Less than three months after California passed the California Consumer Privacy Act of 2018 (CCPA), Governor Jerry Brown signed SB 1121 this week, making a number of technical and substantive changes to the law.

Of particular note: SB 1121 modifies the financial institution carve-out language in CCPA section 1798.145(e). While the change is a welcome development for entities subject to regulation under the Gramm-Leach-Bliley Act (GLBA), it does not grant a full exemption from the CCPA. Therefore, GLBA-regulated entities that collect information online will still need to analyze the CCPA’s requirements and how they apply to their specific business operations.

The original carve-out language provided that:

“This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations, if it is in conflict with that law.”

As we have previously discussed, that language raised a number of issues, such as what would constitute a “conflict” between the GLBA and the CCPA, and whether the language was even consistent with the GLBA insofar as personal information is not collected, processed, sold, or disclosed pursuant to the GLBA. The provision also failed to address the relationship between the CCPA and California’s Financial Information Privacy Act.

The new language tries to resolve some of those issues, stating:

“This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations, or the California Financial Information Privacy Act … . This subdivision shall not apply to Section 1798.150.”

The new language removes the phrase “if it is in conflict with that law,” incorporates the California Financial Information Privacy Act, and adds a sentence providing that financial institutions are still subject to Section 1798.150. The preamble explains those changes as follows:

“The bill would also prohibit application of the act to personal information collected, processed, sold, or disclosed pursuant to a specified federal law relating to banks, brokerages, insurance companies, and credit reporting agencies, among others, and would also except application of the act to that information pursuant to the California Financial Information Privacy Act.”

While the revised language is no doubt welcomed by GLBA-regulated entities, it should not be interpreted as a full exemption. Rather, GLBA entities will remain subject to the provisions and requirements of the CCPA if they engage in activities falling outside of the GLBA—which they almost certainly do.

By way of explanation, the GLBA regulates financial institutions’ management of nonpublic personal information, which is defined in 15 U.S.C. § 6809 as personally identifiable financial information: 1) provided by a consumer to a financial institution; 2) resulting from any transaction with the consumer or any service performed for the consumer; or 3) otherwise obtained by the financial institution.

The CCPA defines “personal information” much more broadly to include “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The CCPA identifies numerous examples such as online identifiers, Internet Protocol addresses, email addresses, browsing history, search history, geolocation data, and information regarding a consumer’s interaction with a website or online application or advertisement. Notably, the CCPA’s definition also includes any “inferences drawn” from any personal information that is used “to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.”

Therefore, to the extent that GLBA-regulated entities are using targeted online advertising, tracking web page visitors, and/or collecting geolocation data—to name a few examples—either through their web pages or apps, they will need to analyze the CCPA’s requirements.

As for the new statutory language providing that “[t]his subdivision shall not apply to Section 1798.150,” the impact of that sentence cannot be overstated.

Section 1798.150 sets forth a private right of action for consumers to seek statutory damages of not less than $100 and not greater than $750 “per consumer per incident or actual damages, whichever is greater” if the consumer’s information “is subject to an unauthorized access, exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices.” In other words, GLBA-regulated entities will still be subject to millions of dollars of potential damages if they experience a data breach.

California is once again poised to set the standard for privacy and data security by enacting the first state law directed at securing Internet of Things (IoT) devices. The law has passed the state legislature and is awaiting the signature of Governor Jerry Brown. It requires manufacturers of “connected devices” to equip them with “a reasonable security feature or features” that are:

  • appropriate to the nature and function of the device;
  • appropriate to the information the device may collect, contain or transmit; and
  • designed to protect the device and any information contained in it from unauthorized access, destruction, use, modification, or disclosure.

The law further provides that if a connected device is equipped with a means for authentication outside a local area network, it shall be deemed a “reasonable security feature” if the preprogrammed password is either unique to each device or the device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.
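As an added illustration, not part of the original post and not the text of the bill, the following Python models a remote-login path that satisfies either prong of that deemed “reasonable security feature”: a factory credential unique to each device, or a gate that refuses remote access until the shared factory default has been replaced. It also shows the weak pattern the provision is aimed at (a shared default accepted remotely without rotation). The serial numbers, the “admin” default, the 12-character minimum and the PBKDF2 parameters are constructed assumptions; the statute sets no such specifics.

```python
"""Added example (not from the original post or the statute): a first-access
credential gate for a connected device that authenticates outside a LAN.
All device names, credentials and policy thresholds are constructed."""
import hashlib
import hmac
import os
import secrets

# Factory-wide default shared by every unit of the model (the weak pattern).
SHARED_DEFAULT_PASSWORD = "admin"   # constructed assumption
MIN_PASSWORD_LENGTH = 12            # constructed policy value


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 with a per-credential salt. A memory-hard KDF
    # (scrypt, Argon2) is preferable where the device can afford it.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class ConnectedDevice:
    """Model of one unit's remote-login path.

    mode == "shared_default": every unit ships with SHARED_DEFAULT_PASSWORD;
        with force_rotation=True the unit refuses remote access until the
        user replaces it (the statute's second prong).
    mode == "unique_per_device": each unit is provisioned at the factory
        with its own random password (the statute's first prong).
    """

    def __init__(self, serial: str, mode: str, force_rotation: bool):
        self.serial = serial
        self.mode = mode
        self.force_rotation = force_rotation
        self.credential_is_factory = True
        self._salt = os.urandom(16)
        if mode == "unique_per_device":
            # Generated once at manufacturing (e.g. printed on the label).
            self.factory_password = secrets.token_urlsafe(16)
        else:
            self.factory_password = SHARED_DEFAULT_PASSWORD
        self._hash = _hash_password(self.factory_password, self._salt)

    def _verify(self, password: str) -> bool:
        candidate = _hash_password(password, self._salt)
        # Constant-time comparison of the derived keys.
        return hmac.compare_digest(candidate, self._hash)

    def login(self, password: str, from_lan: bool) -> str:
        """Return 'denied', 'rotation_required' or 'granted'."""
        if not self._verify(password):
            return "denied"
        # The deemed-reasonable test concerns authentication from outside
        # the local network while the factory credential is still live.
        if (not from_lan and self.credential_is_factory
                and self.mode == "shared_default" and self.force_rotation):
            return "rotation_required"
        return "granted"

    def set_new_password(self, old: str, new: str) -> bool:
        """Replace the factory credential; rejects weak or default values."""
        if not self._verify(old):
            return False
        if len(new) < MIN_PASSWORD_LENGTH or new == SHARED_DEFAULT_PASSWORD:
            return False
        self._salt = os.urandom(16)
        self._hash = _hash_password(new, self._salt)
        self.credential_is_factory = False
        return True


def meets_deemed_reasonable_test(device: ConnectedDevice) -> bool:
    """Either prong of the password safe harbour, as modelled here."""
    return device.mode == "unique_per_device" or device.force_rotation


if __name__ == "__main__":
    weak = ConnectedDevice("SN-0001", "shared_default", force_rotation=False)
    fixed = ConnectedDevice("SN-0002", "shared_default", force_rotation=True)
    unique = ConnectedDevice("SN-0003", "unique_per_device", force_rotation=False)
    for d in (weak, fixed, unique):
        print(d.serial, meets_deemed_reasonable_test(d),
              d.login(d.factory_password, from_lan=False))
```

The point of the model is the ordering of checks: the credential is verified first (a wrong password is simply denied), and only a correct factory credential presented from outside the LAN is redirected into mandatory rotation. A LAN-side first login is not forced to rotate, mirroring the statute's “outside a local area network” qualifier; a manufacturer may of course choose to force rotation everywhere.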

The law defines “authentication” as “a method of verifying the authority of a user, process, or device to access resources in an information system.” It defines “connected device” as “any device, or other physical object that is capable of connecting to the internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address.” “Manufacturer” is defined as “the person who manufactures, or contracts with another person to manufacture on the person’s behalf, connected devices that are sold or offered for sale in California.”

Notably, the law exempts certain activities from its requirements. For example, it does not impose a “duty upon the manufacturer of a connected device related to unaffiliated third-party software or applications that a user chooses to add to a connected device.” It also does not apply “to any connected device the functionality of which is subject to security requirements under federal law, regulations, or guidance promulgated by a federal agency pursuant to its regulatory enforcement authority.” And the law exempts HIPAA covered entities and business associates to the extent the activity in question is covered by that act.

Importantly, the law states that it does not create a private right of action and vests enforcement authority solely with the California Attorney General’s Office, a city attorney, a county counsel, or a district attorney.

California law already requires businesses to notify affected individuals when they experience a data breach and allows for a private right of action. The newly enacted California Consumer Privacy Act of 2018 likewise provides not only a private right of action for certain data breaches, but also statutory damages of between $100 and $750 per consumer per incident. The new law therefore fits into a broader statutory landscape of which IoT manufacturers should be aware, and they should take steps to mitigate the resulting litigation risk. That is particularly true given that plaintiffs’ lawyers have publicly stated that they are preparing for an onslaught of IoT-related litigation.

The Senate Floor Analysis explained that the law is necessary because many IoT devices “collect a vast amount of personal and intimate information” which, if not properly secured, can be vulnerable to breaches. Further, many IoT devices “can be directly hacked into, allowing strangers to conduct surreptitious surveillance on homes or to communicate through devices directly.”

Identical versions of the bill were passed by both the California Senate and Assembly. If signed, the law takes effect on January 1, 2020.

The CFPB has issued a final rule amending the provisions of Regulation P that implement the Gramm-Leach-Bliley Act (GLBA) annual privacy notice requirement.  The final rule is intended to reflect the GLBA amendments made by the Fixing America’s Surface Transportation Act that exempted financial institutions meeting certain conditions from the annual notice requirement.  The statutory exemption from the annual notice requirement became effective in December 2015.  The amendments to Regulation P made by the final rule will be effective 30 days from the final rule’s publication in the Federal Register.

The final rule provides that a financial institution is not required to deliver a GLBA annual privacy notice if the financial institution (1) shares nonpublic personal information (NPPI) with nonaffiliated third parties only under one of the GLBA exceptions that do not trigger a customer’s opt-out rights (§ 1016.13, § 1016.14, or § 1016.15); and (2) has not changed its policies and practices with regard to disclosing NPPI from the policies and practices that were disclosed in the most recent privacy notice provided to the customer.  Financial institutions that choose to take advantage of the annual notice exemption must still provide any opt-out disclosures required under the Fair Credit Reporting Act (FCRA), which can generally be provided in the initial privacy notice.  In the Supplementary Information accompanying the final rule, the CFPB states that it does not interpret the second condition for using the annual notice exemption to include changes to a financial institution’s FCRA disclosures or changes to voluntary disclosures and opt-outs that are provided in the institution’s privacy notice.

The final rule includes timing requirements for providing annual privacy notices by a financial institution that no longer meets the conditions for the exemption.  The timing requirements vary depending on whether the change that causes the institution to no longer satisfy the conditions for the exemption also triggers a requirement under Regulation P to provide a revised privacy notice.  Under Regulation P, a financial institution must provide revised notices before it begins to share NPPI with a nonaffiliated third party if such sharing would be different from what the institution described in the initial privacy notice it delivered.

The final rule also removes the alternative delivery method for GLBA annual privacy notices that Regulation P (pursuant to a 2014 amendment) allowed financial institutions to use if they met certain conditions.  Since any financial institution that met the conditions for using the alternative delivery method would meet the conditions for the statutory exemption, the CFPB believes an institution with both options available to it would choose not to provide an annual privacy notice at all rather than provide it using the alternative delivery method.  However, the CFPB indicates in the Supplementary Information that financial institutions that qualify for the annual notice exemption can still, without affecting their eligibility for the exemption, choose to post privacy notices on their websites, provide privacy notices to consumers who request them, and notify consumers of the notices’ availability.

CFPB Acting Director Mick Mulvaney reportedly announced on Thursday that he was lifting the freeze on the CFPB’s collection of personally identifiable information (PII) from companies it supervises.  As we previously reported in December 2017, Mr. Mulvaney imposed a freeze on the CFPB’s collection of PII due to concerns about the CFPB’s data security systems.

The freeze was reportedly lifted through a memo to the staff of the CFPB, in which Mr. Mulvaney stated that “Out of an abundance of caution and a desire to protect Americans’ privacy, I placed a hold on the collection of personally identifiable information and other sensitive data.”  However, “after an exhaustive review by outside experts, including a comprehensive ‘white-hat hacking’ effort, we can lift th[e] hold.”  The independent review concluded that “externally facing Bureau systems appear to be well-secured.”

The freeze significantly disrupted the CFPB’s supervisory program.  Before the freeze, companies being examined could submit information, including PII, to CFPB examiners by uploading it to the CFPB’s Extranet.  During the freeze, the CFPB halted use of the Extranet, and examination teams resorted to burdensome workarounds, such as requiring examination responses to be printed on paper that could be shredded at the conclusion of the exam.  Notably, the freeze did not extend to the CFPB’s enforcement division, which continued to collect PII in connection with enforcement actions.

Colorado has enacted groundbreaking privacy and cybersecurity legislation that will require covered entities to implement and maintain reasonable security procedures, dispose of documents containing confidential information properly, ensure that confidential information is protected when transferred to third parties, and notify affected individuals of data breaches in the shortest time frame in the country.

The new law—which becomes effective on September 1, 2018—was spearheaded by the Colorado Attorney General’s office, which is charged with enforcing its requirements.  As a result of the legislation, covered entities should consider implementing written information security programs, third party vendor management controls, and incident response plans to best position themselves against potential enforcement actions and civil litigation in the future.

On Monday, June 4, 2018, at 12 PM PT/1 PM MT/3 PM ET, Ballard Spahr attorneys will hold a webinar to provide an in-depth analysis of the new law and to discuss what covered entities must do to ensure compliance.

For a discussion of the new law’s most notable provisions, see our legal alert.

The Association of Corporate Counsel (ACC) Foundation has released The State of Cybersecurity Report (2018), underwritten by Ballard Spahr.  The report, subtitled “An In-House Perspective,” provides insights on corporate cybersecurity issues from more than 600 general counsel, chief legal officers, and other senior law department leaders at organizations worldwide.

The new report, which updates and builds on the 2015 edition that was also underwritten by Ballard Spahr, reflects the fact that companies experienced more breaches than ever in 2017—up 45% from 2016—as in-house counsel continue to increase the amount of attention—and money—spent on protecting sensitive online data.  It includes a self-assessment tool companies can use to assist their efforts.

In the absence of federal action, state legislators continue to propose bills that would increase data privacy and security protections for consumers.  Any entity that does business in these states or maintains confidential information of their residents should monitor the legislation to determine whether and how the proposed changes may affect operations.

The bills are a direct reaction to Equifax’s data breach disclosure last summer.  Oregon, New York, Alabama, and Rhode Island have now joined the list of states considering new data breach legislation.  Such legislation has already been proposed in Arizona, Colorado, North Carolina, and South Dakota.

See our legal alert for an analysis of how the new bills could affect covered entities.

We are pleased to announce that Ballard Spahr has launched CyberAdviser, a new blog focused on the latest news and developments in privacy and cybersecurity law.  It will offer insights into the latest transactional, governance and compliance matters, investigations, civil and criminal litigation, regulatory and legislative developments, industry trends, emerging technologies, and other cyber issues.

CyberAdviser is produced by the members of Ballard’s Privacy and Data Security Group—a nationwide team of more than 50 attorneys who provide a wide range of legal services to help clients identify, manage, and mitigate cyber risk.  Please visit the blog and subscribe to receive regular updates.

The FTC has released its annual report summarizing its activity during 2017 relating to privacy and data security issues.  In its self-declared role as “the nation’s primary privacy and data security enforcer,” the FTC outlines 10 privacy cases and 4 data security cases that it brought in 2017, including Uber Technologies (transportation service), Vizio (television manufacturer), Blue Global (lead generator), Upromise (college rewards program), ACDI Group (an alleged debt buyer), TaxSlayer (tax preparation service), and D-Link (wireless routers and Internet cameras).  In addition, the FTC also brought its first actions to enforce the EU-US Privacy Shield in 2017.  The FTC report also described its activities relating to international enforcement, children’s privacy, and Do-Not-Call.

The FTC also highlighted its advocacy efforts, workshops, and publications, many of which focus on what are likely future areas of FTC enforcement, such as privacy and security concerns with IoT devices, payment systems, artificial intelligence and blockchain technologies, connected cars, and student privacy.  One of the FTC’s new publications of note is its Stick with Security blog series, which offers periodic insights into key takeaways from recent law enforcement actions, closed investigations, and experiences of companies.  The FTC report also demonstrated that the agency is attempting to be flexible in light of the changing nature of identity theft, informational injuries, and modern technologies while remaining vigilant in its mission to protect consumers.  Companies should similarly remain cognizant of the FTC’s role as “one of the most active privacy and data security enforcers in the world.”

This week, New York Governor Andrew Cuomo issued a press release directing the New York Department of State to issue a new regulation affecting consumer reporting agencies.  The regulation was adopted on an emergency basis and took immediate effect in order to protect consumers from identity theft and other potential economic harms that may arise following a data breach.

The regulation requires consumer reporting agencies to:

  • Identify dedicated points of contact for the Division of Consumer Protection to obtain information to assist New York consumers in the event of a data breach;
  • Respond within 10 days to information requests made on behalf of consumers by the Division of Consumer Protection;
  • File with the Division of Consumer Protection a form containing certain information, including all fees associated with the purchase or use of products and services marketed as identity theft protection products, as well as a listing and description of all business affiliations and contractual relationships with any other entities relating to the provision of any identity theft prevention or mitigation products or services; and
  • In any advertisements or other promotional materials, disclose any and all fees associated with the purchase or use of proprietary products offered to consumers for the prevention of identity theft, including, if offered on a trial basis, any and all fees charged for its purchase or use after the trial period and the requisites of cancellation of such continued use.

The protections appear targeted to address alleged abuses by the consumer reporting industry following the recent Equifax data breach.  Cuomo also announced that the Division of Consumer Protection will be issuing a demand letter to Equifax for information to assess the damage and risk of identity theft to New York State consumers resulting from the data breach.

Cuomo did not address the status of previously announced proposed regulations of the consumer credit reporting agencies by the New York Department of Financial Services.