James Snyder is Senior Counsel with Klinedinst PC. James represents clients in business transactions, M&A, and data...
Timothy Blood is the managing partner at Blood Hurst & O’Reardon LLP. He has represented tens of...
Daniel B. Rodriguez is the Harold Washington Professor at Northwestern University Pritzker School of Law. He served...
Published: March 4, 2020
Podcast: Law Technology Now
Category: Business Law, News & Current Events
On January 1, 2020, the California Consumer Privacy Act of 2018, informally known as the CCPA, went into effect. It is considered one of the most significant pieces of privacy legislation in the United States, and many questions exist as to how this law will affect businesses and consumers within California and beyond. Law Technology Now host Dan Rodriguez speaks with attorneys James Snyder and Timothy Blood about this impactful new legislative act. Together they examine the CCPA’s origins, its reach beyond the boundaries of California, what it and Europe’s GDPR mean for technology companies, and what penalties can arise from violations.
James Snyder is senior counsel with Klinedinst PC.
Timothy Blood is the managing partner at Blood Hurst & O’Reardon LLP.
Law Technology Now
Understanding the CCPA with James Snyder and Timothy Blood
03/04/2020
[Music]
Daniel B. Rodriguez: Hello and welcome to Law Technology Now. I’m your host. My name is Dan Rodriguez. I’m the Harold Washington Professor and Former Dean at Northwestern University’s Pritzker School of Law.
I’m delighted to welcome two very distinguished lawyers and guests to talk about data privacy and in particular California’s new Consumer Privacy Act. Today’s show is brought to you by our sponsors.
Thank you Logikcull, instant discovery software for modern legal teams. Logikcull offers perfectly predictable pricing at just $250 per matter per month. Create your free account anytime at logikcull.com/ltn. That’s logikcull.com/ltn.
And thank you also to Headnote, helping law firms get paid 70% faster with their compliant e-payments and accounts receivable automation platform. Learn how to get paid quicker and more efficiently at headnote.com.
And now on to the show. I am delighted to welcome our two guests, first James Snyder, a senior counsel with the Klinedinst Law Firm. James represents clients in business transactions, M&A and data privacy and security matters. He’s been at the leading edge of data privacy, counseling clients on the European Union’s General Data Protection Regulation as well as the CCPA.
He is an accomplished speaker in the fast-evolving data security landscape and has developed data privacy and security procedures for clients and counseled clients through breaches.
James’ experience in compliance is not restricted to data protection, he also has directly managed all facets of international regulatory compliance in the highly regulated financial services area.
He has also provided guidance on export and open source software compliance initiatives.
Also Timothy Blood is joining us from the Blood Hurst & O’Reardon Law Firm. He has represented tens of millions of data breach victims and class-action lawsuits as well as consumers in a wide variety of consumer protection matters. He has fought for consumers in federal and state courts throughout the country and before the Federal Trade Commission, California Department of Justice, the California Legislative Analyst office, United States Senate, California Legislature and its Department of Insurance.
Tim worked to pass the California Consumer Privacy Act of 2018 and helped draft the provision of the Act that provides consumers with a private right of action for data breaches and testified before the California Senate and Assembly.
Welcome James and Tim.
To start us off, I’d like to get a description and I’m going to ask Tim to take us through the highlights of this new statute, CCPA.
Timothy Blood: So this is truly a landmark piece of legislation. It’s the first and by far the broadest in the country that provides consumer protections for data privacy and Internet security and has several different components. Its first component is really a right for consumers to know what personal information companies collect on them.
And then also a right for consumers to know whether their personal information is sold or disclosed to anybody and to whom that information is sold or disclosed, and very importantly a right to say no to the sale or disclosure of that information, and also companies can’t discriminate against people who say no, they don’t want their information shared.
Also the Attorney General of the State of California has primary regulatory authority over this statute and has primary enforcement authority, but the CCPA also provides a unique first-in-the-nation private right of action in the event that there is a data breach, so consumers have a direct right to sue companies in the event of a negligent data breach.
Daniel B. Rodriguez: Great, thanks, and we’ll get into a number of dimensions of this issue including the enforcement issue, but let me begin, and this is for either or both of you, what are the particular problems which the CCPA is designed to solve?
James Snyder: I think basically the concept is in light of things like Cambridge Analytica and other major sort of developments. The United States is sort of catching up to Europe in the sense of what consumers or individuals feel should be protected finally.
