Marriott recently won dismissal of a proposed class action data breach lawsuit alleging several violations, including a violation of the California Consumer Privacy Act (CCPA). The case, Arifur Rahman v. Marriott International, Inc. et al., Case No.: 8:20-cv-00654, was dismissed in an Order by U.S. District Court Judge David O. Carter on January 12, 2021.

The Plaintiff in the lawsuit alleged that he was a member of a “class that were victims of a cybersecurity breach at Marriott when two employees of a Marriott franchise in Russia accessed class members’ names, addresses, phone numbers, email addresses, genders, birth dates, and loyalty account numbers without authorization.” Marriott admitted there was a breach, sent letters to affected individuals, and confirmed that no sensitive information, such as social security numbers, credit card information, or passwords, was compromised.

The matter was dismissed because the Court found that it lacked subject matter jurisdiction, as the Plaintiff lacked standing to sue. The Court was clear that in the 9th Circuit, the sensitivity of the personal information, combined with its theft, is a prerequisite to finding that plaintiffs alleged injury in fact. Injury in fact is one of the three elements necessary to support Article III standing.

The data breach in this case affected approximately 5.2 million Marriott customers, but the information accessed by hackers was not “sensitive information,” which was a required element to be able to continue the lawsuit.

On December 11, 2020, California Attorney General Xavier Becerra released the fourth set of proposed modifications to the regulations of the California Consumer Privacy Act of 2018 (CCPA). This fourth set of proposed modifications responds to comments received on the third set of modifications, which was released on October 12, 2020. According to the update released with the proposed text, the changes include:

Revisions to section 999.306, subd. (b)(3), to clarify that a business selling personal information collected from consumers in the course of interacting with them offline shall inform consumers of their right to opt-out of the sale of their personal information by an offline method; and

Proposed section 999.315, subd. (f), regarding a uniform button to promote consumer awareness of the opportunity to opt-out of the sale of personal information.

The text of the proposed modifications can be found here. Probably the biggest news for the opt-out option is the proposal to include an opt-out button, which may be used in addition to posting the right to opt-out, but not in lieu of any requirement to post a “Do Not Sell My Personal Information” link. The proposed regulations state that if a business posts the “Do Not Sell My Personal Information” link, then the opt-out button shall be added to the left of that text.

The proposed modifications also add language stating that submitting requests to opt-out shall be easy for consumers to execute and shall require minimal steps. Businesses are not to use confusing language for opt-out requests or to require consumers to click through or listen to reasons why they should not submit a request to opt out. Businesses may not require consumers to provide personal information that is not necessary to implement the request, nor can a business require the consumer to search or scroll through the text of a privacy policy to locate the mechanism to opt out. In short, the proposed modifications appear to strive for a simple process with minimal steps for consumers to opt out of the sale of their personal information.

The Attorney General’s Office will accept written comments on the proposed changes to the regulations until 5:00 p.m. on December 28, 2020. Comments may be sent by email to PrivacyRegulations@doj.ca.gov or by mail at the address contained in the notice of the fourth set of proposed modifications.

The California Consumer Privacy Act (CCPA) requires businesses covered by the CCPA to notify their employees of the categories of personal information the business collects about employees and the purposes for which the categories of personal information are used. The categories of personal information are broadly defined in the CCPA and include personal information such as medical information, geolocation data, biometric information, and sensory data.

As a result of the COVID-19 pandemic, many businesses are conducting screenings of employees for COVID symptoms. In many states, it is either required or recommended that businesses conduct such screenings of employees prior to entering the workplace. These employee screenings vary across the country, but many include documenting an employee’s temperature, whether they have any COVID-related symptoms or exposure to individuals with COVID-19, or whether they have traveled out of state or out of the country. States also vary in the method of collection of this information, with employees completing a written questionnaire via email, text, or mobile application. COVID-19 screening and temperature data are recorded and kept daily to demonstrate compliance with state and local public health requirements.

