Is the California Consumer Privacy Act Part of a Trend?

Episode Notes

Transcript

Digital Detectives

Is the California Consumer Privacy Act Part of a Trend

07/24/2018

[Music]

Intro: Welcome to Digital Detectives. Reports from the battlefront. We will discuss computer forensics, electronic discovery and information security issues, and what’s really happening in the trenches; not theory, but practical information that you can use in your law practice, right here on the Legal Talk Network.

[Music]

Sharon D. Nelson: Welcome to the 93rd edition of Digital Detectives. We are glad to have you with us. I am Sharon Nelson, President of Sensei Enterprises, a digital forensics, cybersecurity and information technology firm in Fairfax, Virginia.

John W. Simek: And I am John Simek, Vice President of Sensei Enterprises. Today on Digital Detectives, our topic is, “Is the California Consumer Privacy Act, the start of a Trend.”

Sharon D. Nelson: Before we get started, I would like to thank our sponsors. We would like to thank our sponsor SiteLock, the global leader in website security solutions. Learn more at sitelock.com/legal/digitaldetectives.

We would also like to thank our sponsor PInow.com. If you need a private investigator you can trust, visit pinow.com to learn more.

John W. Simek: Our guest today is Scott Pink. Scott is a special counsel in the Data Security & Privacy practice at O’Melveny & Myers LLP. In this role, he advises media, entertainment, and consumer product companies on social media law, cybersecurity and privacy, marketing, and intellectual property. A former general counsel for a major media company, Scott has recently represented cutting-edge life science, biotech, and other companies on privacy and security policies and issues.

Thanks for being with us today, Scott.

Scott Pink: Thanks for having me.

Sharon D. Nelson: Well, Scott, there’s been quite a lot of headlines about the California Consumer Privacy Act, but not many people actually know much about it. Can you tell us what the impetus for the Act was?

Scott Pink: Well, the impetus in one way was a response to a ballot initiative that was scheduled for the November ballot which was designed to provide consumers more control over their privacy, and there was some concerns about the scope and extent of that initiative for businesses, so the Legislature decided to craft a version of that law that was in their view more well thought-out. So, the impetus in general was responding to that ballot initiative. I say behind that it was the concern that consumers needed more control over their data in light of recent data breaches and recent disclosures about how certain companies are using people’s data without necessarily their knowing it.

John W. Simek: Well, Scott, I think typical with legislation. We always get two sides and there’s always an opponent. So, can you tell our listeners who the opponents were and what their arguments were to this Act?

Scott Pink: Well, interesting thing is, normally it would be — industry would be sort of opposed to this kind of legislation, the tech industry being concerned about not so much providing consumers control of their privacy, but just having a regulation that was too onerous.

I think industry was prepared for some form of legislation, but I think they are concerned about making sure whatever legislation is and acted as legislation that can be readily complied with and won’t be too difficult to administer from a practical point of view.

So, I think that’s what the industry was focused on and I think will continue to be focused on as the Attorney General so as to implement regulations under this new law.

Sharon D. Nelson: Can you tell me when was the Bill signed into law and when does the law become effective?

Scott Pink: It was signed into law on June 28 of this year and it doesn’t take effect however for another, say 18 months or so, January 1, 2020. So, companies will have some period of time to get organized and get their procedures and policies in place to become compliant by the effective date. But during that time the Attorney General will likely be issuing some regulations to clarify certain aspects of the law so that companies have better guidance on what they need to do.

Sharon D. Nelson: I got the feeling when I was reading the news reports that something like that would be very helpful, so I’m glad to hear that they are going to get some further guidance, because I think when a new law like this is passed, if you don’t shine a light on the practicalities of it, it just doesn’t achieve the results that were intended.

Scott Pink: Yeah, I agree with that and I think that I’ve been a challenge for companies trying to comply with the general data protection regulation in Europe and that is a very extensive law, but it is much more difficult to take laws that were written sort of more generally and then apply them to the myriad of different situations in which data is handled. So, I think you’re going to see somewhat — may be the benefit of companies having gone through GDPR and understanding what can practically be accomplished under these situations.

(00:05:01)

John W. Simek: Well, Scott, I know that we are probably going to get a detailed answer from you on this one, but what are the rights that were granted to the citizens of California under this law?

Scott Pink: So, there are variety of rights that the California Legislature recognized in part as extensions of the right of privacy that exist in the California Constitution, and let me start first with what this covers. It covers personal information which people generally understand the main things like your name, your address, your Social Security Number, your driver’s license, but what’s interesting here is the California Legislature has developed what might be viewed as one of the more expansive definitions of what could be included within the definition of personal information.

