Comments to the final California Consumer Privacy Act (CCPA) regulations asked how franchisor/franchisee compliance with CCPA works:

  • Does CCPA apply to the franchisee for collecting data on behalf of the franchisor?
  • How is the franchisor supposed to calculate its revenues for the purpose of the $25 million applicability threshold?

The California Attorney General responded:
  • The regulations provide general guidance for CCPA compliance.
  • Further analysis is necessary before proposing a regulation that provides guidance specific to the franchisor/franchisee relationship and the statutory definition of “business” in CCPA.

CCPA Final Regs Franchise Odia Kagan

Compliance takeaways from the International Association of Privacy Professionals (IAPP) California Consumer Privacy Act (CCPA) Enforcement Keynote Session:

  • It is important for businesses to understand the law. It is complex and has many nuances.
  • Your customers are looking, your competitors and your employees are looking, and the CA AG is looking at the private class actions to see if there is something it should independently enforce. You will have a hard time navigating this without being compliant with CCPA.

View a video of the presentation.

Comments to the final California Consumer Privacy Act regulations asked if the CCPA carve-out regarding the Gramm-Leach-Bliley Act (GLBA), the data protection law governing US financial institutions, applies to:

  1. Financial institutions under GLBA
  2. Service providers that must comply with GLBA
  3. Sources of information that are subject to GLBA

The California Attorney General’s answer: No.

The exemption does not extend to entities subject to GLBA, nor to sources subject to GLBA. Rather, it applies to personal information collected, processed, sold or disclosed pursuant to GLBA (or the California Financial Information Privacy Act (CFIPA)). The exemption follows the data, not the entity.

CCPA Final Regs CCPA and GLBA Odia Kagan

Comments on the final California Consumer Privacy Act (CCPA) regulations asked if data brokers should be required to identify the factors they use in algorithmic decision-making practices that affect the consumer, such as consumer scores.

The California Attorney General responded:
  • Inferences derived from personal information to create a profile about a consumer are personal information under CCPA.
  • If a data broker collects this type of personal information, it needs to disclose it in a response to a verifiable access request.
  • Per the CCPA regulations, information provided in response to such a request must be presented in a manner that gives consumers a meaningful understanding of the information being collected.

Not quite the limitation on automated processing in Article 22 of the European Union’s General Data Protection Regulation (GDPR), but close to the Article 13 GDPR requirement about disclosing automated decision making and profiling and providing “meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.”

Closer still if profiling is tied with a financial incentive program with respect to which CCPA requires additional detail.

CCPA Final Regs Algorithmic Transparency Odia Kagan

Is winter coming to cross-border transfer of personal data from the European Union (EU)?

In anticipation of the Court of Justice of the European Union decision in the Schrems II case, companies should consider what they would do if either or both of the EU-U.S. Privacy Shield and the Standard Contractual Clauses are invalidated.

Details from Bloomberg Law.

Comments to the California Consumer Privacy Act (CCPA) final regulations asked: “If you get an access request and you know that the underlying motive for it is to conduct discovery for the purpose of contemplated litigation, do you have to comply with the access request?”

The California Attorney General’s Response: Yes. There is no exception that lets you refuse for this reason.

This is very much in line with European Union supervisory authorities’ approach and some case law regarding this question.

See this case from the England and Wales Court of Appeal for example.


Per the German DSK (the Conference of Independent German Federal and State Data Protection Supervisory Authorities), emails need to be encrypted in order to meet the minimum requirements of Article 32 of the General Data Protection Regulation (GDPR).

This means:
  • TLS (transport-layer encryption) at a minimum
  • Additional measures, such as end-to-end encryption and qualified transport encryption, if sensitive data is being sent
  • Controllers must implement a policy that enables all employees who use e-mail communication and similar media to determine which safeguards need to be taken for each medium and for each class of communication or transmitted personal data.
  • They must regularly monitor compliance with this policy.
  • They must notify recipients so that the recipients can adapt to the technical conditions and implement any technical precautions they may need to take on their side.

Read the full advisory.
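As an added illustration of the “regularly monitor compliance” point (example code written for this page, not part of the DSK advisory or of the original post): the script below audits the Received headers of an email and reports, hop by hop, whether the relaying MTA recorded a TLS-protected transport and which protocol version it noted. The sample message and host names are constructed. The protocol names follow RFC 3848 (ESMTPS/ESMTPSA signal STARTTLS), while the version annotations are MTA-specific and here assume the Google-style “version=TLS1_2” and Postfix-style “using TLSv1.2” comments.

```python
import re
from email import message_from_string

# Constructed sample message (not from the original post). Received headers are
# stacked newest-first, since each receiving MTA prepends its own.
SAMPLE_MESSAGE = """\
Received: from mx.example.org (mx.example.org [192.0.2.10])
\tby mail.example.com with ESMTPS id abc123
\t(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
\tMon, 15 Jun 2020 09:12:01 +0000
Received: from relay.partner.test (relay.partner.test [198.51.100.7])
\tby mx.example.org with ESMTP id def456;
\tMon, 15 Jun 2020 09:11:58 +0000
Received: from laptop.partner.test ([10.0.0.5])
\t(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
\tby relay.partner.test (Postfix) with ESMTPSA id ghi789;
\tMon, 15 Jun 2020 09:11:55 +0000
From: alice@partner.test
To: bob@example.com
Subject: quarterly figures

Figures attached.
"""

# RFC 3848 "WITH" protocol names: an "S" in the suffix means the hop was
# protected by TLS (ESMTPS = STARTTLS, ESMTPSA = STARTTLS plus SMTP AUTH).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}
CLEARTEXT_PROTOCOLS = {"SMTP", "ESMTP", "ESMTPA", "LMTP", "LMTPA", "UTF8SMTP", "UTF8SMTPA"}
# Versions that do not satisfy a "TLS 1.2 or newer" policy (assumed policy).
WEAK_VERSIONS = {"SSL3", "TLS1", "TLS1_0", "TLS1_1"}

HOP_RE = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+([A-Za-z0-9]+)", re.S)
# Version annotations are MTA-specific; these two shapes are assumptions that
# cover "version=TLS1_2" (Google-style) and "using TLSv1.2" (Postfix-style).
VERSION_RE = re.compile(r"(?:version=|using\s+)((?:TLS|SSL)[A-Za-z0-9_.]*)")


def normalise_version(raw):
    """'TLSv1.2' -> 'TLS1_2', 'TLS1_3' -> 'TLS1_3', 'SSLv3' -> 'SSL3'."""
    return raw.replace("v", "").replace(".", "_").upper()


def parse_hops(raw_message):
    """Return one dict per Received header, oldest hop first."""
    msg = message_from_string(raw_message)
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(header)
        if not m:
            continue  # e.g. local delivery lines without a from/by/with clause
        src, dst, proto = m.group(1), m.group(2), m.group(3).upper()
        if proto in TLS_PROTOCOLS:
            transport = "tls"
        elif proto in CLEARTEXT_PROTOCOLS:
            transport = "cleartext"
        else:
            transport = "unknown"
        v = VERSION_RE.search(header)
        hops.append({
            "from": src,
            "by": dst,
            "protocol": proto,
            "transport": transport,
            "tls_version": normalise_version(v.group(1)) if v else None,
        })
    return hops


def check_transport_policy(raw_message):
    """Return (compliant, findings) for a 'TLS 1.2 or newer on every hop' policy."""
    findings = []
    for i, hop in enumerate(parse_hops(raw_message), start=1):
        where = f"hop {i} ({hop['from']} -> {hop['by']})"
        if hop["transport"] == "cleartext":
            findings.append(f"{where}: delivered with {hop['protocol']}, no TLS")
        elif hop["transport"] == "unknown":
            findings.append(f"{where}: protocol {hop['protocol']} not recognised")
        elif hop["tls_version"] in WEAK_VERSIONS:
            findings.append(f"{where}: obsolete protocol version {hop['tls_version']}")
    return (not findings, findings)


if __name__ == "__main__":
    ok, findings = check_transport_policy(SAMPLE_MESSAGE)
    print("compliant" if ok else "NOT compliant")
    for f in findings:
        print(" -", f)
```

In the constructed sample the partner’s relay handed the message to mx.example.org over plain ESMTP, so the check flags that hop even though the first and last hops used TLS 1.2 and 1.3. Two caveats: Received headers are written by each relay and can be omitted or forged, so this is a monitoring aid for mail flows you control, not proof of compliance; and it shows transport encryption only, saying nothing about certificate validation, DANE or the end-to-end encryption the DSK asks for when sensitive data is sent.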

To extend or not to extend?

AB 1281, extending the employee and B2B exemptions for the California Consumer Privacy Act, has been amended in the California Senate.

Previously a bill dealing with limitations on facial recognition, the legislation now focuses only on the CCPA exemptions.

If passed, the exemption, currently set to expire on January 1, 2021, will be extended until January 1, 2022. Credit for the news to colleague Alanna Elinoff.

Read the full text of the bill.

Under the California Consumer Privacy Act (CCPA), a data breach resulting from a lack of “reasonable security procedures and practices” gives rise to a private right of action (e.g. for a class action lawsuit).

Comments to the final CCPA Regulations asked the California Attorney General for more explicit guidance as to what constitutes such measures.

The answer: This is a fact-specific determination, and prescribing particular measures would be too limiting.

What to do in the meantime?
  • Use a recognized information security framework, e.g. the NIST Cybersecurity Framework (CSF) or ISO/IEC 27001.
  • Apply the CIS Critical Security Controls (the “CIS Top 20”), which the CA AG’s 2016 data breach report pointed to as a baseline for reasonable security.
  • Look to FTC guidance in “Start with Security” and “Stick with Security” and to the recent FTC enforcement actions.
  • Look to industry standards, but assess them for reasonableness (regarding verification of identity, the AG noted that industry standards may not be adequate or fully up to date).

CCPA Final Regs Reasonable Measures Odia Kagan

Commenters on the final California Consumer Privacy Act (CCPA) regulations asked what happens if you map your third-party sharing and implement a process, but still inadvertently sell personal information, as that term is defined in CCPA.

The California Attorney General responded: This is not an exception to the definition of “sale”, but if you genuinely have a process, implement it and follow it, the Office of the Attorney General may exercise prosecutorial discretion and decline to enforce.

CCPA Final Regs Inadvertent Sale Odia Kagan