
Planning for Calif. Privacy Law Compliance Amid Uncertainty

Law360

California Attorney General Xavier Becerra’s recent announcement that enforcement of the California Consumer Privacy Act will begin as planned on July 1 has drawn sharp criticism from industry leaders and practitioners. They cite the lack of clarity on the legislation and an unreasonable compliance burden for many companies dealing with COVID-19.

Despite Becerra’s deadline, the final regulations have not been issued, meaning companies have no clear road map on implementing the sweeping changes to the privacy and cybersecurity compliance landscape. Still, some insights have emerged, including the latest modifications to the proposed regulations, released on March 11.

Businesses that completed their compliance plans early this year should evaluate what was released last month, with special attention to provisions concerning service providers. They may need to further amend their data-sharing contracts with service providers, whose ability to use personal information for operational purposes has shifted.

New Criteria for Service Providers

Service providers now must limit their use of personal information to use “on behalf of the business that provided the personal information.” They are specifically prohibited from building or modifying consumer profiles for use in providing services to another business, and from correcting or augmenting the data with personal information acquired from another source. They may, however, use the data to improve the quality of their services. The March modifications also mean that many more businesses can qualify as service providers.

That includes businesses that provide services to nonprofits or smaller organizations that do not qualify as businesses under the statute, and those businesses that collect personal information directly from consumers on behalf of other businesses.[1]

As to the latter change, the new language seems to fix language in the statute that suggested a business could be a service provider only if another entity disclosed personal information to it (and not if the business collected the personal information directly from the consumer).

Moreover, organizations that qualify as service providers are subject to fewer reporting requirements. Existing data-sharing agreements may therefore no longer fully track the revised criteria, requiring many businesses to adapt their practices, and their contracts, again.

In addition, some businesses’ obligations with respect to disclosures and responses to requests to know may be reduced where the business, because of certain legal obligations, stores consumer data in a separate or nonsearchable format. Banks and lessors that retain former customer and tenant records in an archived, not readily accessible form are examples.

Even Without Total Clarity, Businesses Should Prepare

Because the third draft of the proposed regulations[2] was released so recently — and it’s unclear when the final regulations will come out — it is unlikely that the final regulations will be available in time for companies to make significant changes in terms of compliance before the deadline. Still, businesses are better off navigating through the current chaos than waiting for clarity.

Despite the uncertainty noted above — to say nothing of the open question of whether online cookies and the exchange of data for targeted advertising constitute a sale — most companies should still comply with the fundamentals. At the very least, notices at collection and a privacy policy should be in place, together with the prescribed methods for receiving and processing consumer requests.

And, of course, personal information should be encrypted, redacted or deidentified, with appropriate security measures in place to prevent unauthorized access or disclosure. Businesses should expect, however, that the finer points of any plan will have to be adjusted and implemented as the final regulations and further industry guidance become available.

Companies Take Different Approaches

Compliance efforts thus far reflect little consensus among industry leaders as to the fundamental requirements of the statute and regulations. Facebook Inc., for example, does not provide users with an opportunity to opt out, claiming that the requirement is inapplicable to its service because Facebook does not sell people’s data.[3] Many have questioned this, especially given that the Cambridge Analytica scandal was a catalyst for enacting a new data privacy framework.

Other operationally similar companies have taken a different approach. A platform for connecting employers with prospective applicants has denied selling user data and yet requires that those who wish to opt out under the CCPA delete their accounts because the transfers that may be deemed a sale under the CCPA are “inherent in [its] product.”[4]

Unfortunately, when operationally similar companies with market power take on vastly different and inconsistent approaches to compliance (such as, for example, whether using third-party cookies for behavioral advertising constitutes a sale), small businesses are often forced to agree to vastly different data-sharing terms with companies providing the same service.

Problems arise when multiple platforms share personal information, such as an applicant’s name and email address, but under different data-sharing terms. If the business stored this information in an internal address book, which data-sharing terms would apply to its use of personal information, and would this mean that the business ought to segregate the data and maintain vendor-specific address books?

For now, the CCPA does not provide answers to these questions, but best practices weigh in favor of keeping separate data pools, despite overlaps, and despite obvious inefficiencies and high compliance costs.

CCPA in the Time of COVID-19

Businesses are also understandably concerned about balancing coronavirus-related business disruptions and responding to CCPA consumer requests quickly, which in some instances involves tasks that must be performed on site.

With restrictions in place in California and elsewhere, it could be difficult or practically impossible to receive and/or respond to consumer requests under the CCPA. For example, neither the statute nor the proposed regulations offer alternatives to a business when its call center staff cannot go to work, or when a consumer demands a copy of data rendered inaccessible by site closures.

Many groups, including the Motion Picture Association of America, have urged deferred CCPA enforcement. But Becerra’s office has declined. Limited exemptions may be available, but they will likely be addressed case by case and will need to be well-documented.

To the extent possible, businesses should devise a compliance plan that includes an assessment of the aspects that need to be scaled back (and the reasons necessitating the change), any notices regarding temporary changes to compliance procedures or capacity, and up-to-date procedures for anticipating and avoiding security breaches. Because the statute’s private right of action arises only from a data breach caused by a failure to maintain reasonable security practices, the protections afforded to consumer personal information should never be sacrificed.

“Planning for Calif. Privacy Law Compliance Amid Uncertainty,” by Ana Tagvoryan and Ana Amodaj was published in Law360 on April 14, 2020.


[1] § 999.314(a), (b).

[2] https://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/ccpa-text-of-second-set-mod-031120.pdf.

[3] https://about.fb.com/news/2019/12/californias-new-privacy-law/amp/.

[4] https://www.indeed.com/legal/ccpa-dns?hl=en&cc=US.