needed. However, these questions can help to sharpen the big picture on the effect one or more of these privacy laws may have on your organization.


The CCPA has reached the one-year mark. This is a good time for businesses to review the success of their compliance programs and recalibrate for the CCPA’s second year. Here are a few suggestions to kick off that review:

  1. Privacy Policies. The CCPA requires a business to update the information in its privacy policy or any California-specific description of consumers’ privacy rights at least once every twelve months. If a business has not already done so, now is a good time to review both online and offline data collection practices to ensure privacy policies accurately disclose, at a minimum, the categories of personal information (“PI”) it collected in the preceding 12 months, the categories of PI it sold in the preceding twelve months, and the categories of PI it disclosed for a business purpose in the last 12 months.

Given the challenges of the last several months, a business may be collecting PI beyond what it currently discloses in its privacy policies. For example, a company may need to update its privacy policies to disclose the collection and use of COVID-19 related screening information, biometric information, or PI collected as a result of remote work situations.

If the business needs to update its privacy policy to reflect additional data collection activities, it will likely need to update its “notices at collection”, including employee and job applicant privacy notices.

  2. Employee training. The CCPA provides that a business shall ensure all individuals responsible for handling inquiries on consumer rights, the business’s privacy practices, or its compliance with the CCPA are informed of applicable CCPA requirements. Businesses will want to review their training programs to ensure they now include appropriate CCPA-related training; determine whether employee handbooks and manuals have been updated accordingly; and document that relevant employees have received training.
  3. Reasonable Safeguards. The CCPA does not currently impose an affirmative obligation on a business to implement reasonable safeguards to protect consumer PI; however, it provides a consumer private right of action where the consumer’s PI has been involved in a data breach resulting from the business’s failure to implement reasonable security safeguards. As a best practice, a business will want to review whether it has performed a risk assessment, at least annually, to identify new or enhanced risks, threats, or vulnerabilities to its systems or the PI it collects or maintains; whether it has reviewed and updated its written information security program and data retention schedule; and whether it has practiced its incident response plan.

CCPA compliance is an ongoing activity, and these three action items are particularly worthy of review at the one-year mark. However, further year-end review might also include an assessment of the accessibility of the business’s website; confirmation that service provider agreements have been amended to satisfy the CCPA, where appropriate; and confirmation that all new service provider contracts include relevant CCPA provisions.

Although this post is focused on the CCPA, it is important to note that California recently passed the California Privacy Rights Act (“CPRA”). The CPRA supplements and amends the CCPA. Two CPRA provisions are worth noting as they relate to items on this action item list. First, effective January 1, 2023, businesses will have an affirmative obligation to implement reasonable safeguards. Second, businesses will be required to disclose their collection and use of “sensitive personal information” and shall permit individuals to limit the business’s use of this information in certain circumstances. By adding these new provisions, the CPRA builds upon and expands the CCPA, inching it a bit closer to the EU General Data Protection Regulation.

Record retention and records management policies are key elements for a company’s data protection program. Numerous recently enacted, or amended, data protection laws adopt data retention or storage limitation principles to safeguard personal information. Companies that do not have clearly defined record retention practices should take notice. Companies with existing practices should review those practices to ensure they comply with applicable legislation and their information security program.

The recently passed California Privacy Rights Act of 2020 (CPRA), which amends and supplements the California Consumer Privacy Act (CCPA), adopts the EU General Data Protection Regulation (GDPR) storage limitation principle. Under the GDPR, record retention practices play a significant role; storage limitation is a key data processing principle. Personal data must be stored only as long as needed to achieve the articulated purpose for which it was collected, thus ensuring the retention period is limited to a strict minimum. The goal is to minimize risks to the privacy and security of the personal data. The longer a business retains personal data, the more opportunity exists for unauthorized and perhaps unlawful access, use, or disclosure of that data. EU regulators have emphasized the importance of storage limitation in various GDPR enforcement actions, including a €14.5 million fine assessed by the Berlin Commissioner for Data Protection and Freedom of Information for improper data storage and retention.

Similarly, under the CPRA, a business shall not retain a consumer’s personal information for longer than is reasonably necessary for the stated purpose for which it was collected. (Comparable to the GDPR, the business must also disclose to the individual the length of time it intends to retain the data or, if that is not possible, the criteria it uses to determine such period.) A failure to implement and comply with an appropriate data retention and disposal schedule may result in a violation of the CPRA’s storage limitation principle.

A company’s data retention practices may be exposed in various ways. For purposes of the CPRA, a California regulator may examine a business’s data retention practices, or the absence of them, when investigating a consumer complaint. For example, a consumer may exercise their right to know what personal information a business maintains about him or her. In response, the business may disclose that it maintains personal information the consumer believes is no longer needed for the purpose it was collected, such as when the consumer is no longer a member of the business’s loyalty program. Or, a business may notify the consumer of a data breach affecting their personal information. The consumer may take the position that the business no longer needed this information for the purpose it was collected. Alternatively, in the course of investigating a data breach to determine whether the business failed to implement reasonable safeguards, an enforcement agency may discover the business retained personal information for longer than the agency believes was reasonable. This might also be discovered when a consumer brings a private cause of action alleging that the business’s failure to implement reasonable safeguards resulted in the unauthorized access or disclosure of their information in a data breach.

A company’s failure to retain personal information for only as long as needed to satisfy the specific, stated purpose for which it was collected may violate the CPRA storage limitation principle. However, the CPRA also imposes an affirmative duty on a business to implement reasonable safeguards to protect personal information from unauthorized or illegal access, destruction, use, modification or disclosure. Enforcement bodies may view storage limitation practices as a basic reasonable safeguard and the failure to implement or follow storage limitations may also constitute a violation of this affirmative duty.