And so the CCPA is really trying to protect consumers or allow them to have information about what information, what data is being collected in any given basis from a particular business. So it’s what information is being collected, how is it being used and with that then gives them the ability to take action if they want and prohibit or prevent businesses from using their information.
Daniel B. Rodriguez: So before there was a CCPA that’s so before now we had and have within the State of California, within the other 49 states in the United States, a web of laws and regulations and regulatory bureaus and authorities that deal with among other things data privacy to a greater or lesser extent.
(00:05:00)
So a Federal Trade Commission certainly Congress’ authority to enact general statutes. I’m not going to list them all, but suffice to say a web and a network of regulatory bureaus and devices. Why wasn’t that enough? So I see the problem of data breach and data privacy being there but what was missing in our regulatory landscape?
Timothy Blood: What was really missing was a comprehensive way of addressing all of these problems. For example, California in the mid-1970s passed and added to its constitution a very strong right to privacy and of course privacy has been an American ideal for a very, very long time since really the founding of our nation.
But especially with the advent of technology, online presence there has been nothing that has existed that really fits that particular unique set of circumstances that the digital age brings with it.
And so nobody was really doing anything because it’s a pretty big undertaking to take on really the largest tech companies in the world, some of the largest companies in the world and the tremendous commercial advantages that online data and its use bring with it.
So it was politically a big undertaking to even take on something like the CCPA in a comprehensive way. Yet you also had an overwhelming pent up public desire to address it. So a lot of people viewed online privacy rated it very highly as something very, very important to them, not everybody understands it; in fact, most people don’t understand it but they have a sense that something wasn’t quite right.
And so really, so what ended up happening with the CCPA was a Bay Area billionaire decided to pass an initiative, Alastair Mactaggart. So he introduced an initiative that he very carefully crafted, took the temperature of many different stakeholders when putting it together and put it on the California ballot.
Well that ballot polled so well that sort of all the tech company money in the land based on polling indicated that it could not be defeated. And so what they did along with the Consumer Attorneys of California, which is a plaintiffs’ trade association, approached Alastair and said hey, would you like to make a legislative deal, saves everyone a lot of money, we have much more certainty and we all can sort of refine what ultimately became the CCPA.
Alastair agreed to do that and it was only I think because of Alastair’s threat of an initiative that was going to pass that resulted in the California Legislature passing the CCPA. Now, not only did it pass the California Legislature but it passed the California Legislature unanimously. There was not a single no vote and I dare say that if the CCPA had been introduced the regular way, then what probably would have happened is it wouldn’t have gotten out of one or more committees and we’d never have the CCPA.
Daniel B. Rodriguez: Well, that’s so interesting and just on a minor tangent. Of course, the story you described has so much to do with not entirely unique but somewhat unique features of how lawmaking is done in California and a number of states more often found in the West right through direct initiatives. It’s very, very interesting.
So just on that subject and so this tech billionaire as you described him and what muscle he was able to bring to bear does that portend some significant legislative changes in other states now as a result? Does he have a desire and do others have a desire to expand the scope of this across other states?
Timothy Blood: So Alastair is actually a developer, not a tech guy.
Daniel B. Rodriguez: Oh sorry. I said billionaire, I just assume all the billionaires are tech billionaires.
Timothy Blood: Exactly, certainly in California. So he’s a developer who had really nothing to do with technology before this and he was having dinner with a Google employee and was absolutely shocked to find out how much private information was available to companies in the United States without anybody’s control and that’s how the initiative, the idea of the initiative started.
And to answer your question, so I think the circumstances were somewhat unique in California as you suggest the direct initiative process in California and just the size and the heft of California means that if California passes legislation like this, it doesn’t just cause a ripple across the country, it really causes a tsunami.
So there are other states and Congress that are looking at doing things similar to the CCPA and large companies including companies like Microsoft have agreed to comply with the CCPA nationwide even though they’re not legally obligated to do so. So not just in California, but all over the country.
James Snyder: Yeah, I think it’s something like 20 plus states right now either have enacted or are in the process of enacting something along the lines, so yeah.
Daniel B. Rodriguez: Interesting. What do you make of — I just something came across my desk just from Adweek, just the other day where this, the CEO, founder of a video online platform, ad platform called SpotX made a comment, the title of the article is, ‘Why CCPA Won’t Be as Big of a Deal as GDPR’.
