Can companies use arbitration clauses and class-action waiver provisions to mitigate the risk of CCPA-related class actions?
More than likely.
The CCPA states that consumers may seek, on “an individual or class-wide” basis, actual damages, statutory damages, or injunctive or declaratory relief following certain types of data security breaches.1 The CCPA further states that “[a]ny provision of a contract or agreement of any kind that purports to waive or limit in any way a consumer’s rights under [the CCPA], including, but not limited to, any right to a remedy or means of enforcement” is “void and unenforceable.”2 The reference to contract provisions limiting consumer rights as being void and unenforceable has led some plaintiffs’ attorneys to suggest that the California legislature intended to invalidate the use of arbitration and class action waiver clauses in contracts as those provisions might prevent consumers from proceeding on a “class-wide” basis.
Despite the language in the CCPA, the United States Supreme Court has consistently affirmed the strong federal policy favoring arbitration and the enforceability of class action waivers in arbitration agreements. In the landmark case of AT&T Mobility LLC v. Concepcion, 563 U.S. 333 (2011), the Supreme Court explained that the Federal Arbitration Act (“FAA”) was specifically designed to preempt state laws that undermine the goal of the FAA to promote arbitration. Furthermore, in Sanchez v. Valencia Holding Co., 61 Cal. 4th 899 (2015), the California Supreme Court determined that class action waiver provisions within contracts are enforceable even if a state law appears to provide for class action type recovery.
As a result, and based upon the holdings in Concepcion and Sanchez, there is a strong argument that the CCPA will not be interpreted as preventing consumers from entering into arbitration agreements or from agreeing to waive their ability to proceed in class actions.
CCPA Privacy FAQs: Can a company be sued under the CCPA for failing to honor a deletion request?
No.
Section 1798.150 of the CCPA permits consumers to “institute a civil action” only where consumer “nonencrypted or nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to unauthorized access and exfiltration, theft, or disclosure.”1 The CCPA does not provide a private right of action, nor does it provide statutory damages, if a company violates its obligation to delete personal information about a consumer after receiving a deletion request.2
The California Unfair Competition Law (“UCL”) defines “unfair competition” as including “any unlawful, unfair, or fraudulent business act or practice.”3 Plaintiffs’ attorneys in California have historically attempted to use the text of the UCL to bring suit against companies that allegedly violated any other California or federal law arguing that the secondary violation constituted an “unlawful” practice for which the UCL might permit recovery. It is unlikely, however, that such a strategy would succeed in connection with the CCPA as the Act expressly states that “[n]othing in this title shall be interpreted to serve as the basis for a private right of action under any other law.”4
An amendment to the CCPA – Senate Bill 561 – has been proposed which, if passed, would extend the private right of action, and the ability for plaintiffs’ attorneys to seek statutory damages, to all alleged violations of the CCPA. While the amendment received the endorsement of the California Attorney General, on May 16, 2019, it was held in committee under submission pending fiscal review. As a practical matter this means that the amendment will more than likely not be enacted this year, although it could come back for a vote after 2019.
The net result is that the CCPA, as it currently stands, will not permit consumers to sue businesses that are alleged to have failed to honor deletion requests, and it is unlikely that courts will permit such suits through the auspices of the UCL. The California legislature could, however, decide at any time to amend the CCPA to provide a private right of action in connection with deletion requests.
CCPA Privacy FAQs: Can a company be sued under the CCPA for failing to honor an access request?
No.
Section 1798.150 of the CCPA permits consumers to “institute a civil action” only where consumer “nonencrypted or nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to unauthorized access and exfiltration, theft, or disclosure.”1 The CCPA does not provide a private right of action, nor does it provide statutory damages, if a company violates its obligations to disclose to consumers information about their data upon request, or provide “the specific pieces of personal information” collected about a consumer.2
The California Unfair Competition Law (“UCL”) defines “unfair competition” as including “any unlawful, unfair, or fraudulent business act or practice.”3 Plaintiffs’ attorneys in California have historically attempted to use the text of the UCL to bring suit against companies that allegedly violated any other California or federal law arguing that the secondary violation constituted an “unlawful” practice for which the UCL might permit recovery. It is unlikely, however, that such a strategy would succeed in connection with the CCPA as the Act expressly states that “[n]othing in this title shall be interpreted to serve as the basis for a private right of action under any other law.”4
An amendment to the CCPA – Senate Bill 561 – has been proposed which, if passed, would extend the private right of action, and the ability for plaintiffs’ attorneys to seek statutory damages, to all alleged violations of the CCPA. While the amendment received the endorsement of the California Attorney General, on May 16, 2019, it was held in committee under submission pending fiscal review. As a practical matter, this means that the amendment will more than likely not be enacted this year, although it could come back for a vote after 2019.
The net result is that the CCPA, as it currently stands, will not permit consumers to sue businesses that are alleged to have failed to honor access requests, and it is unlikely that courts will permit such suits through the auspices of the UCL. The California legislature could, however, decide at any time to amend the CCPA to provide a private right of action in connection with access requests.
CCPA Privacy FAQs: Can a company be sued under the CCPA for failing to post a privacy notice?
No.
Section 1798.150 of the CCPA permits consumers to “institute a civil action” only where consumer “nonencrypted or nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to unauthorized access and exfiltration, theft, or disclosure.”1 The CCPA does not provide a private right of action, nor does it provide statutory damages, if a company violates its obligations to provide notice concerning its privacy practices.2
It should be noted that the California Unfair Competition Law (“UCL”) defines “unfair competition” as including “any unlawful, unfair, or fraudulent business act or practice.”3 Plaintiffs’ attorneys in California have historically attempted to use the text of the UCL to bring suit against companies that allegedly violated any other California or federal law, arguing that the secondary violation constituted an “unlawful” practice for which the UCL might permit recovery. It is unlikely, however, that such a strategy would succeed in connection with the CCPA, as the Act expressly states that “[n]othing in this title shall be interpreted to serve as the basis for a private right of action under any other law.”4
An amendment to the CCPA – Senate Bill 561 – has been proposed which, if passed, would extend the private right of action and the ability for plaintiffs’ attorneys to seek statutory damages to all alleged violations of the CCPA. While the amendment received the endorsement of the California Attorney General, on May 16, 2019, it was held in committee under submission pending fiscal review. As a practical matter, this means that the amendment will more than likely not be enacted this year, although it could come back for a vote after 2019.
The net result is that the CCPA, as it currently stands, will not permit consumers to sue businesses that fail to post a privacy notice, and it is unlikely that courts will permit such suits through the auspices of the UCL. The California legislature could, however, decide at any time to amend the CCPA to provide a private right of action.
CCPA Privacy FAQs: Can a company be sued under the CCPA for failing to post a “do not sell my personal information” link?
No.
Section 1798.150 of the CCPA permits consumers to “institute a civil action” only where consumer “nonencrypted or nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to unauthorized access and exfiltration, theft, or disclosure.”1 The CCPA does not provide a private right of action, nor does it provide statutory damages, if a company violates its obligation to include a “do not sell my personal information” link on the company’s homepage.2
The California Unfair Competition Law (“UCL”) defines “unfair competition” as including “any unlawful, unfair, or fraudulent business act or practice.”3 Plaintiffs’ attorneys in California have historically attempted to use the text of the UCL to bring suit against companies that allegedly violated any other California or federal law arguing that the secondary violation constituted an “unlawful” practice for which the UCL might permit recovery. It is unlikely, however, that such a strategy would succeed in connection with the CCPA, as the Act expressly states that “[n]othing in this title shall be interpreted to serve as the basis for a private right of action under any other law.”4
An amendment to the CCPA – Senate Bill 561 – has been proposed, which, if passed, would extend the private right of action and the ability for plaintiffs’ attorneys to seek statutory damages for all alleged violations of the CCPA. While the amendment received the endorsement of the California Attorney General, on May 16, 2019, it was held in committee under submission pending fiscal review.
The net result is that the CCPA, as it currently stands, will not permit consumers to sue businesses that are alleged to have failed to include a “do not sell my personal information” link, and it is unlikely that courts will permit such suits through the auspices of the UCL. The California legislature could, however, decide at any time to amend the CCPA to provide a private right of action in connection with a failure to include the opt-out link on webpages.
CCPA Privacy FAQs: Can a company decide whether to deidentify information or delete information if it receives a ‘right to be forgotten’ request?
Yes.
The CCPA states that people have a right to request that a business “delete any personal information about the consumer which the business has collected from the consumer.”1 Although the CCPA does not define what it means to “delete” information or specify how a business must carry out a deletion request, California courts are likely to accept at least two approaches to deletion.
First, a business that receives a deletion request may choose to erase, shred, or irrevocably destroy the entirety of a record that contains personal information. As part of that destruction, any personal information contained within the record will, necessarily, be “deleted.”
Second, California courts are likely to accept the anonymization or de-identification of information as a form of deletion. Among other things, a separate California statute (the “California data destruction statute”), which predates the CCPA, requires that businesses take “reasonable steps” to dispose of customer records that “contain[] personal information.”2 That statute recognizes that a customer record can be “dispos[ed]” of without its complete erasure by “modifying the personal information within the record to make it unreadable or undecipherable through any means.”3 As a result, if a business maintains a record but modifies the portion of the record that contains “personal information” (e.g., deletes, redacts, replaces, or anonymizes name, address, Social Security Number, etc.), its actions conform to the California data destruction statute. A strong argument can be made that a business that complies with the destruction standard under the California data destruction statute should be deemed to be in compliance with the deletion requirements of the CCPA, and, as a result, that the removal of the portion of a record that contains personal information is sufficient to “delete” such information. This approach is further supported by the fact that the CCPA expressly states that it does not impose any restriction on a business that “retain[s]” information that is “deidentified.”4 As a result, if a business de-identifies a record by modifying the personal information within it such that the personal information is no longer associated with an identified individual, the further retention of the record (i.e., the record absent the personal information) is not prohibited by the CCPA.5
It is worth noting that the use of de-identification or anonymization techniques to remove personal information from a record is also consistent with other California consumer protection statutes. Specifically, in 2015, California enacted a statute that required operators of websites and mobile apps directed towards minors to “remove” content that a minor posted on a website if requested (the California “Erasure Button Law”).6 The Erasure Button Law specifically states that a company is not required to “erase or otherwise eliminate” such information if “the operator anonymizes the content or information” such that it “cannot be individually identified.”7
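The two approaches described above (destroying the whole record, or keeping the record but making the personal information within it unreadable) can be expressed as a small deletion-request handler. The following is an added illustration, not code from the original FAQ or from any business's actual system. The record layout, the sample record, and the set of fields treated as “personal information” are assumptions made for the example; which fields actually constitute personal information under the CCPA, and whether a retained record is “deidentified” within the meaning of the Act, remain legal determinations for the business. The one practical point the code adds to the text is a check that identifier values copied into free-text fields (support notes, for instance) are also removed before the trimmed record is retained.

```python
"""Two ways to honour a deletion request for a stored customer record.

Added example (not from the original FAQ). Field names, the sample record and
the identifier-field list are assumptions chosen for illustration.
"""
import copy
from typing import Dict, List, Optional

# Fields the example treats as direct identifiers. The FAQ names name, address
# and Social Security Number; the remaining entries are assumptions.
DIRECT_IDENTIFIER_FIELDS = {"customer_id", "name", "address", "ssn", "email", "phone"}

# Constructed sample record; no real person is referenced.
SAMPLE_RECORD = {
    "customer_id": "cust-0042",
    "name": "Jane Q. Example",
    "email": "jane@example.invalid",
    "phone": "555-0100",
    "address": {"street": "1 Example Way", "city": "Sacramento", "zip": "95814"},
    "ssn": "000-00-0000",
    "orders": [{"sku": "A-100", "total": 19.99}, {"sku": "B-200", "total": 5.00}],
    "support_notes": "Called from 555-0100 about order A-100; confirmed jane@example.invalid",
}


def sample_store() -> Dict[str, dict]:
    """Fresh in-memory store keyed by customer id (constructed test data)."""
    return {"cust-0042": copy.deepcopy(SAMPLE_RECORD)}


def destroy_record(store: Dict[str, dict], record_key: str) -> bool:
    """Approach 1: erase the entire record. Returns True if a record was removed."""
    return store.pop(record_key, None) is not None


def _identifier_values(record: dict) -> List[str]:
    """String values held in the identifier fields, flattening nested dicts such as address."""
    values: List[str] = []
    for field in DIRECT_IDENTIFIER_FIELDS:
        value = record.get(field)
        if isinstance(value, dict):
            values.extend(str(v) for v in value.values())
        elif value is not None:
            values.append(str(value))
    return values


def deidentify_record(record: dict) -> dict:
    """Approach 2: keep the record but strip the identifier fields and redact any of
    their values that were copied into other string fields (e.g. free-text notes)."""
    leaked = _identifier_values(record)
    cleaned = copy.deepcopy(record)
    for field in DIRECT_IDENTIFIER_FIELDS:
        cleaned.pop(field, None)
    for key, value in cleaned.items():
        if isinstance(value, str):
            for secret in leaked:
                value = value.replace(secret, "[REDACTED]")
            cleaned[key] = value
    return cleaned


def contains_direct_identifiers(record: dict, original: dict) -> bool:
    """True if any identifier field survives, or any string anywhere in the record
    (including nested lists/dicts) still contains an identifier value from the original."""
    leaked = _identifier_values(original)

    def walk(obj) -> bool:
        if isinstance(obj, dict):
            return any(walk(v) for v in obj.values())
        if isinstance(obj, list):
            return any(walk(v) for v in obj)
        return isinstance(obj, str) and any(s in obj for s in leaked)

    return any(f in record for f in DIRECT_IDENTIFIER_FIELDS) or walk(record)


def handle_deletion_request(store: Dict[str, dict], record_key: str,
                            retain_deidentified: bool) -> Optional[dict]:
    """Apply one approach. Returns the de-identified record the business may retain
    (Approach 2), or None when the record was destroyed or never existed."""
    record = store.get(record_key)
    if record is None:
        return None
    if not retain_deidentified:
        destroy_record(store, record_key)
        return None
    cleaned = deidentify_record(record)
    if contains_direct_identifiers(cleaned, record):
        raise ValueError("de-identification incomplete; refusing to retain record")
    # The keyed entry is removed either way; only the trimmed record is handed back.
    destroy_record(store, record_key)
    return cleaned


if __name__ == "__main__":
    store = sample_store()
    print(handle_deletion_request(store, "cust-0042", retain_deidentified=True))
```

The redaction step matters more than the field-drop: in real systems the identifiers tend to survive in places the schema does not label (notes, audit trails, exported CSVs), and a deletion routine that only removes the labelled columns leaves the “personal information” the statute talks about readable elsewhere in the same record.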
CCPA Privacy FAQs: If a company experiences a data security breach, and receives a “Right to be Forgotten” request from a data subject whose information was involved, does the company have to delete the information that it holds about the individual?
Typically not.
When investigating a data security incident, companies are often focused on determining whether there has been unauthorized access to, or acquisition of, personal data, and, if so, which data subjects were impacted. As part of that investigation, companies typically create records that indicate which data subjects were, or were not, impacted by the incident, and attempt to preserve copies of the records that might have been impacted.
If a company notifies individuals about a data breach, it is not uncommon for some portion of the notified individuals to request that the company delete the information held about them. Such requests raise an inherent conflict. On the one hand, the data subject may no longer wish their information to be in the hands of the company – particularly if they perceive that the company’s security may be inadequate or may have contributed to the data breach. On the other hand, the company has a strong interest in maintaining records relating to the security incident. For example, if a data subject were to bring an action against a company for damages as a result of the security incident, the company has an interest in being able to refer to its internal records to determine if the data subject’s information was involved in the incident, and, if so, what types of data fields may have been impacted. Similarly, if a third party is responsible for a data breach, a company may need the evidence (in an unaltered and authenticated state) in order to bring suit against the third party, or to aid in a criminal prosecution against the individual. The GDPR resolves the conflict by allowing a company to keep personal data – despite a data subject’s request that it be deleted – if data is “necessary . . . for the establishment, exercise or defence of legal claims.”1
In some circumstances, data relating to a breach may no longer be necessary for the purpose of establishing a claim or defense (e.g., if the attacker has already been prosecuted, or the statute of limitations for a third party to bring a claim relating to the incident has expired). In such situations, whether a company must comply with a deletion request depends on the context of a particular incident and whether one of the following criteria applies:
- Companies must delete data upon request if data is no longer necessary. If the personal data that was collected by a company about an individual is “no longer necessary in relation to the purposes for which [it was] collected,” the company typically must honor a right to be forgotten request.2 As a result, if the company no longer needs the data to establish a legal defense or claim, and the data is no longer necessary for the purposes of its original collection, the request to delete should be honored.
- Companies must delete data upon request if the data was processed based solely on consent. If a company’s sole basis for processing data was the consent of the individual, the company is typically required to honor a right to be forgotten request, which might for all practical purposes be viewed as a revocation of that consent. Conversely, if processing is based on an additional permissible purpose (e.g., performance of a contract), the right to be forgotten request does not necessarily have to be granted.
- Companies must delete data upon request if the data was processed based upon the controller’s legitimate interest, and that interest is outweighed by the data subject’s rights. When processing is based upon a company’s legitimate interest, a data subject has a right to request deletion unless the interest of a controller or a third party is demonstrably “overriding.”3 Which interest controls, the company’s in continuing to keep the information or the data subject’s in having it deleted, may depend on the precise reasons each party has for keeping (or deleting) the information.
Like the GDPR, the CCPA contains an exception that permits a company to refuse a deletion request if the information is needed to “[e]xercise or defend legal claims.”4 The CCPA also contains an exception that permits the retention of the information if it is “necessary” to “prosecute those responsible for” a security incident,5 if it is needed for “internal uses that are reasonably aligned with the expectations of the consumer,”6 or if it is necessary for the business to use it internally in a manner that is “compatible with the context in which the consumer provided the information.”7
CCPA Privacy FAQs: Is a Service Provider Responsible if its Client Violates the CCPA?
No.
In order to be considered a “service provider” for the purposes of the CCPA, a vendor must be bound by a written contract that prohibits it from:
- retaining the personal information “for any purpose other than for the specific purpose of performing the services specified in the contract . . . or as otherwise permitted by this title,”
- using the personal information “for any purpose other than for the specific purpose of performing the services specified in the contract . . . or as otherwise permitted by this title,” or
- disclosing the personal information “for any purpose other than for the specific purpose of performing the services specified in the contract . . . or as otherwise permitted by this title.”
If a service provider negotiates an agreement with a client that contains the three provisions above, the CCPA states that the service provider will “not be liable” in the event that its client fails to fulfill the client’s obligations as a “business” under the Act. So, for example, a service provider should not be liable if its client fails to post a privacy notice, inaccurately describes its sharing practices, or fails to disclose that it has transferred personal information to the service provider.
CCPA Privacy FAQs: So what is with the CCPA’s deadline? Is it, or is it not, going into force on January 1, 2020?
There is a good deal of confusion about when the CCPA actually “becomes law.” The confusion is due, in large part, to a lack of drafting clarity presumably caused by the hasty drafting of the Act.1
The CCPA includes the following references to deadlines:
| Issue | Description | Date |
|---|---|---|
| Enacted | Date that the law was enacted. | June 28, 2018 |
| Operative | Date that the law becomes “operative.”2 | January 1, 2020 |
| Enforceable by private suit | Date from which individuals can bring suit for an alleged violation of the data security provisions.3 | January 1, 2020 |
| Attorney General Mandatory Regulations | Date by which the Attorney General must “adopt” regulations on mandatory topics.4 | On, or before, July 1, 2020 |
| Attorney General Discretionary Regulations | Date by which the Attorney General can adopt additional regulations on other topics that may “further the purposes” of the CCPA. | No deadline |
| Attorney General Enforcement Actions | Date from which the Attorney General can bring an enforcement action under the CCPA.5 | July 1, 2020 (unless final regulations are published sooner) |
In summary, although the statute becomes “operative” on January 1, 2020, the only enforcement of the statute as of that date relates to suits involving data security breaches. A company cannot be a defendant in a civil action for the privacy-oriented provisions of the CCPA until July of 2020 – at which time the Attorney General can bring enforcement actions premised on any provision of the CCPA (regardless of whether such a provision relates to privacy or security, or one of the Attorney General’s regulations).
The timeline created by California legislature has raised questions about whether the Attorney General is prohibited from initiating an enforcement action until July 1, 2020 (i.e., prohibited from filing a lawsuit until that date), or whether the Attorney General is prohibited from bringing an enforcement action for conduct that occurs prior to July 1, 2020. In other words, the CCPA is ambiguous about whether companies that violate the privacy provisions of the Act on January 1, 2020 are immune from liability, or could be subject to an enforcement action initiated on July 1, 2020, as the January conduct would fall within the scope of the four year statute of limitations that applies to an Attorney General initiated suit.6 While the text of the Act is ambiguous, a strong argument could be made that the intent of the legislature in building a delayed enforcement period into the statute was to provide businesses with time – between when the statutorily mandated interpretative guidance is first proposed and when it is approved as a final rule – to process that guidance, and take steps to come into compliance. In addition, the Attorney General has not given any indication to-date that he intends to bring enforcement actions premised on conduct that occurs between January 1, 2020 and the final publication of regulations. The net result is that while the Attorney General might theoretically attempt to bring a suit under the CCPA on July 1, 2020 for conduct that occurred before July 1, 2020, as a practical matter, it is highly unlikely that he will attempt to do so, and dubious that such an attempt, if made, would be successful.
CCPA Privacy FAQs: What is the statutory penalty for violation of the CCPA where there is no private right of action?
$2,500 for each violation and $7,500 for each intentional violation.
The CCPA only provides a private right of action to any consumer whose unencrypted sensitive-category information has been breached as a result of a business’s violation of its duty to “implement and maintain reasonable security procedures and practices.”1 But the California Attorney General may bring a civil action against any entity violating the act. Specifically, the CCPA provides that “[a]ny business, service provider, or other person that violates this title shall be subject to an injunction and liable for a civil penalty of not more than two thousand five hundred dollars ($2,500) for each violation or seven thousand five hundred dollars ($7,500) for each intentional violation, which shall be assessed and recovered in a civil action brought in the name of the people of the State of California by the Attorney General.”2 The same section provides that these civil penalties may be assessed and recovered exclusively by the California Attorney General.
CCPA Security FAQs: Are businesses strictly liable if a data breach occurs?
No.
The CCPA permits consumers to bring suit if a data breach occurs that was “a result of” the business failing to “implement and maintain reasonable security procedures and practices . . . .”1 As a result, strict liability should not attach simply because a data breach occurred. Put differently, a plaintiff must prove both that the breach was a result of the business’s security procedures and that those procedures were not reasonable given a number of factors such as the type of data that the business collected, the industry segment, the size of the business, the type of breach that occurred, etc.
1. Cal. Civil Code 1798.150(a)(1).
CCPA Security FAQs: Can a consumer bring suit in a California state court under the CCPA even if they were not injured by a data breach?
Yes, if they satisfy the elements of a CCPA data breach claim.
Section 1798.150 of the CCPA permits consumers to “institute a civil action” if the consumer’s “personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to unauthorized access and exfiltration, theft, or disclosure,” and where that unauthorized access was “a result of the business’s violation” of a duty to “implement and maintain reasonable security procedures and practices …”
As a result, there appear to be five elements necessary to establish a claim under the CCPA:
- A business incurred a data breach;
- The data breach involved a sensitive category of information identified in Cal. Civil Code Section 1798.81.5;
- The business had a legal duty to protect the personal information from breach;
- The business failed to implement reasonable security procedures and practices; and
- The business’s failure resulted in (i.e., caused) the data breach.
Absent from these elements is a requirement that the affected consumer have suffered any injury as a result of the data breach. In fact, the CCPA provides that an affected consumer may recover “damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty [dollars] ($750) per consumer per incident or actual damages, whichever is greater.”1 And unlike Article III of the U.S. Constitution, which requires a plaintiff to establish standing to bring suit, the California Constitution empowers state courts to adjudicate any “cause” brought before them.2 As a result, a consumer whose personal information was subject to a data breach (and who meets the other elements set forth above) may bring suit in California state court even if they were not injured by the data breach.
CCPA Security FAQs: Does a consumer have to establish injury to bring suit in federal court in California under the CCPA?
Yes.
Section 1798.150 of the CCPA permits consumers to “institute a civil action” if the consumer’s “personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to unauthorized access and exfiltration, theft, or disclosure,” and where that unauthorized access was “a result of the business’s violation” of a duty to “implement and maintain reasonable security procedures and practices …”1
However, a plaintiff suing in federal court must establish that she has standing under Article III of the U.S. Constitution. Article III standing requires (1) an injury-in-fact, (2) fairly traceable to the challenged conduct, (3) that is likely to be redressed by a favorable judgment. The U.S. Supreme Court has held that the alleged violation of a statutory right does not automatically satisfy the injury-in-fact requirement just because a statute authorizes a person to sue to vindicate that right. Rather, to constitute an injury-in-fact, the plaintiff’s injury must be both concrete and particularized, and these requirements are to be evaluated separately, even when the plaintiff asserts a statutory violation. Concrete injuries can be tangible or intangible, but when the injury is intangible, the mere fact that a cause of action exists in law does not confer Article III standing. Instead, the intangible injury must be real and have a close relationship to traditional, common law harms.2
A consumer whose personal information is subject to a data breach but who has not been injured at all by the data breach – for example, where the consumer has not suffered actual fraud and cannot establish a substantial likelihood of future identity theft – cannot establish she meets the standing requirements of Article III and will not be able to pursue her claim in federal court. On the other hand, the standard of pleading required to establish injury-in-fact may be quite low; for example, if a consumer alleges she suffered anxiety resulting from unauthorized access to her data, or that she spent time freezing her credit and reviewing her credit reports, some federal courts may consider that sufficient to establish standing.
1. Cal. Civil Code 1798.150(a)(1).
2. Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016).
CCPA Security FAQs: Does the CCPA identify a minimum statutory damage that must be awarded?
Yes.
Section 1798.150 of the CCPA permits consumers to “institute a civil action” if consumer “personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to unauthorized access and exfiltration, theft, or disclosure,” and where that unauthorized access was “a result of the business’s violation” of a duty to “implement and maintain reasonable security procedures and practices . . . .”1 If a plaintiff is successful in bringing such a suit, the CCPA states that the plaintiff can recover damages “in an amount not less than one hundred dollars ($100) . . . per consumer per incident. . . .”2
CCPA Security FAQs: Does the CCPA open financial institutions to increased litigation?
Yes.
While the CCPA provides a partial exemption for information collected by financial institutions that is subject to the Gramm-Leach-Bliley Act (e.g., information about individuals who have obtained personal financial products from the institution), that exemption does not apply to Section 1798.150 of the CCPA, which confers a private right of action on consumers to seek statutory damages against a business following a data security breach.1 It is worth noting that the relatively narrow scope of the financial institution exemption within the CCPA contrasts with broader exemptions provided to financial institutions by other states. For example, the following compares the financial institution exemption provided in the CCPA with the broader exemption provided in Nevada’s online privacy statute:
| CCPA | Nevada Online Privacy Notice Statute |
|---|---|
| Statute does not apply to “personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations . . . . This subdivision shall not apply to Section 1798.150 [of the CCPA].”2 | Statute does not apply to “[a] financial institution or an affiliate of a financial institution that is subject to the provisions of the Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801 et seq., and the regulations adopted pursuant thereto.”3 |
CCPA Security FAQs: Does the CCPA Open Health Care Providers to Increased Litigation?
Probably not.
The CCPA exempts any health care provider or “covered entity” that is governed by the Health Insurance Portability and Accountability Act (“HIPAA”),1 and it exempts “protected health information that is collected by a covered entity or business associate” subject to the HIPAA Security Rule.2 Unlike the exemption provided to other industries (e.g., financial institutions), the exemption provided to health care providers, other covered entities, and business associates appears to cover all aspects of the CCPA including the ability of a Californian to bring a private right of action following a data breach, or seek statutory damages.
CCPA Security FAQs: Does the CCPA open insurance companies to increased litigation?
Yes.
The CCPA provides a partial exemption for information collected by financial institutions that are subject to the Gramm-Leach-Bliley Act (e.g., information about individuals who have obtained personal financial products from the institution). Insurance companies are generally considered “financial institutions” subject to the Gramm-Leach-Bliley Act, as well as to any regulations imposed by state insurance commissioners pursuant to the Act. While the CCPA’s financial institution exemption provides some protection to insurers, that exemption does not apply to Section 1798.150 of the CCPA, which confers a private right of action on consumers to seek statutory damages against a business following a data security breach.1 It is worth noting that the relatively narrow scope of the financial institution exemption within the CCPA contrasts with the broader exemptions provided to financial institutions by other states. For example, the following compares the financial institution exemption provided in the CCPA with the broader exemption provided in Nevada’s online privacy statute:
| CCPA | Nevada Online Privacy Notice Statute |
| --- | --- |
| Statute does not apply to “personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations . . . . This subdivision shall not apply to Section 1798.150 [the data breach right of action of the CCPA].”2 | Statute does not apply to “A financial institution or an affiliate of a financial institution that is subject to the provisions of the Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801 et seq., and the regulations adopted pursuant thereto.”3 |
CCPA Security FAQs: What factors will courts look to when determining what statutory damages to award?
Section 1798.150 of the CCPA permits consumers to “institute a civil action” if consumer “personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to unauthorized access and exfiltration, theft, or disclosure,” and where that unauthorized access was “a result of the business’s violation” of a duty to “implement and maintain reasonable security procedures and practices . . . .” 1 If a plaintiff is successful in bringing such a suit, the statute instructs a court to examine some, or all, of the following factors when determining the statutory damages to which the plaintiff may be entitled:
- Nature of the misconduct;
- Seriousness of the misconduct;
- Number of violations;
- Persistence of the misconduct;
- Length of time over which the misconduct occurred;
- Willfulness of the defendant’s misconduct; and
- Defendant’s assets, liabilities, and net worth.2
Do financial institutions need to comply with the CCPA with respect to all consumer information?
No, with a caveat.
The CCPA does not apply to “personal information collected, processed, sold, or disclosed pursuant to the Gramm-Leach-Bliley Act (GLBA) and implementing regulations.” The GLBA regulates privacy and security for financial institutions and applies to more than just banks, including mortgage brokers, non-bank lenders, personal property or real estate appraisers, professional tax preparers, auto dealers that extend credit, and insurance companies.
The GLBA imposes privacy requirements – and therefore would preempt application of the CCPA – when financial institutions collect “nonpublic personal information about individuals who obtain financial products or services primarily for personal, family, or household purposes.”1 Note that the qualifier “who obtain” is somewhat misleading. Under the GLBA, “consumer” includes individuals who applied for, but did not obtain, financial products, including:
- Individuals who apply for credit, regardless of whether the credit is extended;
- Individuals who provide non-public personal information to the financial institution in order to obtain a determination about whether they may qualify for a loan, regardless of whether the loan is extended;
- Individuals who provide non-public personal information in connection with obtaining or seeking to obtain financial, investment, or economic advisory services, regardless of whether they establish an advisory relationship.
GLBA does not apply, and therefore would not preempt application of the CCPA, to the following situations:
- When financial institutions collect information about individuals “who obtain financial products or services for business, commercial, or agricultural purposes” – such as information collected when providing commercial loans, commercial checking accounts or other B2B services;2
- When financial institutions collect information from an individual who is not applying for a financial product or seeking to obtain financial services, such as website data or marketing leads generated by third parties where the individual hasn’t applied for a product;
- When financial institutions possess personal information about individuals who are consumers of another financial institution for which the financial institution is acting as an agent or providing processing or for which it is providing other services;
- When the financial institution is designated by an individual as the trustee for a trust;
- If an individual is a participant or beneficiary of an employee benefit plan sponsored by the financial institution;
- Personal information about financial institution employees (subject to the CCPA beginning in 2021).
Note that the partial exemption applies to privacy requirements under the CCPA only. A financial institution is still subject to being sued and defending against actual or statutory damages under Section 1798.150 of the CCPA if a business fails to implement and maintain reasonable security to protect certain sensitive categories of personal information.
Does the CCPA apply to the personal information of employees?
Yes.
The CCPA applies to personal information held about “consumers” – a term which is defined as referring to any resident of California.1 As a result, if a business is governed by the CCPA, the rights conferred by the statute apply to the business’s employees.
While the CCPA applies to data collected about employees, the California legislature passed an amendment in 2019 (Senate Bill 25) that effectively phased in the rights afforded to employees over the course of 2020. Pursuant to the amendment, those provisions of the CCPA found within Sections 100(b) and 150 applied immediately to employees.2 These included the obligation that a business inform an employee “at or before the point of collection” of the personal information to be collected and the purposes for which the information will be used.3 They also included the ability of an employee to bring suit if an employer failed to adequately protect sensitive category information.4 Employees’ personal information was exempted from the other provisions of the CCPA (e.g., access rights, deletion rights, sale rights, etc.) until January 1, 2021.5
How many deletion requests can a consumer send to a business each year?
The CCPA does not specify how many deletion requests a consumer can send to a business each year. However, it does permit businesses to “refuse to act on” a deletion request if a consumer’s requests become “unfounded or excessive.”1 The Act specifically calls out “repetitive” requests as an example of an excessive practice.2 If a dispute arises between a business and a consumer regarding whether a particular quantity of requests is, or is not, excessive, the CCPA states that the “business shall bear the burden of demonstrating” that the quantity received is “manifestly . . . excessive.”3 One method that businesses may consider adopting when determining whether deletion requests are excessive, or in demonstrating that excessiveness, is to compare the quantity of deletion requests received from a particular consumer, with the quantity of deletion requests received from other consumers. To the extent that a particular consumer’s quantity of requests significantly departs from the behavior of most (or all) other consumers, a strong argument could be made that the requests have become repetitive and excessive.
If a business receives a right to be forgotten request from an employee, or a former employee, does it have to delete the requestor’s information?
Not necessarily.
As an initial matter, employees that are residents of California will not qualify as full “consumers” under the law until January 1, 2021. Pursuant to an amendment to the CCPA enacted in 2019, the title shall not apply to “[p]ersonal information that is collected by a business about a natural person in the course of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business to the extent that the natural person’s personal information is collected and used by the business solely within the context of the natural person’s role or former role as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or a contractor of that business.”1 As of the date of this writing, this provision will expire on January 1, 2021, and employees will be considered full “consumers” under CCPA on that date.
That said, assuming that employees are consumers, there are a number of exceptions to the consumer’s right to deletion that may apply. Specifically, the business may argue that the employee’s request for deletion cannot be granted based on one or more of the statutory exceptions to the right to deletion. In particular, the business may argue that it has a legal obligation to retain the data, and that the data is required to carry out a transaction with the employee.2 This list is by no means exhaustive. Finally, it should be noted that even apart from the specific exceptions to the consumer’s right to deletion articulated in Section 1798.105 of the CCPA, the business also is not required to take any action that would violate other state or federal obligations imposed upon it, including federal employment laws.3
In response to an access request, does a company have to produce all of the information that it has about an individual?
Maybe.
The CCPA requires a business to respond to an access request by disclosing all information that it has “collected” about a consumer in the previous 12 months.1 Unlike the CCPA’s treatment of a business’s obligation to delete information, the Act provides very few exceptions to a business’s obligation to provide access to information.
Although the “access” obligation is undoubtedly broad, it is somewhat limited by how the CCPA interacts with other statutes, rights, and other obligations. Under the CCPA:
- The rights of one consumer “shall not adversely affect the rights…of other consumers,”2 and
- Individuals whose information has been subject to “an unauthorized access…or disclosure” can recover statutory damages.3
A business’s response to an access request must take these provisions into consideration. For example, a business may not be able to provide access to CCTV footage if there is a third party in the video, as this would infringe upon the third party’s privacy rights. Similarly, a business may not be able to provide access to internal documents regarding a consumer as it could be construed as an unauthorized disclosure of the document creator’s personal information.
A case could also be made that the right of “access” is somewhat limited by the term “collect.” Under the CCPA, “collect” means:
[B]uying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means. This includes receiving information from the consumer, either actively or passively, or by observing the consumer’s behavior.4
Arguably, this definition does not include information that is “created” internally, even if it relates to the consumer. At face value, all of the terms describing “collect” refer to information that already exists, so information that is “created” by the business may not need to be disclosed. Internally developed or created information may include:
- Inferences about a consumer
- Background programming
- Background responses (e.g., internal responses to consumer requests and/or consumer activity)
- Internal information unrelated to the consumer (e.g., background data describing a web page that the consumer navigated to)
- Internal notes about a consumer
For example, if a consumer contacts a retailer to request a purchase return, some information relating to the return is “collected” and some is not. The information given to the retailer during the request phase (such as the consumer’s name, phone number, mailing address, and the request made) is certainly “collected” under the CCPA and would need to be disclosed pursuant to an access request. Other information generated after the request is made (such as internal return protocols, the refund date, the retailer’s response to the consumer, fraud detection protocols, internal notes, and inferences made about the consumer’s purchasing behavior) is arguably not “collected” under the CCPA and would not need to be disclosed pursuant to an access request.
In response to an access request, does a company have to produce information about its transactions and experiences with an individual?
The CCPA requires a business to respond to an access request by disclosing all information that it has “collected” about a consumer in the previous 12 months.1 Unlike the CCPA’s treatment of a business’s obligation to delete information, the Act provides very few exceptions to a business’s obligation to provide access to information.
Although the “access” obligation is undoubtedly broad, it is somewhat limited by how the CCPA interacts with other statutes, rights, and other obligations. Under the CCPA:
- The rights of one consumer “shall not adversely affect the rights…of other consumers,”2 and
- Individuals whose information has been subject to “an unauthorized access…or disclosure” can recover statutory damages.3
A business’s response to an access request must take these provisions into consideration. For example, a business may not be able to provide access to internal documents regarding a consumer (i.e. internal notes about a customer service representative’s experience with the consumer) as it could be construed as an unauthorized disclosure of the document creator’s personal information.
A case could also be made that the right of “access” is somewhat limited by the term “collect.” Under the CCPA, “collect” means:
[B]uying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means. This includes receiving information from the consumer, either actively or passively, or by observing the consumer’s behavior.4
Arguably, this definition does not include information that is “created” internally, even if it relates to the consumer. At face value, all of the terms describing “collect” refer to information that already exists, so information that is “created” by the business may not need to be disclosed. Internally developed or created information may include:
- Inferences about a consumer
- Background responses (e.g., internal responses to consumer requests and/or consumer activity)
- Internal notes about a consumer
For example, if a consumer contacts a retailer to request a purchase return, some information relating to the return is “collected” and some is not. The information given to the retailer during the request phase (such as the consumer’s name, phone number, mailing address, and the request made) is certainly “collected” under the CCPA and would need to be disclosed pursuant to an access request. Other information generated after the request is made (such as internal return protocols, the refund date, the retailer’s response to the consumer, fraud detection protocols, internal notes, and inferences made about the consumer’s purchasing behavior) is arguably not “collected” under the CCPA and would not need to be disclosed pursuant to an access request.
For more information and resources about the CCPA visit http://www.CCPA-info.com.
This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes. You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.
1. 1798.100(b).
2. 1798.145(j).
3. 1798.150(a).
4. 1798.140(e).
In response to an access request, does a company have to produce its internal notes relating to an individual?
Maybe.
The CCPA requires a business to respond to an access request by disclosing all information that it has “collected” about a consumer in the previous 12 months.1 Unlike the CCPA’s treatment of a business’s obligation to delete information, the Act provides very few exceptions to a business’s obligation to provide access to information.
Although the “access” obligation is undoubtedly broad, it is somewhat limited by how the CCPA interacts with other statutes, rights, and other obligations. Under the CCPA:
- The rights of one consumer “shall not adversely affect the rights…of other consumers,”2 and
- Individuals whose information has been subject to “an unauthorized access…or disclosure” can recover statutory damages.3
A business’s response to an access request must take these provisions into consideration. For example, a business may not be able to provide access to internal documents regarding a consumer (i.e. internal notes about a customer service representative’s experience with the consumer) as it could be construed as an unauthorized disclosure of the document creator’s personal information.
A case could also be made that the right of “access” is somewhat limited by the term “collect.” Under the CCPA, “collect” means:
[B]uying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means. This includes receiving information from the consumer, either actively or passively, or by observing the consumer’s behavior.4
Arguably, this definition does not include information that is “created” internally, even if it relates to the consumer. At face value, all of the terms describing “collect” refer to information that already exists, so information that is “created” by the business may not need to be disclosed. Internally developed or created information may include:
- Inferences about a consumer
- Background responses (e.g., internal responses to consumer requests and/or consumer activity)
- Internal notes about a consumer
For example, if a consumer contacts a retailer to request a purchase return, some information relating to the return is “collected” and some is not. The information given to the retailer during the request phase (such as the consumer’s name, phone number, mailing address, and the request made) is certainly “collected” under the CCPA and would need to be disclosed pursuant to an access request. Other information generated after the request is made (such as internal return protocols, the refund date, the retailer’s response to the consumer, fraud detection protocols, internal notes, and inferences made about the consumer’s purchasing behavior) is arguably not “collected” under the CCPA and would not need to be disclosed pursuant to an access request.
In response to an access request, does a company have to produce its own work product?
Maybe.
The CCPA requires a business to respond to an access request by disclosing all information that it has “collected” about a consumer in the previous 12 months.1 Unlike the CCPA’s treatment of a business’s obligation to delete information, the Act provides very few exceptions to a business’s obligation to provide access to information.
Although the “access” obligation is undoubtedly broad, it is somewhat limited by how the CCPA interacts with other statutes, rights, and other obligations. Under the CCPA:
- The rights of one consumer “shall not adversely affect the rights…of other consumers,”2 and
- Individuals whose information has been subject to “an unauthorized access…or disclosure” can recover statutory damages.3
A business’s response to an access request must take these provisions into consideration. For example, a business may not be able to provide access to internal documents regarding a consumer as it could be construed as an unauthorized disclosure of the document creator’s personal information.
A case could also be made that the right of “access” is somewhat limited by the term “collect.” Under the CCPA, “collect” means:
[B]uying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means. This includes receiving information from the consumer, either actively or passively, or by observing the consumer’s behavior.4
Arguably, this definition does not include information that is “created” internally, even if it relates to the consumer. At face value, all of the terms describing “collect” refer to information that already exists, so information that is “created” by the business may not need to be disclosed. Internally developed or created information may include:
- Inferences about a consumer
- Background programming
- Background responses (e.g., internal responses to consumer requests and/or consumer activity)
- Internal information unrelated to the consumer (e.g., background data describing a web page that the consumer navigated to)
- Internal notes about a consumer
For example, if a consumer contacts a retailer to request a purchase return, some information relating to the return is “collected” and some is not. The information given to the retailer during the request phase (such as the consumer’s name, phone number, mailing address, and the request made) is certainly “collected” under the CCPA and would need to be disclosed pursuant to an access request. Other information generated after the request is made (such as internal return protocols, the refund date, the retailer’s response to the consumer, fraud detection protocols, internal notes, and inferences made about the consumer’s purchasing behavior) is arguably not “collected” under the CCPA and would not need to be disclosed pursuant to an access request.
Is encrypted data out of the scope of the CCPA?
In some cases yes, and in other cases no.
The CCPA defines “personal information” as information that, among other things, “is capable of being associated with” a particular consumer.1 Conversely, the CCPA refers to information as “deidentified” if it “cannot reasonably” be “associated with” a particular consumer.2
In situations in which a company encrypts personal information, but maintains the means to decrypt the information (e.g., a password or an encryption key), an argument exists that while the encrypted information remains in the possession of the business, it is “capable” of being associated with a consumer. In such a situation, most of the requirements of the CCPA would apply with one important exception. The private right of action conferred by the CCPA to bring suit following a data breach only applies in the context of “nonencrypted” information that has been disclosed.3 As a result, if the business accidentally disclosed the encrypted information (or if the encrypted information were accessed by a malicious third party), the business should not be liable for the statutory liquidated damages identified in the Act.
In situations in which a company receives, stores, or transmits encrypted information, but does not have the means to decrypt it (e.g., acts simply as a transmission conduit), a strong argument exists that the information “cannot reasonably” be associated with a particular consumer and, as a result, is not personal information subject to the CCPA.
In comparison to the CCPA, the European GDPR recognizes encryption as a security technique that may help keep personal data safe, but the GDPR does not state that encrypted data is no longer personal data; nor does the GDPR state that encrypted data is not governed by the Regulation.4 To the contrary, the Article 29 Working Party5 held the opinion that encryption does not “per se lend[ ] itself to the goal of making a data subject unidentifiable” and “it does not necessarily result in anonymisation.”6
Is it possible for a token to still be considered “personal information?”
Maybe.
“Tokenization” refers to the process by which you replace one value (e.g., a credit card number) with another value that would have “reduced usefulness” for an unauthorized party (e.g., a random value used to replace the credit card number).1 In some instances, tokens are created through the use of algorithms, such as hashing techniques.
Whether personal information that has been tokenized is still considered “personal information” depends upon the particular law or regulation at issue.
In the context of the CCPA, information is not “personal information” if it has been “deidentified.”2 Deidentification means that the data “cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer.”3 A strong argument could be made that data that is fully tokenized, and is no longer connected to a particular consumer, cannot reasonably be associated with an individual. That argument is strengthened under the CCPA if a business takes the following four steps to help ensure that the tokenized data will not be re-identified:4
- Implement technical safeguards that prohibit reidentification. Technical safeguards may include the process, or techniques, by which tokens are assigned. For example, a business might take steps to randomly generate tokens, or ensure that tokens are not assigned sequentially in a manner that might allow a third party to guess to whom the token relates.
- Implement business processes that specifically prohibit reidentification. This might include an internal policy or procedure that separates tokens from any “key” that might allow an individual to match a token to a consumer.
- Implement business processes to prevent inadvertent release of deidentified information. This might include a policy against disclosing information about individuals even if the names of the individuals have been replaced with tokens.
- Make no attempt to reidentify the information. As a functional matter, this entails taking steps to prohibit reidentification by the business’s employees.
In comparison, in the context of the European GDPR, the Article 29 Working Party5 has stated that even when a token is created by choosing a random number (i.e., it is not derived using an algorithm), the resulting token typically does not make it impossible to re-identify the data and, as a result, the token is best described as “pseudonymized” data which would still be “personal data” subject to the GDPR.6
Is it possible for data that has undergone hashing to still be considered “personal information?”
Maybe.
Hashing refers to the process of using an algorithm to transform data of any size into a fixed-size output (e.g., a string of hexadecimal digits). In layman’s terms, a piece of information (e.g., a name) is run through a function that produces a string of characters that, for practical purposes, is unique to that input. Any time the exact same name is run through the function, the same string of characters is produced. If a different name (or even the same name spelled differently) is run through the function, an entirely different string emerges.
While the output of a hash cannot be directly reversed to “decode” the input, if the range of values that could have been submitted to the hash algorithm is known, those values can be replayed through the algorithm until one produces a matching output. The match then reveals what the original input was. For instance, if a Social Security Number was hashed, the number can be recovered by hashing all possible Social Security Numbers and comparing the results; because a Social Security Number is only nine digits, there are at most one billion candidates, which is a trivial workload for modern hardware. When a match is found, the attacker knows the Social Security Number that produced the hash. The net result is that while hash functions are designed to mask personal data, they are subject to brute-force (dictionary) attacks whenever the space of possible inputs is small or predictable.
Whether a hash value in and of itself is considered “personal information” depends upon the particular law or regulation at issue.
In the context of the CCPA, information is not “personal information” if it has been “deidentified.”1 Deidentification means that the data “cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer.”2 An argument could be made that data, once hashed, cannot reasonably be associated with an individual. That argument is strengthened under the CCPA if a business takes the following four steps to help ensure that the hashed data will not be re-identified:3
- Implement technical safeguards that prohibit reidentification. Technical safeguards may include the process or techniques by which data has been deidentified. For example, this might include the choice of hashing algorithm, or combining the hash with other techniques that are designed to further obfuscate information (e.g., salting).4
- Implement business processes that specifically prohibit reidentification. This might include an internal policy or procedure that prevents employees or vendors from attempting to reidentify data or reverse hashed values.
- Implement business processes to prevent inadvertent release of deidentified information. This might include a policy against disclosing hashed values to the public.
- Make no attempt to reidentify the information. As a functional matter, this entails taking steps to prohibit reidentification by the business’s employees.
In comparison, in the context of the European GDPR, the Article 29 Working Party5 considered hashing to be a technique for pseudonymization that “reduces the linkability of a dataset with the original identity of a data subject” and thus “is a useful security measure,” but is “not a method of anonymisation.”6 In other words, from the perspective of the Article 29 Working Party, while hashing might be a useful security technique it was not sufficient to convert “personal data” into deidentified data.
Is it possible for data that has undergone salted-hashing to still be considered “personal information?”
Maybe.
“Salting” refers to the insertion of a random value (e.g., a string of characters) into personal data before that data is hashed. The salt is ordinarily stored alongside the resulting hash rather than kept secret; it prevents an attacker from reusing one precomputed table of hashes against every record, but it does not prevent a record-by-record brute-force search when the space of possible inputs is small (e.g., Social Security Numbers).
Whether personal information that has undergone salting and hashing is still considered “personal information” depends upon the particular law or regulation at issue.
In the context of the CCPA, information is not “personal information” if it has been “deidentified.”1 Deidentification means that the data “cannot reasonable identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer.”2 A strong argument could be made that data that is salted and then hashed cannot reasonably be associated with an individual. That argument is strengthened under the CCPA if a business takes the following four steps to help ensure that the salted and hashed data will not be re-identified:3
- Implement technical safeguards that prohibit reidentification. Technical safeguards may include the process or techniques by which data has been deidentified. For example, this might include the hashing algorithm being used or the number of characters inserted as part of the salting process.4
- Implement business processes that specifically prohibit reidentification. This might include an internal policy or procedure that prevents employees or vendors from attempting to reidentify data or reverse the salted and hashed values.
- Implement business processes to prevent inadvertent release of deidentified information. This might include a policy against disclosing hashed values to the public.
- Make no attempt to reidentify the information. As a functional matter, this entails taking steps to prohibit reidentification by the business’s employees.
In comparison, in the context of the European GDPR the Article 29 Working Party5 has stated that while the technique of salting and then hashing data “reduce[s] the likelihood of deriving the input value,” because “calculating the original attribute value hidden behind the result of a salted hash function may still be feasible within reasonable means,” the salted-hashed output should be considered pseudonymized data that remains subject to the GDPR.6
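The following Python self-check is an added example, not part of the article or of BCLP's guidance. It illustrates the point both hashing answers turn on: whether a hashed or salted-hashed value can be calculated back to its input “within reasonable means” depends less on the hash algorithm than on how small the input space is and on whether the salt is known to whoever holds the data. It assumes US 5-digit ZIP codes as the input domain (a constructed stand-in for any low-entropy identifier) and models a salt kept secret and separate from the dataset as HMAC-SHA256; both are my assumptions, as are the sample ZIP codes.

```python
"""Reidentification self-check for hashed and salted-hashed pseudonyms.

Added example, not from the article. Assumptions: the protected values are
US 5-digit ZIP codes (small, enumerable domain); the "salt" is either stored
beside the tokens, as password salts are, or is a secret key kept apart from
the dataset, modelled here as HMAC-SHA256.
"""
import hashlib
import hmac
import math
import secrets
from typing import Callable, Dict, Iterable, List, Optional

# Constructed input domain: every 5-digit ZIP code string, 100,000 values.
ZIP_DOMAIN: List[str] = [f"{i:05d}" for i in range(100_000)]

# Constructed sample records to be pseudonymized (not real data).
SAMPLE_ZIPS: List[str] = ["94105", "10001", "60601"]


def plain_sha256(value: str) -> str:
    """Unsalted hash, the technique discussed in the first hashing answer."""
    return hashlib.sha256(value.encode()).hexdigest()


def salted_sha256(value: str, salt: str) -> str:
    """Salt-then-hash as the second answer describes: random characters are
    inserted (here prepended) before SHA-256 is applied."""
    return hashlib.sha256((salt + value).encode()).hexdigest()


def keyed_hmac(value: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 under a secret key never stored with the
    dataset. Assumption: this is what a secret, separately held salt amounts to."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def domain_bits(domain_size: int) -> float:
    """Entropy of the input space in bits; a space this small is enumerable."""
    return math.log2(domain_size)


def build_lookup(domain: Iterable[str], token_fn: Callable[[str], str]) -> Dict[str, str]:
    """Precompute token -> input for every value the data holder could try.
    This is the defender's way of measuring 'calculating the original attribute
    value ... within reasonable means'."""
    return {token_fn(v): v for v in domain}


def reidentify(token: str, lookup: Dict[str, str]) -> Optional[str]:
    """Resolve one token back to its input, or None if the lookup lacks it."""
    return lookup.get(token)


def resolved_fraction(tokens: Iterable[str], lookup: Dict[str, str]) -> float:
    """Share of tokens that resolve against the lookup (0.0 to 1.0)."""
    tokens = list(tokens)
    return sum(1 for t in tokens if t in lookup) / len(tokens)


def scenario_unsalted() -> float:
    """Plain hash: anyone who can guess the domain resolves every token."""
    tokens = [plain_sha256(z) for z in SAMPLE_ZIPS]
    return resolved_fraction(tokens, build_lookup(ZIP_DOMAIN, plain_sha256))


def scenario_salt_stored_with_data() -> float:
    """Salt stored beside the tokens (password-style): its length is irrelevant
    because whoever holds the dataset holds the salt too."""
    salt = secrets.token_hex(16)  # 32 random hex characters
    tokens = [salted_sha256(z, salt) for z in SAMPLE_ZIPS]
    return resolved_fraction(tokens, build_lookup(ZIP_DOMAIN, lambda v: salted_sha256(v, salt)))


def scenario_key_held_separately() -> float:
    """Secret key kept out of the dataset: the data holder can only build a
    lookup from what they have (the domain and the bare hash function)."""
    key = secrets.token_bytes(32)
    tokens = [keyed_hmac(z, key) for z in SAMPLE_ZIPS]
    return resolved_fraction(tokens, build_lookup(ZIP_DOMAIN, plain_sha256))


def scenario_key_leaked() -> float:
    """Same scheme once the key is disclosed: protection collapses, which is why
    the business-process safeguards matter as much as the algorithm."""
    key = secrets.token_bytes(32)
    tokens = [keyed_hmac(z, key) for z in SAMPLE_ZIPS]
    return resolved_fraction(tokens, build_lookup(ZIP_DOMAIN, lambda v: keyed_hmac(v, key)))


if __name__ == "__main__":
    print(f"ZIP domain: {domain_bits(len(ZIP_DOMAIN)):.1f} bits")
    print("unsalted          :", scenario_unsalted())
    print("salt stored       :", scenario_salt_stored_with_data())
    print("key held apart    :", scenario_key_held_separately())
    print("key leaked        :", scenario_key_leaked())
```

Read against the four CCPA steps above: the “number of characters inserted as part of the salting process” only raises the cost of reversal if the salt is not itself disclosed with the data, so the technical safeguard (a long, secret salt, in practice a key) and the business-process safeguards (keeping that key apart from the dataset and never releasing it) stand or fall together. A 5-digit ZIP code carries about 16.6 bits; the same check with a 9-digit identifier, at roughly 30 bits, is still cheap to enumerate, which is the Article 29 Working Party's reason for treating such output as pseudonymized rather than anonymized.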
For more information and resources about the CCPA visit http://www.CCPA-info.com.
This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes. You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.
1. CCPA, Section 1798.145(a)(5).
2. CCPA, Section 1798.140(h).
3. CCPA, Section 1798.140(v).
4. Salting refers to the insertion of characters into data before it is hashed to make brute force reidentification more difficult.
5. The Article 29 Working Party was the predecessor to the European Data Protection Board.
6. Article 29 Working Party, WP 216: Opinion 05/2014 on Anonymisation Techniques at 20 (adopted 10 April 2014).
Under US law, can an employer share with public health authorities the names of employees infected with a contagious disease?
- The CCPA requires that a business include within its notice of collection and/or privacy notice a general disclosure that informs employees of the business purposes for which their information was collected. While it is not certain whether disclosure to a public health authority would be considered a “business purpose,” businesses should consider stating within their privacy notices that information may be shared with federal, state, or local government agencies for the purpose of protecting employees, protecting the public, or protecting other individuals.2
- In the event that an employee submits an access request upon the business, the CCPA requires (beginning on January 1, 2021) that the business state what information was “disclosed for a business purpose.”3 While it is not certain whether disclosure to a public health authority would be considered a “business purpose,” businesses should consider stating in response to an access request that information was shared with a government agency and identifying the categories of information that were shared.4
It is important to note that other federal or state labor and employment laws likely preclude a business from sharing information about potentially contagious employees with public health authorities. For example, the federal Americans with Disabilities Act requires that any information which is obtained as part of a voluntary medical examination, or as part of voluntarily collecting medical information from an employee, be kept “confidential.”5 Although this confidentiality requirement is subject to certain exceptions, the only government-related exception permits disclosure upon request to a “government official investigating compliance with [the ADA].”6 Thus, the ADA may prohibit a business from voluntarily disclosing information about an infected employee to state or local public health agencies. As a practical matter, most infectious diseases are identified by medical providers who may have an independent obligation to report the infection to public health authorities (e.g., the Center for Disease Control). As a result, public health authorities should not be reliant upon a company to provide information about infected individuals.
What does a Human Resources Director need to know about the CCPA?
- Privacy notices. Under the CCPA, employers are required to provide California employees with privacy notices that, among other things, itemize the categories of personal information collected, shared, and sold about the employee.1
- Access rights. Under the CCPA, California employees are permitted to request access to the personal information that the employer has collected about the employee.2
- Deletion rights. Under the CCPA, California employees are permitted to request the deletion of the personal information that the employer has collected from the employee.3 Note that the CCPA does not require that employers grant such requests in all situations.
- HR benefits providers. Under the CCPA, an employer must take steps to verify that by providing personal information about California employees to benefits providers it is not “selling” personal information as that term is defined in the statute. If a sale does occur, the employer must disclose the sale to the employee and offer them the ability to opt out of the sale through a “Do Not Sell” mechanism.
- Data security breach. Under the CCPA, if the sensitive information of a California employee (e.g., Social Security Number) is breached as a result of the employer’s inadequate data security, an employee may be able to initiate suit to recover statutory liquidated damages.4
What is the maximum penalty that may be asserted by the California Attorney General for a violation of CCPA?
$7,500 per violation.
There is no private right of action for violations of the CCPA related to an individual’s right to be forgotten. The CCPA provides that the maximum fine that may be imposed by the Attorney General is $7,500 “for each intentional violation.”1 That said, it remains to be seen how such “violations” will be computed by the Attorney General.