CCPA Deep Dive: How California is Enforcing its Major Privacy Law
Ashley LeMay and Dylan Blakeley had had enough. The wife and husband had purchased two indoor Amazon Ring security cameras for their home to make them feel safer and to help keep an eye on the couple’s four daughters during LeMay’s overnight shifts at a hospital.
This was especially important to the family because their middle daughter suffers from seizures, so the ability to be quickly notified if a medical emergency occurred at home was of paramount concern.
Unfortunately, while the cameras allowed LeMay and Blakeley to monitor their home, it also provided the same ability to a group of criminals who on 4 December 2019 breached the cameras and began live-streaming their feeds. They also played the song “Tiptoe Through the Tulips” into the home by using the cameras’ two-way talk feature.
One of the couple’s daughters heard the music and went to investigate the noise. After entering a room with a camera, the music stopped and a man’s voice said, “Hello there.” The voice then began to yell racial slurs at the girl, who left the room to tell Blakeley what happened. He later disabled the camera.
Once LeMay and Blakeley found out that similar instances had occurred with other Ring cameras, they decided not to wait any longer for Ring to address the problem. Instead, they joined another couple in a class action lawsuit alleging that Amazon had shared their personal information to an unauthorized third party and failed to properly secure its products.
“Ring does not require users to implement two-factor authentication. It does not double-check whether someone logging in from an unknown IP address is the legitimate user,” according to the filing. “It does not offer users a way to view how many users are logged in. It offers no protection from brute-force entries—mechanisms by which hackers can try an endless loop of combinations of letters and numbers until they land on the correct password to unlock an account. Even though these basic precautions are common and unexceptional security measures across a wealth of online services, Ring does not utilize them for its services.”
The lawsuit was one of the first filed that alleged any kind of a violation of the California Consumer Privacy Act (CCPA). The law went into effect on 1 January 2020, but due to COVID-19 the California attorney general did not begin enforcement until 1 July 2020 and final regulations were approved 14 August 2020.
Under the CCPA, individuals have only a private right of action (grounds to file a lawsuit) if their personal data has been breached. Other cases must be brought by the Office of the California Attorney General. But cases like the one filed by LeMay and Blakeley show that individuals will seek claims under the CCPA—even before enforcement officially began.
“Additionally, we are seeing cases where consumers are attempting to extend the private right of action to other violations of the CCPA (e.g. failure to provide notice, as in the Ring case),” according to an analysis by Alex Scheinman, director at ACA Compliance Group, who oversees the company's General Data Protection Regulation (GDPR) data processing reviews and data privacy. “While the outcome of these cases is yet to be determined, including whether the consumers have standing to bring a suit, it is clear that consumers are availing themselves of this recourse mechanism and will likely continue to do so.”
The CCPA was passed by the California state legislature and signed into law by then Governor Jerry Brown in 2018. The law secured new privacy rights for California consumers and was the first of its kind in the United States.
Under the law, Californians have the right to know about the personal information a business collects concerning them and how it is used and shared; have the right to delete personal information collected from them—with exceptions; have the right to opt-out of the sale of their personal information; and have the right to nondiscrimination for exercising their CCPA rights.
“For the first time in a legal regime, Americans, at least in California, have the right to tell a business that sells their information, don’t,” said California Attorney General Xavier Becerra in testimony before the U.S. Senate Committee on Commerce, Science, and Transportation.
Along with these rights for consumers, the CCPA also requires businesses to provide Californians with notices explaining their privacy practices, which has become critically important during the fight against COVID-19.
“…as we battle a pandemic that has moved so much of life online, companies know more about us, our children, our habits than ever before,” Becerra explained. “That data is today’s gold. And as with gold, there’s been a rush to mine, use, and sell our personal information. Americans need robust tools that allow them to understand who has their data, what was collected, if it can be deleted, and how they can opt out of downstream selling.”
The CCPA is not, however, as broad as a law that it is commonly compared to—the European Union’s GDPR.