So, for example, they specifically include commercial information, including records of personal property, biometric information; the information like retinal scans and fingerprint scans. They include things like your Internet or electronic network activity, your browsing activity, your search history. Those are things which never have been really specifically defined as personal information but will be under this new law.

In addition, they include audio, electronic, visual, thermal, olfactory, and similar information. Now that’s a mouthful, but that’s basically a lot of tips and things could be covered within that, and that’s something I think the Attorney General is going to have to clarify what exactly are we talking about in terms of thermal; for example, thermal information, that’s probably something like the temperature which you keep your thermostats during the day possibly.

It’s a much more expansive definition of personal information, which I think will make it more challenging for companies to identify what exactly we have in each of these categories because now traditionally companies were looking at things such as name, email address, address. Things that are more specifically identifiable but now we have all these other categories that need to be taken into consideration. In addition to that there are sort of three main lights. I suppose that are officially or formally recognized under California law under this Act.

One is a right of transparency, that’s essentially the right to find out what information is being collected and to whom you are disclosing it to; so a much more specific right to demand that information. Heretofore, California didn’t really have that right to ask what information a company has on you, now you have that right.

There’s a right of deletion. Now, that’s a right that the Europeans have recognized for some time now under this concept called right to be forgotten and it’s not a concept that really exists under US law. Under US law you can more or less keep data as long as you really want, but this law would require a company to delete information upon request of a consumer, and this is probably one of the more challenging aspects of the law as how do you locate, identify and delete information?

The good news I think — if there is good news here, is that the Legislature in this particular light has recognized a number of exceptions and a number of bases on which you can continue, you can retain information to try to ease the burden on companies and to prevent this kind of light making it very difficult to do business. So, it’s an important right, it’s a right that companies will now need to be in a position to respond to but it is somewhat softened by some of the exceptions in the law.

The third right, and this is one that I think was important to consumers and certainly to public interest groups is the right to opt-out of sales of personal information. There was some concern that companies were collecting and then reselling personal information without the consumer really having the ability to either know about it or control that process. So now there is a right to opt out of those sales, but this doesn’t necessarily cover all types of use of personal information. So you need to really understand if you’re a company whether or not what you’re doing is a sale of personal information. But there is now a new requirement to give consumers the right to opt out of and you have to act upon that request. So those are the main rights that have been enacted.

The law also recognizes that in certain circumstances consumers can bring a lawsuit if companies fail to abide by the requirements of this new law. So there are actually some potential teeth in it if a company fails to comply.

John W. Simek: That’s interesting when you mentioned thermal, Scott, and you immediately went to the thermostat and then the nest kind of devices, and when I heard that my first thought was, geez, thermal imagery, they are tracking my thermal signature through a house or something, so.

Sharon D. Nelson: We actually have seen the use of thermostats used as a weapon where somebody has remotely kicked up the heat or whatever in order to cause the ex-spouse to pay a lot of money, if they knew they were out of town or something like that. So, it’s a crazy world we live in, isn’t it?

(00:10:09)

Scott Pink: Yeah. Well, I think thermal is not really defined, so yes, it could include all those different things and it’s up to the imagination, I suppose.

John W. Simek: Well, I’m glad we’re going to get some potential clarification though; it sounds like.

Scott Pink: Well, let’s hope so. That’s one that — when I read it, I thought that some more clarification on what’s meant by, for example, thermo — are we talking about thermostats, are we talking about heat imaging, and what exactly are we getting out there.

John W. Simek: Right, right. Well, before we move on to our next segment, let’s take a quick commercial break.

[Music]

Advertiser: At least 80 of the 100 biggest law firms in the country have been hacked since 2011. Protect your firm and your clients from cyber attacks with SiteLock. Their industry leading cloud-based suite of website security solutions includes website scanning, web application firewall, including Distributed Denial of Service mitigation, and 24×7×365 US-based customer support. Give your firm and your clients peace of mind knowing their information is secure. Learn more at sitelock.com/legal/digitaldetectives.

[Music]

Does your law firm need an investigator for a background check, civil investigation or other type of investigation? PInow.com is a one of a kind resource for locating investigators anywhere in the US and worldwide. The professionals listed on PInow understand the legal constraints of an investigation, are up-to-date on the latest technology, and have extensive experience in many types of investigation, including workers’ compensation and surveillance. Find a prescreened private investigator today. Visit www.pinow.com.

