Alston & Bird Consumer Finance Blog

Online Privacy

California Department of Justice Releases Post-Finalization Modifications to CCPA Regulations

By

On October 12, 2020, the California Department of Justice (“Department”) released its first set of proposed post-finalization modifications to the California Consumer Privacy Act Regulations (the “CCPA Regulations”).

As many businesses know, the CCPA Regulations were finalized on August 14, 2020.  The Department styled these new modifications as a “Third Set of Proposed Modifications” to the CCPA Regulations, suggesting that it sees them as related to the two rounds of modifications it proposed before the Regulations were finalized.  (You can read our summaries of the key impacts of these prior modifications here (first round of modification) and here (second round of modifications)).

While the Department’s new proposed modifications are modest in volume, they contain potentially significant impacts for businesses.  If passed in their current form, the modifications would modify the CCPA Regulations as follows:

(1) Required Offline Opt-Out Notices Would Return: Pre-finalization drafts of the Regulations required businesses that “substantially interact[] with consumers offline” to provide an offline notice to consumers about their right to opt-out of data sales.  However, this requirement was deleted as the Regulations were finalized during review by California’s Office of Administrative Law.

  • The Department’s new proposed modifications would reintroduce the requirement to provide offline opt-out notices whenever a “business … collects personal information in the course of interactions with consumers offline.”
  • As illustrations of how this required offline notice can be provided, the modifications state that “brick-and-mortar store[s]” may provide notice by (a) “printing the notice on the paper forms that collect the personal information” or by (b) posting signage in “the area where the personal information is collected.” Likewise, businesses that collect personal information over the phone may provide notice orally “during the phone call where such personal information is collected.”

(2) The Requirement for “Easy” Opt-Outs Would Return – with Specified Prohibited Practices: Pre-finalization draft of the Regulations required businesses’ methods enabling consumer to make Opt-Out requests to be “easy for consumers to execute and [] require minimal steps.” Again, however, this requirement was deleted as the Regulations were finalized during review by California’s Office of Administrative Law.

  • The Department’s new proposed modifications would reintroduce verbatim the requirements that (a) “[a] business’s methods for submitting requests to opt-out shall be easy for consumers to execute and shall require minimal steps,” and (b) opt-out submission methods cannot “subvert[] or substantially impair[]” consumers’ choice to opt-out.
  • The new proposed modifications contain a list of prohibited opt-out practices, potentially derived from the California Attorney General’s initial experience enforcing the CCPA. For example, businesses cannot:
    • Use confusing double-negative language (e.g., “Don’t Not Sell My Personal Information”),
    • Require consumers to click through or listen to reasons why they should not submit an opt-out request;
    • Require consumers to provide personal information not necessary for the opt-out request; or
    • If a consumer has already clicked on “Do Not Sell My Personal Information,” require the consumer to scroll through a Privacy Policy to locate the opt-out submission form.

(3) Businesses Could Ask Authorized Agents for Proof of their Authority (and Would Not Need to Go to the Consumer): The new proposed modifications would clarify that, when businesses receive a CCPA request from an individual purporting to act as a consumer’s authorized agent, they can require the authorized agent to provide proof it has written permission to act for the consumer. Under the current Regulations, businesses would have to go to the consumer to obtain this proof.

(4) All Notices to Consumers Under 16 Years of Age Would Require Additional Disclosures: The modifications would clarify that any privacy policy directed towards individuals under the age of 16 must meet the CCPA Regulations’ additional information requirements.  Currently, the Regulations imply that these additional information requirements only apply to privacy policies directed at children that are both under 13 (regulated under § 999.330 Regulations) as well as age 13-15 (regulated under § 999.331).  The modifications would clarify that any privacy policy that is directed at any individual under 16 – irrespective of under 13 or age 13-15 – must contain the additional content required under the CCPA Regulations.

A redline showing the proposed changes based on the currently effective regulations is available here.  The proposed modifications are open for public comment until Wednesday, October 28, 2020.