“Some folks call or refer to CCPA as an omnibus data protection law, akin to GDPR,” says Caitlin Fennessy, research director at the International Association of Privacy Professionals (IAPP). “CCPA is focused to a much greater extent on the sale of personal data…it does not provide the full suite of fair information practices that privacy professionals are familiar with.”
For instance, Fennessy says the GDPR is premised on the requirement that organizations need to have a legal basis to process someone’s data. But CCPA does not address whether it’s legal for a business to process an individual’s data; instead, it focuses on providing consumers with the ability to control whether their information is sold.
The penalties for violating the CCPA are still steep—civil penalties up to $2,500 for each violation or $7,500 for each intentional violation of the law. Given the population of California, approximately 39.5 million people as of 2019, these costs could add up quickly for organizations that commit violations.
And while the law is still very new, privacy professionals are watching closely to see whether other U.S. states propose and pass similar legislation and what developments occur in the courts.
“We are seeing a lot of linkage between allegations of violation of CCPA primarily on data breach or no opt-out of sale and lack of notice of collection,” Fennessy says. “But very often plaintiffs are combining that with counts related to the unfair competition law in California and trying to link those two things to provide for a private right of action. We’re waiting to see if that legal theory works or sticks.”
This is the approach that LeMay and Blakeley’s legal team is using in their class action lawsuit, which is currently winding its way through the California court system.
“As described herein, [Ring] advertised their products and services as enhancing security and safety, but in fact provided products and services that were highly vulnerable to hacking and that worsened the safety and security of Plaintiffs and the Class Members,” according to the suit, allegedly a violation of California’s unfair competition law because Amazon falsely advertised its products.
Prior to the enforcement deadline, the California Office of the Attorney General undertook major conversations with stakeholders to craft the final regulations for CCPA. This included seven public forums, more than 300 letters, four public hearings, and an open comment period where more than 1,000 public comments were submitted.
After reviewing this information, the attorney general withdrew four provisions from CCPA regulations before finalizing them on 14 August 2020.
“In California, privacy is an inalienable right. Californians should control who possesses their personal data and how it’s used,” Becerra said in a statement. “With these rules finalized, California breaks ground and leads the nation to protect and advance data privacy. These rules guide consumers and businesses alike on how to implement the California Consumer Privacy Act. As we face a pandemic of historic proportions, it is particularly critical to be mindful of personal data security.”
The first withdrawn provision was on a section of the law (Section 999.305) that prevented businesses from using consumers’ personal information for a materially different purpose than what was disclosed when the business collected the information, unless it obtained consent from the consumers.
Another withdrawn provision would have required businesses’ methods for opting out of data collection to be easy for consumers to follow and require minimal steps, along with a provision that would have required businesses that interact with consumers offline to provide offline notices about their ability to opt-out of data collection. Additionally, the attorney general withdrew requirements that allowed businesses to deny requests from authorized agents that do not submit proof that they are authorized to act on a consumer’s behalf.
The Office of the Attorney General did not provide an explanation for why these changes were made, which has led privacy experts like Fennessy to ponder the decision.
“It could be as simple as they didn’t hew to the exact letter of the law and the AG wanted to make sure they were able to defend that—that they had the authority to defend everything in the regulations,” she adds.
Under the CCPA, the California attorney general is required to provide notice to organizations that are in violation of the law and give them 30 days to remedy those errors and become compliant. His office sent letters out after 1 July, as soon as it was legally able to do so, said Stacey Schesser, supervising deputy attorney general, California Department of Justice, in a panel discussion hosted by IAPP.
“There was a surprise that we were enforcing the law, but I think the attorney general has been quite forthcoming that July 1 starts enforcement,” Schesser said, adding that if organizations fail to take steps to become compliant, the attorney general could open an investigation or file a lawsuit against them.
Organizations that receive these notices should take actions to become compliant and also notify the attorney general of the steps they have taken to become so, said Travis LeBlanc, partner at Cooley LLP and member of the Privacy and Civil Liberties Oversight Board, in the panel. Taking these actions is critical, he added, because if the attorney general opens an investigation, it will not be limited to the original issues.