(00:10:03)
And he suggests in this interview essentially because it’s one state and it’s not as far-reaching that it’s not likely to have an enormous impact. Is there anything to that?
James Snyder: Personally I don’t think so. I think there’s a report actually I just read this morning from Compliance Weekly where they estimated something around from $467 million to $16.5 billion in implementation costs by the year 2030 to give you a sense. I mean they are talking about probably 50% to 75% of all businesses in the State of California, which is obviously the biggest populous state in the Union are going to be impacted by this.
So and we’re not just talking about businesses with online presence, right, I mean you’ve got Mom & Pops that have a coffee shop and they’re collecting credit cards. If 14 transactions or so a day is going to get you probably up to a threshold where your business is covered by the CCPA. So I think it’s really, really broad and it’s not just going to be California based businesses, right. I mean really we’re in a global world now. So you’ve got European businesses that are marketing to California residents and consumers that might actually be traveling in Europe, they’re still — it’s still applicable. So I think it’s very far-reaching.
Timothy Blood: If a company does business with a California company then that business may have to comply as a contractual matter with the CCPA if it does business with the California company and we’ve already seen that with the GDPR where companies that do business with companies that are regulated by the GDPR also have to often comply with aspects of the GDPR. Same is true with CCPA.
Daniel B. Rodriguez: I want to turn to GDPR in a moment but just to reinforce what was just said about compliance and all that I saw a report from PwC that they did a survey you may have seen the same report, and remarkably it said, one-fifth of all businesses indicated that they would be spending upwards of a hundred — more than a hundred million dollars and adding 50 staff just to comply with the provisions of CCPA, really remarkable.
So it’s come up a couple of times including the introduction, so this GDPR, General Data Protection Regulation enacted in Europe recently. How is CCPA different? Is this just modeled directly after the GDPR or what’s the — what are the salient differences between this statute and European regulation?
James Snyder: There’s definitely a lot of similarities certainly and many have dubbed CCPA to be America’s GDPR but there are differences. I mean one of the main differences is GDPR is an opt-in regime and CCPA is an opt-out in the sense that under CCPA, businesses need to inform consumers about what information is being collected and give them the information and then allow them the ability to say, no, don’t do that or give me my information back.
Whereas in Europe, you actually have to agree explicitly to have anything collected. So that’s a pretty defining difference and obviously there’s the concept of private rights of action and rest of it with respect to breaches that is more far-reaching than even GDPR, which is interesting.
So in many ways and there’s the concept of personal information itself is actually quite much, much more broad under CCPA, in my estimation, than under GDPR, so it actually I think is a more challenging law probably in some ways to comply with and more protective of consumers or individuals than even GDPR.
Daniel B. Rodriguez: Let me press you on that point about the opt-in, opt-out, because one thing we know from what we all receive and consumers receive whether you’re talking about shrink-wrap licenses or what we used to call in the olden days contracts of adhesion and all that is that consumers rarely read the fine print. We click constantly on just to get to the next page and even when the information is provided before us. We know that about human nature, consumer behavior and the like.
So is there a concern or do you have a concern that in some sense maybe because of the opt-out nature of CCPA, the vast majority of consumers won’t pay any attention? We will just see this as again like shrink-wrap license or something that is just not worth their time, in which case their privacy is I mean maybe you say they’re voluntarily taking that chance but their privacy won’t be protected.
James Snyder: Yeah, I think it’s entirely possible, but I think that to really comply with CCPA at its core just for using an example of a website. Every single website page needs to have a link basically at the bottom or somewhere on the website that allows a consumer to have information as to how what information is being collected from them and how to opt-out.
So we’re not really seeing a lot of businesses do this yet. If you’re on the internet you’re not seeing this yet but this is — it’s coming and it is a requirement. So I think more and more it’s going to have consumers become more aware of oh what information really are you collecting about me and how long have you been collecting that and who are you giving it to and I think it’s just going to sort of bolster the opportunity to have a conversation about it and I think it will grow from there in my opinion.
(00:14:55)
Timothy Blood: And I think that’s right. I mean I’m a consumer protection advocate, so I think the opt-out feature of the CCPA is by far its biggest flaw and you’re absolutely right. It’s not a matter of not caring, it’s a matter of being busy doing other things in their lives to dig in and actually opt-out. And for some websites, it’s more difficult than others to opt-out, it can be very confusing.