High Profile Settlements, Strengthened Data Security Orders, and COPPA: The FTC’s 2019 Privacy and Data Security Update

By

A&B ABstract

Each year the Federal Trade Commission (the “FTC” or “Commission”) publishes a report on its activities with respect to consumer privacy and data security during the prior year.  On February 25, 2020, the Commission released its 2019 Privacy and Data Security Update. The update contains a summary of the FTC’s enforcement, advocacy, and rulemaking actions as well as its activities with respect to its privacy and security-related workshops, consumer education and business guidance, and international engagement.  The update is a useful way to see what the FTC focused on in the prior year and where to expect continued interest. Some highlights from the update are provided below.

 Discussion

In the enforcement space, the FTC update spotlights its two most high-profile settlements to date: Facebook and Equifax.  First, in July 2019 the FTC and the Department of Justice’s announced a joint settlement with Facebook based on allegations that the company’s misrepresentations and consumer privacy failures violated its 2012 order.  The 2019 settlement order imposed a record-setting $5 billion penalty and included a number of provisions designed to change Facebook’s overall approach to privacy.  The settlement is currently pending approval by the United States District Court for the District of Columbia. Also, in July 2019, the FTC announced a settlement with Equifax for alleged data security violations, including Gramm-Leach-Bliley Act violations, that affected 147 million people.  The settlement included a payment of up to $700 million to help consumers affected by the breach and was part of a global resolution with a consumer class action, the Consumer Financial Protection Bureau, and 50 states and territories.

Data Security Orders

The FTC’s enforcement actions over the past year with respect to data security incidents also highlight the Commission’s efforts to strengthen its data security orders, including through increased specificity, increased accountability of third- party assessors, and improved corporate governance on data security issues.  Each category of improvement is reflected in seven data security orders issued by the FTC over the past year against companies in a range of industries: ClixSense (pay-to-click survey company), i-Dressup (online games for kids), DealerBuilt (car dealer software provider), D-Link (Internet-connected routers and cameras), Equifax (credit bureau), Retina-X (monitoring app), and InfoTrax (service provider for multilevel marketers).

COPPA

The FTC’s update also makes clear the FTC’s continued focus on the Children’s Online Privacy Protection Act (“COPPA”) in 2019 and beyond.  In September 2019, the FTC and New York Attorney General settled with Google, and its subsidiary YouTube over allegations it collected personal information, including in the form of persistent identifiers, from viewers of child-directed channels without first notifying parents and getting their consent.  The $170 million judgment is the largest civil penalty under COPPA. In 2019 he FTC also settled charges against Musical.ly, now known as TikTok, for $5.7 million for illegally collecting personal information from children on a child-directed app.  The FTC also announced it was seeking comments on the effectiveness of the 2013 amendments to the COPPA Rule and hosted a workshop in October 2019 to discuss whether additional changes are needed.

Other Concerns

The FTC update describes other areas of focus, including credit reporting and financial privacy, Do Not Call and telemarketing, and international enforcement. You can read the entire update here.

SHIELD Act Overhauls New York’s Data Breach Notification Framework

By

On October 23, 2019, New York’s new breach notification provisions came into effect, a result of New York’s passage of the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) in July. That Act overhauled New York’s data privacy framework, expanding the list of data elements that are considered “private information” while growing the types of incidents and covered entities that may trigger New York’s notification requirement. The SHIELD Act also imposes a new legal obligation for owners and licensors of private data to comply with the Act’s “reasonable security requirement.” Some regulated businesses, like those in the healthcare and financial industries, will be deemed compliant with the SHIELD Act’s reasonable security requirement if they already comply with laws like HIPAA or the GLBA. In an attempt to mitigate its potential burdens on smaller operations, the SHIELD Act explicitly defines small businesses, for whom the Act’s “reasonable security requirement” will be assessed with regard to factors like a business’s “size and complexity.”

The SHIELD Act’s breach notification provisions went into effect on October 23, 2019, while the new data security requirement goes into effect on March 21, 2020.

The Act’s main provisions are described below.

Expanding the Types of Incidents and Entities Covered Under Breach Notification:

The SHIELD Act expands the pool of incidents which trigger mandatory notification to data subjects.  Prior to the SHIELD Act, New York required individual notifications only when certain private information was acquired by an unauthorized individual. Under the SHIELD Act, New York now requires individual notifications where such information is either accessed OR acquired. In deciding whether such information has been unlawfully accessed under the statute, the Act directs businesses to consider whether there exist any “indications that the information was viewed, communicated with, used, or altered by a person without valid authorization or by an unauthorized person.”  So now under the SHIELD Act, if an unauthorized entity merely views information and does not download or copy it, New York requires individual notifications.