“They can start looking at broader consumer protection issues…and violations of other privacy statutes within California,” LeBlanc said.
So far, Schesser said, the attorney general’s office has focused its enforcement actions on businesses that operate online and needed to make actions and options available online for Californians to exercise their rights under CCPA.
“A central aspect of CCPA and one of the most robust rights CCPA affords Californians is the right to opt-out of the sale of personal information and the requirement that if a business is selling personal information that they have that ‘Do Not Sell’ link that’s clearly and conspicuously posted on the homepage,” Schesser said. “Given that that is really a unique aspect of this law—and one that is clearly spelled out in this statute—it would be appropriate to assume that businesses that are selling information and don’t have that link should make sure to cure that as quickly as possible.”
While the attorney general’s office is spearheading its enforcement efforts, CCPA also allows Californians to file suit against a business if their nonencrypted and nonredacted personal information is leaked, such as in a data breach.
Under this private right of action, Californians can sue to recover damages between $100 and $750 per incident or actual damages—whichever is greater—along with injunctive or declaratory relief and any other relief the courts deem proper.
When assessing statutory damages, the court will consider a number of circumstances, including the number of violations; the willfulness of the defendant’s misconduct; the nature, seriousness, persistence, and length of time of misconduct; and the defendant’s assets, liabilities, and net worth, according to the CCPA.
And while private right of action suits are meant to focus on this one area of liability, privacy and legal experts have seen a slew of lawsuits filed that expand upon this—including the Ring case.
In the IAPP panel discussion, Dominique Shelton Leipzig, partner, privacy and security, co-chair of ad tech privacy and data management at Perkins Cole, said that—as of July 2020—she is aware of 55 cases that have been filed utilizing a private right of action. Just one-third of those cases, however, allege violations of the CCPA explicitly. The rest mention the CCPA alongside unfair competition and other claims of California law violations.
While many of the provisions in CCPA are focused on data collection and rights of Californians to be aware of those practices, there are also requirements for security.
The final regulations require businesses that collect Californians’ data to implement “reasonable security measures to detect fraudulent identity- verification activity and prevent the unauthorized access to or deletion of a consumer’s personal information.”
Additionally, if a consumer has a password-protected account with a business, the business can use its existing authentication practices to verify that consumer’s identity.
“If a business suspects fraudulent or malicious activity on or from the password-protected account, the business shall not comply with a consumer’s request to know or request to delete until further verification procedures determine that the consumer request is authentic and the consumer making the request is the person about whom the business has collected information,” according to the regulations.
This focus on verification and account protection is pushing organizations to explore using more advanced authentication methods, says Rolf Lindemann, vice president of products at Nok Nok Labs, Inc., and co-chair of the UAF Technology Working Group for the FIDO Alliance.
The FIDO Alliance is an open industry association focused on authentication standards to reduce reliance on passwords. It develops technical specifications for open, scalable, interoperable authentication methods to reduce reliance on passwords; operates industry certification programs to ensure adoption of those specifications; and submits technical specifications to recognized standards development organizations for formal standardization.
“Usernames and passwords, we can’t argue that those are best practices for security,” Lindemann says. “The nuance here is that companies have one more driver to move to a state-of-the-art technology to protect user accounts.”
This is already happening in the financial sector where banks are requiring customers to use multifactor authentication methods to log in to their accounts. There’s also growing interest in using biometrics for authentication, Lindemann adds, because FIDO helped create an ecosystem where a user’s data is only uploaded to the device he or she is using to authenticate themselves—it is not transferred beyond that device, adding in an extra layer of security.
“When we designed FIDO in the first place, data privacy was a major concern and an important factor for us,” Lindemann says. “We made sure that if you use FIDO, there is no need to store biometric data on the server side. There is no need to track the user beyond the data you collect from the user already. It’s not adding another super cookie.”
