As the economy revives from the COVID-19 lockdowns, we expect privacy law regulatory enforcement to return to the pre-COVID-19 pace.
The privacy regulations affect all businesses, including the alcoholic beverage industry, and are “strict liability” laws. “Strict liability” means the business will be automatically “guilty” if found non-compliant. There is no “grace period” to rectify the claimed violation nor to offer any defense if non-compliant. Even more problematic, besides enforcement by government, these statutes also allow private parties to “enforce the law” by filing private complaints for claimed violations. These private complaints (the lawyers are referred to as “bounty hunters”) typically lead to significant monetary settlements. The settlement agreements include payment of the plaintiff’s attorney fees, a significant liability of its own (often larger than the fines from violation of the regulations).
California Privacy Law: The California Consumer Privacy Act of 2018[i] (CCPA), the California Privacy Rights Act of 2020[ii] (CPRA), and the California Online Privacy Protection Act (Cal OPPA)[iii], together, are the most comprehensive set of privacy regulations in the U.S. Every company doing business with California residents is subject to these provisions, even if the business is not physically in California. Besides the provisions in the statute(s), the California Attorney General’s office has published detailed regulations to implement the CCPA statute[iv] and is now amending the regulations to implement the additional requirements in the CPRA statute. Any violation of the regulations will violate the statute.[v]
European Union Privacy Law: This note only addresses California privacy law and does not discuss the European General Data Protection Regulation (GDPR)[vi]. A U.S. company whose website contains general website advertising only (without targeting residents in the EU) will not be subject to the GDPR even if its website is accessed by residents in the EU. If the company has no other direct business relationship in the EU, the company is not subject to GDPR regulations. However, a company must comply with GDPR regulations if it has: (1) assets in the EU (affiliates or subsidiaries), (2) significant business in the EU, and/or (3) if the company’s website targets EU residents specifically encouraging EU residents to purchase its goods or services. (Again, general advertising is not “targeting.”)
Is Your Privacy Policy Up-to-Date?
Alert: The one or two paragraph privacy policies of the past are no longer sufficient for compliance with California’s new privacy laws.
How the Law Defines Privacy Policies and the Consumer’s “Personal Information”.
Privacy policies currently must comply with the CCPA that became effective on January 1, 2020. The CCPA will expire on December 31, 2022 and the new CPRA becomes effective on January 1, 2023. However, the CPRA does not replace the CCPA but expands and adds to the CCPA law and regulations.
California regulations define a privacy policy as “the statement that a business shall make available to consumers describing the business’ practices, both online and offline, regarding the collection, use, disclosure, and sale of personal information and the rights of consumers regarding their own personal information.”[vii]
California defines “personal information” as:
“Personal information” means information that identifies, relates to, describes, associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to the following:
(A) Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.”[viii]
Personal information also includes precise geolocation information, biometric data, device IDs, cookie IDs, and internet activity information such as browsing and search history. Inferences drawn from such personal information to create a “profile” about a consumer’s preferences and behavior are also considered “personal information”.
The act of “collecting” personal information is also broadly defined. The CCPA defines “collects”, “collected”, or “collection” as: “buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means.”[ix]
Who Must Comply?
A business that falls under one of these three threshold requirements is subject to the Privacy Law:
Annual gross revenues ≥ $25 Million.
Derives 50% of annual revenue from selling the personal information of CA residents.
Obtains personal information of at least 50,000 CA residents or households annually.
Note: Obtaining personal information of at least 50,000 CA residents/households annually is much easier than one may think. For example, 137 unique CA visitors/day to a website qualify under this threshold. Consumer IP addresses routinely collected as part of regular website data collection count as “personal information” collected even if the consumer only looks on the website and does no business at that time (or ever).
Every company, wherever located, doing business with a consumer in California, is subject to the CCPA and CPRA regulations if the business meets any one of the threshold levels.
What Information Must Be Included in the Privacy Policy?
The first rule is that the policy must (1) be written using clear and straightforward language and in a format that makes the policy easily readable (including on small screens) and (2) the format must allow the consumer to print the policy as a document.
The second rule is that the privacy policy must be posted online with a conspicuous link using the word “privacy” on the website’s home or main page.