[Music]

Sharon D. Nelson: Welcome back to Digital Detectives on the Legal Talk Network. Today, our topic is, is the California Consumer Privacy Act, the start of a trend? Our guest today is Scott Pink, a special counsel in the data security and privacy practice at O’Melveny & Myers, LLP.

So, Scott, I think people are always concerned, especially little businesses, does this horrible law that impacts so much, it will make me do all these things, does it apply to me and they don’t know what kind of businesses. So, what kind of businesses does this law apply to?

Scott Pink: Well, it applies to all kinds of businesses in the sense that there’s not really industry specific businesses, but there are some thresholds that have been built into the law to sort of, I guess, in some sense, respond to the concerns of a small business and the ability to be able to comply with this kind of the law.

So there are some thresholds and more or less is designed to imply this to larger institutions, I would say. So there are three thresholds that have been baked into the law and what you have to meet one of those three. So, one is that your annual gross revenues — well, first of all back up a minute, you have to do business in the State of California. If you’re not doing business in the State of California, this law doesn’t apply to you.

So, assuming you’re doing business in the State of California and you’re collecting data from personal information from a California consumer, then the next test is, do I meet one of these three sort of size threshold? And one threshold is, do you have annual gross revenues in excess of $25 million? So, that’s a fairly sizable company.

The second is, do you alone or in combination annually by or receive for business commercial purposes the personal information of 50,000 or more consumers, households or devices? That’s an interesting one. So, if you collect, you can look — it’s three different things.

So, it’s 50,000 or more consumers, so if you have 50,000 or more California consumers then arguably this law would apply to you. But it could also be 50,000 or more devices or 50,000 or more households. So, I think there’s going to need to be some clarification there.

I think the terminology “or” means it has to be one of those three, not necessarily the combination of all three of those. That means you have to have 50,000 or more consumers or 50,000 or more households or 50,000 or more devices, you would add up 20,000 consumers, 20,000 households, and 10,000 devices to get 50. So, the threshold is 50, but it’s three different kinds of things that could meet the threshold.

Sharon D. Nelson: I read the law exactly as you stated it, that it had to be one of the three and any one of the three would trigger your obligations. Do you think that’s correct?

(00:14:57)

Scott Pink: Yes, that’s the way I read it.

Sharon D. Nelson: Okay.

Scott Pink: And what’s interesting is the term “device”, so you could have 50,000 or more devices in — that you’re collecting personal information from but 20,000 consumers potentially. So, if you had two devices in a house, so that’s a lot to see where that kind of plays out. But they’ve introduced these other concepts of households and devices that normally I’ve not seen in other privacy laws.

The third threshold is, I think you derive 50% or more of your annual revenues from selling consumer personal information. So, that’s a completely different threshold that doesn’t really depend on the number of consumers or the amount of revenue. So you could be a smaller company but if most of your revenue is from selling consumers’ personal information, then 50% or more, then you’re subject to this law.

John W. Simek: So, just a follow-up, Scott, in what you said, doing business in California, so then I might understand that I don’t have to be based in California but if I serve California residents that whatever the threshold is at, 50,000 or whatever, then this law would apply to me then, potentially; correct?

Scott Pink: Yes, I think the question will be what does business in California mean? But if you’re selling — suddenly if you’re selling products to consumers in California and you’re likely to be considered doing business in California and if you’re collecting 50,000 or more — information from 50,000 or more consumers in California, you’re likely doing business in California.

But, it is a separate analysis, and again, the law doesn’t really define what does business means. The term “does business” has different meanings depending on what law you’re talking about. For example, in tax law, it has a certain meaning, corporate law has a certain meaning, so it may be up to the AG to define what it means here.

I would say it would require probably some activity directed towards California.

John W. Simek: So, Scott, what obligations do businesses have now without this law?

Scott Pink: I mean, they generally have an obligation at least on the California law to have a privacy policy that describes their data collection processes information practices and they have a requirement under California law to have reasonable security for the personal information. And there are sort of a myriad of other laws that apply to personal privacy laws relating to security breaches and laws relating to how to handle credit card information and laws relating to Social Security Numbers. But, it’s kind of a hodgepodge, there’s no law right now that has these specific rights baked into it.

Sharon D. Nelson: I think this law is a really, really good step, but I know and you made reference to this that a lot of the businesses think that these obligations are going to be very burdensome. So, it helps that the law isn’t going to come into effect until 2020, and it certainly will help if the attorney produces some regulations and some guidance for people; have you been hearing people complaining about this?

Scott Pink: I think it’s still a little bit of a ways away that most companies are concerned about it. I wouldn’t say complaining necessarily but are concerned about it and want to understand it what it means, but it’s still a bit in the future.