I personally spend a bunch of time opting out of things in large part because I’m curious about it and some are very confusing, but that’s going to change over time. I think it’s going to get easier and more straightforward and as the CCPA is around us all the time, a lot more people are going to become more educated about it.
And people really do need to be more generally educated about online privacy and what’s really at stake, because most people today still do not have a fine appreciation of what’s at risk. They know something’s out there, they know something’s wrong, they don’t like it but they’re not quite sure what it is.
James Snyder: Yeah and you know I think just to kind of add to this, I mean there are some practical nuances that we sort of have to think through. There’s concept of a cookie right, which is a small file stored on a user’s computer, a consumer’s computer as it were that helps basically you not have to fill in your password maybe or your username but it also tracks you and those are used and sold, it’s personal information.
And in many cases, they’re technically required. There’s instance where the website just won’t work if you don’t — if the cookies aren’t collected. So you may have the ability to opt out and that’s fine. But you may not be able to use the service either and there’s in some instances that may be because the business is prohibiting your use and we can talk about that a little bit more in terms of being discriminated against.
But in some cases just technically it breaks, it doesn’t work. So there are some things we sort of have to accept I guess to a certain extent in terms of what information really can be opted out of in order to use what the service we’re looking to use online.
Daniel B. Rodriguez: Much more to discuss. Before we move on, we’re going to take a quick break to hear a message from our sponsors.
[Music]
Daniel B. Rodriguez: And we’re back. I’m here with James Snyder and Tim Blood talking about CCPA and data privacy. So one of you at the beginning of the show talked about one of the motivations behind CCPA being greater concern with data privacy and of course, the debacle involving Cambridge Analytica.
But I want to push on that because it’s still not clear to me how the CCPA if at all solves that dilemma. And so let’s dig into that particularly in connection with Facebook. So here you have a company Facebook, where free service is offered in exchange for marketing information and ad platform.
So the question I want to ask first is if consumers opt-out can they be denied that free service?
Timothy Blood: I don’t think they can be denied. I think that would be in violation of the anti-discrimination provisions of the CCPA, because of course, Facebook is not actually free. Facebook wouldn’t exist if it was free. What they are doing is they are allowing you to use the Facebook platform but they are getting in return an enormous amount of personal information about you and that personal information is really the payment for that access to the platform.
James Snyder: From my vantage point, I think the devil is in the details, my clients tend to be, not Facebook but companies like Facebook, technology companies and I agree in the sense that if there’s a discrimination and there’s a benefit, there’s consideration essentially they’re using the data, then I totally agree with Tim.
I think it’s going to be case by case specific if there’s some sort of free service that’s being offered and there’s no data being collected or it’s all aggregated, which is all exempt from under the CCPA and maybe, maybe not. I don’t know. But I think it’s interesting, it’s something for companies to think through, but I think certainly as companies shouldn’t rest on their laurels and think there’s some sort of safe harbor because it’s a free service. I think that would be a mistake.
(00:20:00)
Daniel B. Rodriguez: Well of course, the ambiguity or the uncertainty could be resolved, couldn’t it, if part of the proposed regulations. We’re right in the period right of regulations could answer this question definitively. So I’m sort of curious why this wasn’t wrestled to the ground if not in the statute then in the proposed regs?
Timothy Blood: Well I think with the statute, I mean statutes being statutes they are by their very nature of general applicability and you have a statute overlaid in an area that is exceedingly complex and also ever-changing. I mean the technology that exists today is far different than the technology that was used five years ago and that’s going to continue.
And so the regulations become exceedingly important and they can also become very complex because they’ll need to address a whole host of different situations and the best regulations will address future applications of technology. But those regulations over time are going to need to be updated, they’re going to need to be revised, they’re going to need to be expanded to address things that people writing the regulations have not yet thought about.
James Snyder: Yeah and if I can just add on to that, I think it’s important I note that the Act was put into place in I think seven days. I mean it was very, very quickly written and enacted if my memory serves and with that there were a whole slew of typos and errors in the actual act itself and then it was a string of amendments after the fact and in some ways, a lot of things were proposed and either died or didn’t make it before the end of the session.
But I think in my estimation you’ll see more changes in the next session if not for anything else then just to clean up errors and typos that still remain.
