The California Consumer Privacy Act of 2018

Size: px

Start display at page:

Download "The California Consumer Privacy Act of 2018"

Julie Jenkins
5 years ago
Views:

1 The California Consumer Privacy Act of 2018 Kevin Gould SVP & Director State Government Relations California Bankers Association Nancy Thomas Partner Morrison & Foerster LLP

2 The California Consumer Privacy Act Arguably the most significant U.S. privacy development ever Replaced the controversial privacy ballot initiative Fast-tracked from introduction to enactment (plus subsequent amendments passed in August) Attorney General rulemaking to come (and government affairs efforts to continue in 2019) Operative on January 1, 2020, Attorney General enforcement by at least July 1,

3 CCPA Privacy Rights Right to know/access Right to deletion Right to opt out of sale Right to be free from discrimination Right to sue 2

submit request to the Attorney General for title and summary Proponents submit

4 How Did We Get Here? Date October 12, 2017 May 2, 2018 June 21, 2018 June 28, 2018 Event Proponents submit request to the Attorney General for title and summary Proponents submit 629,000 signatures to the Secretary of State only 365,880 required by law AB 375 amended to include provisions of the Act AB 375 signed by the governor 3

5 Why Did It Happen That Way? Establishing the ability to withdraw - Senate Bill 1253, Chapter 697, Statutes of 2014 Potential for legislative compromise The 72-hour rule Proposition 54, Article IV, Section 8(b) of the California Constitution Capacity to subsequently amend state law and the commitment to revise 4

6 Loose Ends unprecedented consumer protections Alastair Mactaggart, Chairman of Californians for Consumer Privacy the full implications of the hastily passed AB 375 are far from being fully understood Coalition of Business Interests, including CBA 5

7 Amendments Round 1 SB1121 considered in Committee Legislature in recess from Legislation must pass both Houses by Focus on technical amendments Expanding Gramm-Leach-Bliley Act exception Clarifying and narrowing private right of action Changing AG provisions, including removal of consumer notification requirement, clarifying AG remedies, extending deadline for regulations, and delaying authority to bring enforcement actions SB1121 passed on August 31,

8 What Is on the Horizon? Commitment to a fair legislative process in 2019 Competing interests Opportunity to improve or complicate Right to delete financial information Rulemaking by the Attorney General Potential model state legislation Prompting of a national conversation 7

9 Scope GLBA Exception Strengthened by amendment to remove conflict language (e) This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (Public Law ), and implementing regulations, if it is in conflict with that law. or the California Financial Information Privacy Act (Division 1.4 (commencing with Section 4050) of the Financial Code). This subdivision shall not apply to Section Customer & Consumer CCPA GLBA Consumer PI PI 8

Consumer Broader Than Customer A natural person who is a CA resident A resident includes any individual who is: In CA for other than a temporary or transitory purpose; or Domiciled in CA, but outside

10 Consumer Broader Than Customer A natural person who is a CA resident A resident includes any individual who is: In CA for other than a temporary or transitory purpose; or Domiciled in CA, but outside of CA for a temporary or transitory purpose No customer-type nexus needed Includes employees, individuals associated with commercial customers, independent contractors, and visitors to corporate facilities Compare with GLBA current, former, or prospective consumer or customer Financial institutions will have to decide if they want to limit the Act s rights to CA residents or expand beyond CA 9

11 Notice Obligations 1. Just-in-time notice? 2. Privacy policies 3. Consumer-specific disclosures upon request 10

12 Just-in-Time Notice? At or before the point of collection, a financial institution must inform a consumer of: The categories of PI to be collected; and The purposes for which the PI will be used May not collect additional categories of PI or use collected PI for additional purposes without providing the consumer with notice 11

13 Privacy Policies Online privacy policies and California-specific description of consumers privacy rights Required content Description of consumer privacy rights Categories of PI collected, sold, and disclosed for a business purpose in the past 12 months Methods for submitting requests Updated at least once every 12 months 12

14 Disclosures Upon Request Two separate rights to request information The collection disclosure The sharing disclosure Consumer-specific disclosures Focused on: What PI was collected, from whom, and for what purpose What PI was sold or disclosed for a business purpose and to whom The specific pieces of PI collected about the consumer 13

15 Providing Access to Specific PI A consumer has a right, twice a year, to request that a financial institution provide the consumer with [t]he specific pieces of personal information collected about the consumer Greatly impacted by the breadth of the definition of PI (e.g., audio and video) Only the PI collected in the past 12 months The disclosure must be provided free of charge and within 45 days of the request in a readily useable format that is also portable 14

Right to Deletion A consumer has the right to request that a financial institution delete any PI about the consumer that the financial institution has collected from the consumer A financial

16 Right to Deletion A consumer has the right to request that a financial institution delete any PI about the consumer that the financial institution has collected from the consumer A financial institution also must direct its service providers to delete the consumer s PI from the service provider s records Nine exceptions to this right Limited in broad utility, other than fraud prevention Bias towards consumer-facing business Bias towards ongoing relationships with consumers 15

17 When a Sale Isn t a Sale Definition of Sale Disclosing a consumer s PI to another business or third party for monetary or other valuable consideration Right to Opt Out/Opt In For consumers age 16 and older, there is a right to opt out of the sale of PI to a third party Prohibited from selling PI without consumer s express authorization Cannot request authorization of sale for at least 12 months after consumer opts out Affirmative authorization (opt in) required for consumers under the age of 16 16

18 Implications for Vendor Management The Act does not follow a typical vendor oversight model Instead, the service provider concept functions more as an exception and not a business obligation Obligation to direct service providers to delete PI Disclosures to a service provider that are necessary to perform a business purpose are not a sale if: The financial institution has provided notice that information is being used or shared in its terms and conditions; and The service provider does not further collect, sell, or use the PI, except as necessary to perform the business purpose 17

19 Private Rights of Action A consumer can bring a suit if: Nonencrypted or nonredacted personal information (as defined in the CA safeguards law) is subject to an unauthorized access and exfiltration, theft, or disclosure As a result of a violation of the duty to... maintain reasonable security procedures... to protect the personal information Amendment clarifies scope limited to above Available relief includes statutory damages of $100 to $750 per consumer per incident or actual damages, whichever is greater 18

20 Procedural Hurdle for Consumers Pre-suit notice for statutory damages 30 days written notice identifying the specific provisions of this title allegedly violated and opportunity to cure An individual consumer will not be required to provide notice of a violation before initiating an action if the consumer is seeking only actual pecuniary damages Amendments remove obligation for a consumer to provide notice to the AG 19

21 Administrative Enforcement California AG has enforcement authority The AG shall not bring an enforcement action... until six months after the publication of the final regulations... or July 1, 2020, whichever is sooner A financial institution violates the Act if it fails to cure any alleged violation within 30 days after being notified of alleged noncompliance Unclear whether the AG must provide notice and an opportunity to cure Injunction and civil penalties In general, $2,500 for each violation $7,500 for each intentional violation 20

22 Questions? Kevin Gould California Bankers Association (916) Nancy R. Thomas Morrison & Foerster LLP (213)

Overview of the New California Consumer Privacy Law

Overview of the New California Consumer Privacy Law In late June, California enacted Assembly Bill 375 (AB 375) as the California Consumer Privacy Act of 2018 (CCPA), a privacy law, unprecedented in the