
Page 1: California Consumer Privacy Act of 2018 and GDPR …/media/files/insights/events/... • Class actions broadly applicable to businesses (regardless of location) that collect personal

December 12, 2018

Jim Halpert, Ed Totino, Ross McKean, James McGachie

California Consumer Privacy Act of 2018 and GDPR Class/Group Actions

Page 2: California Consumer Privacy Act – Game-Changing New Privacy Law in the US

www.dlapiper.com

What is the CCPA and why is it a big deal?

• Class actions broadly applicable to businesses (regardless of location) that collect personal information about California residents

• Effective January 1, 2020 (though ahead of this date, further amendments are expected and the CA Attorney General is to issue implementing regulations)

• Data breach private right of action available from January 1, 2020

• Privacy provisions enforceable by the CA AG sometime between January 1, 2020, and July 1, 2020

• Substantial new rights for CA residents. Rights not identical to those offered to EU residents under GDPR

• Significant operational impacts for covered businesses, likely to require significant time and effort to prepare

• Broad definitions and scope

• High risk of enforcement; potentially massive class action liability for data breaches

Page 3: Summary – Key Components – Focus on Class Actions

New Consumer Rights: access, deletion, opt-out, information.

Required Disclosures: will require changes to website and privacy policies.

Key Operational Changes: will need to know where data resides to be able to comply with requirements; data inventory.

Vendor Requirements: will need to ensure contracts with third parties that are processing data; otherwise will trigger consent requirements.

Heightened Enforcement Risks: potential private right of action, class action risk, AG enforcement.

Page 4: Heightened Enforcement Risks – CCPA Enforcement

• Potential private right of action and statutory damages of US$100-750 per violation in the event of a data breach of unencrypted or unredacted personal information, if the company does not have “reasonable” security.

• Significant class action risk!

• Enforcement of privacy provisions by the California Attorney General with penalties of up to $2,500 ($7,500 if intentional) per violation.

Page 5: Scope – Covered Entities, Limited Exemptions, Common Misconceptions

Covered Entities

• Entities (and parents and subsidiaries), regardless of location, that collect personal information about CA residents, AND

  • (a) have annual gross revenues over $25 million;

  • (b) annually buy or sell personal information of 50,000+ CA residents, households, or devices; or

  • (c) derive 50 percent or more of annual revenue from selling personal information.

• Limited Exemptions: the GLBA and DPPA exemptions do not apply to the class action provisions of the law

• Common Misconceptions: “the law does not apply to me because . . .”

  • “I do not sell data”

  • “I am a financial services company”

  • “I already comply with GDPR”

  • “I am not in the Ad Tech space”

  • “I am B2B”

  • “I do not have any customers in CA. I only have employees.”

Page 6: Scope – Data which if breached triggers class action risk

• An individual’s first name or first initial and his or her last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:

  • (i) Social security number.

  • (ii) Driver’s license number or California identification card number.

  • (iii) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

  • (iv) Medical information.

  • (v) Health insurance information.

Page 7: Compliance with GDPR is NOT Enough – High-level comparison – GDPR and CCPA

Data definition

• GDPR: Any information related to an identified or identifiable living natural person

• CCPA: Broader definition includes information that relates to, or is capable of being associated with, an individual, device, or household

Privacy policy/notices

• GDPR: More detailed notices, layered approach acceptable, distinction between data collected from the individual vs. collected from other sources

• CCPA: Less detailed notices + prescriptive as to placement of notices and the manner in which they must be received

Sale of data

• GDPR: No absolute right to opt-out of sale, but conditional rights to object to processing

• CCPA: Right to opt-out of disclosure (sale), subject to limited exceptions; entity must display opt-out link on website

Individual rights

• GDPR: Rights to access with narrow exceptions; conditional rights to erasure, to object to processing and to restrict processing; right to portability with broader exceptions and narrower range of in-scope data; no explicit right against discrimination, but discrimination may render processing unlawful

