Key Point: SB 561, which would have expanded the CCPA’s private right of action, has failed.

According to multiple reports, SB 561 failed to pass the California Senate on Thursday. The failure of SB 561 is a significant victory for businesses as the bill would have expanded the California Consumer Privacy Act’s (“CCPA”) private right of action to allow individual consumers to sue businesses for violations of the CCPA’s privacy-related rights. The current version of the CCPA only allows individual consumers to sue for certain types of data breaches and leaves enforcement of the CCPA’s privacy-related rights to the California Attorney General’s office. SB 561 was backed by the California Attorney General’s office and privacy-rights organizations. It was strongly opposed by business interests. You can read more about SB 561’s failure here and here.

Over the next few months, Husch Blackwell’s privacy and data security blog will continue to provide updates on the CCPA. Register here to stay up-to-date on all of the latest news. Husch also will be hosting a webinar on June 5 to provide an update on the CCPA’s amendment process. Click here for more information and to register.

While SB 561’s failure is certainly a welcome outcome for businesses subject to the CCPA, it does not mean that businesses can slow down on their compliance efforts. The CCPA still allows the Attorney General’s office to seek $2,500 per “violation” and $7,500 per each intentional violation. If those amounts are applied on a per consumer or per day basis, the potential damages could be substantial. Additionally, the CCPA allows consumers to seek statutory damages of between $100 and $750 “per consumer per incident” for data breaches due to a business’s failure to implement and maintain reasonable security procedures and practices.

However, businesses can breathe a little easier knowing that the CCPA will not unleash endless class actions.


On June 5, Husch Blackwell’s privacy and data security practice group will host another webinar on the California Consumer Privacy Act (CCPA). In this webinar, we will:

  • Provide a brief overview of the CCPA and its requirements
  • Analyze the current proposed amendments and how they would modify the CCPA
  • Discuss the proposed amendments that have failed
  • Examine the Attorney General’s anticipated regulations
  • Provide an update on other proposed state privacy laws


Click here for more information and to register.

As we previously reported, the Texas legislature has been considering two bills directed at addressing consumer privacy. Those bills were proposed in the wake of last year’s enactment of the California Consumer Privacy Act.

On May 7, 2019, the Texas House voted overwhelmingly to pass one of those bills – HB 4390 – but the version it passed was significantly amended and will no longer provide any privacy rights to Texas residents.

Specifically, the engrossed version only would establish a Texas Privacy Protection Advisory Council to “study data privacy laws in this state.” It also would amend the Texas breach notification statute to require notification to affected individuals no later than 60 days after a person determines that a breach occurred. The current version of the breach notification statute does not specify a set number of days for providing notice. Additionally, the bill would require that notice be provided to Texas’s Attorney General in certain circumstances. If the bill becomes law, the Council would be required to report its findings to the legislature no later than September 1, 2020. The bill is now under consideration in the Senate.

The other proposed bill – HB 4518 – was left pending in committee on April 2, 2019.

The last day of the Texas legislative session is May 27, 2019. Notably, the Texas legislature meets only every other year.

Over the next few months, Husch Blackwell’s privacy and data security blog will continue to provide updates on proposed state privacy laws. Register here to stay up-to-date on these bills.

In the end, it appears that the Texas legislature is going to punt on passing anything this year, do its homework, and come back with all new privacy legislation in 2021. This has become a consistent theme across the country as privacy bills proposed in other states such as Washington and Maryland have failed to become law.

[Update: After publication of the below post, AB 1035 was amended to remove the below-referenced language. The fact that the California legislature considered defining what constitutes “reasonable security procedures and practices” for purposes of the CCPA’s private right of action but, at least as of now, did not proceed with such legislation leaves businesses subject to the CCPA with little to no legislative direction as to how they can demonstrate that they are undertaking reasonable security procedures and practices. It also exposes the CCPA to the argument that the subject language is void for vagueness. Given the substantial penalties businesses are exposed to under the CCPA’s private right of action, the failure of the legislature to address this issue is notable, especially considering that Ohio implemented legislation last year that California could have used as a guide.]

Given the near ubiquitous coverage of proposed CCPA amendments, it may be hard to believe that any bill could fly under the radar, but that appears to be the case with AB 1035, which would amend the CCPA’s private right of action to link “reasonable security procedures and practices” to NIST standards.