Daniel B. Rodriguez: And I suspect you’d both agree that just because a big tech as it were held their powder in the legislative debate you said it was passed unanimously, doesn’t mean that they’re in any way reticent or reluctant to engage in the political process as amendments are introduced, as regulations are proposed and all of that, right?
Timothy Blood: Yeah, that’s right and in fact last year there were a very large number of proposed bills mostly by business that sought to change the CCPA. For the most part those bills were unsuccessful. It was really just some narrow sort of cleanup issues but the business community is going to continue to try to undercut the CCPA I think.
I mean we’ll continue to see that, that’s the way the legislative process is. It’s one of the big advantages to them of an initiative not being passed because if an initiative was passed, it is exceedingly difficult to change a California voter-passed initiative as opposed to a law that just passed with legislative process.
But there’s actually another initiative that Alastair Mactaggart is introducing that further refines the CCPA and that’s going to be on the 2020 ballot. So we’ll see what happens with that. I think overall it’s a better version of the CCPA from a technical standpoint that in that sense should give businesses some comfort even if they’re not necessarily comfortable with the content of the Act.
Daniel B. Rodriguez: Yeah.
James Snyder: And it is challenging for businesses really in this political climate to come out against data privacy, right, it’s just sort of — it’s not really PC and I don’t think it benefits businesses. So you’re not going to see Facebook come out and lobby outwardly to not protect people’s data, right, that that would just be bad business for Facebook. So it’s a fine line for them.
The other thing I’d say is from my standpoint given that I represent usually technology companies, I see practical nuances where businesses should probably get on board protecting more data than less for obvious reasons such as preventing data breaches, which can be very expensive and can essentially bankrupt a midsize or startup technology company before it really gets off the ground.
But in addition to that, I help a lot of clients just to negotiate with their customers, a software agreement may be as an example and a lot of — if they’re trying to do business with a big techno company as an example, those companies flow down security requirements and you have to comply with certain standards ISO and SOC 2, etc., around financial information, all post Sarbanes-Oxley and I think you’re going to see the same sort of standards be implemented in probably the next couple of years with respect to data privacy and they’re going to be flowed down from the big companies because these companies want to do business with them.
So I think it’s just starting to do it now is just good business and in addition to that obviously there’s you’re protecting consumers’ data which is good business and you can market it that way.
So I think there are some practical nuances on both sides where it benefits the consumers and I think it benefits businesses to sort of thinking ahead and implementing, stringent requirements as they can.
Daniel B. Rodriguez: We’re already seeing that start to happen in Europe with the GDPR, right, involuntary standards and efforts.
James Snyder: Absolutely.
Daniel B. Rodriguez: People want it and so naturally whenever there’s a new law put into place especially something that’s complex is this, right now we are living through the greatest time of uncertainty in cost.
(00:25:03)
But eventually we’re going to work through all these uncertainties and the sort of fixed costs aspect of this and it’s going to become normalized and nobody will be really complaining so much about compliance with the CCPA.
So the challenge of course as with any big law going into effect is getting through the implementation stage.
James Snyder: Right, right. And I think right now just to add to that real quick, I think right now it’s tougher on smaller businesses, because I think big businesses as they have the resources to sort of you can throw at this and they can eat the cost upfront and over time it’s just easier for them. So I think small businesses and also technology startups or late stage startups which we have a lot of them in California, it’s going to be harder on them initially.
But I think over time what you’re seeing is these third-party vendors that are coming out that are providing solutions now that I think will drive the cost down. I don’t think probably in the next couple of years the cost of implementation is going to exponentially be diminished.
So I think we’re getting there and eventually it’ll be a lot easier to sort of comply with the law.
Daniel B. Rodriguez: So the conversation we’ve been having exists in the shadow of uncertainty also about enforcement. I’m also struck from what I’ve read is that the Attorney Generals will slow out of the gate, right, in the first few months in exercising enforcement prerogatives. First of all is that a correct description? And second why is that? If so, why is that?
I want to turn to the private right of action in a moment but just focusing on implementation and enforcement at the AG’s level what are we seeing?
James Snyder: Sure. So the AG has had about a year and then they’re going to have another six months to both come up with regulations and during the first six months of 2020, there is a no-enforcement period and then enforcement is scheduled pursuant to the CCPA to start taking effect after July 1.