So, what does this mean for CCPA compliance? None of us could have predicted a year ago that employers would be collecting temperature data, lists of symptoms, and travel information from our employees. If you drafted your CCPA employee notice prior to the start of the pandemic, you may want to review the categories of personal information you now collect in light of these COVID-19 data collection requirements and recommendations. For example, depending upon the type of temperature check, this data could be considered biometric information or sensory data. Your employee notice may also need to disclose how such categories of personal information are used by the business, such as to comply with state and local public health requirements.

While the CCPA requires notice to employees of the categories of data collected, in light of the pandemic, businesses may wish to review their employee notice to determine if it needs to be updated to accurately reflect any additional categories of personal information collected and how the business is using that personal information.

Proposition 24 is known as the California Privacy Rights Act of 2020 (CPRA). It is on the ballot in California on November 3, and if it passes it will amend and expand certain provisions of the California Consumer Privacy Act (CCPA). Some say it’s CCPA 2.0; however, there are some provisions that make the CPRA look more like the General Data Protection Regulation (GDPR) – the European data regulation that reshaped privacy rights in the European Union. Two provisions in particular are very GDPR-like: the creation of the California Privacy Protection Agency (CPPA), which will become the regulator charged with implementing and enforcing both the CCPA and CPRA, and the expanded definition of sensitive personal information. CPRA would become effective Jan. 1, 2023, with an enforcement date of July 1, 2023. Here are some key highlights of Proposition 24.

What’s new for California consumers in CPRA? CPRA creates a new category of data, similar to GDPR, for sensitive personal information. CPRA also adds several new rights for consumers:

  • to restrict the use of sensitive personal information;
  • to correct inaccurate personal information;
  • to prevent businesses from storing data longer than necessary;
  • to limit businesses from collecting more data than necessary;
  • to know what personal information is sold or shared and to whom, and to opt out of that sale or sharing of personal information;
  • CPRA expands the non-discrimination provision to prevent retaliation against an employee, applicant for employment, or independent contractor for exercising their privacy rights.

What do businesses need to know regarding CPRA? It creates a new data protection agency with regulatory authority for enforcement of both CCPA and CPRA. Some new key provisions for businesses are:

  • the CPRA creates a Chief Auditor, who will have the authority to audit businesses’ data practices;
  • the CPRA also requires high-risk data processors to perform regular cybersecurity audits and regular risk assessments;
  • the CPRA adds provisions regarding profiling and automated decision making;
  • the CPRA adds restrictions on transfer of personal information;
  • the CPRA requires businesses that sell or share personal information to provide notice to consumers and a separate link to the “Do Not Sell or Share My Personal Information” webpage and a separate link to the “Limit the Use of My Sensitive Personal Information” webpage or a single link to both choices;
  • the CPRA triples the fines set forth in CCPA for collecting and selling children’s private information and requires opt-in consent to sell personal information of consumers under the age of 16;
  • the CPRA expands the consumer’s private right of action to include a breach of a consumer’s email address and password/security question and answer.

The CPRA also changes the definition of “business” to more clearly define the annual period of time to determine annual gross revenues, which specifies that a business must comply with CPRA if, “as of January 1 of the calendar year,” the business had annual gross revenues in excess of twenty-five million dollars “in the preceding calendar year,” or alone or in combination annually buys or sells or shares the personal information of 100,000 or more consumers or households, or derives 50 percent or more of its annual revenues from selling or sharing consumers’ personal information.

In addition to these criteria, CPRA adds somewhat puzzling language that states that a business would also be defined in the CPRA as a person that does business in California, that is not covered by one of the criteria described above, who may voluntarily certify to the California Privacy Protection Agency that it is in compliance with and agrees to be bound by CPRA.

The CPRA adds the new term “contractor” in addition to service provider. A contractor is a person to whom the business makes available a consumer’s personal information for a business purpose pursuant to a written contract with the business. The CPRA contains specific provisions to be included in the contract terms, and the contract must include a certification that the contractor understands the restrictions and will comply with them. The CPRA adds several new definitions, including definitions for cross-context behavioral advertising, dark pattern, non-personalized advertising, and profiling, and makes some changes to the definition of personal information. The CPRA eliminates some of the CCPA language regarding the “categories” of personal information.

