Insider’s note: California’s privacy law is enforceable on July 1. Insider asked the OAAA for an update and the OAAA provided this Q&A from an attorney who specializes in privacy. Regulatory work like this is a reason why membership in the OAAA is a must for your out of home company.
The following Q&A is courtesy of the OAAA and Mike Signorelli of the Venable law firm. This follows the FAQ OAAA released in December 2019 to answer certain threshold questions about the CCPA. The CCPA is a new law that is subject to change and interpretation. Neither OAAA nor Venable is providing legal advice, and both recommend that you consult with your own legal counsel.
California’s new privacy law is set to be enforced on July 1, 2020. Is that happening?
Yes, enforcement by the California Attorney General (“CA AG”) is set to begin July 1, 2020. However, certain terms of the CCPA are already enforceable, and the implementing regulations will soon be enforced by the CA AG.
- Attorney General Enforcement. The CCPA went into effect on January 1, 2020. The CA AG may begin enforcement for violations of the law’s terms beginning on July 1, 2020. Businesses found to violate the law may be subject to civil penalties of $2,500 per violation and $7,500 per intentional violation.
- Private Right of Action. Private litigants have been permitted to bring lawsuits against businesses for violations described in Section 1798.150 of the CCPA (data breach-related terms) since January 1, 2020. Individuals or certified classes of individuals may file suit against covered businesses if certain types of nonencrypted and nonredacted personal information are exposed to unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.
- Implementing Regulations. The CCPA gives the CA AG the ability to promulgate regulations to implement the law. Although the office has indicated it finished the regulation drafting process, the rules have not yet been finalized by the state of California. The California Office of Administrative Law (“OAL”) received the draft regulations from the CA AG on June 2, 2020, and it is now working to review the rules for adherence to specific statutory standards.
Typically, regulations approved by OAL during the month of June would become effective on October 1 of the same year. However, the CA AG asked the OAL to expedite its review of the regulations and make them effective starting July 1, 2020, to coincide with the CCPA’s statutory enforcement date. These regulations are not enforceable by the CA AG until approved by the OAL and published by the Secretary of State.
What should out of home companies be doing to get ready?
Out of home companies should assess whether the CCPA applies to their business. This assessment could include taking an inventory of the types of data the company collects, how that data may be shared, and for what purposes.
Covered businesses must provide California consumers with ways to access, delete, and opt out of “sales” of personal information. The CCPA’s access right extends to “specific pieces of personal information collected about a consumer,” meaning that businesses must return individualized information associated with a consumer in response to an access request. Additionally, subject to certain exceptions, businesses must comply with consumer requests to delete personal information. The right the CCPA confers on Californians to opt out of sales of personal information, as discussed further in Question 4, requires covered businesses to stop transfers of personal information within 15 days of receiving a request. Businesses subject to the CCPA should work to develop responses to communicate with consumers who submit CCPA rights requests as well as standardized process flows for facilitating those access, deletion, and opt out of sale requests pursuant to the law. Also of note, the CCPA applies in more limited ways to employee data and business-to-business data.
How should I treat employee records?
It is important to note that while the CCPA applies to any information that can be reasonably associated with a California consumer, employee information is temporarily exempt from most of the law’s terms. Until January 1, 2021, personal information collected about a consumer in the course of that person acting as a job applicant to, an employee of, owner, director, or officer of that business is exempt from the CCPA’s access, deletion, and opt out rights. Personal information collected to be part of an employee’s emergency contact file or to administer employment benefits is similarly exempt until the beginning of next year. However, covered businesses must comply with the CCPA requirement to provide employees with a notice at or before the point of personal information collection describing the categories of personal information to be collected and the purposes for which such information will be used.
What, if anything, should I do to my company website?
Among other requirements, the CCPA requires covered out of home media businesses to make changes to their consumer facing websites. Businesses subject to the CCPA must maintain a privacy policy containing specific information, such as the categories of personal information collected, the categories of sources of that information, the business or commercial purposes for collecting such information, and the categories of third parties with whom the business shares personal information, among other disclosures. The privacy policy must also inform consumers of their rights under the law. Furthermore, businesses that “sell” or transfer personal information to a third party in exchange for money or any other benefit must include a link on their websites titled “Do Not Sell My Personal Information” or “Do Not Sell My Info.” This link should enable consumers to opt out of any sales or transfers of personal information that can be reasonably associated with them.
As voters in California prepare for another ballot measure, is Congress any closer to enacting a national standard for privacy?
On June 25, 2020, the California Secretary of State certified a new privacy-related ballot initiative titled the California Privacy Rights Act of 2020 (“CPRA”) for the November 2020 ballot. This means that Californians will have the opportunity to vote to approve the new privacy initiative this fall. If the measure gains enough votes, it would materially amend many provisions of the CCPA. The ballot measure would, for example, set up an entirely new agency in the state of California called the California Privacy Protection Agency to enforce the CPRA. In addition, the measure would provide consumers with new rights to correct inaccurate data maintained about them and limit the use and disclosure of certain data elements deemed to be “sensitive personal information.” The CPRA would also create new contracting requirements for regulated entities and triple penalties for violations of the law related to individuals under age 16, among various other changes to the CCPA.
In addition to the State of California, Nevada and Maine have passed data privacy laws within the past two years. Those laws are narrower than the CCPA, but they indicate a trend of state action in the realm of data privacy, as the vast majority of state legislatures have considered data privacy legislation in recent sessions. The flurry of state activity in this space has prompted many in industry to ask Congress to pass a single, preemptive national data privacy law so that businesses need to comply with only one data privacy standard as opposed to a patchwork of standards from the states. A preemptive federal data privacy statute would also help ensure that consumers’ data privacy rights are equal across the country and are not contingent on the states in which they live.
Members of Congress have drafted and considered various federal privacy bills and have held hearings about the content of such legislation on the Hill this year. However, with the election looming in November and Congress’s attention focused on the COVID-19 pandemic, it may be challenging for federal legislators to pass a preemptive data privacy law during the current session. As a result, out of home media companies should take steps to stay apprised of evolving state privacy requirements and should work with their trade associations to learn new information about compliance strategies and responsibilities relevant to various emerging state data privacy rules.