By way of background, § 1798.150 of the CCPA creates a private cause of action for any “consumer whose nonencrypted or nonredacted personal information . . . is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information . . . .” For such violations, consumers are authorized to recover “not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater.”

However, one significant problem with that provision is that no one quite knows what constitutes “reasonable security procedures and practices.” For guidance, privacy and information security professionals have often relied on the California Attorney General Office’s 2016 Data Breach Report, which states:

The 20 controls in the Center for Internet Security’s Critical Security Controls identify a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security.

AB 1035, however, would amend § 1798.150 to include the following new definition:

As used in paragraph (1), “reasonable security procedures and practices” include, but are not limited to, a cybersecurity program that reasonably conforms to the current version, or a version that has been revised within the one-year period before the date of a security breach, of any of the following:

(A) The Framework for Improving Critical Infrastructure Cybersecurity developed by the National Institute of Standards and Technology (NIST).

(B) NIST Special Publication 800-171.

The bill would also amend California’s information security statute, California Civil Code § 1798.81.5, to include the same definition.

AB 1035’s use of the phrase “include, but are not limited to” and its omission of the CIS Controls from the enumerated list of conforming programs is likely to create confusion and risk for organizations that invested resources to abide by the Attorney General Office’s guidance.

The bill’s narrow focus on NIST also ignores that there are other information security standards – such as ISO 27001 – that are routinely used by organizations to demonstrate information security compliance. By comparison, when Ohio recently created a safe harbor for certain data breach-related claims, it included not only NIST standards but also the CIS Controls and the ISO 27000 family, among others.

The bill’s preamble explains the proposed amendment as follows:

Existing law requires a business that owns, licenses, or maintains personal information about a California resident to implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. Existing law, the California Consumer Privacy Act of 2018, beginning on January 1, 2020, grants a consumer various rights with regard to personal information relating to that consumer that is held by a business, including the right to know what personal information is collected by a business and to have information held by that business deleted, as specified. The act specifically authorizes a consumer whose nonencrypted or nonredacted personal information, as defined, is subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business’s failure to maintain reasonable security procedures and practices appropriate to the nature of the information to institute a civil action for various damages.

This bill would define “reasonable security procedures and practices” for the purposes of those provisions to include a cybersecurity program that reasonably conforms to specified standards published by the National Institute of Standards and Technology.

Although the bill is a long way from becoming law, it did pass unanimously out of committee on April 30th with one abstention. Over the next few months, Husch Blackwell’s privacy and data security blog will continue to provide updates on AB 1035 as well as other proposed CCPA amendments. Register here to stay up-to-date on these bills.

Finally, it should be noted that AB 1035 is one of two bills directed at amending the CCPA’s private right of action. The other bill – SB 561 – would expand the private right of action to cover violations of the CCPA’s privacy rights, not just for data breaches.

As we first reported in February, the Nevada legislature has been considering legislation that would amend its online privacy notice statutes, NRS 603A.300 to 360. Among other things, Nevada’s existing law requires “operators” to provide a notice to consumers that (1) identifies the types of information the operator collects online, (2) describes the process (if any) for consumers to review or request changes to their information, (3) describes the process by which the operator notifies consumers of changes to the notice, and (4) discloses whether a third party may collect covered information about an individual’s online activities over time and across different Internet websites or online services.

As originally proposed, Senate Bill 220 would have supplemented that existing law by allowing consumers to submit notices to businesses directing them not to sell any personal information the business has collected or will collect about the consumer (i.e., an opt-out). The bill also would have created a private right of action to enforce violations.

On April 23, 2019, the Nevada Senate voted unanimously to pass Senate Bill 220. However, the version of the bill passed by the Senate was significantly amended and watered-down.

Although the amended bill still allows consumers to opt-out of the sale of their information to third parties, that provision is no longer enforceable through a private right of action.

The amended bill also defines “sale” to mean “the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons.” The bill then provides five exceptions, including the disclosure of information to processors and the disclosure of “covered information by an operator to a person for purposes that are consistent with the reasonable expectations of a consumer considering the context in which the consumer provided the covered information to the operator.”