The CPRA also adds “sensitive personal information” as a defined term which means:

(1) personal information that reveals: (A) a consumer’s social security, driver’s license, state identification card, or passport number; (B) a consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; (C) a consumer’s precise geolocation; (D) a consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership; (E) the contents of a consumer’s mail, email and text messages, unless the business is the intended recipient of the communication; (F) a consumer’s genetic data; and (2) (A) the processing of biometric information for the purpose of uniquely identifying a consumer; (B) personal information collected and analyzed concerning a consumer’s health; or (C) personal information collected and analyzed concerning a consumer’s sex life or sexual orientation.

The CPRA retains the CCPA exemptions for medical information governed by the California Confidentiality of Medical Information Act or protected health information collected by a covered entity or business associate under HIPAA (Health Insurance Portability and Accountability Act) and HITECH (Health Information Technology for Economic and Clinical Health Act), personal information collected as part of a clinical trial or other biomedical research study, activity involving the collection of personal information bearing on a consumer’s credit worthiness, and personal information collected, processed, sold or disclosed subject to the Gramm-Leach-Bliley Act or the federal Driver’s Privacy Protection Act of 1994.

The CCPA’s limited exemptions for employment information and so-called business-to-business information are also continued in the CPRA; however, these provisions shall expire on January 1, 2023.

The CPRA provides authority for the CPPA to create extensive regulations, including a requirement for regulation of businesses whose processing of consumers’ personal information presents significant risk to consumers’ privacy or security to: (A) perform a cybersecurity audit on an annual basis, including defining the scope of the audit and establishing a process to ensure that audits are thorough and independent; and (B) to submit to the CPPA on a regular basis a risk assessment with respect to the processing of personal information.

The private right of action under CPRA is expanded so that consumers whose email address, in combination with a password or security question and answer that would permit access to the account, is breached may institute a civil action and recover damages or obtain injunctive or other relief. The CCPA 30-day cure period after notice of a breach is eliminated, and administrative fines for violation of the CPRA increase to not more than $2,500 for each violation or $7,500 for each intentional violation or violation involving the personal information of consumers that the business has actual knowledge are under 16 years of age. The CPPA will have broad powers of investigation and enforcement for violations of the CPRA.

We will follow the progress of Proposition 24 on election day and provide an update here next week.

Recently we wrote about two amendments to the California Consumer Privacy Act of 2018 (CCPA) that were awaiting signature on Governor Newsom’s desk: AB 1281, which extends the one-year exemptions for employee information and business to business information for another year until January 1, 2022; and AB 713, which provides an exemption from the CCPA to medical information that is governed by the California Confidentiality of Medical Information Act (CMIA) or to protected health information that is collected by a covered entity or business associate governed by the federal Health Insurance Portability and Accountability Act (HIPAA) and the federal Health Information Technology for Economic and Clinical Health Act (HITECH). Both amendments were signed by the Governor.

While AB 1281 extends the exemptions for employee information and business to business information from the CCPA for another year, AB 713 actually broadens the CCPA exemption for medical information to include business associates. Section 1798.146(a) now includes a business associate of a covered entity governed by HIPAA and HITECH, to the extent that the business associate maintains, uses, and discloses patient information.

The California Consumer Privacy Act of 2018 (CCPA) currently exempts from its provisions certain information collected by a business about a natural person in the course of the person acting as a job applicant, employee, owner, director, officer, medical staff member, or contractor of a business. This exemption is set to expire on December 31, 2020. In addition, the so-called business-to-business exemption for transactions and communications with the business that occur solely within the context of the business conducting due diligence regarding or providing or receiving a product or service to or from that company, partnership, sole proprietorship, nonprofit, or government agency is also set to expire on December 31, 2020.

Recent legislation passed in California would extend both of the exemptions until January 1, 2022. Assembly Bill 1281 (AB 1281), which was presented to Governor Gavin Newsom on September 8, 2020, extends the one-year exemption for employee information and business to business information for another year until January 1, 2022. The bill also provides that the extension of these exemptions is contingent upon voters not approving the ballot Proposition 24, known as the California Privacy Rights Act of 2020 (CPRA). Should the CPRA pass on November 3, it would extend these exemptions until January 1, 2023. Some other highlights of the CPRA include the creation of a new category of sensitive personal information (SPI) that would give consumers the power to restrict its use, a provision that allows consumers to prohibit businesses from tracking their precise geolocation to a location of approximately 250 acres, and the addition of email and passwords to the list of defined “personal information” included in a data breach.

