FMG Law Blog Line

Posts Tagged ‘CCPA’

CCPA Enforcement: It’s Here … And Beyond

Posted on: September 14th, 2020

By: Rick Bortnick

On July 1, California’s Attorney General (“OAG”) began enforcing the California Consumer Privacy Act (“CCPA”) against Covered Entities, notwithstanding that California’s Office of Administrative Law (“OAL”) had yet to approve CCPA’s correlative regulations. That changed on August 14, when the OAG announced that it had approved CCPA’s final regulations, albeit with what the OAL characterized as “non-substantive changes for accuracy, consistency, and clarity.”

OAL’s changes included a modification of the mandate requiring Covered Entities to include a “Do Not Sell My Info” link on their home page enabling consumers to “opt-out” and direct the Covered Entity not to sell their personal information. The OAL now requires Covered Entities to display a “Do Not Sell My Information” link rather than the shorthand “Do Not Sell My Info” phrase.

While the OAL’s deletion of the shorthand link is effective immediately, businesses have 30 days to cure any alleged violations from the date they receive a non-compliance letter.

In addition, the OAG withdrew four of the sections it previously had proposed as follows:

  1. removed guidance on how businesses may use previously collected information for a materially different purpose by obtaining express consent from consumers;
  2. removed guidance on how businesses substantially interacting with consumers offline should provide notice of the right to opt-out via an offline method;
  3. removed guidance on how businesses can provide consumers methods for submitting opt-out requests; and
  4. removed a section addressing a Covered Entity’s ability to deny certain requests for authorized agents.

The OAG hit the ground running from the moment its authority to enforce CCPA took effect. That same day, the OAG sent compliance letters to businesses across all sectors notifying the recipients of alleged CCPA violations.

The Attorney General was not the only one eager to enforce CCPA. Within days, a putative class of consumers sued Walmart alleging that it had violated CCPA’s security provision, had been negligent under the California Customer Records Act, had committed unfair business practices, and had breached the contract arising from Walmart’s privacy policy. According to the Walmart Complaint, “the dark web is replete with stolen Walmart accounts for sale,” including credit and payment card information. The Complaint further avers that Walmart’s online security systems are vulnerable to unauthorized intrusions. This suit comes on the heels of prior CCPA suits against Minted Inc., Zoom, TikTok, and

The named plaintiff also asserts that he had communicated with the alleged hackers and verified the available personal information belonged to Walmart’s customers, a highly uncommon allegation in class actions relating to alleged privacy incidents and cyber breaches.

Citing CCPA, the named plaintiff seeks class-wide damages of at least $100 but not more than $750 per affected consumer. For Walmart, this means that a potential class of two million Californians could result in $200 million to $1.5 billion in damages. While this would scale down for smaller businesses, even a business subject to the CCPA with 50,000 consumers would face damages ranging from $5 million to $37.5 million.

But that is far from the end of the risks and potential exposures that companies doing business and aspiring to do business in California may face. To the contrary, on November 3, California residents will vote on the proposed California Privacy Rights and Enforcement Act (“CPRA”), sometimes referred to as CCPA 2.0, a statute which would further enhance California consumers’ privacy rights. As proposed, CPRA imposes more robust privacy requirements on Covered Entities and increases the penalties they might be assessed for violations. The proposed legislation gathered over 600,000 (reportedly over 925,000) valid signatures, according to California’s Secretary of State.

The enhanced privacy rights proposed in CPRA would bring California even closer to the European Union’s mandates, which are set forth in its General Data Protection Regulation, colloquially known as GDPR, currently the most robust privacy legislation in the world.

Among other things, CPRA would impose new obligations with respect to personal information (“PI”) collected after January 1, 2023, except for the right to access personal information, which would reach information collected on or after January 1, 2022.

Given consumers’ concerns about and sensitivity to the loss of their personal information, CPRA is expected to pass by an overwhelming margin.

In short, Covered Entities doing business or aspiring to do business with California residents should take all appropriate steps to implement “reasonable security procedures and practices” (an undefined term) to be compliant with CCPA and its newly enacted regulations, and steel themselves for even more robust mandates upon the passage and enactment of CPRA. To start, businesses that sell the personal information of California residents should include a link on their home page to a separate notice page that includes a “Do Not Sell My Personal Information” tab advising users of their right to opt-out.