Those familiar with the California Consumer Privacy Act’s opt-out provision will appreciate that Nevada’s proposed version is much more business-friendly and will likely only apply in very limited situations.

Notably, the amended bill also re-defines the term “operator” to exclude financial institutions subject to the Gramm-Leach-Bliley Act, HIPAA covered entities, and manufacturers of motor vehicles (if certain conditions are met). In so doing, the amended bill would exclude those entities not just from the new opt-out requirements but from all obligations under NRS 603A.300 to 360. Therefore, those entities would actually have fewer obligations than under current law.

In short, those looking for ground-breaking privacy legislation will not find it in Nevada.

The bill is currently under consideration in the Nevada Assembly.

To stay up-to-date on this bill as well other privacy law developments, register for Husch Blackwell’s privacy and data security blog by clicking here.

Consistent with the cliché that “everything’s bigger in Texas,” the Texas legislature has introduced not one, but two separate bills relating to the privacy of personal information. Although still in their nascent stages, both bills are following California’s lead in creating enhanced and stringent privacy protections for individual consumers.

Continue Reading The Eyes (and Privacy Laws) of Texas Are Upon You…

A surprise legislative storm ripped through Olympia, Washington last week, and the proposed Washington Privacy Act (SB-5376) took the brunt of the damage. The bill sailed through the Democrat-controlled Washington State Senate on a vote of 46-1, but encountered surprise headwinds in the Democrat-controlled State House. The House failed to vote on the bill before the April 17th deadline for taking action on non-budget legislation.

Although there is still a chance that SB-5376 can be kept alive until the Legislature adjourns on April 28, the bill’s failure to pass the House is a significant blow for some privacy advocates who saw Washington State building upon the California and European Union privacy laws. State Senator Guy Palumbo, a co-sponsor of SB-5376 lamented the impasse as a “case of the perfect being the enemy of the good.”

The impasse apparently centered on facial recognition technology and the fact that legislators invited technology companies to participate in reconciling the Senate and proposed House language, but did not invite consumer advocacy groups.

Ironically, this development could be considered bad news for the companies who would be regulated by privacy regulation, because the forecast demise of this legislation weakens the argument that Congress needs to pass federal legislation to eliminate a patchwork of state laws affecting interstate commerce.

Although there certainly will be more bills proposed to amend the California Consumer Privacy Act (CCPA), there already are a significant number of bills that have been working their way through the legislative process. One of these bills – SB561, which would expand the CCPA’s private right of action – received widespread attention when it was introduced in February. However, SB561 is one of only 18 bills that would amend or supplement the CCPA. Many of these bills deal with important amendments to the CCPA that privacy law experts have been requesting since it was first enacted last summer.

In the below post, we identify and analyze these bills. In doing so, we first provide a summary of the most significant proposed changes and takeaways. We then provide a table linking to each bill, identifying the issue to which it is directed, and providing an analysis of the bill’s proposed changes.

Over the next few months, Husch Blackwell’s privacy and data security blog will periodically update our work as new bills are proposed. Register here to stay up-to-date on these changes.

Summary

No Reason to Delay Compliance Efforts: Entities that are delaying compliance efforts in the expectation of widespread changes to the CCPA will be disappointed. None of the proposed bills seeks to remove the CCPA’s core privacy rights (i.e., right to access, right to be forgotten, right to opt-out) or make a change to the CCPA’s terms that would justify taking a “wait-and-see” approach.

Fixing the Deidentification Exemption: A number of the bills seek to fix the CCPA’s treatment of deidentified and aggregate data by fixing a typo in the last sentence of the CCPA’s definition of “personal information.” The statute incorrectly states that “publicly available” does not include deidentified or aggregate consumer information when it should state that “personal information” does not include such information. One of the bills also would modify the definition of “deidentified.” That change is presumably in response to criticism from privacy experts that the CCPA’s definition is out of alignment with other privacy laws.

Employment Information: AB25 would modify the definition of “consumer” to exclude certain employment-related information. Those who have closely monitored the CCPA have anticipated that the legislature would likely remove employment-related information from its coverage. Notably, however, the current draft of the bill does not remove professional or employment-related information from the definition of “personal information.”

