Blog Post 04.02.20
Stay-at-home and shelter-in-place orders prompted by the COVID-19 pandemic have already led to a dramatic increase in the reliance on technology—and the generation and collection of extensive personally identifiable information (PII)—for myriad personal and professional purposes. As businesses now contemplate how to safely welcome customers, guests and employees back to their physical premises, the collection of PII is only likely to increase in the form of virus and antibody testing, temperature taking, video monitoring to ensure social distancing, contact tracing via location tracking, and similar preventative measures based on the collection of biometric and other personal data.
At the same time, state attorneys general across the country have made clear that they intend to vigilantly enforce consumer privacy laws during the COVID-19 pandemic. For example, on June 16, 2020, nearly 40 attorneys general sent a combined letter to two major Bay Area technology companies commending their efforts on a “privacy-centered notification tool” for COVID-19-related alerts, but expressing “strong concerns” that certain apps focused on contact tracing do not meet privacy standards. There are also at least three bills currently pending in the U.S. Congress intended to federally regulate the privacy and security of data collected for contact-tracing purposes. And the private bar has also been active in bringing COVID-19-focused privacy class actions.
In short, privacy law is alive and well in the age of COVID-19, and businesses across industries must now be mindful of the consumer data that they are collecting and storing for both commercial and public health purposes. Two new laws in particular, the California Consumer Privacy Act (CCPA) and the New York Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), are likely to be key tools in a growing wave of privacy law enforcement and litigation activity during COVID-19 and its aftermath.
The California Consumer Privacy Act (CCPA)
On July 1, 2020, the California Attorney General began enforcing the CCPA despite requests from the business community to delay enforcement in light of COVID-19. The statute provides California consumers with significant new rights over businesses’ use of their PII, including the right to know what PII is being collected, the right to have PII deleted, and the right to opt out of the sale of PII.
Notwithstanding this recent commencement of enforcement activity, the CCPA was signed into law on June 28, 2018 and became effective on January 1, 2020. As such, enforcement activity can address conduct that has occurred since the beginning of the year and will no doubt implicate various data privacy issues created by COVID-19. Indeed, the statute’s private right of action has already given rise to a slew of class actions with direct and indirect links to the ongoing pandemic.
Private Right of Action
The CCPA’s private right of action allows California consumers to sue on either an individual or classwide basis when companies doing business in California fail to “implement and maintain reasonable security procedures and practices” and that failure leads to the “unauthorized access and exfiltration, theft, or disclosure” of the consumers’ “nonencrypted and nonredacted personal information.” In addition to injunctive or declaratory relief and actual damages, the statute also authorizes consumers to seek statutory damages of $100 to $750 per consumer per incident if a violation is not cured within 30 days of notice. To paraphrase the late Senator Everett Dirksen, a breach here, a breach there, and pretty soon you’re talking real money.
The private plaintiffs’ bar has already been active in this space, filing dozens of cases that bring claims under the CCPA or that otherwise reference the statute. Many of these private CCPA actions have clear ties to or implications for COVID-19 data collection:
Businesses should anticipate that the frequency of such actions will continue to increase. In particular, it appears to be only a matter of time before a class action under the CCPA directly challenges the handling of biometric data, or other PHI or PII, collected to combat COVID-19.
On July 1, 2020, the California Attorney General announced that “[t]oday we begin enforcement of the California Consumer Privacy Act (CCPA), a first-of-its-kind data privacy law in America.” The statute can now be enforced in connection with conduct occurring since its effective date of January 1, 2020. Moreover, media accounts confirm that enforcement activity has in fact begun in earnest, with reports of companies receiving compliance notices prior to the July 4 holiday weekend.
These early efforts have proceeded despite a broadly publicized request by trade associations and other organizations representing thousands of companies doing business in California to delay enforcement until January 2, 2021, due to the COVID-19 pandemic. Enforcement has also proceeded even though the California Attorney General’s Office did not submit final proposed regulations under the CCPA for review by the California Office of Administrative Law (OAL) until June 1, 2020. While the Attorney General has requested expedited review, OAL has up to 90 days to finalize the regulations. Thus, while the California Attorney General can now enforce the CCPA itself, these implementing regulations are not yet enforceable.
