A survey of U.S. corporate leaders released only a few months ago found those CEOs ranking cyber threats and the potential over-regulation of data privacy among the greatest challenges to the growth of their organizations.
If that survey were taken again today, these top results undoubtedly would be shuffled by the emergence of the COVID-19 pandemic and the resultant global economic downturn.
But even while organizations are required to confront challenges posed by COVID-19, new state laws demand attention to privacy compliance issues from business leaders and legal teams.
Last month, enhanced data security requirements became applicable under New York’s SHIELD Act to any entity collecting or storing personal information of a New York resident, even if that entity has no physical presence and no other commercial links to New York state.
Next, on the immediate horizon, is the July 1 commencement of enforcement of California’s Consumer Privacy Act (CCPA), which limits collection and use of personal information of California residents.
And looming over that horizon? A new and even more demanding California privacy law being referred to as “CCPA 2.0,” which may be on the ballot for approval by California voters in November.
Because of their broad scope, and in the absence of attention from the federal government, these state regulations are imposing nationally applicable standards for data security and privacy compliance.
The New York SHIELD Act
The “Stop Hacks and Improve Electronic Data Security” Act took final effect March 21, and while the substantive provisions of the law are important, the act’s jurisdictional applicability may be its most notable aspect.
The SHIELD Act applies to “any person or business that owns or licenses computerized data that includes private information of a resident of New York.” This assertion of extraterritorial applicability and jurisdiction is more expansive than the approach taken by previously enacted privacy laws, including the CCPA (which applies to entities that “do business in California”) and even the EU’s General Data Protection Regulation (which largely applies to non-EU businesses only if they “target” the marketing of goods or services at EU consumers).
The Act’s definition of “private information” is also expansive, encompassing a name or other personal identifier (including signature) coupled with a Social Security or driver’s license number, financial account information, biometric data, or, most broadly, a user name or email address together with a password that would permit access to an online account.
Given this broad definition, the lack of any jurisdictional limitation, and the sizable population of New York state, the SHIELD Act essentially applies to all businesses with customers in New York, and also to any entity operating a website that allows users from New York to sign into an individual account (even if that account is not used for e-commerce).
The data security provisions of the SHIELD Act that took effect in March require these entities to “develop, implement and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the private information including, but not limited to, disposal of data.” The “reasonable safeguards” to be implemented include a well-developed data security program (e.g., written policies, training of employees on security practices, and scrutiny of vendors) together with reasonable technical and physical safeguards (such as risk assessments, intrusion detection, testing and monitoring of systems, and routine and secure disposal of data, devices, and storage media). For a more thorough discussion of how a business can meet such requirements, please review my column, “Defining Reasonable Care for the Protection of Personal Data,” from the Feb. 25 edition of The Legal Intelligencer.
In addition to these data security requirements, the SHIELD Act also bolsters New York’s data breach notification requirements, which, like the act’s data security requirements, now apply to any entity that collects and stores private information of a New York resident regardless of whether the breached entity “conducts business” in the state of New York. In addition to this jurisdictional expansion, the act’s expanded breach notification requirements most notably clarify that an incident must be reported as a “breach” if unauthorized persons “access” electronically stored private information, even if the information is not downloaded, copied, or shared by those third parties.
The California Consumer Privacy Act requires that businesses notify consumers of the businesses’ data collection practices at the point of collection, whether that collection occurs online or offline. The act also requires businesses to put in place processes to fulfill consumer requests for access to or deletion of their personal information (defined broadly to include any information that can be used to identify an individual, including a name or email address) and to allow consumers to opt-out of sales and certain transfers of that personal information.
While the CCPA had an effective date of Jan. 1, the enforcement of the law is not scheduled to commence until July 1. The California Attorney General has emphasized, however, that its enforcement of the act will not be delayed further by the COVID-19 pandemic, despite requests by trade groups for such a postponement.
In the meantime, the attorney general has been promulgating draft regulations intended to guide the interpretation of CCPA’s requirements. The most recent March 2020 revisions to those regulations address issues including whether vendors (“service providers” under the CCPA) may use personal information for internal purposes, the language that must appear in online privacy policies, what constitutes a “sale” under the act, and whether a computer’s IP address is considered “personal information” that can reasonably be linked to an individual. Despite this third iteration of draft regulations, some of these issues remain very unclear with only a few months left before the law is enforced.
One issue not addressed whatsoever in these draft regulations is the potential extraterritorial scope of the CCPA. While the CCPA applies only to entities “doing business in the state of California” (and meeting other criteria), that phrase is undefined in the text of the act. In the absence of a statutory definition or regulatory guidance, there is substantial uncertainty as to whether the law applies to or could be enforced against a business that has no physical location in California. Under California law, there are various, sometimes conflicting concepts of what it means to “do business” in the state. The applicable test may be whether the company is required to pay taxes there, whether state law requires an out-of-state business to register with the state, or perhaps whether the company has adequate contacts with the state to justify the state’s exercise of personal jurisdiction over the company.
While the legal niceties of the “doing business” test are up for debate (along with the enforceability of the act against nonresident entities), it appears clear that the CCPA is intended to be interpreted broadly to protect the privacy of California consumers. Viewed through that framework, any business that maintains ongoing commercial relationships with California residents (e.g., by shipping goods to the state, maintaining online accounts for California consumers, or targeting advertisements at California residents) may potentially be subject to enforcement and would best be advised to comply with the CCPA.
Looking further into the future, the November 2020 elections may include a ballot initiative in California seeking voter approval of the California Privacy Rights and Enforcement Act, colloquially dubbed “CCPA 2.0.” If the ballot initiative passes, the law would take effect in January 2023.
CCPA 2.0 seeks to “operationalize” the CCPA by creating the California Privacy Protection Agency, an independent executive agency tasked with taking over enforcement of these laws from the California attorney general. CCPA 2.0 would also adopt a new category of “sensitive personal information” (including categories such as race and ethnicity, but also the contents of private communications) that would receive enhanced legal protection, similar to protections afforded in the EU under the GDPR. CCPA 2.0 also would put further restrictions on the use of personal information, particularly for online targeted advertising such as tracking users from one website to another website.
To qualify for the November ballot, the sponsors of CCPA 2.0 must obtain more than 600,000 voter signatures by the end of April. As of December, the sponsors indicated they were on pace to meet this requirement, but social distancing due to COVID-19 might have hampered the collection of signatures from California voters. If CCPA 2.0 makes it to the ballot, and is voted on and approved, this will continue the push being led by U.S. state governments toward more robust regulation of privacy and data security practices.
Devin Chwastyk is a member of McNees Wallace & Nurick and the chair of the firm’s privacy and data security group. For more than 15 years, he has represented parties in data breach litigation, counseled businesses on compliance with emerging privacy laws, and helped clients respond to data security incidents.