Moreover, Covered Entities should be careful to maintain and update, as necessary, proactive employee training and robust information security protections. This, of course, includes having attorneys, who carry the attorney-client privilege with them, train both employees who deal with the public and those with access to personal data on how to detect and avoid social engineering and other types of business email compromise attacks. A company’s reputation and viability might depend on it.

If you have questions or would like more information, please contact Rick Bortnick at [email protected].

New Jersey Moving Toward Adopting Privacy Legislation like the GDPR and CCPA

Posted on: March 5th, 2020

By: Justin Boron

New Jersey legislators are pushing forward on new data privacy legislation with disclosure and consent requirements that are akin to—and in some instances more burdensome than—the California Consumer Privacy Act.

The CCPA—which took effect in January this year—was the first statute of its kind to be adopted in the U.S. In the wake of the CCPA’s controversial implementation, co-sponsors of the New Jersey bill are holding a public hearing set for March 16 to obtain feedback on the proposed data privacy legislation.[1] Introduced on February 25, 2020, AB 3283 is the most recent proposal to revise New Jersey’s data privacy law. You can read the bill here. Other bills from previous sessions remain pending, including AB4902 and AB4640.

If the latest bill is adopted in New Jersey, companies that collect, maintain, or control personally identifiable information (PII) would be required to obtain affirmative consent from consumers.  This feature contrasts with the CCPA, which requires that businesses provide consumers the right to opt-out of PII sale, and it would place New Jersey law more in line with the EU’s privacy law, the General Data Protection Regulation, which requires affirmative consent.

The bill would also give a consumer the right to demand that the business provide the PII that the company has disclosed to a third party.

With multiple bills pending, it remains unclear what direction New Jersey legislators will ultimately take.  Some of the questions arising from the bills are whether the final legislation would include a private right of action, allow for a safe harbor cure period, vest enforcement authority exclusively in the attorney general, or include some combination of those characteristics like the CCPA.

While the substance of the bill remains in flux, the legislative push toward public hearings—and the media attention that it is grabbing—suggests that some form of the legislation will ultimately be adopted.  The New Jersey bill is one of a patchwork of bills pending in the state legislatures across the country aiming to implement measures like the CCPA and GDPR.


States are Busy on the Cyber Front

Posted on: February 19th, 2020

By: Amy C. Bender

2020 is off to a busy start, with several states taking action on cybersecurity legislation and issuing other legal updates. Highlights include:

California – California’s Attorney General has issued revised proposed regulations regarding the California Consumer Privacy Act (“CCPA”), which creates consumer rights relating to the access to, deletion of, and sharing of personal information that is collected by businesses. The updates, which are aimed at providing more relief for consumers and clarity to covered businesses, include changes to definitions, notice and other requirements for covered businesses, and consumer rights and requests. The revised proposed regulations are available here and are currently under a public comment period.

Maryland – In the first decision of its kind under Maryland law, a federal court has ruled that a loss of software and data due to a ransomware attack was covered under a business owner’s property insurance policy. Specifically, the court found that the loss qualified as a “direct physical loss of or damage” to covered property (the affected computer server and networked computers) based on the loss of the data and software in the computer system and the loss of functionality to the computer system itself. The court reasoned that the policy did not limit covered losses to tangible property only or to total property losses. The decision is available here.

Massachusetts – The state’s legislature has stalled a proposed consumer data privacy law (available here) that would have imposed notice and disclosure requirements on businesses that collect consumers’ personal information, provided consumers the right to delete and opt out of third-party disclosure of collected personal information, and allowed consumers to sue for violations of the act without having to show any resulting damage. The bill has been sent to a “study order,” where a committee will study it and report its findings.

New York – The Stop Hacks and Improve Electronic Data Security Act (“SHIELD ACT”), available here, amends the state’s existing data breach notification law to require any person or business that owns or licenses computerized data that includes private information of New York residents to develop, implement, and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the private information, including disposal of data. The data security provisions go into effect on March 21, 2020.

Virginia – Similar to Massachusetts, Virginia’s legislature has delayed and referred to study several privacy-related bills, including bills relating to consumer rights regarding access and sale of their personal data, destruction and disposal of records containing personally identifiable information, and collection and safekeeping of biometric data by employers.

