[co-authors: Megan Siekkinen, Austin Smith]

The Privacy Oracle consolidates significant US legislative and regulatory developments at the state and federal level into a single publication. In this month’s issue, we offer:

• • An analysis of bills introduced in the 116th Congress that seek to regulate consumer privacy
  • A review of amendments to the CCPA that have recently advanced out of committee in the California legislature
  • Insight into the failure of the Washington Privacy Act and an update on amendments to Washington’s Data Breach Notification Law
  • A high-level round-up of draft state consumer privacy legislations
  • An overview of litigation risk associated with the private right of action for data breach in the CCPA
  • Practical tips on updating contracts to designate external parties as service providers under the CCPA

Federal Privacy Legislation Introduced, but Future Unclear

In the wake of calls for Congress to regulate consumer privacy and prevent a “patchwork” of state legislation, six bills have been introduced that would set forth broad federal obligations regarding the collection, storage, and disclosure of consumer data.[1] Despite bipartisan support for comprehensive privacy legislation, none of the federal consumer privacy bills listed below has progressed since introduction. And more bills may be added to the mix. Sen. Marsha Blackburn (R-TN) reintroduced the BROWSER Act (H.R. 2520 from the 115^th Congress), and the Senate Committee on Commerce, Science and Transportation mentioned they are working on proposed legislation of their own, though details and timing are still unknown.

Disagreement over federal preemption of state law may be one factor delaying advancement of any bill. House Speaker Nancy Pelosi (D-CA) recently drew a line in the sand on this issue during a Recode Decode Podcast on April 12, saying “the Republicans would want preemption of state law. Well, that’s just not going to happen. We in California are not going to say, ‘You pass a law that weakens what we did in California.’ That won’t happen.” Sen. Feinstein (D-CA) also made it clear that she would not support a federal bill that weakens California’s Consumer Privacy Act. Sen. Klobuchar (D-MN) said there were “a lot of tears shed about the patchwork of bills across the country” in a Senate Judiciary hearing, yet there is no federal preemption in her co-sponsored bill with Sen. Kennedy (R-LA). Sen. Blumenthal (D-CT) noted that draft proposals sent to the Judiciary Committee often undercut existing state protections by using preemption. On the other hand, Sen. Blackburn and Sen. Tillis (R-NC) voiced support for preemptive privacy legislation.

Federal consumer privacy bills introduced to date in the 116^th Congress:

[1] There are three more narrowly constructed, consumer-related bills:

• Blunt (R-MO) and Sen. Schatz (D-HI) introduced S. 847, Commercial Racial Recognition Privacy Act of 2019, on March 14. It would prohibit certain entities from using facial recognition technology to identify or track an end user without obtaining the affirmative consent of the end user. It would also require third party testing of technologies prior to implementation and meeting data security, minimization, and retention standards as determined by the FTC and NIST.
• Richard Durbin (D-IL) introduced S. 783, Clean Slate for Kids Online Act of 2019, on March 13. It would allow for deletion of PI collected by internet operators of activity prior to age 13.
• Edward Markey (D-MA) and Sen. Josh Hawley (R-MO) introduced S.748 on March 12. It would amend the Children’s Online Privacy Protection Act of 1998 (COPPA) to strengthen protections relating to the online collection, use, and disclosure of personal information of children and minors.

A Barrage of CCPA Amendments: Can Any Go the Distance?

After months of sparring among politicians, businesses, and privacy advocates, both the California Assembly and Senate have advanced a variety of proposed amendments to the state’s first-in-kind comprehensive privacy statute, the California Consumer Privacy Act or CCPA. But the clearest thing to emerge from this rush to “clarify” CCPA is the multitude of concerns that the statute has raised on each side of the debate.

The majority of bills approved by the Privacy and Consumer Protection Committee of the Assembly (“the Committee”) appear aimed at narrowing the amount and types of data that are subject to CCPA restrictions. For example, California businesses long have asserted that the CCPA should not apply to data collected by employers about their employees and job applicants. AB 25 would amend the CCPA to eliminate the statute’s potential application to data collected in the employment context.  Similarly, two amendments advanced by the Committee (AB 874 and AB 1355) would exclude deidentified or aggregated data from the definition of “personal information.” Another (AB 873) would narrow the definition of personal information further by eliminating the statute’s application to information that identifies only a household, rather than an individual. AB 1146 would exempt vehicle information shared between a motor vehicle dealer and a manufacturer.

One amendment that advanced in the Senate earlier this month would result in a significant change to the enforcement of the law. SB 561, scheduled for a hearing on April 29, 2019, would expand the CCPA’s private right of action to apply to any violation of the statute and eliminate the 30-day period that would allow businesses to cure a violation prior to a plaintiff initiating suit. Far from the narrowing and clarifying measures moving in the Assembly, this Senate initiative would expand exponentially the impact and costs of CCPA compliance for California businesses by allowing class action litigators to drive the interpretation and enforcement of the CCPA at will.

Do not be misled, however—there is no universal agreement in Sacramento that the CCPA must be tamed. Even if all of the Committee’s amendments were to be approved by the full California Assembly, the chances that any of these measures will be approved by the Senate is far from certain.

CCPA Amendments Summary:

Assembly Bills

AB 25: Clarifies that the term “consumer” does not include “a natural person whose personal information has been collected by a business in the course of a person acting as a job applicant to, an employee of, a contractor of, or an agent on behalf of, the business” to the extent that person’s information is collected and used “solely within the context of the person’s role.”

AB 846: Confirms that a “consumer’s voluntary participation” in a loyalty or rewards program is permitted under the statute

AB 873: Amends the definition of “deidentified” to mean information that “does not reasonably identify or link, directly or indirectly, to a particular consumer.” Also amends the definition of “Personal information” to mean “information that identifies, relates to, describes, or could reasonably be linked, directly or indirectly, with a particular consumer” and eliminates reference to information that identifies a household.

AB 874: Amends the definition of “personal information” to exclude deidentified or aggregated consumer data and amends the definition of “publicly available information” to mean information lawfully provided from federal, state, or local government records.

AB 1355: Requires that a business disclose “[t]hat a consumer has the right to request the specific pieces of personal information that the business has collected about that consumer.” Also provides that businesses may disclose the personal information sold to third parties by listing the category of third party, rather than by identifying each third party. Similar to AB 874, amends the definition of “personal information” to exclude deidentified or aggregated consumer information. Requirement that financial incentives and price differentials be reasonably related to the value provided to the business by the consumer’s data, rather than the value provided to the consumer by the consumer’s data.

AB 1146: Exempts vehicle information shared between a new motor vehicle dealer and the vehicle’s manufacturer from the statute.

AB 1564: Allows businesses to provide an email address rather than a toll-free number for CCPA requests.

Senate Bills

SB 561: Expands the CCPA private right of action to include any violation of the statute and removes the 30-day cure period prior to filing suit.

Washington State Privacy Act: A Postmortem

For most of March, the Washington Privacy Act (“WPA”) (SB 5367) looked like a sure thing. With Democrats in complete control of the state government, the bill’s nearly unanimous passage in the state Senate, and the support of the technology industry, the WPA seemed poised to join the CCPA as one of the first comprehensive state privacy laws. But the House substantially amended the bill in response to strong opposition from some consumer privacy advocacy groups. Efforts to find a compromise failed, and the bill was shelved for the year.

Although the legislature failed to enact the WPA, it did take some action in the privacy area, amending the state’s data breach law to require companies that have suffered a breach to notify consumers within 30 days of discovering the breach (the previous deadline was 45 days). The law also now requires businesses to inform affected consumers of when the breach occurred and when it was discovered, and, if the breach involved usernames or passwords, to tell consumers to take steps to secure their electronic accounts.

Washington lawmakers agreed on the basic framework of the WPA. Unlike the CCPA and other state privacy bills introduced this year, the bill was based on the EU’s General Data Protection Regulation (“GDPR”). It would have given Washington residents the right to access data that companies held about them (similar to the right contained in the CCPA), to correct inaccurate information about them, to demand deletion of data with only a few exceptions, and to opt out of some uses of their data, such as for targeted advertising. In addition, companies would have been required to conduct “risk assessments” for their processing of consumers’ personal data and to ask for the affirmative consent of consumers before processing their data in ways that posed a high risk of privacy harm. Legislators in both the Senate and House expressed that limiting the use of facial recognition technology by both the private sector and government agencies was a priority; however, they disagreed on how to accomplish this objective.

The Scope of the Law

At the most basic level, there were different opinions on who and what the law should cover. The Senate bill would have applied to entities doing business in Washington who met certain thresholds regarding the number of consumers whose data they controlled and how much of the businesses’ revenue derived from selling personal data; the amended House bill would have removed those thresholds so that all entities doing business in Washington would have been subject to the law by default (though both bills had some exceptions).

There were several other notable differences in scope. The House bill used a broader definition of personal data that would have included data that had already been made public, unlike the Senate’s bill. The House version also offered more guidance on what it meant to de-identify personal data so that it would no longer be subject to the law. And while the Senate bill would have defined a “sale” of personal data as an exchange for monetary consideration to a third party for the purpose of further licensing or selling the data, the House included any exchange or disclosure of personal data to a third party in exchange for anything of value and for any purpose in its definition of a sale.

Trusting Businesses?

Perhaps the most significant difference between the two versions of the WPA was in how they viewed businesses. The Senate bill reflected a relatively positive view of businesses, recognizing that they needed to be regulated in this sphere but also evincing a desire not to overly burden businesses with costly obligations. A belief that businesses might take advantage of consumers at every opportunity and needed to be regulated more strictly, on the other hand, was manifest in the House bill.

This difference in outlook could be seen in how the same GDPR-style rights were implemented. The Senate bill often made exceptions to consumer rights in situations where complying with a request would be cost prohibitive or technically infeasible, would have allowed businesses to retain data a consumer requested to delete if it was necessary for a “business purpose,” and in limited circumstances would have permitted businesses to charge a “reasonable fee” to comply with repetitive consumer requests. The House bill did not include nearly as many exceptions for businesses, only allowed for an analogous exception from the right to deletion if the data was necessary “in relation to the purposes for which it was collected or processed,” and forbid business from ever charging consumers any fees.

Facial Recognition

The differences in the Senate and House approach to facial recognition are a microcosm of the debates over the WPA. The scope of the Senate’s definition of facial recognition, covering only uses for identification, was narrower than the House’s bill, which also regulated its use to detect demographic information or mood. And as it did in other areas, the Senate bill also provided businesses with more latitude to deploy this new technology. The Senate version of the WPA would have permitted the use of facial recognition in decisions that have legal or other significant effects as long as a human reviewed the decision, but the House version prohibited such uses entirely. While the Senate bill would have required companies to allow third parties to test their facial recognition technology for unfair bias, the House bill would have required independent verification that the technology was not biased before it could be deployed. The House similarly put more limits and stricter judicial oversight on the use of facial recognition by government agencies.

Enforcement

The disagreements between the two chambers’ bills regarding enforcement reflected the same worldviews. The House wanted to provide significantly broader enforcement mechanisms for the law—and do so sooner—than the Senate. One of the biggest points of disagreement between the two bills was whether to provide a private right of action. The Senate would have limited enforcement actions to those brought by the state Attorney General, while the House would also have allowed consumers to sue companies who allegedly violated the law directly. Further, the Senate bill provided for a 30-day opportunity to cure violations before becoming liable under the WPA; the House removed that provision. And the House was in a bigger hurry to start enforcing the law: its version would have gone into effect at the end of July 2020, while the Senate would have given businesses an extra year to get into compliance.

Too Far Apart

With the exception of the House providing for a private right of action, the differences between the Senate and the House versions of the WPA were arguably of degree, not kind. It is possible that each issue standing alone would not have been a deal breaker during negotiations. But cumulatively, there was too much daylight between the two drafts to reach a compromise—especially with time running short at the end of the legislative session. The failure of Washington to pass the WPA is a warning to other states trying to pass similar legislation that they too will have to wrestle with these questions about how broad a scope such a law should have, the leeway given to businesses, and how to enforce consumer privacy rights.

State Consumer Privacy Law Roundup

The following chart summarizes the current status of comprehensive consumer privacy reforms that have been introduced at the state level since the passage of the CCPA. This chart details states that are considering broad laws that would apply across industies. In addition to the draft laws noted below, Maine is considering a consumer privacy law that has been introduced but would apply only to data collected by ISPs—stay tuned for future coverage!

Update from LitLand: A Review of Data Breach Litigation Risk

LitLand is a monthly feature that reviews developments in litigation as they relate to privacy matters and highlight any past, current, and future cases about which you should know.

Welcome to LitLand! In recognition of the fact that the Privacy Oracle was born from demand to track developments such as California’s passage of the CCPA, it seemed only appropriate that our first LitLand feature pay homage to our humble beginnings.

The California legislature earlier this month advanced A.B. 561, an amendment that would expand the private right of action under the Consumer Privacy Act. As it stands, the CCPA limits the private right of action to breaches in which “a consumer’s nonencrypted or nonredacted personal information is subjected to unauthorized access and exfiltration, theft, or disclosure as a result of the business’s failure to maintain reasonable security procedures to institute a civil action for various damages.” If the amendment passes, consumers would have a private right of action for any violation of their rights under the CCPA. This includes the failure of a business to provide required disclosures on its website or honor a deletion or access request. Statutory damages continue to be set at not less than $100 and not greater than $750 per incident or actual damages per violation, whichever is greater, even when plaintiffs do not show harm from the violation. In many cases, including security breaches, each consumer affected would be considered one violation, and 3-figure damages could easily become 7- and 8- figure damages.

Even if defeated, the private right of action provision that is currently in the statute arguably lowers the procedural bar for plaintiffs who have historically faced standing hurdles by making failure to notify regarding a breach a “harm” that would confer standing. A look at the largest consumer data breach class actions implicating California residents in recent years (as reported in the California Office of the Attorney General (“California AG”) 2016 Data Breach Report) provides some insight into the scope of the risk that companies doing business in California will face as of next January:

1. Anthem
   Nationwide Consumer Settlement: $115 Million
   Potential CCPA Statutory Fine: $1.3B – $7.8T

Anthem suffered a cyberattack in 2015 that resulted in the exposure of 78.8 million consumer records, including their names, addresses, Social Security numbers, dates of birth, and employment histories. 10.4 million California residents were affected.

2. Target
   Nationwide Consumer Settlement: $10 Million
   Potential CCPA Statutory Fine: $750M – $5.6B

During the holidays in 2013, hackers accessed Target’s point-of-sale reader using credentials stolen from a third-party vendor. The breach exposed the credit and debit cards of approximately 40 million shoppers who had visited Target stores. 7.5 million California residents were affected.

3. LivingSocial
   Nationwide Consumer Settlement: $4.5 Million
   Potential CCPA Statutory Fine: $750M – $5.6B

The personal information of more than 50 million people, including names, email addresses, encrypted passwords, and some users’ dates of birth were compromised in a cyberattack on LivingSocial in 2013. 7.5 million California residents were affected.

4. UCLA Health
   Nationwide Consumer Settlement: $7.5 Million
   Potential CCPA Statutory Fine: $450M – $3.4B

In 2014, hackers breached the hospital’s networks, resulting in the unauthorized access of the personal health information of 4.5 million California residents.

5. PNI Digital Media (Costco/RiteAid/CVS)
   Nationwide Consumer Settlement: $250 per person
   Potential CCPA Statutory Fine: $280M – $2.1B

The company was targeted in a cyberattack between 2014 and 2015, where payments processed online by Costco, CVS, or Rite Aid were affected. The personally identifiable information and credit cards of 2.8 million California residents were affected.

6. T-Mobile USA, Inc. (Experian)
   Nationwide Consumer Settlement: $22 Million
   Potential CCPA Statutory Fine: $210M – $1.6B

Fifteen million T-Mobile customers were potentially affected when credit check bureau Experian was hacked in 2015, exposing the customers’ names, addresses, dates of birth, social security numbers, and driver’s license numbers. Over two million California residents may have been affected.

Practitioners’ Corner

Practitioner’s Corner is a monthly focus on topics of interest to in-house counsel in the implementation of their privacy programs.t’s in a CCPA-compliant service provider contract?

You could start by diving right into the relevant definitions and obligations, but we urge you to take a step back. Ask yourself: do I need to establish a service provider relationship in the first place?

The CCPA allows consumers to opt out of a business’s “sale” of personal information to a third party. When consumers exercise that right, they effectively cut off the flow of their personal information between the business and the third party. Businesses can avoid this outcome in certain cases by executing a contract with the third party, making it the business’s “service provider” and immunizing the relationship and data flows from the consumer’s opt-out choice.

The trade-off is that service providers are restricted from “retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business,” meaning that it is more difficult for service providers to freely use personal information.

The question is whether creating the service provider relationship is necessary in every situation. The CCPA does not compel businesses and service providers to contract when they exchange personal information between them, unlike the controller-processor relationship in the General Data Protection Regulation (GDPR).

Some situations unquestionably call for service provider contracts because the consequence of an opt-out choice is unacceptable to the business. For example, if you use a cloud service provider to store personal information, a consumer’s opt-out choice would, in effect, prevent you from storing that consumer’s personal information with that cloud service provider. Giving individual consumers control in this manner is likely untenable from a technical system architecture perspective and may actually jeopardize the security of the data.

Here is another consequential scenario: savvy CCPA lawyers will know that two entities in the same corporate group are considered a single “business,” if they control or are controlled by one another and they share common branding. This means that, if two entities in the same corporate group exchange personal information, but are not similarly branded, that exchange could be a “sale.” In this case, having an intra-group service provider contract is critical because it prevents a potentially significant business interruption.

In other cases, you may find it acceptable not to create a service provider relationship because the costs of creating that relationship outweigh the benefits. For example:

• Your service does not depend on a transfer of personal information to a third party.
• You have alternative arrangements that can be used in the event of a consumer’s opt-out choice.
• You expect that consumers will seldom exercise their opt-out choice, so the impact of consumer opt-out requests is lessened.
• It is not feasible for the service provider’s uses of personal information to be constrained by contract.

In addition to these factors, you should also consider whether your existing contracts have language that is compatible with the CCPA’s requirements for creating the service provider relationship. If the recipient of personal information is effectively a service provider already, you may not need to take further action. Alternatively, updating your contracts for CCPA compliance may not present significant challenges.

Your decision whether to transform third parties into service providers is unique to your circumstances. As with all CCPA compliance efforts, that decision begins with knowing your data flows. In Part 2, we will discuss the language that must be present in CCPA service provider contracts if you decide to create them.