Removal of Household: AB873 would delete the word “household” and the phrase “is capable of being associated with” from the definition of “personal information.” The CCPA does not define “household,” which has added to the ambiguity of the definition of personal information. Notably, the bill does not remove the term “household” from other places in the CCPA, such as the definition of “business.”

Private Right of Action: As noted, SB561, which is backed by the Attorney General’s office, would expand the private right of action to cover the CCPA’s privacy-related rights.

Tag Along Bills: A number of bills seek to add new statutory provisions that would supplement the CCPA. This includes bills on data brokers, facial recognition technology, social networking services, and providing disclosures regarding the monetary value of consumer data.

Analysis

Bill: AB25
Topic: Exclusion of Certain Employment Information from Definition of Consumer
Analysis: The bill would exclude from the definition of “consumer” “a natural person whose personal information has been collected by a business in the course of a person acting as a job applicant or as an employee, contractor, or agent, on behalf of the business, to the extent their personal information is used for purposes compatible with the context of the person’s activities for the business as a job applicant, employee, contractor, or agent of the business.”

Bill: AB288
Topic: Social Networking Service
Analysis: The bill would require a social networking service to provide users that close their accounts the option of having their personally identifiable information permanently removed from the company’s database and records. Users also would be able to prohibit the service from selling that information to, or exchanging that information with, a third party in the future, subject to certain exceptions. The bill would authorize a consumer to sue the service for a violation. The bill would supplement the CCPA by adding §§ 1798.90.7 and .75 to the Civil Code.

Bill: AB846
Topic: Non-discrimination Provision
Analysis: The bill would amend § 1798.125, which currently prohibits a business from discriminating against a consumer if the consumer exercises any of their CCPA rights. The current version of the amendment would provide that businesses could offer gift cards, discounts, payments, or other benefits associated with a loyalty or rewards program as compensation for the collection, sale, or retention of personal information. A business would be required to provide a notice that clearly describes the material terms of the incentive program, the consumer would have to give opt-in consent prior to entering into the incentive program, and the consent could be revoked at any time.

Bill: AB873
Topic: Deidentification / Removal of Household from Definition of Personal Information
Analysis: The bill would amend the CCPA’s much-criticized definition of “deidentified” to be “information that does not reasonably identify or link, directly or indirectly, to a particular consumer, provided that the business makes no attempt to reidentify the information, and takes reasonable technical and administrative measures designed to: (1) Ensure that the data is deidentified. (2) Publicly commit to maintain and use the data in a deidentified form. (3) Contractually prohibit recipients of the data from trying to reidentify the data.”

The bill also would remove “household” and the phrase “is capable of being associated with” from the definition of personal information.

Additionally, the bill would make the following change to § 1798.145(i): “This title shall not be construed to require a business to reidentify or otherwise link information that is not maintained in a manner that would be considered [deleted: personal information.] [added: personally identified form.]”

Bill: AB874
Topic: Correct Definition of Personal Information
Analysis: The bill would correct the definition of “personal information” to clarify that it does not include deidentified or aggregate consumer information. The bill would also redefine “publicly available” by removing the following sentence: “Information is not ‘publicly available’ if that data is used for a purpose that is not compatible with the purpose for which the data is maintained and made available in the government records or for which it is publicly maintained.”

Bill: AB950
Topic: Disclosure of Monetary Value of Consumer Data
Analysis: The bill would require a business that collects a California resident’s consumer data to disclose to the consumer the monetary value to the business of the data. A business also would be required to include that information in its online privacy policy. Further, a business would be required to disclose any use of a consumer’s data that is not directly or exclusively related to the service that the consumer has contracted the business to provide.

The bill would also require a business that collects a California resident’s consumer data, and that sells that data, to disclose to the consumer the average price it is paid for a consumer’s data and to disclose to the consumer the actual price it was paid for a consumer’s data upon receipt of a verifiable request for that information from the consumer.

The bill would supplement the CCPA by adding §§ 1798.91.01 and .02 to the Civil Code.

Bill: AB981
Topic: Exemption
Analysis: The bill would exempt insurance institutions, agents, and support organizations to which the Insurance Information and Privacy Protection Act applies from the CCPA.