Washington – The legislature has introduced a revised version of a proposed law, the Washington Privacy Act (available here), which would apply to certain private businesses that control or process consumer personal data and that are located within or targeted to residents of the state. The law would provide consumers rights regarding their personal data, impose responsibilities on covered controllers and processors, and regulate facial recognition services. The bill is now scheduled for a public hearing.

Freeman Mathis & Gary’s Data Privacy and Security Practice Group is here to help clients with policies and training. If you have any questions or would like more information, please contact Amy Bender at [email protected].

Could Facebook’s $5 Billion FTC Fine for Privacy Violations be Covered by Cyber Insurance?

Posted on: August 14th, 2019

By: Isis Miranda

A similar question was posed to me recently at a conference where I was speaking about the GDPR (European General Data Protection Regulation): “Could my company just buy insurance instead of worrying about whether our China-based vendors are complying with the GDPR?” The audience chuckled. But the question raises important and complex issues, one of which is whether civil fines are insurable and, more importantly, whether they should be.

Record-breaking fines recently announced by the FTC (Federal Trade Commission), including $5 billion against Facebook and up to $700 million against Equifax, and proposed fines by the ICO (the UK’s Information Commissioner’s Office), including £183 million against British Airways and £99 million against Marriott, combined with the approaching effective date of the CCPA (California Consumer Privacy Act), a sweeping GDPR-like privacy law, have increased anxiety over the insurability of these fines.

Traditional insurance policies generally do not cover regulatory fines, but many cyber policies do. These insuring provisions, which typically provide coverage for civil fines and penalties levied by any regulator worldwide arising from a data breach “where insurable by law,” have yet to be scrutinized by a court. Uncertainty over whether courts may void these policy provisions as being contrary to public policy prompted the Global Federation of Insurance Associations to request assistance from the OECD (Organisation for Economic Co-operation and Development), explaining that “there is international confusion as to the insurability of fines and penalties” and stating that “OECD work to clarify this issue would benefit consumer and insurer contract certainty.”

Answering this question is no easy task. Starting with the question of whether these fines are insurable, one immediately finds that there are no legislative pronouncements or court decisions addressing the issue in the context of a cyber policy that expressly provides coverage for regulatory fines. And efforts to predict how a court might rule once the issue is raised, as it inevitably will be, are stymied by the disarray of the current case law in the related areas of punitive and statutory damages. This diversity of opinion reflects the complexity of the underlying question – whether such fines should be insurable. Courts struggle with questions, such as who should decide – legislators, judges, insurance companies? And what criteria should be applied in making the decision? Should the decision apply to all civil fines and penalties issued pursuant to a given regulation or should the issue be decided on a case-by-case basis for each violation?

In the U.S. the decisions of courts across the country regarding the insurability of punitive damages are, well, all over the map. These decisions vary in their approach to reconciling the language of the insurance policy at issue with public policy considerations in the approximately 20 states that prohibit insurance for directly assessed punitive damages, including decisions that:

  1. prohibit insurance for punitive damages, even if the policy expressly provides coverage;
  2. prohibit insurance for punitive damages, unless the policy expressly provides coverage;
  3. do not prohibit insurance for punitive damages but do not interpret policies as covering them, unless expressly included; and
  4. do not prohibit insurance for punitive damages and interpret policies as covering them, unless expressly excluded.

It is unclear whether courts will address coverage for fines and penalties in similar fashion. States that do not prohibit punitive damages could, nonetheless, place restrictions on insurance for civil fines and penalties beyond existing limits on insuring intentional conduct. And vice versa. Thus far, a few courts have applied the prohibition on punitive damages to civil fines and penalties without addressing the distinctions between the two. For example, in City of Fort Pierre v. United Fire and Casualty Company, 463 N.W.2d 845 (S.D. 1990), the federal government sued the City of Fort Pierre seeking civil penalties due to violations of the Clean Water Act of 1977. The South Dakota Supreme Court held that the civil penalties were punitive in nature and thus precluded from being covered under the City’s insurance policy. A dissenting justice disagreed, stating: “Before punitive damages may be awarded, malice on the part of the party from whom the punitive damages are sought must be shown. No similar requirement exists for the imposition of the civil penalty. Therefore, the civil penalty the United States sought to have imposed upon the City of Ft. Pierre cannot be equated to punitive damages.” Similarly, in Bullock v. Maryland Casualty Company, 85 Cal. App. 4th 1435 (Ct. App. 2001), the California Court of Appeal held that civil fines are not insurable without addressing the fact that the public policy prohibiting insurance for punitive damages was expressly limited to punitive damages that were assessed upon a finding of fraud, oppression or malice. City Products Corporation v. Globe Indemnity Company, 88 Cal. App. 3d 31 (Ct. App. 1979). It will be interesting to watch how the case law evolves as coverage battles involving cyber policies that expressly provide coverage for fines and penalties percolate through the courts.

