On September 23, 2021 attorney Lily Li spoke at PrivSec Global: The Largest Data Protection, Privacy and Security Event of 2021. The Global Live Stream Experience was a two day event from September 22 to September 23, 2021.
The topic of discussion was “Why Most CCPA Cases Will Fail: Five Hurdles Plaintiffs Must Clear.” The presentation is available to watch on-demand.
Hard on the heels of the California Consumer Privacy Act of 2018 (CCPA) and updated state privacy laws in Nevada and Maine which took effect in 2019, state data privacy legislation is still on the rise.
In November of 2020, California citizens approved the California Privacy Rights and Enforcement Act (CPRA), further amending the CCPA. The CPRA is intended to strengthen privacy regulations in California by creating new requirements for companies that collect and share sensitive personal information. It also creates a new agency, the California Privacy Protection Agency, that will be responsible for enforcing CPRA violations.
As momentum builds for state privacy laws, 2021 could be the year that privacy laws gain footing across the country, helping Americans exercise control over their digital lives.
Washington’s Privacy Act 2021, SB 5062

Update: The WPA did not pass the House by the April 11 deadline. On April 12, however, Senator Carlyle tweeted that the “bill remains alive through the end of the session.” The legislature will close on April 25.

Update 4/26: The WPA did not pass for the third year in a row, due to the late introduction of a limited private right of action (for injunctive relief). Jump to the bottom of the page for links to other pending state legislation.
The most notable – due to its furthest progression in state legislation – is the current draft of the Washington Privacy Act 2021 (“WPA”). This draft bill is the third version of the act introduced by Washington state Sen. Reuven Carlyle (D-Seattle) in as many years.
Image Credit: FDA Nutrition Label, modified by Metaverse Law
The growing frequency and severity of privacy incidents within the past decade—the Facebook-Cambridge Analytica data scandal and Equifax data breach, to name just a few—has made consumer privacy a topic of public attention and concern.
In response to consumers’ increased wariness regarding their private data, some companies are trying to use privacy labels and icons to signal a commitment to privacy protection. The ultimate goal is to make privacy more accessible, transparent, and understandable.
This article reviews the history and current trends around privacy icons and labels.
Typically, the YourAdChoices icon is placed on cross-context behavioral ads—that is, ads targeted to consumers based on a profile of that consumer’s characteristics, preferences, and internet activity. If a browsing consumer views an ad that was targeted to them, they can click the YourAdChoices icon next to the ad to control whether ads should be personalized to them while browsing and to learn why that certain ad was displayed to them.
When the California Consumer Privacy Act (CCPA) came into effect in 2020, it created new privacy requirements for over 500,000 businesses nationwide. One of the requirements is to prominently display a “Do Not Sell My Personal Information” link on a business’ homepage if the business is subject to the CCPA and “sells” or discloses a consumer’s personal information for valuable consideration. If a consumer submits a request through the link, the business must allow that consumer to opt out of the sale of their personal information.
In response to this new requirement, the DAA designed a green version of the YourAdChoices icon for CCPA use. This is called the Privacy Rights Icon.
When implemented correctly by participating companies, the green Privacy Rights icon brings consumers to www.privacyrights.info, a website set up by the DAA to help centralize and facilitate “Do Not Sell” requests across all participating companies.
While the two DAA icons above are forms of industry self-regulation, the California Office of the Attorney General (OAG) has also designed a “Do Not Sell” button to accompany the Do Not Sell link.
Following hot on the heels of the California Privacy Rights Act, Virginia Gov. Ralph Northam (D) signed the Consumer Data Protection Act on Tuesday, making Virginia the second state in the U.S. to pass a comprehensive data privacy law. Below, please see our comparison of the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA) and the Virginia Consumer Data Protection Act (Virginia CDPA).
Applicability
CCPA: A “business” that meets at least one threshold below:
• Generates over $25M in annual gross revenue;
• Handles the records of at least 50,000 California consumers; or
• Generates over 50% of annual revenue from sales of consumer data
CPRA: Same as CCPA, except the threshold for handling records of California consumers increases from 50,000 to 100,000.
Virginia CDPA: Applies to businesses that:
• Handle the records of at least 100,000 Virginia consumers; or
• Handle the records of at least 25,000 Virginia consumers and derive over 50% of gross revenue from sales of consumer data

Definition of personal data
CCPA: Any information that could be associated or linked with a particular consumer or household.
CPRA: Same as CCPA, except that there is a reasonableness element: any information that could be reasonably associated or linked with a particular consumer or household.
Virginia CDPA: Limited to particular consumers: “Any information that is linked or reasonably linkable to an identified or identifiable natural person.”

