Welcome to the second post in our Spotlight series, where we talk with a leader in a particular field or emerging area of interest to technology and sourcing lawyers and professionals.
Ezra Church is a partner in Morgan Lewis’s litigation practice who counsels and defends companies in privacy and cybersecurity matters. His practice is at the forefront of issues such as biometrics, artificial intelligence, location tracking, ad tech, and blockchain. Ezra is a Certified Information Privacy Professional (CIPP) and co-chair of the firm’s Class Action Working Group, and he recently helped lead our firm’s Practical Advice on Privacy publication series on the California Consumer Privacy Act (CCPA). Now that that law is in place, we wanted to get an update from Ezra regarding its impact on US privacy law.
Who does the CCPA apply to?
The law is much broader than historic privacy laws in the United States, and applies to all businesses that do business in California, collect personal information from California residents, and (1) have global revenue of more than $25 million, (2) receive personal information from 50,000 or more consumers or devices in a year, or (3) get 50% or more of their revenue from the sale of data. That second prong is important and sometimes overlooked—even a small startup company may well have 50,000 California consumers or devices from which the company collects personal information, such as an IP address.
What should companies add to their privacy policies for CCPA compliance?
I have typically found that there are three changes needed to revise company privacy policies for compliance with the CCPA.
First, privacy policies traditionally focused on the collection of information on the company website. But the CCPA requires that the privacy policy address all collection of personal information, not just on the website; that change sometimes requires substantial additional thought and work by a company.
Second, the CCPA requires that companies describe the categories of personal information collected and, for each category, the purpose of collection, and the parties to which it may be disclosed. We have found that some privacy policies need to be reorganized to clearly convey this information on a per-category basis—and it may be helpful to present it in a chart format.
Third, the law requires disclosure of a consumer’s rights available under the CCPA, specifically the right to know what information is collected about the consumer (including categories), the right to request deletion of personal information, and the right to opt out of the sale of personal information, where applicable. Under the new California Privacy Rights Act of 2020 (CPRA), which was passed into law through a ballot initiative in November 2020, starting January 2023, consumers will also have the right to correct information about them—and that right will also need to be disclosed in the privacy policy.
How does the CCPA impact breach responses?
Although most of the provisions of the CCPA can only be enforced by the California attorney general (AG), the CCPA did make a critical change to California law by allowing for private class actions in the event of data breaches that involve a lack of reasonable security on the part of a company. Perhaps as significant, the CCPA added statutory penalties for data breaches of $100–750 per consumer per incident. This is huge, since litigants have typically struggled to identify what monetary harm, if any, they suffer from a data breach.
All of this significantly ups the ante for data breach response where there may be personal information of California residents involved. California was already the destination forum for breach class actions, and that will certainly continue given the added incentives for litigants under CCPA.
The CCPA has been effective for just over a year now. What are we seeing in terms of enforcement?
To date, we have not seen the California AG announce any public enforcement actions related to the CCPA—certainly welcome news for companies still trying to understand and comply with the CCPA.
But it’s important to note that the CCPA actually provided for delayed enforcement—although it was effective starting January 2020, it was not enforceable until July 2020. It seems likely that we will see enforcement activity in the coming months. It’s also important to note that the CPRA, mentioned above, will create a new agency called the California Privacy Protection Agency focused on enforcing privacy rules in California. That will not be up and running until January 2023 at the earliest—but look out once it is!
Do you expect to see laws like the CCPA in other states?
Yes, California has been a traditional leader for US privacy law. The state passed the first law requiring notification of data breaches in 2002, and those laws now exist in all 50 states and the District of Columbia. I think we will see a few states enact laws similar to the CCPA in 2021 (look for action in Virginia and Washington any day now) and it will be a trend that spreads around the country going forward.