Now to the question we started with. Without knowing the contents of Facebook’s insurance policy, we can only speculate as to its terms, including which state’s laws would apply to interpret the policy. But we would not be going out on a limb by saying that the $5 billion FTC fine likely exceeds policy limits. Facebook will not garner much sympathy, given that it inarguably violated the FTC’s 2012 order and can readily afford the $5 billion fine. And there is concern that allowing companies to obtain insurance to cover civil penalties for violating data privacy and security statutes would discourage them from making the investments necessary for compliance. But the reality is more nuanced. Small- and medium-sized businesses, in particular, benefit from the data security assessments, cyber risk consulting services, and preferred vendors that are made available by many cyber insurance carriers, which serves to increase compliance with related statutes. See, e.g., Kyle D. Logue & Omri Ben-Shahar, “Outsourcing Regulation: How Insurance Reduces Moral Hazard” (Coase-Sandor Institute for Law & Economics Working Paper No. 593, 2012). These issues will, no doubt, continue to be debated for many years to come.

Amidst all this uncertainty, one thing is sure: the future will be fascinating.

If you have any questions or would like more information, please contact Isis Miranda at [email protected].


The CCPA: Precursor To American GDPR Or Undue Burden On American Businesses

Posted on: July 30th, 2018

By: Jonathan Romvary

As we recently posted, California has passed the landmark California Consumer Privacy Act of 2018 (“CCPA”), which goes into effect on January 1, 2020 and grants California residents new, expansive privacy rights. Many observers are comparing its scope to that of the European Union’s General Data Protection Regulation (“GDPR”). However, as protective as the new statute may be for California residents, it represents a number of significant burdens and challenges for businesses throughout the country.

Unknown Final Requirements

Despite what appears to be a finalized bill, future amendments and clarifications to the CCPA are necessary and will likely significantly alter the current draft. The CCPA was enacted after a single week of legislative debate. The reasons for the quick turnaround can be debated but the current draft contains a number of errors that will need to be addressed before its effective date on January 1, 2020. The uncertainty surrounding the bill means that businesses attempting to be proactive in terms of compliance may be throwing darts in the dark.

Attorney General Regulations

Additionally, the bill instructs the California Attorney General to develop regulations ahead of the effective date in a number of areas to further the purposes of the CCPA. While it is arguable whether this will provide greater protections to consumers, it will undoubtedly come at a cost to those businesses covered by the CCPA. At this time these specific AG regulations are unknown and, with an upcoming election, there is no guarantee we will know what these regulations will be until late next year, shortly before implementation.

Compliance Burn Out

As we all know, the GDPR went into effect on May 25, 2018. Most companies have spent the last year conducting data flow analysis, mapping, and regulatory compliance in order to come into compliance prior to the effective date. According to an October 2017 survey by Paul Hastings LLP, the cost of GDPR compliance for Fortune 500 firms runs approximately $1 million just for the necessary technology that those companies need to comply.

Unfortunately for all of those companies that spent the last 12 to 18 months traversing GDPR compliance, they will not automatically be in compliance with the CCPA. The CCPA requirements, while similar, do not entirely overlap with the GDPR and, in many cases, the CCPA goes even further than the GDPR. All those companies will now need to engage in an additional 18 months of legal compliance reviews in anticipation of the January 1, 2020 implementation date.

The scope of the CCPA affects businesses across the country, not just those in California. The CCPA protections generally encompass all retail and commercial activity that includes the collection of data relating to a resident of California which is retained, sold, or transferred by the business. While the CCPA contains numerous exemptions for data use and functionality, these exceptions require close scrutiny and analysis by covered businesses. To discuss how the CCPA might affect your business and what you can do in anticipation of the numerous issues relating to the act, please contact Jonathan Romvary at [email protected].