• CCPA: Right of access limited to data collected in the past 12 months, with fewer explicit exemptions; conditional right to erasure, no right to object to processing, no right of restriction or amendment; right of portability with fewer exceptions and broader range of in-scope data; right against discrimination for exercising rights

Class actions

• GDPR: No class actions for statutory damages

• CCPA: Data breach class action for statutory damages

Enforcement

• GDPR: Antitrust-sized administrative fines (up to 4% of global group revenue for serious violations)

• CCPA: Potentially high California AG enforcement ($7,500 per violation if intentional)

Page 8: Compliance Management – Key Components

• Data mapping and impact of sweeping definitions and broad scope.

• Process and mechanisms for individual rights requests.

• Notice and privacy policy requirements:

  • Review collection practices

  • New notices at or before collection

  • Changes to website and website policies

  • Update privacy policy every 12 months

• Vendor and third party management:

  • Mandatory contract terms for “service providers”

  • Data breach indemnification, encryption requirements

  • Deletion requests

  • Third party data flow

  • Resale of data

Page 9: Getting Started – What Companies Need to Do Now

Page 10: Action Items

• CCPA Breach Class Action is unlikely to be amended or clarified through rulemaking

• The biggest risk in CCPA – START SOON!

• Mapping Breach Notice Data Elements and Risk Profile

  • Scope/Source

  • Minimization/Deletion of unnecessary data

  • Contracts with service providers and 3rd parties that touch or have access to these data

  • Inventory – are breach notice data encrypted end-to-end? Redacted? Is a valid arbitration clause in place with CA residents?

• Ongoing Process

  • Establish controls

  • What are we doing now?

  • What do we want to do?

  • What are our risk areas?

Lead time to complete action items may drive the order in which they are addressed

Page 11: CCPA’s Challenges for Company GDPR Program

• Control processes designed for GDPR are unlikely to be fit for CCPA without changes

• Data breach risk is far greater under CCPA

  • Deletion, encryption, redaction or class action waiver are needed under CCPA

• GDPR data mapping will not be tailored to class action risk or sufficient for CCPA privacy requirements

  • Different scope and definitions (devices, household information, publicly available information, health and financial data)

  • Different data subject rights

  • Different privacy notices

• Commercial agreements amended for GDPR will need to be further amended (specific terms to avoid qualification as ‘third party’, data breach indemnification, cooperation in responding to deletion requests)

Page 12

“I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”

-- FBI Director Robert Mueller, 3/1/12

Page 13: Class Action Lawsuits for Data Breaches

• Statutory damages of between $100 and $750 per consumer per incident for breaches (or actual damages if greater), if

  • the data is not encrypted or redacted, and

  • the business did not have reasonable security practices and procedures

• No risk of harm required (may violate due process)

  • but this would allow for very expensive eDiscovery and trigger nuisance lawsuits after many reportable breaches

• Plaintiffs must provide the business with 30 days’ written notice identifying the specific provisions violated

  • 30 day cure period after notice, but difficult in most breaches

Page 14: CCPA Data Breach Cause of Action – Elements

• Any of the above combinations of data elements

• Subject to unauthorized access and exfiltration, theft, or disclosure

  • Access is required – so maybe not a laptop theft, or accidentally emailing the info to the wrong address?

• Resulting from “the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information”

  • Invites broad discovery into the business’s security program – an eDiscovery nightmare

Page 15: CCPA Defenses

Defenses

• Encryption

• Redaction

• 30 day right to cure – get your data back!?

Other Prevention

• Deletion of breach notice data elements

• Use of class action waivers – CCPA purports to prevent these, but federal FAA law preempts

Other Risk Management

• Obtain certification that you follow an accepted security standard

• Cyber insurance

Page 16: Mitigation of Class Action Risk

• Before data breach

  • Protection via terms and conditions – arbitration provisions with class action waivers

  • Certifications / Surveys / Audits showing reasonable security measures in place

  • Introduce variation in practices if possible to limit size of potential class

• After data breach

  • Attempt cure of data breach and provide consumer notice of cure

  • Argue that stopping further data breach is cure

  • Argue that improving security measures and improving encryption is cure

• After lawsuit filed

  • If in California court, try to remove to federal court

  • Early motions to dismiss or strike class definitions to limit size of class / class discovery

Page 17: GDPR – Damages for Distress and Class Actions

GDPR damages for distress – a new Payment Protection Insurance?

