Privacy Basics a Colorado Lawyer Should Know: The California Consumer Privacy Act and the Colorado Consumer Data Privacy Act

Jenifer McIntosh


I. Introduction

In this world of ever proliferating acronyms, it becomes difficult to determine which we should pay attention to, particularly in the legal community, and even more so when working with clients in technology. Most of us know what IRS, USPTO, COPPA and USDC CO stand for and what effect they have, if any, on our particular area of the practice of law. The looming California Consumer Privacy Act[1] (the CCPA[2]) and the lesser known Colorado Consumer Data Privacy Act[3] (the CDPA[4]) are laws every attorney practicing in Colorado should be aware of and have at least a bare-bones understanding of. Many of our clients, large and small, have casually shrugged off any privacy compliance or assessment efforts regarding exposure under the EU’s General Data Protection Regulation (the GDPR), and some rightfully so, given their lack of customers, marketing, or presence in the EU or the European Economic Area. The CCPA and CDPA, however, hit much closer to home, and will likely have an impact, wanted or not.

II. If You Are a Tax or Civil Litigation Attorney, What Basics Do You Need to Know?

The CDPA became effective last year, on September 1, 2018, and requires entities that collect or monetize data to use reasonable and appropriate measures to protect Colorado residents’ Personally Identifiable Information (PII). There are two general parts of the law. The first part governs how “covered entities” safeguard the PII they maintain, own, or license. The second part governs when those entities must report a breach of that PII to the affected Colorado residents, including when and what they must disclose once a breach of Colorado residents’ PII has occurred.

If your client is a person, commercial entity, or governmental entity that collects, uses, owns, or licenses (sells) information gathered from residents of Colorado, the client has a statutory responsibility to protect this personal information and to report any breaches.[5] One quirk in Colorado law is that covered entities have the obligation to protect all such information, whether hard copy or electronic in form. However, when a breach occurs, the entity need only disclose the breach of unencrypted, computerized “Personal Information” (a term distinct from PII).[6] This makes sense, given the nature of electronic data, but may take some clarification when sitting down with a client who holds both kinds of records.

PII, for security purposes, is defined as the following by the CDPA:

a. Social Security number

b. Personal ID number

c. Password or pass code

d. Government and/or state-issued ID number

e. Passport number

f. Biometric data

g. Employer, student, or military ID number

h. Financial transaction device information (credit card, etc.)[7]

Under the data security portion of the CDPA, companies are required to have a written policy documenting the destruction of both paper and electronic records containing PII once they are no longer needed.[8] This part of the law also requires covered entities to implement and maintain “reasonable security procedures and practices,” appropriate to the nature of the PII and to the nature and size of the business, to protect the PII they collect, use, or both.[9] Covered entities must also ensure that any third-party service providers comply with these protective requirements of the CDPA.[10] If your client is the third-party provider maintaining, storing, or processing PII on a covered entity’s behalf, and the covered entity does not retain primary responsibility for security (which would be difficult given the nature of certain software-as-a-service products), your client can either agree to meet those requirements or expect to lose access to the PII gathered by its customer.

Personal Information (again, distinct from PII), for purposes of the breach notification obligations of the CDPA, means the following combinations of data elements:

For Personal Information that is neither encrypted nor redacted, a breach of that Personal Information will have occurred if there is an unauthorized taking of:

a. First name or first initial and last name in combination with one or more of the following:

i. Social Security number,

ii. Employer, student, or military ID number,

iii. Passport number,

iv. Driver’s license or government/state-issued ID number,

v. Medical information,

vi. Biometric data,

vii. Health insurance ID number; or

b. Username or email address in combination with a password or security question and answer; or

c. Account number or credit/debit card number in combination with any security code, access code, or password that would permit access to the account.[11]

Under this section of the CDPA, a “security breach” is the unauthorized acquisition of unencrypted, computerized Personal Information.[12] Investigation of any such breach must be prompt and performed in good faith.[13] If the investigation determines that misuse has not occurred and is not “reasonably likely” to occur, notice of the breach is not required.[14] If the investigation reaches the opposite conclusion, notice to those whose data was affected must be given no later than thirty days after the date you determine that a security breach occurred.

When more than 500 Colorado residents are affected, one must also notify the Colorado Attorney General.[15] If more than 1,000 Colorado residents are affected, one must notify the consumer reporting agencies that compile and maintain files on consumers (e.g., Equifax).[16] Specific content is required for all notices, and guidelines exist for how to provide them. The general idea is that notice must be made in a realistic manner that is reasonably likely both to reach the affected Colorado resident and to fully inform that resident.[17] For instance, if the email account of a resident has been breached, notice needs to be sent via a reliable medium other than that email account.

Also of note for application of the CDPA: where a separate state or federal notice requirement exists, a good rule of thumb is to comply with the shorter time period. For example, HIPAA requires notice no later than 60 days after discovery of a breach. That timeframe does not satisfy Colorado, because the thirty-day requirement in Colorado controls where it is shorter, and it applies whether or not your business falls under HIPAA. This is, of course, a short, broad-brush summary of the breach notification requirements, which should be meticulously revisited on numerous occasions.
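The definition of Personal Information and the notice thresholds above translate directly into breach-scoping logic, which is where a client’s security team will first meet this statute. What follows is an added example written for this Article, not code from the statute, the Colorado Attorney General, or any vendor: a small Python helper that classifies each exposed record against the three data-element combinations in (a) through (c), drops records that are paper, redacted, or still encrypted, and then derives who must be notified and by when. The element tags (`"ssn"`, `"security_qa"`, and so on), the class names, and the 600-odd sample records are constructed for illustration. One caveat the summary above omits but the statute text includes: encrypted data counts as Personal Information if the encryption key or other means to decipher it was also acquired, so the helper carries a `key_compromised` flag.

```python
"""Breach-scoping helper modelled on Colo. Rev. Stat. 6-1-716 (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, Iterable, List, Optional

# Hypothetical element tags; a real data inventory would map them to fields.
# Elements that, combined with a name, make a record Personal Information (list a).
NAME_LINKED = frozenset({
    "ssn", "employer_id", "student_id", "military_id", "passport",
    "drivers_license", "government_id", "medical_info", "biometric",
    "health_insurance_id",
})
CREDENTIAL_IDS = frozenset({"username", "email"})            # list b
CREDENTIAL_SECRETS = frozenset({"password", "security_qa"})
FINANCIAL_IDS = frozenset({"account_number", "card_number"})  # list c
FINANCIAL_SECRETS = frozenset({"security_code", "access_code", "password"})


@dataclass(frozen=True)
class ExposedRecord:
    """One Colorado resident's record as found in the compromised data set."""
    resident_id: str
    elements: FrozenSet[str]
    computerized: bool = True      # paper records are protected but not breach-notifiable
    encrypted: bool = False
    redacted: bool = False
    key_compromised: bool = False  # statute: encrypted data counts if the key was also taken


def is_personal_information(elements: Iterable[str]) -> bool:
    """True if the element set matches combination (a), (b) or (c)."""
    el = frozenset(elements)
    if "name" in el and el & NAME_LINKED:
        return True
    if el & CREDENTIAL_IDS and el & CREDENTIAL_SECRETS:
        return True
    if el & FINANCIAL_IDS and el & FINANCIAL_SECRETS:
        return True
    return False


def is_notifiable(rec: ExposedRecord) -> bool:
    """Computerized, unredacted Personal Information that is unencrypted or whose key leaked."""
    if not rec.computerized or rec.redacted:
        return False
    if rec.encrypted and not rec.key_compromised:
        return False
    return is_personal_information(rec.elements)


@dataclass(frozen=True)
class NoticePlan:
    affected_residents: int
    notify_residents: bool
    notify_attorney_general: bool     # more than 500 Colorado residents
    notify_reporting_agencies: bool   # more than 1,000 Colorado residents
    deadline: Optional[date]          # 30 days from determination, or shorter if another law is shorter


def plan_notice(records: Iterable[ExposedRecord], determined_on: date,
                misuse_reasonably_likely: bool = True,
                other_law_days: Optional[int] = None) -> NoticePlan:
    """Derive notice obligations from the notifiable records and the determination date."""
    affected = {r.resident_id for r in records if is_notifiable(r)}  # count residents, not rows
    n = len(affected)
    if n == 0 or not misuse_reasonably_likely:
        return NoticePlan(n, False, False, False, None)
    days = 30 if other_law_days is None else min(30, other_law_days)  # shortest timeframe controls
    return NoticePlan(n, True, n > 500, n > 1000, determined_on + timedelta(days=days))


def sample_records() -> List[ExposedRecord]:
    """Constructed sample: 600 name+SSN rows plus a few edge cases."""
    recs = [ExposedRecord(f"r{i}", frozenset({"name", "ssn"})) for i in range(600)]
    recs.append(ExposedRecord("r600", frozenset({"name", "email"})))                 # not PI
    recs.append(ExposedRecord("r601", frozenset({"email", "password"})))             # PI, list (b)
    recs.append(ExposedRecord("r602", frozenset({"name", "ssn"}), encrypted=True))   # key not taken
    recs.append(ExposedRecord("r603", frozenset({"name", "medical_info"}), computerized=False))
    return recs


def demo_plan() -> NoticePlan:
    """Scope the sample breach, determined on 2019-04-05, for an entity also under HIPAA (60 days)."""
    return plan_notice(sample_records(), date(2019, 4, 5), other_law_days=60)


if __name__ == "__main__":
    print(demo_plan())
```

The sample yields 601 notifiable residents: the Attorney General must be notified but the consumer reporting agencies need not be, and the deadline stays at thirty days even though HIPAA would allow sixty. Counting distinct residents rather than rows matters because the 500 and 1,000 thresholds are expressed in residents, and a single person often appears in several tables of a compromised system.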

III. Brass Tacks: Coordinating Requirements of Both the CCPA and CDPA

The upcoming CCPA, unlike Colorado’s law, is not yet in effect. When it does come knocking in January next year, the law will usher in a new state of being for entities collecting consumer data, whether or not they sit in California. While you might initially believe this California law is unlikely to affect your clients, consider just how large the economy of California is[18] and combine that knowledge with the fact that 6.9% of U.S. GDP in 2017 was driven by the digital economy.[19] Even if at first blush you think there is no way your client does enough business in California to implicate the CCPA, those two facts alone should change your perspective on the reach of this impending state law.

Generally, a for-profit company, including one in Colorado, will have to comply with the CCPA if it collects personal information about California residents, does business in California, and meets any one of the following criteria:

  • It has annual gross revenues in excess of $25 million;

  • It annually buys, receives, sells, or shares the personal information of 50,000 or more California consumers, households, or devices (this includes collecting IP addresses from website visitors or using cookies to collect browsing information on 50,000 or more California residents or their devices, cell phones included; spread over a year, that is roughly 137 consumers, households, or devices a day); or

  • It derives 50% or more of its annual revenue from selling consumers’ personal information.[20]

If the CCPA applies, it will require the client, similar to the CDPA, to implement and maintain “reasonable security” measures to protect the personal information it collects on California residents, including employee information. This becomes especially important under the CCPA, since both the California Attorney General and affected California residents will be able to sue when a company fails to employ reasonable security and that failure results in a breach of the collected personal data. Data is now a valuable commodity, and a larger part of our economy than most people realize, even today.[21]

The major difference between the Colorado law and the CCPA is the additional rights the CCPA provides to consumers, including requests for deletion and (most frightening to industry clients) a private right of action when a company fails to implement and maintain reasonable security for the data it holds, resulting in the “unauthorized access and exfiltration, theft, or disclosure of a consumer’s nonencrypted or nonredacted personal information.”[22] The legislature is considering amendments that would broaden this single, original private cause of action to include the right to sue for other violations of the consumer rights that already exist under the current version of the CCPA. Those rights include, among others, allowing California residents to request disclosure, deletion, and portability of the personal information a company has collected about them.

The CCPA will also require companies to disclose the reasons why they collect and store the data.[23] Under this umbrella of requirements, businesses must:

a. Inform consumers, at or before the point of collection, of (a) the categories of personal information to be collected and (b) the purposes for which it will be used;

b. Contractually require third parties and service providers to also comply with CCPA requirements;

c. Not discriminate (similar to the GDPR) against consumers for exercising their data rights;

d. Respond to verifiable consumer requests regarding their personal information (a business need not respond to more than two such requests from the same consumer in a 12-month period);

e. Train employees who handle consumer inquiries on data requests, opt-outs, and other CCPA requirements;

f. Restrict onward sale of personal information by third parties unless the consumer has received explicit notice and an opportunity to opt out;

g. Not use the data for purposes materially different from those originally disclosed without providing notice;

h. Provide a clear and conspicuous “Do Not Sell My Personal Information” link on the homepage; and, at a minimum,

i. Maintain a comprehensible Privacy Policy clearly stating consumers’ rights, how to submit requests, and the categories of personal information collected, sold, and disclosed for a business purpose (three separate lists) in the preceding 12 months.[24]

The “preceding 12 months” requirement in (i) above is the CCPA’s look-back provision. The CCPA requires companies to answer consumer requests with respect to the preceding 12 months. Thus, a request received on January 1, 2020 reaches personal information collected during the preceding 12 months, i.e., back to January 1, 2019.[25] Because a company must respond to a consumer request within forty-five days of receiving it, this look-back provision means entities within the reach of the CCPA should already be assessing where their data lives, what it contains, and how it is governed, in addition to maintaining accurate records of consumers’ personal information, beginning January 1, 2019. That means start today, rather than next year.

Personal information under the CCPA is also much broader than under the CDPA.[26] It includes inferences that could be drawn from personal information (such as preferences, behavior, or intelligence) and, more generally, “[i]nformation that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”[27] This broad definition, as you might expect, has drawn concerns about scope and enforcement, a concern not lost on California’s current AG, whose office sponsored an amendment to do away with the original requirement that consumers notify the AG before bringing a private action.

Similar to Colorado’s law, the CCPA grants the California AG the right to investigate and enforce the CCPA.[28] If proven, a violation of the CCPA can lead to a civil penalty of up to $2,500 per violation, or up to $7,500 per violation if the violation is found to be intentional.[29]

In addition, the exceptions to who and what the CCPA covers are broader than the exceptions under the Colorado law. The CCPA, for example, does not apply to nonprofits, period.[30] Furthermore, for entities regulated by HIPAA, financial institutions regulated under the Gramm-Leach-Bliley Act (GLBA), and consumer reporting agencies regulated under the Fair Credit Reporting Act (FCRA), the specific information collected pursuant to those laws is not subject to the CCPA. Medical information collected pursuant to HIPAA is governed only by HIPAA, and not by the CCPA. However, any information collected by that same company which is not protected by HIPAA will, arguably, be covered by the CCPA. We will have to wait and see whether further gaping holes and theft of sensitive consumer data at entities such as Equifax,[31] the Employees Retirement System of Texas,[32] and Wells Fargo[33] have any effect on the FCRA exception under the CCPA, despite what are likely furious lobbying efforts by those industries.

In contrast to the CCPA, the CDPA does not explicitly exempt particular sectors from application of the law. Nonprofits, for example, are not exempted, and neither are consumer reporting agencies, even as to the information the federal statute singles out as sensitive and protectable. While the Colorado AG has noted that compliance with other privacy regimes (GLBA, HIPAA, etc.) is generally sufficient,[34] where the CDPA establishes additional or more rigorous requirements than those regimes, the CDPA requirements must be met notwithstanding (e.g., the 30-day notice requirement under the CDPA is shorter than that of HIPAA).

IV. Conclusion

So, what do these new laws require of the attorney not wholly immersed in privacy or cyber security law? At the bare minimum, they require you to find out whether your clients’ businesses deal in data, how much, and where. Generally speaking, if your clients maintain information on their employees or customers in Colorado, the CDPA will apply to your clients and the data they maintain. The client must take “reasonable security” measures to protect the information; have a written policy for maintaining and destroying the information; and comply with the set timing and content requirements for investigating and reporting a breach of that information.

If your clients receive and solicit a substantial amount of business from California, or derive a large part of their income from the collection, analysis, or sale of data, or truly anything involving data, you will need to ask more questions of your clients to determine how close, if at all, they are to falling within the purview of the CCPA. A good Chief Security Officer, if the company doesn’t have a Privacy Officer, should know where to start an assessment. If not, they are in luck: Colorado is full of knowledgeable, practically minded privacy attorneys who can help.

[1] The CCPA becomes effective January 1, 2020. The law includes, however, a twelve-month “look back” period, allowing consumers to request disclosure of their Personal Information (PI) collected up to one year prior to the request. California Consumer Privacy Act of 2018, Cal. Civ. Code Div. 3, Pt. 4, Tit. 1.81.5 (operative January 1, 2020).

[2] Privacy: Personal Information: Businesses, California Legislative Information, https://leginfo.legislature.ca.gov/faces/billCompareClient.xhtml?bill_id=201720180AB375 (last visited Apr. 5, 2019).

[3] H.B. 18-1128, 71st Gen. Assemb., 2d Reg. Sess. (Colo. 2018) (enacted).

[4] Please note that the Colorado Consumer Data Privacy Act is not generally known by the acronym “CDPA,” but this acronym will be used throughout this Article for the sake of convenience.

[5] Colo. Rev. Stat. §§ 6-1-713.5, 6-1-716.

[6] Colo. Rev. Stat. §6-1-716.

[7] Colo. Rev. Stat. §6-1-713(2)(b).

[8] Colo. Rev. Stat. §6-1-713(1).

[9] Colo. Rev. Stat. §6-1-713.5(1).

[10] Colo. Rev. Stat. §6-1-713.5(2).

[11] Id.

[12] Id.

[13] Id.

[14] Id.

[15] Id.

[16] Id.

[17] Id.

[18] Id.

[19] Id.

[20] Id.

[21] Michael Mandel, The Data Economy is Much, Much Bigger Than You (and the Government) Think, The Atlantic (July 25, 2013), https://www.theatlantic.com/business/archive/2013/07/the-data-economy-is-much-much-bigger-than-you-and-the-government-think/278113/.

[22] John Stephens, California Consumer Privacy Act, American Bar Association (Mar. 8, 2019), https://www.americanbar.org/groups/business_law/publications/committee_newsletters/bcl/2019/201902/fa_9/.

[23] Cal. Civ. Code §1798.100 (2019).

[24] California Consumer Privacy Act of 2018, Cooley (Oct. 31, 2018), https://cdp.cooley.com/ccpa-2018/.

[25] Which claws back information collected from January 1, 2019.

[26] The scope of personal information is subject to additional amendments and heavy lobbying.

[27] Cal. Civ. Code §1798.140(o)(1) (2019).

[28] Cal. Civ. Code §1798.155 (2019).

[29] Id.

[30] Cal. Civ. Code §1798.140 (2019).

[31] Actions Taken by Equifax and Federal Agencies in Response to the 2017 Breach, U.S. Government Accountability Office (Aug. 30, 2018), https://www.gao.gov/products/GAO-18-559.

[32] Largest Healthcare Data Breaches of 2018, HIPAA Journal (Dec. 27, 2018), https://www.hipaajournal.com/largest-healthcare-data-breaches-of-2018/.

[33] Zack Whittaker, Millions of Bank Loan and Mortgage Documents have Leaked Online, TechCrunch, https://techcrunch.com/2019/01/23/financial-files/ (last visited Apr. 5, 2019).

[34] Colorado’s Consumer Data Protection Laws: FAQ’s for Businesses and Government Agencies, Colorado Attorney General, https://coag.gov/resources/data-protection-laws (last visited Apr. 5, 2019).