As consumers increasingly prioritize their privacy and as new laws and regulations are adopted, Lindemann says organizations will be under greater pressure to adopt more secure methods for authentication to ensure compliance and trust.
Following California, Nevada and Maine have adopted comprehensive privacy laws; Connecticut, Louisiana, Massachusetts, North Dakota, and Texas set up task forces to craft comprehensive bills on privacy protections; and 16 other U.S. states had privacy legislation in process.
At the federal level, there is also increasing interest in Congress to pass greater privacy protections for Americans, such as the SAFE DATA Act (S. 4626) introduced by Roger Wicker (R-MS), chair of the U.S. Senate Commerce, Science, and Transportation Committee.
The bill would enshrine some of the same rights that the CCPA does for Californians, including the right to access, correct, delete, and transfer data collected by an organization. It would also require companies to minimize data collection, processing, and retention; hire data security officers and designate privacy officers; and conduct regular privacy impact assessments.
“The biggest new development that has impacted data privacy—as it has impacted so many facets of our life—is the COVID-19 pandemic, which has resulted in millions of Americans working from home,” Wicker said during a Senate hearing about the need for federal level data privacy legislation. “The increased use of video conferencing, food delivery apps, and other online services increases the potential for privacy violations. The need to collect a great deal of data for contact tracing and to track the spread of the disease likewise raises privacy concerns if done improperly. For all of these reasons and more, the need for a uniform, national privacy law is greater than ever.”
Privacy legislation at the U.S. federal level has routinely stalled, however, because of issues identified in a Brookings Institution report published in June 2020. The report looked at Wicker’s previous draft of the U.S. Consumer Data Privacy Act (USCDPA), which the SAFE DATA Act contains provisions of, and legislation introduced by U.S. Senator Maria Cantwell (D-WA), the Consumer Online Privacy Rights Act (COPRA).
“Although COPRA and USCDPA are promisingly similar in many aspects, stakeholders have staked out polar all-or-nothing positions on the two provisions where Wicker and Cantwell are the furthest apart—preemption and the private right of action,” according to Brookings. “As long as these protagonists remain in their own corners, the broader privacy debate will be frozen and federal legislation stalled.”
Less than a year into enforcement of the California Consumer Privacy Act (CCPA), more than 900,000 Californians added their signatures to place the California Privacy Rights Act (CPRA) of 2020 on the ballot for the November 2020 election.
Californians passed the initiative, which was designed to clarify some areas of the CCPA and expand privacy protections under it—making it more similar in scope to the EU’s General Data Protection Regulation. The act goes into effect on 1 January 2023, although some provisions go into effect immediately.
“Consumers need stronger laws to place them on a more equal footing when negotiating with businesses in order to protect their rights,” according to the ballot initiative. “Consumers should be entitled to a clear explanation of the uses of their personal information, including how it is used for advertising, and how to control, correct, or delete it, including by allowing consumers to limit businesses’ use of their sensitive personal information to help guard against identity theft, to opt-out of the sale and sharing of their personal information, and to request that businesses correct inaccurate information about them.”
Under the CPRA, Californians have the right of expanded initial notification obligations—meaning businesses would be required to notify Californians about any data collection before that collection occurs; whether that data can be sold or shared with other parties; and how long that data can be retained.
Additionally, the CPRA clarifies that businesses should retain data on consumers that is only “necessary and proportionate” to achieving the purpose of the data collection or for purposes that are compatible with the context of the data’s collection.
CPRA also requires businesses to “implement reasonable security procedures and practices” to “protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure,” according to the initiative.
Furthermore, the CPRA creates a California Privacy Protection Agency to enforce the CCPA—instead of the current approach that relies on California’s attorney general to handle enforcement of the law—among other provisions.
“While many companies are still grappling with the nuances of the CCPA, if the CPRA gets the green light from voters in November, it will bring yet another wave of compliance issues and implementation of new policies, procedures, and processes for many businesses in and outside of California,” wrote Kathryn M. Rattigan, associate at Robinson & Cole LLP, for The National Law Review.