The following categories of information must be in the privacy policy under the CCPA regulations.
(1) Describe each category of personal information the business collects.
(2) List the sources from which the personal information is collected.
(3) List for what purposes the personal information is collected.
(4) Specify the categories of third parties with whom the information is shared.
(5) Explain the consumer’s right to request to see what information has been collected.
(6) Describe how a consumer may request his/her data be deleted. (An exception is if the information is for legitimate business purposes.)
(7) The policy must also describe the security measures the business has in place for data security. The law requires all businesses collecting data to adopt “all reasonable security procedures and practices.” (Encryption of data is the most critical security procedure to have in place.)
If the business sells/shares personal data:
(8) You must disclose if the business sells/shares consumer information/data to benefit the company. If personal data is sold or shared for company advertising, the business must include a clear and conspicuous “do not sell” link on the home page and any consumer must be able to access this link without requiring the creation of an account.
(9) Include a statement clarifying that a consumer will not be discriminated against if the consumer opts out of the sale of their data.
Be Prepared to Comply with the New Additional CPRA Provisions.
Under both the CCPA and CPRA statutes the consumer has the right: (1) to know what information is being collected, (2) to delete personal data, (3) to opt-out of the sale of his/her data to a Third Party, and (4) to non-discrimination if the consumer opts-out.
The CPRA expands the CCPA Regulations:
1. The CPRA adds two additional consumer rights: (1) the right to limit how their information is used and disclosed, and (2) the right to request any incorrect information be corrected promptly without incurring penalties.
2. The CPRA adds a new definition: “Sensitive Personal Information” described as any Personal Information that reveals:
(a) A consumer’s social security, driver’s license, state identification card or passport number.
(b) A consumer’s account log-in, financial account, debit card, or credit card number combined with any required security or access code, password or credentials allowing access to an account.
(c) A consumer’s precise geolocation.
(d) A consumer’s racial or ethnic origin, religion, union membership or philosophical beliefs.
(e) A consumer’s genetic data, biometric data, health data and sexual orientation.
(f) The contents of a consumer’s mail, email and text messages unless the business is the intended recipient of the communication.[x]
3. Another important change under the CPRA is the definition of “sell”. Under the CPRA the definition of “sell” is expanded to include “sharing” of information. Under the CPRA “to sell” includes not only transfers of personal information for monetary or other valuable consideration, but also “sharing” the information, such as disclosures for a commercial purpose including advertising that benefits the company. Money need not be exchanged between the parties for the transaction to fall under the definition of “sell”.
4. CPRA distinguishes between “non-personalized advertising” (general advertising) and “cross-context behavioral advertising”[xi]. Cross-context behavioral advertising substantially relies on “profiling”, and the CPRA added a new definition for profiling.[xii] Under the CPRA, a consumer has the right to “opt out” of behavioral advertising practices. This is similar to the right to opt-out of the sale or sharing of personal information.
5. Under the CPRA the collection, storage and use of identifiable consumer information is limited to what is necessary to exchange goods or services successfully. Companies may not gather, retain or use data that is not necessary to the purpose for collecting the data nor retain the data longer than needed for the business purpose for which it was collected.[xiii]
6. Under the CPRA the definition of third-parties is no longer limited to service providers that process personal data for the business, payment authorizers and product or service providers. Under the new definition, the business must also disclose any third-party contractors with whom the business has a contract and with whom personal information is shared.
7. If the business discloses personal information to a service provider or contractor for a business purpose, the business must have a contract with that party that (a) specifies the information is disclosed only for limited and specified purposes, (b) obligates the third party to comply with the CPRA regulations, and (c) requires the third party to secure the data. (Note: most security breaches occur through third parties.)
8. Enforcement is Changed: The primary enforcement is when there is a breach of security and a corresponding unwarranted disclosure of consumers’ personal information. Under the CCPA, the state Attorney General (AG) enforces the law. Businesses have 30 days to resolve the complaint before fines are levied by the AG. Consumers have the right to private action (lawsuits) if unencrypted or unredacted data is breached due to negligence by the company.