The Federal Trade Commission took such a position in a complaint alleging unfair acts or practices in relation to a personal data breach. The FTC alleged a U.S. technology business failed to implement reasonable safeguards, which enabled a hacker to access consumer personal information. In its complaint, the FTC listed several data security practices the business engaged in, including the failure to have a systematic process for inventorying and deleting consumers’ personal information when no longer needed, which it argued were unreasonable. The 2019 settlement agreement requires the company to implement an information security program to address the security failures raised in the complaint.

Currently, over twenty states, including Florida, Texas and Illinois, have laws requiring businesses that collect and maintain personal information to implement reasonable safeguards to protect that data. Although the majority of these statutes do not define reasonable safeguards, it is likely that state attorneys general will agree with the FTC’s position that deleting personal information when no longer needed is a “reasonable, low-cost, and readily available security” safeguard.

Over thirty states, including California, New York and Colorado, have enacted laws requiring businesses to securely dispose of records containing certain personal information when no longer needed. Compliance with these laws necessitates developing and adhering to appropriate data retention schedules and records management policies. However, unlike the CPRA, the storage limitations imposed by these laws are not tied expressly to completion of the specific purpose for which the data was obtained.

Prolonged data retention creates heightened risk to the privacy and security of the personal information a company maintains. Minimizing that risk, and reducing potential liability, necessitates understanding existing records management, data retention, and data destruction practices. With the increased statutory focus on record retention and, in some cases, movement toward more restrictive storage limitations, companies will want to review or develop an informed data retention schedule, identify any contractual, statutory or operational needs for retaining personal data, and determine whether the company retains stale or legacy data. As with any data protection activity, these steps will be most effective when performed by an interdisciplinary team.

For more information on the CPRA or data protection best practices, please see our blog https://www.workplaceprivacyreport.com/.

The California Privacy Rights Act of 2020 (CPRA) becomes operative on January 1, 2023. Among its numerous amendments and additions to the existing California Consumer Privacy Act (CCPA), the CPRA expands the definition of Personal Information. Specifically, it adds the category of Sensitive Personal Information. This new category tracks the EU General Data Protection Regulation’s definition of Special Category Data, adds data elements commonly viewed in the U.S. as sensitive, and introduces a new twist by including the contents of a consumer’s mail, email, and text messages.

The CPRA broadly defines Sensitive Personal Information as Personal Information that is not publicly available and reveals:

  • a consumer’s social security, driver’s license, state identification card, or passport number;
  • a consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account;
  • a consumer’s precise geolocation;
  • a consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership;
  • the contents of a consumer’s mail, email and text messages, unless the business is the intended recipient of the communication;
  • a consumer’s genetic data;
  • the processing of biometric information for the purpose of uniquely identifying a consumer;
  • personal information collected and analyzed concerning a consumer’s health; or
  • personal information collected and analyzed concerning a consumer’s sex life or sexual orientation.

The addition of this new category of Personal Information creates two primary obligations for businesses. First, a business will need to include Sensitive Personal Information in its notice at collection to consumers, including job applicants and employees, and in any online privacy policy or CA-specific description of consumer rights. Under the CPRA, this notice must now also disclose the categories of Sensitive Personal Information to be collected, the purposes for which they will be used, whether this information will be sold or shared, and the length of time the business intends to retain each category of Sensitive Personal Information.

Second, when a business collects or processes Sensitive Personal Information for the purpose of “inferring characteristics” about a consumer, it may only do so to provide services or goods requested by the consumer, for limited purposes enumerated by the CPRA, and as authorized by future implementation regulations. If the business intends to use or disclose this information for any other purpose, it must provide the consumer with notice of the intended use or disclosure and of the consumer’s right to limit this use or disclosure. To facilitate exercising this right, a business must provide the consumer with an opt-out mechanism entitled “Limit the Use of My Sensitive Personal Information.” Sensitive Personal Information that is not collected or processed for the purpose of inferring a consumer’s characteristics is not subject to this right to limit its use or disclosure.

Although the GDPR and CPRA share similar definitions of sensitive data, there are two significant differences worth noting. The GDPR prohibits collecting and processing Special Category Data absent the explicit, informed, affirmative (i.e., opt-in) consent of the individual to do so, or pursuant to limited circumstances enumerated in the GDPR. In contrast, the CPRA permits collecting and processing Sensitive Personal Information. However, the consumer may limit (i.e., opt out of) the use and disclosure of this data when a business collects it for the purpose of inferring the consumer’s characteristics and will use or disclose it beyond what is necessary to provide requested services or goods to the consumer, and as narrowly permitted by the CCPA and any implementation regulations.

In anticipation of January 1, 2023, preparations should include revisiting or expanding existing data mapping activities to identify the collection of Sensitive Personal Information, reviewing the purpose for collecting this information and how the business uses or discloses it, and determining whether its use or disclosure is permitted or authorized by the CPRA. Similar to preparations for the CCPA, this will require an interdisciplinary team with a broad understanding of business operations. Any team should include members familiar with the business’s advertising, marketing, and website data collection activities to help identify where Sensitive Personal Information may be collected for the purpose of inferring consumer characteristics.

For additional information on the CPRA, please reach out to a member of the Jackson Lewis Privacy, Data and Cybersecurity practice group or check out our CPRA blog series: