Many races and initiatives that California voters considered on November 3 are still undecided, but Proposition 24, the California Privacy Rights Act of 2020 (the “CPRA”) isn’t one of them. The California electorate approved Proposition 24 by a comfortable margin – 56% of Californians voted in favor.

Like its predecessor the California Consumer Privacy Act of 2018 (the “CCPA”), the impact of the CPRA won’t be felt immediately. It goes into effect on January 1, 2023, and many of its provisions are unclear and will require study. But all businesses that have a presence in California will need to consider its requirements, and given the scope of the law, addressing its requirements early will be essential.

New Sheriff in Town

Perhaps the most significant development in the CPRA is the establishment of a new agency, the California Privacy Protection Agency, dedicated to handling enforcement and compliance with privacy regulations. This makes California the first state with an agency focused solely on enforcing privacy laws. This new agency will replace the California Attorney General in interpreting and enforcing the CCPA. The ultimate impact of the agency will develop as its members are selected and interpret its mandate, but it is clear from the CPRA that it has broad authority to bring civil and criminal actions.

Select Key Provisions

The CPRA is not an entirely new law – it is an extension and modification of the CCPA. It adds a number of new definitions and provisions that, in some cases, extend the scope of the CCPA and, in other cases, clarify the requirements of the CCPA. The result is that companies that already comply with the CCPA will need to revisit their policies and procedures to ensure compliance with the CPRA. Key provisions include:

• Sensitive Data. The CPRA adds a definition of “sensitive data,” which includes government-issued identifiers, account log-in credentials, financial account information, precise geolocation, contents of certain types of messages, genetic data, racial or ethnic origin, religious beliefs, biometrics, health data, and data concerning sex life or sexual orientation, and allows consumers the ability to limit the use and disclosure of sensitive data.
• Data Breach Liability. The liability for data breaches under the CCPA has been expanded to include a private right of action for unauthorized access or disclosure of an email address and password or security question that would permit access to an account if the business failed to maintain reasonable security. These kinds of breaches are common and raise the stakes for companies doing business in California. The CPRA also eliminates the 30-day cure period for bringing private actions – something that was more confusing than effective.
• Annual Audits and Risk Assessments. Under regulations to be adopted by the new Agency, businesses that undertake high-risk processing will be required to have annual audits and regular risk assessments. In particular, such regulations would require businesses whose processing presents significant risks to consumer privacy or security to perform a thorough and independent cybersecurity audit annually.
• Automated Processing Limitations. A new concept of “profiling” has been added to the CCPA, consisting of “any form of automated processing of personal information, . . . to evaluate certain personal aspects relating to a natural person, and in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.” The Privacy Agency is required to develop regulations addressing access and opt-out rights for this kind of technology, similar to the requirements of the EU’s General Data Protection Regulation.
• Right to Correct Inaccurate Data. The CPRA adds the right to correct consumer data to the existing rights of notice and deletion.
• Limits on Sharing Personal Information. In addition to restrictions on the sale of personal information, the CPRA extends many of those limits to the “sharing” of personal information. This change will expand the obligations of companies to comply with opt-out and similar requests.
• Data Minimization. Similar to the GDPR, the CPRA adds concepts of data minimization, requiring companies to limit the personal information they collect to the type of information that is necessary for their operations, and to inform consumers of the length of time the business intends to retain each category of personal information and sensitive personal information, or the criteria used to determine that period.
• Service Providers, Contractors and Third Parties. The CPRA places new contractual and direct obligations on service providers, contractors and third parties. In particular, the CPRA adds and revises existing definitions in the CCPA, and adds a new definition for contractors, which focuses on the business providing data pursuant to a written contract, prohibiting the contractor from sharing or selling the personal data, processing it for any purposes other than those specified in the contract or combining it with data received or collected through other means, with some limited exceptions. Moreover, the CPRA contractually extends the data protection obligations of the act to service providers, contractors and third parties, and requires service providers and contractors to cooperate with and assist businesses in providing requested personal information in response to consumer requests, and complying with correction or deletion requests. As we learned from the CCPA, an effective date in two years is a short time when it comes to compliance with complex privacy laws. Companies that have taken steps to comply with the CCPA will need to take concrete steps to comply with the CPRA, including:

Continue reading

As a privacy and cybersecurity lawyer, I’m often asked by clients and potential clients about preparing a privacy policy – whether they need one, and how much it costs. And underlying the question is an assumption – privacy policies are really just formalities, and all they need to do is find the right form, or a competitor’s model, make sure to change the name and contact information, and they’re done.

They are right about one thing – any company that collects any kind of personal information needs a privacy policy. Laws throughout the world – not just in the United States, but in the European Union, Canada, Australia and elsewhere – have laws that require a privacy policy, some in great detail, others more generally. The California Online Privacy Protection Act, which went into effect in 2004, began this trend, and the advent of the General Data Protection Regulation (GDPR) in the European Union and the California Consumer Privacy Act (CCPA) in California increased the details for privacy policies of companies under their jurisdiction, by requiring greater detail on the types of data collected, the uses of the data, and how consumers can limit the use of personal data.

There are also third parties that require privacy disclosures, including Google Analytics, a ubiquitous feature of commercial websites.

But they are wrong about what it takes to create a privacy policy. Using another company’s policy might be a starting place, but it takes much more. Assuming that all privacy policies are alike is a dangerous practice – if a company does not take the steps to ensure that the policy is accurate and complete, it increases, rather than limits, its liability. Companies must analyze their data collection practices and make sure that reality is reflected in the policy.

What is Included in a Privacy Policy?

While there are a wide variety of policies, they generally include some key elements:

• Information about the business, including contact details;
• The types of personal data that is collected;
• How the data is used;
• Whether and how it is shared with third parties; and
• What does the company do to protect personal information?

Continue reading

CCPA: Hotel Loyalty Programs, Data Retention and the Brave New World of Privacy

By Robert E. Braun

The California Consumer Privacy Act (the “CCPA” or the “Act”) is a piece of consumer privacy legislation which was signed by California Governor Jerry Brown on June 28, 2018, and goes into effect on January 1, 2020. The Act is, far and away, the strongest privacy legislation enacted in the United States at the moment (although there are a number of contenders for that honor), giving more power to consumers to control the collection and use of their private data, and is poised to have far-reaching effects on data privacy.

What is the CCPA?

It is estimated that more than 500,000 companies are directly subject to the CCPA, many of them smaller and mid-size business, where the detailed requirements of the Act – disclosure and notice procedures, opt-out rights, updating privacy policies, and revising vendor agreements – is daunting. As discussed below, many hotels and hotel companies will be directly impacted by the Act, either because their qualify as a “business” as defined in the CCPA, or because they are associated with companies – brands and management companies – that are subject to the Act. Hotel owners, managers and brands that have not grappled with the requirements of the CCPA need to move quickly to do so, or risk potential liability under the penalty provisions of the Act.

Where did the Act Come From?

In early 2018, Alistair McTaggart, a California real estate developer, led an effort to include a new privacy law – the Consumer Right to Privacy Act of 2018 – on the November 2018 California ballot. By June 2018, supporters of the initiative had gathered enough signatures to earn a place on the November ballot. In response, California legislators, working with California businesses and other interest groups, negotiated and passed a substitute bill – the CCPA – in exchange for an agreement to drop the more restrictive text in the Consumer Right to Privacy Act from the November ballot.

The Act is aggressive, and cites the March 2018 disclosure of the misuse of personal data by Cambridge Analytica, as well as the congressional hearings that followed which highlighted the fact that any personal information shared on the internet can be subject to considerable misuse and theft. This prompted the California legislature to move rapidly to protect Californians’ right to privacy by giving consumers much more control of their personal information.