There are a lot of companies that, at least larger ones that might be affected by this law, that are doing business in Europe or at least believe they have to comply with the European Data Protection Regulation or GDPR, and to the extent that they have done that work, they are probably a little less concerned about this because this does in some ways mirror a lot of what you have to do in a GDPR.

So, I think for those companies this is just merely an extension of the work they’ve already done, but certainly there are going to be a lot of companies that haven’t — are compliant with GDPR may not even know what it means that are more California-focused, maybe just more US-focused and will have to think about how am I going to comply with these very specific regulations.

But since it’s a year-and-a-half away and there’s no regulations there at this point, I think a lot of companies are still doing a little bit of a wait and see.

John W. Simek: They’re going to wait and see the implement like they waited and see the GDPR, Scott, you think?

Sharon D. Nelson: Oh, exactly, exactly. You know they will, John.

Scott Pink: Well, I think they’ll wait and see if there’s any issues, any regulations or guidance, or if there are further modifications, but there are — yes, definitely a lot of companies sort of waited to the last minute to, maybe ours, even waking up now to GDPR.

John W. Simek: Well, Scott, what are your thoughts? Do you think other states are likely to adopt similar laws, why or why not?

Scott Pink: I think some states will. I think some states will see — will probably want to respond to California’s lead; California often is the lead in these areas, but I don’t think it will be in rapid succession like the security breach disclosure laws. I think the timing will be maybe over the next year or year-and-a-half, maybe see a couple of states adopt something like this and maybe not quite this abroad, but I could see that happening in the next couple of years.

(00:20:03)

But I don’t think you’re going to see 49 states adopting this in the next year-and-a-half; I think it’s going to take some time.

Sharon D. Nelson: Well, as a final question what I’ve heard a lot is that the fact that we have all these different data breach notification laws, that’s been very cumbersome because you have all these State laws you have to comply with. So, I wondered when I was reading the original article about this, I said, well, why isn’t there a Federal law covering these rights so that you only have to comply with one law and not all 50? Wouldn’t that make more sense, what do you think, Scott?

Scott Pink: Well, I think that there are Federal laws that apply in certain sectors like HIPAA in the healthcare area and Gramm-Leach-Bliley which applies to the financial institutions, and I think those have been very helpful to companies operating those industries because they have one standard, they have to worry about more or less.

I think it would make some sense if there’s going to be legislation on this point to have sort of a consistent set of standards nationwide because it’s going to be practically difficult, very difficult to honor this just for California but not for another State. I don’t know it may be possible, but I don’t know if companies are going to want to do that, they’re going to want to make sure that they are applying the most practical solution, which is the same one for everybody.

So, I think a Federal law would certainly to the extent there is legislation or regulation on it, I think a Federal or nationwide approach would make some sense but I know what you have to see is taking a look at, in the fall I believe they’re having hearings that were examined among other things, the impact of laws like this on commerce, in general, and whether these are good laws, whether this should be a unified standard that applies across the country.

So, I don’t think — I don’t expect anything soon or in the next year, but I think you could possibly see some more activity by Congress maybe in 2019, if they’re going to consider it, that would be the time before this law takes effect.

Sharon D. Nelson: Well, activity by Congress; yeah, maybe; and I’ll leave it there.

Scott Pink: Sharon, you notice we don’t have a Federal Data Breach Notification law.

Sharon D. Nelson: Well, that’s what I was going to say. I mean, how many years have they proposed that and they haven’t been able to get that, but then an activity in general out of Congress is not something we’ve grown used to.

But, I really appreciate your thoughts today, Scott. Your expertise here has been very useful, and this is a law that it got a lot of headlines initially, but I think people aren’t really looking at it a lot yet as you say it’s somewhat in the future, but it is certainly something that every State is going to be considering and something that lawyers certainly need to have a feel for what this law is and what else might be coming.

So, thank you so much for being our guest today.

Scott Pink: My pleasure. Thank you for having me.

John W. Simek: Well, that does it for this edition of Digital Detectives. And remember, you could subscribe to all the editions of this podcast at legaltalknetwork.com or on Apple Podcasts. And if you enjoyed our podcast, please rate us on Apple Podcasts.

Sharon D. Nelson: And you can find out more about Sensei’s digital forensics, technology and cybersecurity services at senseient.com.

We will see you next time on Digital Detectives.

[Music]

Outro: Thanks for listening to Digital Detectives on the Legal Talk Network. Check out some of our other podcasts on legaltalknetwork.com and in iTunes.

[Music]

Continue Reading