The SHIELD Act also expands which entities may be required to make disclosures under New York’s notification requirement. Previously, New York required notifications only from those entities which conducted business in New York and owned or licensed the PI of New York residents.  Under the SHIELD Act, New York’s notification requirement applies more broadly to any business which owns or licenses the private information of New York residents, regardless of whether it conducts business in state.
Expanding the Definition of Private Information

Not only does the SHIELD Act expand the types of breaches which may trigger notifications, it further expands New York’s definition of private information (“PI”) by incorporating biometric data and broadening the circumstances in which financial data is considered PI.  The Act defines biometric data as that which is “generated by electronic measurements of an individual’s unique physical characteristics,” such as fingerprints, voice prints, and retina or iris images.  And while account numbers and credit/debit card numbers were previously only considered PI in combination with security codes and passwords that permitted access to financial accounts, now under the SHIELD Act, such information is considered PI under any circumstances where it could be exploited to gain access to an individual’s financial accounts, even when security codes and passwords remain secure.

Under the SHIELD Act, New York now joins those states that protect online account usernames and e-mail addresses when stored in combination with passwords or security questions that could provide access to online accounts.  The Act does not require usernames and e-mail addresses to be paired with other personal information, beyond that needed to access an online account, to constitute PI.

Clarification of Substitute Notice by E-mail:

Prior to the passage of the SHIELD Act, New York more broadly permitted notification by e-mail when the notifying business had access to the e-mail addresses of all affected data subjects. The SHIELD Act, however, creates a new exception where notice by e-mail is no longer permissible when the breached information includes the data subject’s e-mail address in combination with a password or security question and answer.  This provision appears aimed at preventing businesses from notifying by e-mail when the notification itself may be sent to a compromised account.

Breach Notification Content Requirements and Exemptions:

The SHIELD Act expands the required content of notifications by requiring a business to include the telephone numbers and websites of the relevant state and federal agencies responsible for providing breach response and identity theft services.

On the other hand, the Act also carves out new exceptions in the case of inadvertent disclosures or where notification may already be required under another statute. The SHIELD Act exempts businesses from New York’s breach notification requirement if information was disclosed inadvertently by persons authorized to access the information and the business reasonably determines that such exposure will not likely result in the misuse of information or other financial or emotional harm to the data subject.  Such determinations, however, must be documented in writing and maintained by the disclosing company for at least five years.  If the disclosure affects more than five hundred New York residents, a business availing itself of this exemption must provide the written determination of non-harmfulness to the New York Attorney General within ten days of making the determination.

The Act further exempts certain businesses from making additional notifications where they are already required to notify under other federal or state laws.  Under the SHIELD Act, no further notice is required if notice of a breach is made under any of the following:

1)      Title V of the Gramm-Leach-Bliley Act (GLBA)
2)      the Health Insurance Portability and Accountability Act (HIPAA) or Health Information Technology for Economic and Clinical Health Act (HITECH);
3)      New York Department of Financial Services’ Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500), or;
4)      any other security rule or regulation administered by any official department, division, commission, or agency of the federal or New York state governments.

Reporting HIPAA and HITECH Breaches to the State Attorney General:

Any covered entity required to provide notification of a breach to the Secretary of Health and Human Services under HIPAA or HITECH must also notify the New York Attorney General within five business days of notifying HHS.  Thus, while the SHIELD Act exempts HIPAA and HITECH regulated companies from re-notifying affected individuals, it nevertheless requires an additional notification to the state Attorney General.

Creation of the Reasonable Security Requirement:

Effective March 21, 2020, the SHIELD ACT imposes a new “reasonable security requirement” on every covered owner or licensor of New York residents’ private information. The SHIELD Act requires businesses to develop and maintain reasonable administrative, technological, and physical safeguards to ensure the integrity of private information.

