California Consumer Privacy Act (CCPA) Workshop
TRANSCRIPT
Fall | October 2020
Speakers
Mary Canter, Legal Counsel, Spotify
Lothar Determann, Partner, International Commercial, lothar.determann@bakermckenzie.com
Teresa Michaud, Partner, Dispute Resolution, teresa.michaud@bakermckenzie.com
Ed Totino, Partner, Dispute Resolution, edward.totino@bakermckenzie.com
Agenda
1 CCPA Overview
2 Top 10 CCPA Action Items
3 Responding To Consumer Requests
4 Operationalizing CCPA Requirements
5 CPRA Impact
6 CCPA Litigation
7 Other Privacy Litigation Risks
8 Mitigating Litigation Risks
I am convinced that there are only two types of
companies: those that have been hacked and those
that will be. And even they are converging into one
category: companies that have been hacked and will
be hacked again.
- FBI Director Robert Mueller, 3/1/12
1
CCPA Overview
California Consumer Privacy Act of 2018
Effective – January 1, 2020; Enforcement – July 1, 2020
Look-back to January 1, 2019
AG Regulations finalized August 14, 2020
Data broker registration requirements January 31, 2020 (and following years)
Delays for certain requirements re. B2B and employee information
Applies to companies worldwide, B2C and B2B
Disclosure requirements, opt-in, opt-out re. "selling of personal information"
New consumer rights to access, deletion, and porting of personal data
New penalties
New statutory damages in case of data security breaches
2
Top 10 CCPA Action Items
1. Decide whether to sell or not to sell personal information with key stakeholders in the company
2. If you decide to sell (or can't avoid selling personal information), post a "Do Not Sell My Personal Information" link on every website and create a simple opt-out mechanism
3. Post a privacy policy and notices in compliance with the Final Regulations of the California Attorney General
4. Prepare privacy notices for all situations where your company collects personal information from California residents (e.g., from website visitors, employees, job candidates, contractors, and vendors) and ensure that such notices are issued to California residents at or before the point at which it collects their personal information
5. Notify vendors and business partners not to sell (effective January 1, 2019) and update contracts to eliminate/avoid selling of personal information
6. Conduct CCPA trainings
7. Determine whether you have to provide a "notice of financial incentive"
8. Update intercompany agreements
9. Monitor statutory amendments and enforcement actions
3
Responding to Consumer Requests
How to comply? Disclosure
Disclose:
Categories of third parties receiving PI
Description of the rights to access, deletion, to obtain information about disclosures, to opt out of sales, and not to be discriminated against
If PI is sold: the fact that PI collected may be sold, and a clear and conspicuous link, titled "Do Not Sell My Personal Information", to a webpage that enables opt-out
Method(s) for submitting requests including, at a minimum, a toll-free telephone number and, where maintained by the business, a website address
How to comply? Access and Deletion
Implement processes and policies to:
verify the identity of individuals making requests
timely provide portable copies via "account" (can include multiple communication lines)
delete personal information or claim a statutory exception
obtain assistance of service providers
Access, deletion rights: statutory exceptions to deletion
1) Complete the transaction for which the personal information was collected, provide a good or service requested by the consumer, or reasonably anticipated within the context of a business's ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer.
2) Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity.
3) Debug to identify and repair errors that impair existing intended functionality.
4) Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law.
5) Comply with the California Electronic Communications Privacy Act pursuant to Chapter 3.6 (commencing with Section 1546) of Title 12 of Part 2 of the Penal Code.
6) Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the business's deletion of the information is likely to render impossible or seriously impair the achievement of such research, if the consumer has provided informed consent.
7) To enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer's relationship with the business.
8) Comply with a legal obligation.
9) Otherwise use the consumer's personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.
4
Operationalizing the CCPA
5
CPRA Impact
Key Action Items for CPRA Compliance
New link: New link on website would be required if company shares
personal information for purposes of cross-context behavioral advertising
New Service Provider Contracts: Service provider contracts would
have to address direct obligations to assist businesses with CPRA
compliance activities
Revised notices: At collection companies would have to state if
personal information is sold or "shared" and retention period per category
of information or "criteria"
CPRA against CCPA and GDPR
Data Rights
  CPRA: Access, Deletion (+ business notification duty), Portability, Say No to Sale, Rectification, Limit Use of Sensitive Personal Information
  CCPA: Access, Deletion, Portability (implied), Say No to Sale, Non-Discrimination
  GDPR: Access, Deletion, Portability, Say No to Sale (implied under right of objection), Rectification, Limit Use of Sensitive Personal Information
Requires "Do Not Sell My Personal Information" Button
  CPRA: Yes (+ do not share personal information for cross-context behavioral advertising)
  CCPA: Yes
  GDPR: No
Service Provider Contracts
  CPRA: Characterize recipient as service provider or contractor; more prescriptive provisions regarding what agreements with contractors should contain; direct obligations on service providers to assist business with CPRA compliance activities
  CCPA: Prohibit disclosure, use, retaining or selling personal information; certification requirements; security practices
  GDPR: Processor requirements under Article 28 of the GDPR; SCCs 2010
Storage Limitation
  CPRA: Yes; CCPA: No; GDPR: Yes
Data Minimization
  CPRA: Yes; CCPA: No; GDPR: Yes
High Risk Processors Required to Perform Risk Assessments
  CPRA: Yes; CCPA: No; GDPR: Yes
Penalties for Stolen Email + Password
  CPRA: Yes; CCPA: No; GDPR: Yes
Right to Opt Out of Advertisers Using Geolocation
  CPRA: Yes; CCPA: No; GDPR: Yes
Covers Employees
  CPRA: Retroactively extends delay until January 1, 2023; CCPA: Delayed implementation until January 1, 2021; GDPR: Yes
Dedicated Enforcement Agency/Authority
  CPRA: Yes; CCPA: No; GDPR: Yes
6
CCPA Litigation
Trends
Over 40 actions as of September 1, 2020
3 main categories of non-data-breach lawsuits (unsuccessful so far):
1. Unfair Competition Law
2. Negligence per se claims incorporating CCPA standards of care
3. Actions asserted directly under the CCPA
Approximately 30% increase in lawsuits following a data breach
Sanctions and remedies
$7,500 per intentional violation
$2,500 per unintentional violation, if the company fails to cure the unintentional violation within 30 days of notice
Enforced by the California Attorney General; penalties paid into the Consumer Privacy Fund
Sanctions and remedies
New cause of action: statutory damages for data security breaches
New definition of data security breach: "unauthorized access and exfiltration, theft, or disclosure as a result of the business' violation of the duty to implement and maintain reasonable security procedures and practices"
Narrower definition of "personal information" in this context (e.g., SSNs, credit card/account numbers, medical information)
Statutory damages $100-$750 per consumer, per incident
Class Action Lawsuits for Data Breaches
Statutory damages of between $100 and $750 per consumer per incident for breaches (or actual damages if greater), if
the data is not encrypted or redacted, and
the business did not have reasonable security practices and procedures
No showing of harm required (may violate due process), but this allows for very expensive eDiscovery and triggers nuisance lawsuits after many reportable breaches
Plaintiffs must provide the business with 30 days' written notice identifying the specific provisions violated
30-day cure period after notice, but cure is difficult in most breaches
CCPA Data Breach Cause of Action
Elements
Any combination of the data elements listed above
Subject to an unauthorized access and exfiltration, theft, or disclosure
Access is required: maybe not a laptop theft or accidentally emailing the info to the wrong address?
Resulting from "the business's violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information"
Invites broad discovery into the business' security program: an eDiscovery nightmare
CCPA Defenses
Defenses: Encryption; Redaction; 30-day right to cure (get your data back!?)
Other Prevention: Deletion of breach-notice data elements; Use of class action waivers (the CCPA purports to prevent these, but the Federal Arbitration Act (FAA) preempts)
Other Risk Management: Obtain certification that you follow an accepted security standard; Cyber insurance
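The three technical defenses on this slide (encryption, redaction, and deletion of breach-notice data elements) applied to a single customer record, as an added example that is not part of the workshop materials. It assumes illustrative field names (ssn, card_number, medical_info), uses a standard-library HMAC-based cipher so it runs without third-party packages (a stand-in for a vetted AEAD), and assumes the keys are held in a separate key service rather than beside the data:

```python
import hashlib
import hmac
import json
import os
import re

# Data elements the slides name as triggering the breach cause of action when
# exposed. Field names are illustrative; the statute's own element list is longer.
BREACH_ELEMENTS = ("ssn", "card_number", "medical_info")


def prf_keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a PRF-based stream cipher.
    Standard-library-only stand-in so the example runs anywhere; real systems
    should use a vetted AEAD such as AES-GCM from a maintained crypto library."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_field(enc_key: bytes, mac_key: bytes, plaintext: str) -> str:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC tag, hex-encoded for storage."""
    nonce = os.urandom(16)
    pt = plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(pt, prf_keystream(enc_key, nonce, len(pt))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return (nonce + ct + tag).hex()


def decrypt_field(enc_key: bytes, mac_key: bytes, blob: str) -> str:
    """Verify the tag in constant time before touching the ciphertext."""
    raw = bytes.fromhex(blob)
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext failed authentication")
    return bytes(a ^ b for a, b in zip(ct, prf_keystream(enc_key, nonce, len(ct)))).decode()


def redact(value: str, keep: int = 4) -> str:
    """Display form of an identifier: all but the last `keep` digits masked."""
    digits = re.sub(r"\D", "", value)
    return "*" * max(len(digits) - keep, 0) + digits[-keep:]


def protect_record(record: dict, keys: dict, retain: set) -> dict:
    """Shape a record for the datastore: breach-trigger elements not in `retain`
    are deleted outright; retained ones are stored only encrypted plus a redacted
    display value; every other field passes through unchanged."""
    stored = {}
    for field, value in record.items():
        if field not in BREACH_ELEMENTS:
            stored[field] = value
        elif field in retain:
            stored[field + "_enc"] = encrypt_field(keys["enc"], keys["mac"], value)
            stored[field + "_display"] = redact(value)
        # else: deletion, the element never lands in the store
    return stored


def exposed_elements(stored: dict, original: dict) -> list:
    """What an attacker who exfiltrates the datastore alone (not the key service)
    learns: breach-trigger elements whose plaintext appears in the stored JSON."""
    dump = json.dumps(stored)
    return [f for f in BREACH_ELEMENTS if f in original and original[f] in dump]


if __name__ == "__main__":
    # Keys live in a separate key service in practice; generated here for the demo.
    keys = {"enc": os.urandom(32), "mac": os.urandom(32)}
    customer = {  # constructed sample record, not real data
        "name": "Example Customer",
        "email": "customer@example.com",
        "ssn": "123-45-6789",
        "card_number": "4111 1111 1111 1111",
    }
    stored = protect_record(customer, keys, retain={"card_number"})
    print(json.dumps(stored, indent=2))
    print("exposed on datastore-only breach:", exposed_elements(stored, customer))
```

The check that matters is exposed_elements: a thief who copies only the datastore recovers none of the listed elements, the SSN because it was never stored and the card number because only ciphertext and a last-four display value exist. If the key service is compromised in the same incident the encryption defense collapses, so key custody, not the choice of cipher, is what decides whether stored data is meaningfully "encrypted".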
7
Other Privacy Litigation Risks
Recent CA Privacy Timeline
CCPA Regulations became final on August 14, 2020
CCPA new exemptions for medical and health information
California Invasion of Privacy Act: Smith v. LoanMe Inc.
Anti-spam lawsuits on the rise
CPRA qualifies for the November ballot
Privacy Litigation Trends
California Invasion of Privacy Act (Cal. Penal Code §§ 630, et seq.): class actions started around 2006 when California expanded its law to interstate telephone calls
California Shine the Light Law (Cal. Civil Code § 1798.83): cases filed when the statute first became effective in 2005, faded away, and recently began to be filed again
California Anti-Spam (Cal. Business & Professions Code § 17529, et seq.): CAN-SPAM preemption; increasing number of cases filed attempting to avoid preemption
Data Breach Litigation: around 50 to 100 class actions filed per year pre-CCPA
California Invasion of Privacy Act
Penal Code Section 632.
a) A person who, intentionally and without the consent of all parties to a confidential communication,
uses an electronic amplifying or recording device to eavesdrop upon or record the confidential
communication, whether the communication is carried on among the parties in the presence of one
another or by means of a telegraph, telephone, or other device, except a radio, shall be punished by a
fine not exceeding two thousand five hundred dollars ($2,500) per violation, or imprisonment in a
county jail not exceeding one year, or in the state prison, or by both that fine and imprisonment. . . .
c) For the purposes of this section, "confidential communication" means any communication carried on
in circumstances as may reasonably indicate that any party to the communication desires it to be
confined to the parties thereto, but excludes a communication made in a public gathering or in any
legislative, judicial, executive, or administrative proceeding open to the public, or in any other
circumstance in which the parties to the communication may reasonably expect that the
communication may be overheard or recorded.
Penal Code Section 632.7
a) Every person who, without the consent of all parties to a communication, intercepts or
receives and intentionally records, or assists in the interception or reception and
intentional recordation of, a communication transmitted between two cellular radio
telephones, a cellular radio telephone and a landline telephone, two cordless
telephones, a cordless telephone and a landline telephone, or a cordless telephone and
a cellular radio telephone, shall be punished by a fine not exceeding two thousand five
hundred dollars ($2,500), or by imprisonment in a county jail not exceeding one year, or
in the state prison, or by both that fine and imprisonment. . . . .
c) (3) "Communication" includes, but is not limited to, communications transmitted by
voice, data, or image, including facsimile
Penal Code Section 637.2
a) Any person who has been injured by a violation of this chapter may bring an action
against the person who committed the violation for the greater of the following amounts:
(1) Five thousand dollars ($5,000) per violation. [or] (2) Three times the amount of actual
damages, if any, sustained by the plaintiff.
California Unsolicited Commercial Email
Business & Professions Code Section 17529.5
(a) It is unlawful for any person or entity to advertise in a commercial e-mail advertisement either sent from California or
sent to a California electronic mail address under any of the following circumstances:
(1) The e-mail advertisement contains or is accompanied by a third-party's domain name without the permission of the
third party.
(2) The e-mail advertisement contains or is accompanied by falsified, misrepresented, or forged header information.
This paragraph does not apply to truthful information used by a third party who has been lawfully authorized by the
advertiser to use that information.
(3) The e-mail advertisement has a subject line that a person knows would be likely to mislead a recipient, acting
reasonably under the circumstances, about a material fact regarding the contents or subject matter of the message.
CAN-SPAM Preemption
15 USC § 7707 (b)(2)(B) exception to preemption
This chapter shall not be construed to preempt the applicability of— (B) other State laws to the extent that those laws
relate to acts of fraud or computer crime.
8
Mitigating Litigation Risks
CA-specific notices
Class action waivers
Choice of law and venue
Judicial reference clauses
Limitations of liability and indemnity
Strategic variability
Mitigation of Class Action Risk
Before data breach:
Protection via terms and conditions: arbitration provisions with class action waivers
Certifications / surveys / audits showing reasonable security measures in place
Introduce variation in practices if possible to limit size of potential class
After data breach:
Attempt cure of data breach and provide consumer notice of cure
Argue that stopping further data breach is cure
Argue that improving security measures and improving encryption is cure
After lawsuit filed:
If in California court, try to remove to federal court
Early motions to dismiss or strike class definitions to limit size of class / class discovery
Questions
bakermckenzie.com
Baker & McKenzie Compliance Consulting LLC provides compliance management and support services and does not
provide legal advice or services. Baker & McKenzie Compliance Consulting LLC is a corporation wholly owned by Baker
& McKenzie LLP, a member firm of Baker & McKenzie International, a global law firm with member law firms around the
world. In accordance with the common terminology used in professional service organizations, reference to a "partner"
means a person who is a partner, or equivalent, in such a law firm. Similarly, reference to an "office" means an office of
any such law firm. This may qualify as "Attorney Advertising" requiring notice in some jurisdictions. Prior results do not
guarantee a similar outcome.
© 2020 Baker & McKenzie Compliance Consulting LLC