Definition of sensitive personal data
CCPA: Does not define sensitive personal data.
CPRA: Defines sensitive personal data to include:
• Social security number
• Driver’s license number
• Account log-in, debit, or credit card number in combination with password or PIN
• Precise geolocation
• Racial/ethnic origins
• Religious or philosophical beliefs
• Union membership
• Contents of e-mails or texts to others
• Genetic/biometric data
• Health information
• Sex life/sexual orientation data
Virginia CDPA: Defines sensitive personal data to include:
• Racial/ethnic origins
• Religious beliefs
• Mental or physical health diagnosis
• Sexual orientation
• Citizenship/immigration status
• Genetic/biometric data
• Children’s data
• Precise geolocation

Consumer rights
CCPA:
• Access
• Deletion
• Non-discrimination
• Opt-out of: sale of personal data
CPRA: Same as CCPA, with the addition of rights to:
• Correct personal information
• Limit the use of sensitive personal information
Virginia CDPA:
• Access
• Correction
• Deletion
• Port
• Opt-out of: targeted advertising; sale of personal data; profiling in furtherance of decisions that produce legal effects

Data Privacy Impact Assessments
CCPA: No requirement to conduct or document.
CPRA: No requirement to conduct or document.
Virginia CDPA: Controllers must conduct and document data protection assessments for the following activities:
• Targeted advertising
• Sale of personal data
• Profiling
• Sensitive data
• Catch-all: any data that presents a “heightened risk of harm to consumers”

Data Protection Authority
CCPA: California Office of the Attorney General
CPRA: $10 million allocated per year to the California Privacy Protection Agency (CPPA). Primary enforcement and rulemaking abilities shift from the California Attorney General to the CPPA.
Virginia CDPA: Virginia Office of the Attorney General

Cure Provision
CCPA: 30 days to cure upon written notice of a violation by the California Attorney General’s office.
CPRA: Ability to cure removed from CPRA.
Virginia CDPA: 30 days to cure upon written notice of a violation by the Virginia Attorney General’s office.

Enforcement
CCPA: Administrative fines ranging from $2,500 per violation to $7,500 for intentional violations.
CPRA: Administrative fines of $7,500 now include intentional violations and children’s data violations.
Virginia CDPA: Administrative fines of $7,500 per violation.

Private Right of Action
CCPA: Consumers have a private right of action for the unauthorized disclosure of nonencrypted and nonredacted personal information.
In 2020, with large portions of the global workforce abruptly sent home indefinitely, IT departments nationwide scurried to equip workers of unprepared companies to work remotely.
This presented an issue. Many businesses, particularly small businesses, barely have the minimum network defenses set up to prevent hacks and attacks in the centralized office. When suddenly everyone must become their own IT manager at home, there are even greater variances between secure practices, enforcement, and accountability.
“Reasonable Security” Requirements under CCPA/CPRA and Other Laws
Under the California Consumer Privacy Act (CCPA), the implementation of “reasonable security” is a defense against a consumer’s private right of action to sue for data breach. A consumer who suffers an unauthorized exfiltration, theft, or disclosure of personal information can only seek redress if (1) the personal information was not encrypted or redacted, or (2) the business otherwise failed its duty to implement reasonable security. See Cal. Civ. Code § 1798.150.
Theoretically, this means that a business that has implemented security measures—but nevertheless suffers a breach—may be insulated from liability if the security measures could be considered reasonable measures to protect data. Therefore, while reasonable security is not technically an affirmative obligation under the CCPA, the reduced risk of consumer liability made reasonable security a de facto requirement.
However, under the recently passed California Privacy Rights Act (CPRA), the implementation of reasonable security is now an affirmative obligation. Under revised Cal. Civ. Code § 1798.100, any business that collects a consumer’s personal information shall implement reasonable security procedures and practices to protect personal information. See our CPRA unofficial redlines.