The CPRA creates the California Privacy Protection Agency[xiv] to enforce the law and businesses will no longer have a 30-day grace period. They now face fines immediately after a breach is reported. Under the CPRA consumers additionally may file a civil action against a business for not having, or maintaining, security measures for unencrypted/unredacted data pertaining to email addresses, passwords, and answers to security questions.[xv] Further, the statute explicitly states that implementing reasonable security procedures and practices after a breach does not constitute a cure with respect to that breach.
9. Risk Assessments and Audits. Under the CPRA annual cybersecurity audits and risk assessments must be made by businesses that process data and whose practices may put protected data at risk for a cybersecurity breach. This regulation only applies to companies whose practices may put protected data at risk. The statute is unclear and for now, it is up to the company to determine if its security practices are putting protected data at risk. The statute states it is the obligation of the business collecting consumer personal information to implement “reasonable security procedures and practices appropriate to the nature of the personal information to protect it from unauthorized or illegal access, destruction, use, modification, or disclosure.”[xvi] It is a wise business practice for a company to do a risk assessment and audit of its cybersecurity practices.
A Word About E-Mail Marketing
Email marketing is an effective marketing channel and widely used. However, because email marketing is data driven and uses personal information gathered either directly or indirectly from data subjects, you must mention use of emails in the Privacy Policy sections describing what data you collect, how you collect the data, cookies, and automatic data collection methods. The general rule of thumb is it is acceptable to send marketing messages to consumers who signed on to your own database list. However, you must be more circumspect if using a database purchased from a third-party provider.
The Cal OPPA was passed in 2004 and requires any company using email marketing: (1) to have a Privacy Policy disclosing what type of personal information your website or application collects, (2) to explain if personal information is acquired from third parties, and (3) to provide an easy method allowing consumers to opt out of the use of their personal information and to unsubscribe from the email list. A written, easily found Privacy Policy on the home or main page is compliant.
Note that a third-party email client will generally always have its own privacy policy, but you must have your own privacy policy and assure the two policies concur. The email client is the “data processor” and the company is the “data controller”. As the “data controller”, you must determine the purposes and means of processing personal data and must comply with the privacy laws. This requires a written agreement with the data processor.
A final note on email marketing: comply with false advertising laws. Misleading or false advertising is strictly prohibited under both California and Federal law.[xvii] It is important that the header of the email be clear regarding the content/purpose of the email.
A Short Word About Data Brokers
Data brokers collect a large range of information from online and offline sources and much of the data is personal information. The brokers combine pieces of information and separate them into “categories” that are then sold to companies. The most important information used in developing these categories are a consumer’s web and purchase history, age, gender, and income. This data improves targeting certain segments for advertising. The brokers create different databases of individuals and use them later for targeted advertising and marketing. Generally, the brokers search the internet for publicly available information from social media sites and receive it from companies who have collected the data themselves.
You must be careful if using a data broker. Although collecting data for a “legitimate business interest” is acceptable, the law does not consider advertising to be a “legitimate business interest”. Be sure any data received or used was gathered for a legitimate business purpose or with consumer consent.
If you purchase targeted databases, you must disclose this in your privacy policy.
Breach of Security Issues
There is no precise definition of “reasonable security procedures and practices” and this is now working its way into the Courts. The most important task for a company is to document what practices and procedures are in place to assure security. Employee manuals/training and any HR manuals should be updated to include CCPA requirements and precautions to be taken.
By far, malware and hacking present the greatest threat of security breaches, both in the number of breaches and the number of records breached. The retail sector especially struggles with malware and hacking comprising approximately 90 percent of all retailer breaches.
Physical breaches, resulting from theft or loss of unencrypted data on electronic devices, only represent approximately 20 percent of security breaches. Breaches caused by errors, predominantly from misdelivery of email, for example, and inadvertent exposure on the public Internet also represent approximately 20 percent of security breaches.[xviii]
Data security is the responsibility of every company that collects Personal Information and must be taken seriously. Encryption of data is always the strongest and most basic choice for data security.