• Came into force 25 May 2018

• Article 83 GDPR: General conditions for imposing administrative fines: regulatory action not the only concern!

• Introduces statutory right to damages for distress

  • Article 82(1) – provides right to compensation for distress: "Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered."

  • Article 80(1): Representation of data subjects: "The data subject shall have the right to mandate a not-for-profit body, organisation or association…to lodge the complaint on his or her behalf…"

Page 18: GDPR – Damages for Distress and Class Actions

Risk that any regulatory fine or action may be the catalyst for privacy litigation, on the basis that fault may be considered to have been established – litigation costs may ultimately outstrip the fine!

Page 19: GDPR – UK Developments

• Lloyd v Google [2018] EWHC 2599 (QB)

  • Alleged contravention of UK data protection legislation based on the so-called “Safari Workaround”, by which Google allegedly used its “DoubleClick cookie” technology on the iPhone Safari browser to obtain browser-generated information about iPhone users in 2011-2012

  • Claim did not proceed on the basis of distress – it was premised simply on the fact that a breach was averred to have occurred. Court rejected this argument:

    • “I do not believe that the authorities show that a person whose information has been acquired or used without consent invariably suffers compensatable harm, either by virtue of the wrong itself, or the interference with autonomy that it involves. Not everything that happens to a person without their prior consent causes significant or any distress. Not all such events are even objectionable, or unwelcome. Some people enjoy a surprise party…”

  • Court determined there was no real prospect it would allow the claim to progress as a representative claim under the relevant English rules: “This is a novel form of action, but everything was new once… That does not mean, however, that the Court must permit such an unauthorised action to continue, come what may”

Page 20: GDPR – UK Developments

• Various Claimants v Wm Morrisons Supermarket PLC [2017] EWHC 3113

  • Group litigation involving circa 5,500 employees (from an affected group of almost 100,000) following deliberate, criminal actions of a disgruntled employee

  • October 2018 – English Court of Appeal held that:

    • Morrisons was not directly liable for the breach: it did not itself misuse any private information, and – except in one inconsequential respect – its data security measures were adequate.

    • Morrisons was, however, vicariously liable for the rogue employee’s actions – insurance viewed by the court as key:

"There have been many instances reported in the media in recent years of data breaches on a massive scale caused by either corporate system failures or negligence by individuals acting in the course of their employment. These might, depending on the facts, lead to a large number of claims against the relevant company for potentially ruinous amounts. The solution is to insure against such catastrophes; and employers can likewise insure against losses caused by dishonest or malicious employees."

Page 21: GDPR – Pan-European Perspectives

• Belgium – Test-Aankoop/Test-Achats collective class action

• Germany – Amtsgericht decision of 7 November 2018

• Netherlands – Privacy Claim against Precent Ltd – July 2018

Page 22: Privacy Litigation Trends

• California Invasion of Privacy Act (Cal. Penal Code §§ 630, et seq.)

  • Class actions started around 2006 when California expanded its law to interstate telephone calls

• California Shine the Light Law (Cal. Civil Code § 1798.83)

  • Cases filed when the statute first became effective in 2005, faded away, and recently began to be filed again

• Telephone Consumer Protection Act (47 U.S.C. § 227)

  • Over 4,000 new cases filed in 2016 and 2017

  • Over 2,000 new cases filed in first half of 2018

• Data Breach Litigation

  • Around 50 to 100 class actions filed per year pre-CCPA

As demonstrated by the number of TCPA cases, the availability of statutory damages can lead to a large increase in cases. CCPA class actions may well be next, given the volume of breaches.