March 2020 will long be remembered as the month and year of en masse shutdowns.  But the pandemic has done little if anything to slow new cybersecurity and data privacy laws.  As highlighted below, regulations for one have been submitted (CA), another has gone into effect (NY), and yet another has been proposed (CA).

California Consumer Privacy Act (“CCPA”) Gets Confirmed by State Attorney General

After nine months, a lot of public input, and three proposed drafts, the regulations for enforcement of the CCPA have been submitted for approval.  The final text of the regulations demonstrates how granular enforcement could be.  Here are five examples:

  1.  A business’s required privacy policy must include the date it was last updated.
  2. A business must provide at least two methods for consumers to send requests for deletion of their information.
  3. A service provider can retain, use, or disclose information in certain circumstances, such as to detect security incidents even after a deletion request.
  4. A business must confirm within 10 days that it has received a request to know what it has collected from consumers.
  5. A business must have a documented policy for verifying the identity of a person making a request related to their personal information.

The California AG will begin enforcing the CCPA on Wednesday (July 1).  About his approach to enforcement he has stated:

We will look kindly … on those that … demonstrate an effort to comply … [but if companies] are not (operating properly) … I will descend on them and make an example of them, to show that if you don’t do it the right way, this is what is going to happen to you.[1]

Three of the main features of the CCPA – privacy policies, service provider agreements, and the ‘must have reasonable security’ requirement – were previously discussed in more detail here, here, and here.

New York’s SHIELD Act Gets Underway

When states pass new cybersecurity and data privacy laws they tend to emphasize or include things other states may have overlooked.  For example, Colorado mandates a written data destruction policy, Ohio creates a ‘safe harbor’ for business’s that implement certain requirements, and Illinois, Washington, and Texas established privacy rights for biometric data.

The SHIELD Act distinguishes itself for the degree to which it requires risk assessments.  To be sure, several states require businesses to assess the risks associated with their online and offline data collection practices.  But New York requires that at least three types of risk assessments be performed:

  1. Administrative: identify material internal and external risks and assess sufficiency of safeguards to control risks.
  2. Technical: assess risks in network and software design; and in information processing, transmission and storage.
  3. Physical: assess risks of information storage and disposal

These provisions of the SHIELD Act went into effect on March 21.  While there are no published enforcement actions yet, on May 7 a letter agreement was entered into by the NY Attorney General and Zoom Video Communications, Inc.  In that letter Zoom agreed to implement a comprehensive information security program that includes most of the above risk assessment types.[2]         

California’s Privacy Rights Act Gets Approved for Ballot[3]

In November, California voters will have the opportunity to vote on legislation that will require data privacy compliance in addition to the CCPA.  If voted in, the CPRA will go into effect on January 1, 2023.  Here are four things the CPRA will include that the CCPA does not:

  1. Includes a definition for sensitive personal information that will include special categories of personal data such as biometric and geolocation data.
  2. Creates a separate enforcement agency – a California Privacy Protection Agency – from the California AG’s office.
  3. Expands consumer rights to know how long personal information will be kept, how to correct inaccuracies, and how to limit the use of personal information.
  4. Requires that companies conduct annual audits and risk assessments relating to their data collection and use practices.

Based on the evolution of the new cybersecurity and data privacy laws discussed herein, compliance during the next six months will be another ongoing challenge.  If you have questions about the application of these laws to your organization, please contact Romaine Marshall at romaine.marshall@stoel.com or (801) 578-6905.

[1] Nandita Bose, Reuters: California AG Says Privacy Law Enforcement To Be Guided By Willingness To Comply (Dec. 10, 2019), https://www.reuters.com/article/us-usa-privacy-california/california-ag-says-privacy-law-enforcement-to-be-guided-by-willingness-to-comply-idUSKBN1YE2C4?feedType=RSS&feedName=technologyNews&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+reuters%2FtechnologyNews+%28Reuters+Technology+News%29

[2] Letter Agreement Between Zoom & the NYAG, N.Y. Attorney General, (May 7, 2020), https://ag.ny.gov/sites/default/files/nyag_zoom_letter_agreement_final_counter-signed.pdf

[3] California Privacy Rights Act Qualifies for the November 2020 Ballot (June 25, 2020), https://www.caprivacy.org/california-privacy-rights-act-cpra-qualifies-for-the-november-2020-ballot/