Risk Update

Risk “Issue” Week (Part 5) — Data Privacy, CCPA and Law Firm Compliance Responsibilities

Posted Dan Bressler

3 Big Pitfalls To Avoid Regarding The California Consumer Privacy Act Compliance” —

  • “The reach of the CCPA cannot be underestimated — businesses outside of California are not necessarily outside the scope of the CCPA.”
  • “More specifically, the CCPA gives California residents the right to (i) know what personal information is being collected, used, shared, or sold about them, (ii) know whether and to whom their personal information is sold or otherwise disclosed, (iii) access and review their personal information, (iv) opt-out of the sale of their personal information, and (v) non-discrimination in the level of service and pricing despite exercising any of their privacy rights.”
  • “Such responsibilities under the CCPA, however, only apply to those businesses that meet one or more of the following criteria: (a) gross annual revenues in excess of $25 million; (b) buy, receive, or sell the personal information of 50,000 or more consumers, households, or devices; and/or (c) derive 50 percent or more of annual revenues from selling consumers’ personal information.”
  • “The reach of the CCPA cannot be underestimated — businesses outside of California are not necessarily outside the scope of the CCPA… Given the scope and reach of the CCPA, it comes as no surprise that most companies in the United States that do business with California residents and meet any of the qualification criteria are scrambling to comply.”
  • “Being GDPR Compliant Does NOT Mean Your Company Is CCPA Compliant. It may come as a surprise to some, but GDPR compliance does not guarantee CCPA compliance. In fact, your company (or client) may have additional obligations under the CCPA.”
  • “Once the policies implemented by your company (or client) have been updated to address CCPA requirements, those policies must not be set in stone. The CCPA may give the consumer the right to delete personal information held by businesses (or their service providers), but this “right to be forgotten” does not extend to the privacy policies of your company (or client). Revisit these policies on a regular basis to update them based upon guidance from enforcement actions, newly promulgated regulations or potential modifications to the statute.”

A law firm focused exploration of response strategies: “4 Ways Firms Can Keep Compliant With the CCPA” —

  • “A law firm’s website should describe California residents’ rights including their right to authorize personal data deletion, or allow disclosure of information and notice of collection. What’s more, a firm must also provide opt-outs for the selling of consumer information.”
  • “Law firms leveraging outside vendors, such as e-discovery providers, to store or process data that includes Californians’ personal information should update their vendor contracts to ensure that such information is not used for anything outside of specified services, said Jackson Lewis principal Joseph Lazzarotti.”
  • “Law firms need to prepare for data requests, which includes having a system to process such requests and protocols to find data and verify a requester’s identify. Law firms may face more difficulties in this regard compared to other businesses because of the data large sets corporate clients send them.”
  • “Implement ‘Reasonable Security Procedures.’ Lazzarotti noted the CCPA provides statutory damages for anyone whose ”nonencrypted or nonredacted public information” was breached because a company lacked “reasonable security procedures and practices.” Plaintiffs could be awarded $100 to $750 per consumer per incident or actual damages, whichever is greater, and injunctive or declaratory relief.”

For those wondering, here’s: “A Comparison of GDPR and CCPA.”

And, worth noting: “States Are Proposing Their Own CCPA-Like Privacy Laws” —

  • “The Washington Privacy Act (Senate Bill 6281), which failed to pass last year, was reintroduced in the state senate for the 2020 legislative session.”
  • “A bill that is strikingly similar to the CCPA has been introduced in Nebraska.”
  • “House Bill No. 473 (Virginia bill) would amend Virginia law to add the Virginia Privacy Act. The bill applies to any company doing business in Virginia or that produces products or services “intentionally targeted to residents” of Virginia…”
  • “Companion bills have been introduced in the Florida Senate (Senate Bill 1670) and the Florida House of Representatives (House Bill 963)…”
  • “New York has recently seen its own share of privacy laws and regulations proposed. Most notably, the New York Privacy Act (NYPA), which some refer to as “groundbreaking,” was reintroduced in the state senate at the beginning of the year…”