In practice, that’s not really going to happen. The AG like any government agency has a set budget, they have been given a very small amount of money to do everything that they are obligated to do under the CCPA which is a lot, but the reality is they have only a couple of people dedicated to the CCPA and they’re really busy with coming up with regulations and working through the initial implementation.
And really no money for enforcement and that’s likely not going to change in any significant way for the foreseeable future. So I think there’s a big question about whether we will see any AG enforcement whatsoever of the CCPA, other than maybe sort of really dramatic sort of a poster child of a bad actor.
Daniel B. Rodriguez: Yeah Cambridge have Analytica in California which we all know.
James Snyder: Exactly.
Daniel B. Rodriguez: So that gets us to just a very unique unusual feature of this statute which is private right of action, right, the ability of consumers to go directly to court. So I noticed again you read the fine print it is a private right of action but it’s also capped, right, in terms of damages and pretty severely.
So tell us what your hopes and dreams are with respect to this private right of action and how you think that will affect enforcement?
Timothy Blood: So this only applies to data breach cases. So when there’s a data breach case like the Equifax case something like that or the Target data breach or any of the other number of data breaches that we’ve seen. And data breach cases are really unique animals. They’ve been around for quite a while now and mostly in Federal Court and what we have seen is years and years and years of litigation over things like whether the plaintiff has standing to sue in Federal Court to even bring the claim.
And then if they can bring the claim what is the cause of action. We are slowly moving towards some degree of uniformity with regard to what cause of action somebody could even bring although that varies from circuit to circuit and in some places, district court to district court about whether somebody has any cause of action and if so what that cause of action is.
And that’s before you even get to issues like can you get a class certified and what the remedies are. So the CCPA is designed to solve a lot of those really vexing problems. So it provides for statutory damages or actual damages whatever is greater.
Daniel B. Rodriguez: Does it solve all the standing issues? Are the standing issues pretty straightforward?
Timothy Blood: Yeah so this should solve the standing issues because now the legislature has said, yes people are harmed and we are providing a statutory remedy to address that specific harm, so that should be sufficient to provide standing in Federal Court where a lot of these cases are going to end up.
It’s certainly sufficient in the Ninth Circuit, the Seventh Circuit a number of those circuits and then even in the more challenging circuits, this should be enough to confer Article III standing on the litigant.
Daniel B. Rodriguez: Assuming no continuing tightening up of standing requirements by the Supreme Court, which is a whole another conversation.
Timothy Blood: Yeah, but it was I mean we drafted it to specifically address issues with the Spokeo Supreme Court case which essentially says if it’s statutory damages that are untethered to any actual harm they’re just a penalty, then there’s no Article III standing.
(00:30:06)
But there’s plenty in the CCPA that answers that question and so under Supreme Court precedents, we’ll see, but I think there’s a very strong likelihood that Federal Courts will find that a plaintiff would have standing.
Daniel B. Rodriguez: Well, let me ask you about the issue the other way around and one of you noted the fact that they’re not all big tech companies we’re talking about here some are so-called mom-and-pop operations. Does the private right of action and the penalties that are provided risk really going overboard, putting a lot of these mom-and-pop operations at real risk for what might be negligent but it’s not Cambridge Analytica, it’s an honest mistake?
Timothy Blood: I mean two comments to that. One is the private right of action only applies to companies that are that have gross revenues of $25 million or more.
Daniel B. Rodriguez: Okay well answer to that question, yeah.
Timothy Blood: And then effectively data aggregators. So it prevents a company from starting a small spin-off with low revenues but that’s what the business 00:31:03 is doing.
Daniel B. Rodriguez: Got it.
Timothy Blood: So no, so that shouldn’t be a problem. Now could the damage amounts get very, very large in a large data breach and threaten the viability of the company. In theory yes, however having a statutory penalty or statutory damage provision in a statute is nothing unique to the CCPA. Those provisions have been around for a very, very long time. In the data protection realm California has the Medical Information Act which provides for $5,000 per violation damages. And we have not seen any medical providers go out of business in the event of a data breach in the medical field, in the medical arena.
So both litigants and courts have a long history of dealing with those sorts of issues in a very reasonable, I think responsible manner that prevents companies from actually being wiped out and ends up being sort of a Chamber of Commerce talking point if you will but nothing more.
James Snyder: Yeah and the other thing is that there is a cure period offered under the Act which doesn’t necessarily alleviate damages necessarily, but the point is that if there’s a some sort of issue the consumer is raising and as an example, aside from a breach, let’s say a business isn’t producing the information that the consumer is asking for, the business does have a 30-day period by which to cure its defect under the Act.