The key takeaway here is that if AB 1281 is enacted or if Proposition 24 passes, employee/job applicant information as well as business-to-business communications will continue to be exempt from the CCPA. Both AB 1281 and AB 713 regarding medical information, which we wrote about recently here, are currently on Governor Newsom’s desk.

DataGrail recently released a mid-year report on trends related to the California Consumer Privacy Act (CCPA) and how it has affected consumers and businesses. The report indicates that consumers are regularly opting out of the sale of their personal information, with the “do not sell” right being the most exercised right, occurring 48 percent of the time, more than access rights (at 21 percent) and deletion requests (at 31 percent).

Overall, according to this report, about 83 percent of consumers expect to have control over how businesses use their data, and this research confirms that people are taking action to control their privacy by exercising rights provided by the CCPA. 

When the CCPA first went into effect in January 2020, DataGrail found that Californians began exercising those rights right away. In January 2020, there was a surge of individual requests to exercise rights granted under the CCPA. Since that initial surge, such requests have leveled off at about 13 requests per million records every month. Data from a recent Gartner report show that the manual processing of a single request costs an average of $1,406. If companies continue to process these requests manually, that could amount to upwards of $240,000 per million records. This suggests a need for a standardized process that companies across the board can implement to handle these requests more efficiently.

DataGrail also found that 3 out of 10 requests go unverified (i.e., no fraud detection for requests that might be made for purposes of stealing personal information). This again shows a need for a scalable verification process to prevent harm to consumers, which the CCPA aims to protect against.

The California legislature recently passed AB 713, an amendment to the California Consumer Privacy Act of 2018 (CCPA). This bill will take effect immediately on September 30, 2020, once Governor Gavin Newsom signs the legislation. AB 713 adds Section 1798.146 to the CCPA, which states that the CCPA shall not apply to medical information that is governed by the California Confidentiality of Medical Information Act (CMIA) or to protected health information that is collected by a covered entity or business associate governed by the federal Health Insurance Portability and Accountability Act (HIPAA) and the federal Health Information Technology for Economic and Clinical Health Act (HITECH).

Section 4 (A) of AB 713 states that to be exempt, the information must meet both of the following conditions:

  1. It is deidentified in accordance with the requirements for deidentification as set forth in Section 164.514 of Part 164 of Title 45 of the Code of Federal Regulations (HIPAA regulations).
  2. It is derived from patient information that was originally collected, created, transmitted, or maintained by an entity regulated by HIPAA, CMIA, or the Federal Policy for the Protection of Human Subjects, also known as the Common Rule.

Additional provisions of the bill prohibit a business or other person from reidentifying information that was deidentified, unless a specific exception is met. Beginning January 1, 2021, the bill requires that contracts for the sale or license of deidentified information must include specific provisions relating to the prohibition of reidentification of information.

Specifically, Section 2 of the bill requires that businesses that sell or disclose medical information that was “deidentified in accordance with specified federal law, was derived from protected health information, individually identifiable health information, or identifiable private information to also disclose whether the business sells or discloses deidentified patient information derived from patient information and, if so, whether that information was deidentified pursuant to specified methods.”

So, what are the key takeaways from this amendment? Businesses that sell or license deidentified medical information will be required to update their privacy policies and to add specific provisions to contractual agreements regarding the prohibition of reidentification of medical information.

The California Consumer Privacy Act (CCPA), touted as the toughest privacy act in the country, went into effect on July 1, 2020. Although the enforcement regulations have been tweaked three times during the last year, this week California Attorney General Xavier Becerra (AG) issued the final set of rules that his office will use to enforce the law.

According to the AG, the regulations were approved on August 14 after non-substantive changes were made by his office. Therefore, companies can use the final regulations to assist in determining their compliance with the law.

