The California state legislature enacted the California Consumer Privacy Act (CCPA) in 2018 through Assembly Bill 375 (AB 375), later amended by Senate Bill 1121 (SB 1121); the statute took effect on 1 January 2020. The CCPA refers to consumers in its language, a term that by definition includes employees. The consumer rights addressed in this statute are:
- The right to request the deletion of personal information
- The right to request disclosure of categories of information and the identity of third parties to which the information was sold or disclosed
- The right to opt out of the sale of personal information
The CCPA requires significant organizational preparation for compliance. It applies to any for-profit entity that does business in California and meets at least one of the following criteria:
- Annual gross revenue of more than US$25,000,000
- Annually buys, receives, sells or shares the personal information of 50,000 or more consumers, households or devices
- Derives 50% or more of its annual revenues from selling consumers’ personal information
The CCPA imposes new obligations on organizations that are subject to the statute. For example, enterprises must give consumers notice at or before the point of data collection. They must implement working procedures for handling requests to opt out, to know and to delete. For opt-out requests, the organization must provide a Do Not Sell My Personal Information link on its website and in its mobile application (app). Enterprises must respond to requests to opt out, to know and to delete within the statutory timeline (45 days of receipt for requests to know and to delete, extendable once when reasonably necessary). Organizations should treat any user-enabled privacy setting that signals a consumer’s decision to opt out as a valid request. Organizations are also required to verify the identity of a consumer who submits a request to know or to delete, even when that consumer has a password-protected account.
It is important to note that the CCPA and the EU General Data Protection Regulation (GDPR) are distinct regimes with different requirements; compliance with one does not establish compliance with the other. An enterprise subject to both may therefore carry additional responsibilities under the California law. For example, GDPR requires covered organizations to maintain a data inventory and map their data flows, and to keep compliance-related records. An organization that has done this work for GDPR will likely need to extend its data mapping to cover the categories of personal information, the sources and the third-party disclosures that the CCPA requires it to report. GDPR also requires processes and/or systems for responding to requests for access to or deletion of personal information, but the two statutes define personal information differently, so an enterprise subject to both must reconcile those definitional differences before reusing its GDPR procedures. Under the CCPA, personal information includes:
- Identifiers (e.g., real name, alias, postal address, IP address, email address, account name, social security number, driver’s license number, passport number)
- Commercial information (e.g., personal property records, purchased products or services)
- Biometric information
- Internet or other electronic network activity information (e.g., browsing history, search history)
- Geolocation data
- Audio, electronic, visual, thermal, olfactory or similar information
- Professional or employment-related information
- Education information that is not publicly available personally identifiable information (PII), as defined in the US Family Educational Rights and Privacy Act (FERPA)
Biometric privacy laws are an essential component when it comes to cybersecurity. Organizations now routinely collect fingerprints, face scans or other biometric identifiers from consumers and employees, and in recent years there has been a significant increase in putative class action lawsuits over that collection in various jurisdictions. In an effort to regulate the practice, state legislators have passed laws. For example, the US State of Illinois passed the Biometric Information Privacy Act (BIPA), which prohibits private organizations from obtaining a person’s biometric identifier or biometric information unless that person is notified in writing and signs a written release. This legislation clearly affects consumer relations, but it is arguably even more important for employers that have implemented biometric tools to confirm time entries, since those systems collect a biometric identifier from every employee who clocks in. The CCPA defines biometric information as an individual’s physiological, biological or behavioral characteristics (e.g., DNA) that can be used to establish individual identity. Biometric information includes “imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.”1
In the near future, there will be additional legislation on privacy and cybersecurity. Legal and non-legal experts should therefore take the time to review and understand these rules so they can protect their clients’ enterprises and implement the necessary security measures. It is imperative for businesses and their employees to understand the rules and regulations that apply to them.
Salar Atrizadeh, JD
Is an attorney with an extensive background in technology licensed to practice in the US State of California, the US District of Columbia and the United States District and Bankruptcy Courts. He has litigated legal actions in US state and federal courts for more than a decade. He has conducted seminars regarding artificial intelligence, augmented and virtual reality, privacy, cloud computing, cybersecurity, crowdfunding, cyberpiracy, cyberespionage, digital currencies, e-commerce transactions, electronic discovery, Internet of Things, online sales tax laws and online banking fraud before professional organizations, including the US State Bars of California, New Mexico and Oklahoma; SecureWorld Conferences, the American Law Institute, the University of Tulsa (Oklahoma, USA), Thomson Reuters/Rutter Group, NextSpace, Institute of Internal Auditors, IEEE, Rotary International and US Chambers of Commerce. Atrizadeh has educated legal and non-legal experts about Internet, technology, and computer laws, and applicable US state, federal, and international rules and regulations. He has presented before educational institutions on the topics of cyberharassment, cyberstalking and cyberbullying. He is an adjunct professor at California Lutheran University (USA) where he teaches business law courses. Atrizadeh has been interviewed by local, national, and international news and media outlets. He has also served as a legal expert on various panels and educated the public on the importance of privacy, security and regulation.
Endnotes
1 California Legislative Information, “Title 1.81.5. California Consumer Privacy Act of 2018 [1798.100 - 1798.199],” California Civil Code, USA, 2018