And in addition to that, there was also requirements to verify that somebody is who they say they are when they’re asking for data and that’s obviously important because we’re talking about confidentiality and personal information. So I think that it’s going to be an interesting nuance in the law, as the progress in the law and how things are actually happening in practice because I think you’re going to see in some ways, you are going to see some businesses kind of drag their feet and abuse this verifiable request procedure which is not really described very well into the Act anyway.
In other cases, I think you’re going to find that people just give up, I think probably is practical. So it’s kind of aside from what we were talking about, but I think those nuances with how long the business has to sort of provide information first off and then if they don’t do it, then they’re giving an opportunity to fix what they didn’t do as well and then only then is there really going to 00:33:19 are going to be damages, unless we’re talking on a breach, which is different.
Daniel B. Rodriguez: So, let me ask one last question to the both of you just taking the lens a little bit back from the details of the statute, which is a statute passed by one state, a massive state to be sure but just one state. Is it your prediction and do you think that we’re going to see federal legislation and if we see federal legislation dealing with these issues, is it going to look a lot like CCPA, is it going to be different, will there be a period of time of experimentation to see how things work out in California?
What do we see in terms of the landscape of data protection throughout the United States, whether in different states or at legislation at a federal level?
Timothy Blood: Well I think it is entirely possible and it’s really my hope that the CCPA ends up effectively becoming the law of the land even if it’s not specifically the law of the land and I would liken it to California Emission Standards which are higher than the federal standards but yet followed by auto companies across the country and up until recently really more for political reasons than anything else that has worked very well.
Now that said, there are various bills and hearings being held on this very issue on Capitol Hill where those go it’s really I think at this point anyone’s guess. Is it going to be legislation that is aimed at preempting and curtailing consumer protections and privacy protections or is it going to be something more like the CCPA that just adopts a standard nationwide.
I think given the political climate I think it is unlikely to be a federal version of the CCPA but that also increases the chance like we’ve seen a lot with a lot of legislation over the last number of years of just nothing happening coming out of Congress. But really that’s the big question mark.
(00:35:02)
James Snyder: Yeah and I think again to hit on the point earlier, there’s 20 plus states right now that have either enacted or are enacting some semblance of data privacy regulations. None of which have been quite as stringent as CCPA but there have been New York is an example that didn’t go through but it was much more far-reaching actually than the CCPA.
So you could see states that go even beyond possibly and I think there’s a lot of really good reason from the business community standpoint to have one standard and whether that’s CCPA or whether it’s a federal standard that matches CCPA. I think it actually behooves the business community to have a standard that they know what rules to follow and I think in terms of you know the political climate, I just don’t see big technology outwardly going against data privacy. I think it’s bad business and I have seen Facebook with the FTC in the last year, heavy fines of course, a pittance given the annual revenues of Facebook but still I mean larger sums of money related to data breaches.
So I think that that will continue and I think there probably will be some poster children for CCPA in the next — well in the near term.
Daniel B. Rodriguez: Well, it looks like we’ve reached the end of our time together for this episode. I want to thank James Snyder and Tim Blood for being our guests on this fascinating episode.
If our listeners have questions or wish to follow up, James, first, how can they reach you?
James Snyder: Yeah I can be reached at [email protected], that’s [email protected].
Timothy Blood: And I can be reached at [email protected], that’s [email protected].
Daniel B. Rodriguez: Great. Thank you, and thanks to our listeners for tuning in. If you liked what you heard, please rate and review us in Apple podcasts, Google podcasts, Spotify or your favorite podcasting app.
Until next time, this has been Dan Rodriguez on Law Technology Now.
[Music]
Outro: If you would like more information about what you have heard today, please visit legaltalknetwork.com. Subscribe via iTunes and RSS. Find us on Twitter and Facebook or download our free Legal Talk Network app in Google Play and iTunes.
The views expressed by the participants of this program are their own and do not represent the views of, nor are they endorsed by Legal Talk Network, its officers, directors, employees, agents, representatives, shareholders, and subsidiaries. None of the content should be considered legal advice. As always, consult a lawyer.
[Music]
Law Technology Now
Law Technology Now features key players, in the legal technology community, discussing the top trends and developments in the legal technology world.