Although the AG has not yet publicly commenced an enforcement action under the law, the AG has stated that those efforts started on July 1. We anticipate that those efforts will be strategic and well thought out by the AG, as we have seen with the enforcement actions of other privacy laws. We believe that enforcement actions will be determined based upon the brands targeted, the substance of the violations, and where guidance can be the most impactful.

Now that the regulations are final, if they haven’t done so yet, companies may wish to review their compliance efforts with CCPA.

While the California Consumer Privacy Act (CCPA) went into effect on January 1st of this year, the California Attorney General submitted the final draft of proposed regulations only last month. With the CCPA’s inclusion of a private right of action for California residents to seek actual or statutory damages if their personal information has been “subject to an unauthorized access and exfiltration, theft or disclosure” due to a business’s failure to “implement and maintain reasonable security procedures,” there is added exposure in California consumer class actions if a business suffers a data breach, especially because the CCPA allows for statutory damages without having to prove actual harm. The CCPA sets the statutory limit between $100 and $750 per consumer per incident. The amount awarded is based on “any one or more of the relevant circumstances presented by any of the parties to the case, including, but not limited to, the nature and seriousness of the misconduct, the number of violations, the persistence of the misconduct, the length of time over which the misconduct occurred, the willfulness of the defendant’s misconduct, and the defendant’s assets, liabilities, and net worth.”

Now, with the Attorney General’s enforcement in effect as of July 1, the second half of 2020 could reveal much more about the Attorney General’s CCPA enforcement strategy. Additionally, the strategy of private litigants, who have been able to file CCPA claims since January 1, may also be instructive on what to expect for enforcement by the state.

While COVID-19 has certainly halted much litigation (or perhaps moved it to the digital world), the migration to remote work has actually led to several CCPA actions, as threat actors have exploited this unsteady transition and immense strain on information technology departments, which, for the first time, are dealing with a large group of employees working from home. So far this year, April was the most active month for new CCPA litigation, with over a dozen complaints being filed in both state and federal courts, mostly in California (no surprise), but also in Florida, New York, and Washington.

To date, the CCPA has yet to be interpreted in court. However, some of the recent case filings indicate that plaintiffs are attempting to interpret the CCPA’s private right of action very broadly.

It would seem that the limitations on the CCPA’s private right of action are clear. Section 1798.150(a)(1) of the CCPA states: “Any [California resident] consumer whose nonencrypted and nonredacted personal information…is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action.” Civil actions may be instituted for actual or statutory damages, injunctive relief, and other relief the court deems proper.

The civil private right of action applies only if personal information has been the subject of a data breach and the statute makes clear that the “cause of action established by this section shall apply only to violations as defined in subdivision (a) and shall not be based on violations of any other section of this title.” Nonetheless, many litigants are attempting to bring actions for statutory damages related to a violation (i.e., failure to comply) of the CCPA without including any allegations related to the limited private right of action for a loss related to a data breach.

Furthermore, the CCPA expressly precludes consumers from using it as “the basis for a private right of action under any other law.” Section 1798.155 of the CCPA provides the Attorney General with broad enforcement authority over all CCPA violations, which means that there is no need for enforcement via any other consumer protection law. However, plaintiffs in many of the recent pleadings filed attempt to use the CCPA as a means of indicating violation of other consumer protection laws.

Overall, there have been 50 consumer class actions alleging some type of CCPA violation filed in the first six months of the year. And in the second half of 2020? Well, there is no indication of it slowing down. Because the Attorney General’s enforcement powers just took effect, the next six months will likely see more private litigant activity and state enforcement, even though the CCPA regulations are not yet effective; the Attorney General may bring an action under the CCPA for CCPA violations that occurred any time after January 1 by relying on the statute rather than the regulations. Therefore, if a business has been hit with a consumer class action, it could see an enforcement action down the road as well.

Currently, with the CCPA’s onerous requirements and the heightened possibility of email compromises and data security incidents due to the remote work situation, the liability risk for failing to comply with the CCPA could be very significant for businesses. Businesses that are vigilant in their CCPA compliance may be in a position to avoid the ominous threat of CCPA enforcement.