The California Consumer Privacy Act (CCPA): Regulatory Trends and Challenges Explored

SEGMENT 1:
Jana Terry, JD, CIPP/US, Partner
Beckstead Terry PLLC

CCPA Regulatory Update: As the CCPA regulations are on the verge of becoming final, companies are now better able to determine the specifics of compliance. We will cover the highlights:

• How to comply with notice obligations
  • Notice at collection
  • Notice of right to opt-out of sale of PI
  • Notice of financial incentive
  • Notice of consumer rights/privacy policy
• How to respond to consumer CCPA requests (to opt out, for categories of PI, for specific pieces of PI, and to delete)
  • Verification procedures
  • Response deadlines
  • Options for substantive responses

SEGMENT 2:
Mary Jane Wilson-Bilik, Partner
Eversheds Sutherland (US) LLP

• Changes to the CCPA are on the horizon:  the CPRA initiative.   In November 2020, Californians are expected to approve a ballot initiative, the California Privacy Rights Act (CPRA).   This initiative will significantly amend the CCPA, adding new consumer rights and requiring businesses to implement these new rights, modify their contracts and amend their privacy policies.
• Highlights of the CPRA:   We will discuss several aspects of the CPRA, including
  • the new consumer right to correct their personal information
  • the concept of “sensitive personal information” and consumers’ right to limits its use and disclosure
  • consumers’ right to opt-out of selling and sharing their personal information
  • new contract requirements impacting all entities that receive personal information
  • new limitations on cross-contextual advertising, automated decision-making (AI) and profiling
  • the authority of California’s new privacy agency, the California Privacy Protection Agency (CCPA).

SEGMENT 3:
Kenneth K. Dort, Partner
Faegre Drinker Biddle & Reath LLP

• “Reasonable security procedures and practices” under the CCPA – what is a reasonable security procedure and practice for purposes of the private right of action for data breaches in the CCPA era as noted in Section 1798.150? We will take a look at the GDPR, NIST, and the CIS for insights on what protocols companies should be considering, as well as what recent litigation may be signaling on this front.
• Data breaches under the CCPA – what triggers has the CCPA imposed to permit private rights of action arising from data breaches?  How has the CCPA incorporated the current CA breach notification provisions in Section 1798,81.5 on this front, and what should companies incurring a breach involving CA residents be thinking about to address the exposure created by the CCPA in the data breach context.  What should companies be concerned about now?  Does the CCPA affect how breach notification efforts towards CA residents should be conducted?

SEGMENT 4:
Charumati Ganesh, CIPP/US, Associate
Varnum LLP

• Private right of action & increased litigation – Consumers may sue businesses for statutory damages when specified types of personal information are subject to unauthorized access and exfiltration, theft, or disclosure because of a failure to implement and maintain “reasonable” security measures and the business has not cured the alleged violation within the CCPA's pre-suit period. See Cal. Civ. Code § 1798.150. 
  • Plaintiffs don't need to show actual harm.
  • Liability could be enormous; for example, for Equifax, statutory damages of $100 – 750 per customer per incident would have translated to $1.5 to $11.25 billion in liability for its breach, which involved over 15 million California residents.
  • Though this only applies to data breaches, consumers have already attempted many times to bring CCPA claims alleging failure to comply (e.g. recent Zoom class actions) and have cited the CCPA  in connection with different violations (e.g. California Unfair Competition law)