If you want to avoid unnecessary legal exposure, you must take prompt steps to comply with this law. Even if you are not subject to the EU’s General Data Protection Regulation (GDPR), if you are collecting information from individuals you must address the need for compliance. If you have already complied with the GDPR, there will be relatively little left to do to comply with the CCPA, but some action is likely required.
Inevitable Burden. There are de minimis thresholds for application of the CCPA, which we are happy to discuss as appropriate. However, with the efforts in other states and in Congress to adopt similar legislation, compliance with the CCPA now is likely to be the most efficient way to reduce the risk of a regulatory or private plaintiff challenge during the next few years. That is, even if a business is not immediately subject to the CCPA itself, there is a good chance that in short order it will be subject to similar requirements in other states or under federal legislation. In the current highly charged political climate, privacy issues have emerged as a major topic in the presidential campaign and in Congress, and will be a high priority for regulators and for the plaintiffs’ bar under the private rights of action created by the CCPA and, likely, by other legislation.
The current clamor about privacy is all about ensuring that consumers fully understand, and agree with, the collection and use of their information.
Even if complete compliance is not feasible, substantial compliance is likely to be a useful way of ‘staying off the radar’ of those seeking to pursue legal claims. It is likely to be more efficient simply to comply with the California law, which is likely to be a model for other states, than to try to weave through the provisions of, and exceptions to, other laws.
The definition of ‘personal information’ (the CCPA’s term for what the GDPR calls ‘personal data’) is very broad and, like the GDPR’s, includes IP addresses, cookie identifiers and other online identifiers, as well as any information reasonably capable of being associated with a particular consumer or household; any data you collect from a website through cookies or otherwise counts as personal information even if you do not have a name and email address to go with it.
Working with Someone Else’s Data. The reference to ‘you’ warrants some comment. In our practice, we are often told that someone need not comply with the CCPA because the personal information in question is collected by someone else, such as their own client. We respectfully, but emphatically, disagree. While there has been no litigation under the CCPA to test this view (and minimal regulatory guidance), anyone having access to data which its subject believes to have been improperly collected or misused will be a potential defendant in such a claim, and it is quite possible that a court could impose liability upon all such parties, regardless of who originally collected the data. In our view, it is much better to avoid situations where data is improperly collected or used than to have to litigate who is responsible for such activity.
Steps to Take. What specific steps should be pursued in the next several months? This will certainly involve not only a makeover of privacy policies, but also a number of other changes in practice:
- Data mapping: who is collecting data from individuals, and where is it being stored and processed (including web hosts and other third-party providers)? A formal written summary is necessary, and it should be kept current as systems and vendors change;
- Genuine consent to the above, reflected in the privacy policy and in the sign-up flow; this means affirmative opt-in through checkboxes (with no pre-checked boxes; see https://www.fisherbroyles.com/googles-gdpr-misstep-what-it-means-for-your-business/) and not opt-out;
- Where applicable, such as sending email or text coupons to those who are near a retail establishment or a designated location within a store, special disclosure of and consent to the use of geo-location data, whether obtained through GPS devices in cars or phones, Bluetooth beacons or otherwise;
- Where cookies are used for any purpose, presentation of ‘cookie banners’ with an opt-in mechanism, so that non-essential cookies are not set until consent is given;
- Long-term preservation and recording of such consents (who consented, to what, when and through which mechanism) in a manner which is usable as evidence if a legal challenge does occur;
- Encryption of personal information, both in transit and when stored, with encryption keys managed separately from the data they protect; this is invaluable both as a risk mitigation and as a legal compliance mechanism, since the CCPA’s private right of action for data breaches reaches nonencrypted and nonredacted personal information;
- Where you are getting data from the original collector, there needs to be proper due diligence by those with privacy law knowledge as to how it was collected and on what consent, supported by contractual warranties, indemnities and cyber-liability insurance;
- Consideration of placement of a DO NOT SELL MY PERSONAL INFORMATION link on the website: it is unclear whether this is required if no sales or sharing of personal information are to occur, but the question must be monitored; this is an important distinction between the CCPA and the GDPR, which has no comparable ‘sale’ concept;
- Being prepared, through designation of appropriate managers and proper language in agreements with service providers and sub-processors (Data Processing Agreements, or DPAs), to respond to consumer requests for access to or deletion of their data within the statutory deadlines. Having your data map at the ready and your DPAs in place will facilitate compliance, since a deletion request must be passed on to every service provider holding the data;
- In service and consulting agreements going in both directions, being especially mindful of warranty, indemnity and liability limitation/disclaimer provisions pertaining to data collection and use.
Our Privacy partners are pleased to work with you to develop the most efficient and orderly strategy for compliance.
About FisherBroyles, LLP
Founded in 2002, FisherBroyles, LLP is the first and world’s largest distributed law firm partnership. The Next Generation Law Firm® has grown to over 225 attorneys in 22 offices nationwide. The FisherBroyles’ efficient and cost-effective Law Firm 2.0® model leverages talent and technology instead of unnecessary overhead that does not add value to our clients, all without sacrificing BigLaw quality. Visit our website at www.fisherbroyles.com to learn more about our firm’s unique approach and how we can best meet your legal needs.
These materials have been prepared for informational purposes only, are not legal advice, and under rules applicable to the professional conduct of attorneys in various jurisdictions may be considered advertising materials. This information is not intended to create an attorney-client or similar relationship. Whether you need legal services and which lawyer you select are important decisions that should not be based on these materials alone.
© 2019 FisherBroyles LLP