The California Attorney General’s position is that the information security laws and regulations generally require a risk management approach. This means companies must develop, implement, monitor, and regularly update a comprehensive information security program. The required security risk management process generally includes the same basic steps: (1) Identify information assets and data to be secured. (2) Assess risks to the assets and data. (3) Implement technical, administrative, and physical controls to address identified risks. (4) Monitor effectiveness of controls and update as risks, business practices, and controls evolve.
The Center for Internet Security (CIS) is a nonprofit organization that many regulators look to for “reasonable security procedures and practices”. CIS promotes cybersecurity readiness and response by identifying, developing, and validating best practices and recommends a set of 20 security measures for data security.
Section 1798.82 of the California Civil Code outlines a detailed process for a notification to be provided to any California resident whose personal information was compromised by a breach of security. A best practice is to notify the regulatory authorities and consumers. Further, be aware that many other states have adopted their own privacy protection laws with similar notification of breach requirements.
One protection commonly advised for companies that collect and retain personal information is to review their insurance coverage for cyber incidents.
Penalties for Failure to Comply with California Privacy Laws/Regulations
Penalties may range up to $2500 per inadvertent violation and up to $7500 if the breach was because of failure to employ “reasonable” security practices. Because this law only became effective on January 1, 2020, filed complaints are just now working through the court system. Generally, the complaints are seeking “class action” status that will greatly increase the penalties.
There is a private right of action (lawsuit) only in cases of a breach of security, but many plaintiffs are suing under the Unfair Competition law and bringing the Privacy laws in through the backdoor.
Summary:
Know what type of Personal Information you collect, receive, retain and/or share.
Be sure you post a clear and complete Privacy Policy on the main/home webpage.
Collect data for specific and legitimate business purposes.
Don’t keep data that is no longer used and keep data up-to-date.
Develop and maintain strong cyber security practices (encryption is a “must”).
Disclaimer: California privacy statutes and regulations are long and detailed. This post only summarizes the law and is for information only and not intended to provide or be relied on as legal advice. Please consult with your counsel for advice about specific questions.
[i] California Civil Code Sections 1798.100 et.seq. This section of the law known as the California Consumer Privacy Act of 2018 is effective beginning January 1, 2020 and expires on December 31, 2022. The CCPA did not replace the 2004 Online Privacy Protection Act (Business and Professions Code sections 22575-22579) but added significant detail to what must be included in a privacy policy.
[ii] California Civil Code Sections 1798.100 et seq. This section of the law was adopted with the passage of Proposition 24 in the 2020 election and is known as the California Privacy Rights Act of 2020. This part of the Privacy law becomes effective on January 1, 2023.
[iii] California Business & Professions Code 22575, et seq.
[iv] 11 CCR 999.300 et seq.
[v] 11 CCR 999.000(b).
[vi] The GDPR has been in effect since 2018. U.S. businesses must comply with the GDPR regulations only if they have assets, affiliates or significant business in the EU such as contracts with EU companies. The primary difference between the CCPA/CPRA and the GDPR is that under the GDPR, you may only retain personal information if the customer affirmatively “opts-in”. California law states the customer must be provided the option to “opt-out”.
[vii] 11 CCR 999.301(p).
[viii] California Civil Code 1798.140(o).
[ix] California Civil Code 1798.140(e).
[x] California Civil Code 1798.140(ac).
[xi] California Civil Code 1798.140(k). “Cross-context behavioral advertising” is defined as the targeting of advertising to a consumer based on a profile of the consumer including predictions derived from the consumer’s personal information and the profile is developed based on the consumer’s activity over time and across multiple businesses or across multiple, distinctly-branded websites.
[xii] California Civil Code 1798.140(z).
[xiii] California Civil Code 1798.100(c).
[xiv] California Civil Code 1798.199.10.
[xv] California Civil Code 1798.150.
[xvi] California Civil Code 1798.100(e).
[xvii] See, e.g., California Business & Professions Code 17529.5(a) and 15 U.S.C.A. section 7704.
[xviii] Information from the California Attorney General’s 2016 Data Breach Report.
This blog is dedicated to occasional (and hopefully interesting) reports of state and national alcoholic beverage regulatory developments that we encounter in our practice. Booze Rules (and any comments below) are intended for informational use only and are not to be construed as legal advice. If you need legal advice please consult with your counsel.