Reasonable administrative safeguards include:

(1) Designating one or more employees to coordinate security; (2) Identifying reasonably foreseeable internal and external risks; (3) Assessing the sufficiency of the safeguards in place to control identified risks; (4) Training and managing employees in the security program practices and procedures; (5) Selecting service providers capable of maintaining safeguards, and requiring those safeguards by contract; (6)Adjusting the security program to account for business changes or other new circumstances.

Reasonable technical safeguards include:

(1) Assessing in network and software design risks; (2) Assessing risks in information processing, transmission, and storage; (3) Detecting, preventing, and responding to attacks or system safeguards; (4) Regular testing and monitoring of key controls, systems, and procedures.

Reasonable physical safeguards include:

(1) Assessing the risks of information storage and disposal; (2) Detecting, preventing, and responding to intrusions; (3) Protecting against unauthorized access or use of private information during data collection, transportation, and destruction; (4) Disposing of private information within a “reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.”

Applying the Reasonable Security Requirement to Small Businesses:

The SHIELD Act makes special provision for small businesses, presumably to avoid overly burdening them. Under the statute, a small business is defined as any business with “(I) fewer than fifty employees; (II) less than three million dollars in gross annual revenue in each of the last three fiscal years; or (III) less than five million dollars in year-end total assets.”  While small businesses are still subject to the reasonable security requirement, their safeguards need only be “appropriate for the size and complexity of the small business, the nature and scope of the small business’s activities, and the sensitivity of the personal information” the small business collects about consumers.

Implications of the SHIELD Act’s Security Requirement for Compliant Regulated Entities:

Just like businesses may be exempted from the SHIELD Act’s notification requirements if they comply with another statute, businesses may also be deemed to be in compliance with the SHIELD Act’s reasonable security requirement if they are already subject to and in compliance with the following data security requirements:

1)      Title V of the GLBA;
2)      HIPAA or HITECH;
3)      23 NYCRR 500, or;
4)      Any other security rule or regulation administered by any official department, division, commission, or agency of the federal or New York state governments.

Penalties for Noncompliance:

The SHIELD Act increases the penalties for noncompliance with New York’s notification requirements. Previously, businesses faced a fine of the greater of $5,000 or $10 dollars per instance of failed notification, so long as the latter did not exceed $150,000.  Now, penalties may grow as large as $20 per incident with a maximum limit of $250,000.

The Act also lengthens the time in which legal actions for failure to notify may commence from two years to three years. This time is measured from either the date on which the New York Attorney General became aware of the violation, or the date a business sends notice to the New York Attorney General, whichever is first. Regardless, in no case may an action be brought “after six years from the discovery of the breach by the company unless the company took steps to hide the breach.”

The SHIELD Act empowers the New York Attorney General to sue both for injunctions and civil penalties when businesses fail to comply with the Act’s reasonable security requirements. It explicitly excludes, however, any private right of action under the reasonable security requirement provisions.

Alston & Bird Details 21 Potentially Significant Impacts from Draft CCPA Regulations

By

Late last week, the California Attorney General published much-anticipated proposed Regulations under the California Consumer Privacy Act (“CCPA”). The Regulations are extensive and contain a number of potentially material business impacts.

To help companies work through the Regulations, Alston & Bird’s Privacy & Data Security team published a client advisory outlining “21 Potentially Significant Business Impacts” from the proposed CCPA Regulations. View the full advisory here.

This advisory tackles a number of issues likely of interest to companies attempting to get ready for CCPA, including:

  • Why posting a CCPA privacy policy on your website may not be enough to satisfy your CCPA notice obligations – instead you may need additional “just in time” notices at every specific point where you collect data (or lose the right to collect it);
  • Why you may hear discussions about a potential return of Do Not Track in the online context, this time as a “Do Not Sell My Info” request;
  • Why brick-and-mortar interactions with consumers may require companies to facilitate “offline” CCPA rights requests; and
  • Why companies that take a position as vendor or service provider may need to examine any aspect of their business that involves pooling customer data for regulatory risk.

Alston & Bird is closely following the development of the CCPA and its Regulations. For more information, contact Jim HarveyDavid KeatingAmy MushahwarKaren Sanzaro, or Daniel Felz.