A rapidly growing number of states have enacted or are actively considering new privacy laws that will directly affect how businesses collect, use, and store consumer and employee personal information. While the California Consumer Privacy Act (CCPA) has garnered the greatest attention, important laws have been enacted in Illinois, such as the 2008 Biometric Information Privacy Act ("BIPA") which has already spawned a wave of class action litigation on behalf of Illinois consumers and employees. The State of Washington legislature also is considering a comprehensive consumer privacy law modeled after the GDPR, although its status in the legislative process is uncertain as of this writing.
These laws are already affecting, or will affect, most U.S. companies (unless they qualify for a limited exemption) collecting personal or biometric information from U.S. consumers and employees in the subject states, whether or not their business operations require compliance with the European Union's General Data Protection Regulation (GDPR), which went into effect in May 2018.
This state legislative activity has reinvigorated calls for a comprehensive general federal privacy law to establish a uniform national standard instead of widely varying state laws. Nevertheless, it is unlikely that Congress will agree on legislation anytime soon. Unless and until Congress acts, businesses should understand that their obligations with respect to customer data may vary materially among the various states.The most prominent and sweeping state privacy law is the CCPA which, as we have previously advised, takes effect on Jan. 1, 2020. The CCPA will require companies across the United States - even many not based in California - to make significant changes to the ways that they collect, use, and share personal information of California residents. The California legislature currently is considering as many as forty (40) amendments. One such amendment, S. 561, introduced in February 2019, supported by the California Attorney General, would radically alter the responsibilities of the California Attorney General's Office. Most importantly, S. 561 would:
- Expand the right of consumers to bring a private cause of action from an action for data breach to an action for any violations of the CCPA.
- Eliminate the ability of businesses to cure an alleged CCPA violation within 30 days before the AG could initiate an enforcement action.
- Eliminate the ability for a business or "third party" to seek the opinion of the AG for guidance on how to comply with the CCPA.
As such, S. 561 would be a major rewrite of the CCPA (which itself represented a compromise between consumer and business interests from its evolution from a ballot initiative to legislation), and would shift much of the responsibility for guiding and enforcing the CCPA from the California Attorney General, as provided under the CCPA, to plaintiffs' class action lawyers. As such, it reflects the reluctance of the California AG to be the primary enforcer of the rights of California consumers under the new law. In addition, as required by the CCPA, the California Attorney General will be initiating a rulemaking in the Fall of 2019 to adopt and implement clarifying regulations for the CCPA that will be effective on or before July 1, 2020. The timing of this rulemaking should hasten legislative activity on the many pending amendments to the CCPA.
The CCPA will not apply to smaller businesses or those who do not access large amounts of consumer information. The CCPA will instead apply to any business that collects Californians' data if: (1) its annual gross revenues exceed $25 million; (2) "Alone or in combination, annually buys, receives for the business' commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices"; or (3) at least 50 percent of a company's revenues comes from selling personal information. "Personal information" is defined extremely broadly to include not just name, but also categories such as IP addresses, geolocation data, commercial information, and other "information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household." As currently written, the term "consumers" may well include employees.
In general, the CCPA grants to a consumer various and extensive rights with regard to personal information that a business collects and/or discloses relating to that consumer. These include:
- rights to notice of what personal information is collected (including particular requirements for the contents of privacy notices) and how personal information is used;
- a limited right to data deletion;
- certain rights directed at the sharing of personal data with third parties (including a right to opt-out);
- a prohibition against discriminating against consumers for exercising their CCPA rights; and
- rights of consumer access.
The law will also require businesses to take various actions that are intended to inform consumers of those rights and how to exercise them. In addition, the CCPA likely will require substantial amendments to contracts between companies and "service providers" that process personal information on behalf of businesses.
It is important to consult with an attorney as to how the specific requirements apply to your business. The details of these requirements are still in flux, but in view of the magnitude of the task businesses should already be evaluating their obligations under the CCPA. The CCPA allows the California Attorney General to seek penalties of up to $2,500 per violation, and $7,500 per intentional violation. The CCPA also creates a private right of action for data breaches for failure to maintain reasonable security procedures, with minimum statutory damages available of $100-$750 per consumer, per incident. Although the CCPA takes effect on January 1, 2020, the provision requiring businesses to provide, upon request, a list of the categories of entities with which it has shared personal data over the preceding twelve months will actually apply to data sharing during the preceding year. That means that businesses need to be keeping records now of every such sharing since January 1, 2019.
Other states have waded into the privacy waters as well. As of this writing, the Washington legislature is considering comprehensive privacy legislation, but its prospects are uncertain, and other states are starting to address the issue as well.
One state that already has done so in Illinois, and its 2008 Biometric Information Privacy Act ("BIPA") is currently having a substantial effect on businesses seeking to introduce facial recognition technology. The Illinois BIPA regulates the collection, use, and sale of individuals' biometric identifiers, including facial scans or geometry, retinal scans, or fingerprints of Illinois consumers and employees. It creates compliance requirements for those who collect, store and use biometric data. In general, the Illinois law requires written consent for the collection of facial images, retinal scans, fingerprints, and other identifiers, and prohibits sharing of that biometric data. Importantly, the law allows consumers to enforce the law by class action lawsuits for monetary damages. This year, there has been a rising tide of BIPA class action litigation, particularly following the January 2019 Illinois Supreme Court ruling that a plaintiff need not allege any actual injury beyond a violation of rights under BIPA to qualify as an "aggrieved person" eligible to sue for damages under BIPA. See, Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186 (Jan. 25, 2019). Other important state laws are now in effect in states ranging from Vermont and Massachusetts to New York and Nevada.
Evaluating compliance obligations under these state laws is complex. It is necessary to understand what customer data is collected (and the definitions can vary from state to state), to conform data collection and use practices to legal requirements, and to develop and implement processes to respond routinely and consistently to customer requests under the CCPA. Agreements with service providers, which under the CCPA are exempt if they process personal information for a business purpose pursuant to a written contract, must be reviewed to make sure that they contain the necessary limitations on further use, retention or disclosure of the data.
To learn more about the issues discussed by this client alert, please contact Jeff Kosseff at firstname.lastname@example.org or 703.489.9046; William Baker email@example.com or 571.317.1922; or Doug Bonner at firstname.lastname@example.org or 202.352.7500.