California Consumer Privacy Act

In June of this year, California passed the California Consumer Privacy Act (CCPA), giving California residents specific rights related to their online privacy, similar to those prescribed by GDPR. The law was passed hastily to avoid a stricter ballot measure on the subject, but Governor Brown recently signed a bill amending the law.

Many of the amendments clarify some of the CCPA’s “technical” errors, such as solidifying that the Act should not be enforced to contradict the California Constitution. The most significant change, however, deals with the enforcement of the Act. Although Section 1798.198 makes the Act operative on January 1, 2020, the newly-added Section 1798.185(7)(c) prevents the Attorney General from bringing an enforcement action under the Act until July 1, 2020, or six months after the final regulations made pursuant to the Act are published, whichever is sooner. Thus, although the effective date is January of 2020, the California Attorney General may not be able to bring enforcement actions until up to six months after the enactment date, depending on when the office promulgates regulations. The amendments also extend the date by which the Attorney General must promulgate regulations from January 1, 2020 to July 1, 2020.

Another point worth noting is that the amendments remove the requirement for a private plaintiff to inform the Attorney General of a claim he or she has brought to enforce his or her private cause of action under the Act. This eliminates the ability of the Attorney General to bring its own action in lieu of a private one.

Additional changes include specifying additional laws to which the Act does not apply, including: (1) the Confidentiality of Medical Information Act or regulations promulgated in response to HIPAA, or the Health Information Technology for Economic and Clinical Health Act; (2) the Federal Policy for Protection of Human Subjects; and (3) the California Financial Information Privacy Act. The amendments also limit the civil penalty to $2,500 per violation, or $7,500 for each intentional violation.

Although this bill has clarified some issues with the original law, this will likely not be the last set of amendments to the CCPA before it goes into effect. We will keep you posted.

 

Yesterday, the California legislature passed SB-327, a bill intended to regulate the security of internet-connected devices. Compared with the California Consumer Privacy Act (CCPA), SB-327 is significantly narrower. As enacted, the bill is a “lighter” version of what was first introduced and amended in 2017 (which, at that time, would have included certain disclosure and consent requirements for connected devices).

At its core, SB-327 requires connected devices to be equipped with “reasonable security features” that are:

  1. appropriate to the nature and function of the device;
  2. appropriate to the information it may collect, contain, or transmit; and
  3. designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.

Subject to the above, if a connected device is equipped with a means for authentication outside a local area network, this is considered a “reasonable security feature” if either: (a) the preprogrammed password is unique to each device manufactured; or (b) the device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time. These requirements, of course, are in addition to any duties or obligations imposed under other laws (e.g., CCPA).

The term “connected device” is defined as “any device, or other physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address.” Pretty much every device connected to the Internet is assigned either an IP address or Bluetooth address when it is connected. This can include, for example, anything from computers, tablets, and mobile devices, to smart watches, smart home hubs, or app-controlled toys.

The bill does not provide a private right of action. Only the Attorney General, a city attorney, a county counsel, or a district attorney can enforce the law, and the bill does not address (either directly or by implication) any specific penalties or remedies that may be sought by these entities. However, it’s possible that we will see the requirement to implement reasonable security measures asserted as a basis for a legal duty in conjunction with other claims (either by the AG or consumers).

The bill was ordered to engrossing and enrolling. If signed by Governor Brown, the law would become effective on January 1, 2020 (same day as the CCPA).

Just when you think you’ve tackled the Wild, Wild West of GDPR and privacy compliance, California decides to mix it all up again.

This November 6th, California voters will decide on the California Consumer Privacy Act (“Act”), a statewide ballot proposition intended to give California consumers more “rights” with respect to personal information (“PII”) collected from or about them.  Much like CalOPPA, California’s Do-Not-Track and Shine the Light laws, the Act will have broader consequences for companies operating nationwide.

The Act provides certain consumer “rights” and requires companies to disclose the categories of PII collected, and identify with whom the PII is shared or sold. It also includes a right to prevent the sale of PII to third parties, and imposes requirements on businesses to safeguard PII.  If passed, the Act would take effect on November 7, 2018, but would apply to PII collected or sold by a business on or after nine (9) months from the effective date – i.e., on August 7, 2019.

Who is Covered?

The Act is intended to cover businesses that earn $50 million a year in revenue, or businesses that “sell” PII either by (1) selling 100,000 consumers’ records each year, or (2) deriving 50% of their annual revenue by selling PII. These categories of businesses must comply if they collect or sell Californians’ PII, regardless of whether they are located in California, a different state, or even a different country.