Bill: AB1146
Topic: Exemption
Analysis: The bill would make the following change in § 1798.145(g): “This title shall not apply to vehicle information, including ownership information, shared between a new motor vehicle dealer, as defined in Section 426 of the Vehicle Code, and the vehicle’s manufacturer, manufacturer branch, distributor, distributor branch, or affiliate, as defined in Section 672 of the Vehicle Code, if the vehicle information is [deleted: share] [added: shared] pursuant to, or in anticipation of, a vehicle repair relating to warranty work or a recall conducted pursuant to Sections 30118 to 30120, inclusive, of Title 49 of the United States Code.”

Bill: AB1202
Topic: Data Brokers
Analysis: The bill would require “data brokers” to register with, and disclose certain information to, the California Attorney General. A data broker is defined as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” The bill excludes certain entities such as financial institutions subject to the Gramm-Leach-Bliley Act. Data brokers would be required to provide consumers with the right to opt-out of the sale of their personal information and any other rights afforded by the CCPA.

The proposed legislation would supplement the CCPA by adding §§ 1798.99.82 and .84 to the Civil Code.

Bill: AB1281
Topic: Facial Recognition Technology
Analysis: This bill would add § 1798.300 to the Civil Code and require a business in California that uses facial recognition technology to disclose that usage in a physical sign that is clear and conspicuous at the entrance of every location that uses facial recognition technology. The bill would consider a violation of its provisions to be unfair competition within the meaning of the Unfair Competition Law.

Bill: AB1355
Topic: Correct Definition of Personal Information
Analysis: The bill would correct the definition of personal information to clarify that deidentified and aggregate data is not personal information. The bill also would make a number of grammatical, non-substantive changes.

Bill: AB1416
Topic: Exemption
Analysis: The bill would amend § 1798.145(a)(4) to provide that the CCPA does not restrict a business’s ability to collect, use, retain, sell, or disclose personal information to (a) exercise, defend, or protect against legal claims, (b) protect against or prevent fraud or unauthorized transactions, (c) protect against or prevent security incidents, or other malicious, deceptive, or illegal activity, or (d) investigate, report, or prosecute those responsible for fraudulent or illegal activity.

Bill: AB1564
Topic: Methods for Receiving Requests
Analysis: This bill would modify § 1798.130 to provide that a business can make a toll-free number or email address available for submitting requests or a website (if the business has a website).

Bill: AB1758
Topic: Grammatical Change
Analysis: The bill would make the following grammatical change in § 1798.100(e): “This section shall not require a business to retain any personal information collected for a single, one-time transaction, if [deleted: such] [added: that] information is not sold or retained by the business or to reidentify or otherwise link information that is not maintained in a manner that would be considered personal information.”

Bill: AB1760
Topic: Grammatical Change
Analysis: The bill would make the following grammatical change in § 1798.105(a): “A consumer shall have the right to request that a business delete any personal information about the consumer [deleted: which] [added: that] the business has collected from the consumer.”

Bill: SB561
Topic: Private Right of Action
Analysis: The bill would create a private right of action for violations of the CCPA, and eliminate the 30-day cure period. It also would replace the provision allowing businesses or third parties to seek the opinion of the AG’s office with a provision providing that the AG’s office “may publish materials that provide businesses and others with general guidance on how to comply” with the CCPA.

Bill: SB752
Topic: Grammatical Change
Analysis: The bill would make the following grammatical change in § 1798.125(b)(1): “A business may offer financial incentives, including payments to consumers as compensation, for the collection of personal information, the sale of personal information, or the deletion of personal information. A business may also offer a different price, rate, level, or quality of goods or services to the consumer if that price or difference is directly related to the value provided to the consumer [deleted: by] [added: from] the consumer’s data.”

Bill: SB753
Topic: Grammatical Change
Analysis: The bill would change “Internet” to “internet” and “Internet Web” to “internet web” in § 1798.135(a)(1) and (2).


Recently, I had the pleasure of being interviewed by Julia Kerrigan, an articulate and insightful young journalist writing for her high school paper, The Dart. In my mind (that’s foreshadowing the challenges caused by my ego-centricity dear reader), the point of the conversation was for me to provide Julia with a primer on information privacy and security issues so that she could weave into her article a few observations from a so-called expert.

Continue Reading Cybersecurity Through a Generation Z Lens: The Privacy and Security Issues that Keep Teens up at Night