Because the Act was adopted so quickly, and because it was driven by the original proposition, the Act, as entered into law, does not have the kind of guidance that helps us understand how to implement the concepts in the Act. The California Attorney General has, as required under the Act, submitted proposed regulations that assist in complying with the Act, but much more needs to be done for businesses to feel comfortable in plotting a means of compliance. It is likely that our understanding of the Act, and how businesses can comply with the Act, will evolve over the coming years.

The Act as Part of a Broader Shift in Consumer Preferences

In order to understand the impact of the Act, and how to address its many changes, businesses need to understand how it reflects an evolution in consumer attitude toward the ownership and use of personal information.

In the United States, there have been few limitations on the collection or use of personal data. There are some exceptions – financial information is regulated under the Gramm-Leach-Bliley Act, health information is governed under the Health Insurance Portability and Accountability Act , and children’s information is addressed under the Children’s Online Personal Privacy Act. But in general, personal information – names, addresses, and other identifying information – may be collected and used without significant restriction, and consumers did not typically object.

The advent of computers and the increased ability to collect, store, process and monetize information, has changed consumers’ attitudes. Companies increasingly base their business models on the ability to collect and utilize information. This is not limited to firms like Facebook and Google; a variety of firms monetize the information they collect, both by direct marketing and by sharing, or selling, the data to others. Along with the “legitimate” use, came less savory forms, like credit card fraud and identity theft. As a result, individual consumers are increasingly concerned about how their personal data is shared.

Hotels should be particularly aware of this shift, since hotels are among the businesses most targeted by bad actors, and reports of data theft are regularly reported.

Behind these changes is a significant shift in the treatment of personal information. Increasingly, the belief is that an individual should have control over his or her identifying data, and not just a limited selection of financial data, but a broad array of information – essentially, anything that could be used to identify an individual. This would include not just names, addresses and other obvious data points, but also biometric and location data, of which many of us are unaware are being collected.

Do Hotels Need to Comply with the Act?

The Act is applicable to many businesses, whether located inside or outside California.? The Act applies to for-profit entities that both collect and process the personal information (as defined in the Act) of California residents and do business in the State of California – ?a physical presence in California is not a requirement to becoming subject to the Act. Additionally, the business must meet at least one of the following criteria: Continue reading

As most (but not all) business know, the California Consumer Privacy Act of 2018 (the “Act” or “CCPA”) goes into effect January 1, 2020. It is estimated that more than 500,000 companies are subject to the CCPA, many of them smaller and mid-size businesses that may not have pre-existing robust privacy policies and procedures.

The CCPA applies to for-profit entities that both collect and process the personal information (as defined in the Act) of California residents and do business in the State of California, whether or not the business has a physical presence in California. Businesses that meet at least one of the following criteria are subject to the Act:

• Generate annual gross revenue in excess of $25 million,
• Receive or share personal information of more than 50,000 California residents annually, or
• Derive at least 50 percent of its annual revenue by selling the personal information of California residents.

While enforcement actions by the Attorney General won’t begin until six months after the final regulations are published, or July 1, 2020, companies need to ensure they are in compliance on January 1, 2020, when the Act goes into effect. This article is a summary of a five-part series designed to guide companies through compliance, “Complying with the California Consumer Privacy Act in 5 (More or Less) Not So Easy Steps.”

Part 1 – Data Mapping

A company cannot comply with the Act without understanding what data the company collects, how it uses the data and who has access to it. Understanding how the company collects, processes, transmits and stores data – as well as how it’s used and who uses it – is the foundation of a data privacy program and the key to complying with the Act and most other privacy regulations. A company’s data is often its most valuable asset, but the exact movements of sensitive data are often poorly understood, providing unknown exposure points and increasing the risk of data loss.

There is a benefit to this practice that goes beyond complying with the Act. Companies can determine the extent of their data collection practices and whether it advances the business. Companies must realize that every point of data it holds is not just an asset, but also a liability. Eliminating unnecessary data reduces liability exposure. Understanding a company’s data profile leads to efficiencies in operations and can better rationalize costs associated with maintaining data, including cybersecurity and insurance expenses. Learn more here.

Continue reading