The CCPA authorizes the California Attorney General—and only the Attorney General—to bring a civil action to recover penalties for violations of the CCPA if businesses fail to cure such violations within 30 days of notification of noncompliance. In such cases, the statute authorizes civil penalties of up to $2,500 for each violation and up to $7,500 for each intentional violation, as well as injunctive relief. Further, unlike private plaintiffs—who are limited to suits challenging the “unauthorized” revelation of “personal information” due to a lack of “reasonable security”—the Attorney General can bring a civil action in response to any uncured violation of the CCPA. This includes failures by businesses to comply with consumers’ requests to identify and/or delete their PII, as well as failures to provide an opportunity for consumers to opt out of the sale of their PII.
A proposal to further strengthen the CCPA in the form of the California Privacy Rights Act (CPRA) has also qualified to appear on the ballot in California this November. If passed, the CPRA would, among other things, eliminate the 30-day cure period prior to a government enforcement action, create a new California Privacy Protection Agency to enforce the CCPA and CPRA, and provide consumers with additional rights to restrict businesses’ use of their sensitive personal information (SPI). SPI would specifically include information germane to COVID-19 mitigation efforts—like precise geolocation and biometric and health information—as well as other sensitive data like Social Security, driver’s license, and passport numbers, and information about financial accounts, race, ethnicity, religion, union membership, personal communications, genetics, sex life, and sexual orientation.
The New York SHIELD Act
On July 25, 2019, the SHIELD Act (S.5575B/A.5635) was signed into law, broadening the scope of existing New York data breach notification and data protection laws. The new law has two components: (1) covered entities must adopt a comprehensive cybersecurity data protection program to safeguard “private information,” now defined to include biometric data; and (2) covered entities must comply with data breach notification requirements when there is unauthorized “access” to “private information.” The breach notification requirements took effect on October 23, 2019, while the cybersecurity requirements took effect on March 21, 2020. While the SHIELD Act does not create a private right of action, it charges the New York Attorney General with enforcement. To the extent that companies are collecting additional sensitive information, including health data and other COVID-19-related material, it is critical that they establish a comprehensive cybersecurity program to protect that information.
Cybersecurity Program Requirements
The SHIELD Act requires “any person or business that owns or licenses computerized data which includes private information of a resident of New York” to “develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information, including, but not limited to, disposal of data.” The safeguards can be tailored based on the size and complexity of the institutions but must at a minimum include:
Data Breach Notification Requirements
The SHIELD Act expands the definition of data breach to cover any situation involving unauthorized “access” to “private information,” regardless of whether such data is “acquired.” In the event of a data breach, the Act requires prompt notice to affected individuals and to government authorities. The SHIELD Act contains an exception, however, to the requirement to notify affected individuals if the exposure of private information was “inadvertent,” by persons authorized to access the information, and the business “reasonably determines such exposure will not likely result in misuse of such information, or financial harm to the affected persons or emotional harm in the case of unknown disclosure of online credentials.”
The New York Attorney General is charged with enforcing the SHIELD Act. While the SHIELD Act does not create a private right of action, the Attorney General may bring an action for civil penalties or to enjoin unlawful practices. The statute also expands the time period within which the Attorney General may bring an action from two to three years. Penalties for failing to provide notice in the event of a data breach can amount to the greater of $5,000 or $20 per instance of failed notification (capped at $250,000 per breach). Penalties of up to $5,000 per violation can be imposed for failing to adopt reasonable safeguards. While there have not yet been any public SHIELD Act enforcement actions, the New York Attorney General entered into a May 7, 2020, letter agreement with the same video communications provider that has been targeted by private litigants in California. The letter agreement expressly references COVID-19 and requires the company to implement a comprehensive cybersecurity program.
Suggested Business Practices
Any business considering new practices for collecting or storing PII—and biometric data in particular—should first seek expert legal advice. At a high level, several practices will be worth considering for many such businesses:
For more information, please reach out to your regular Pillsbury contact or the authors of this client alert.
Pillsbury’s experienced multidisciplinary COVID-19 Task Force is closely monitoring the global threat of COVID-19 and providing real-time advice across industry sectors, drawing on the firm’s capabilities in crisis management, employment law, insurance recovery, real estate, supply chain management, cybersecurity, corporate and contracts law and other areas to provide critical guidance to clients in an urgent and quickly evolving situation. For more thought leadership on this rapidly developing topic, please visit our COVID-19 (Coronavirus) Resource Center.