The increased reliance on technology during the COVID-19 pandemic, and on biometric and location data in particular, has already garnered significant attention under privacy laws—a trend that is likely to continue.
State attorneys general in California, New York, and across the country have indicated that the enforcement of privacy laws will not be relaxed or waived in light of COVID-19.
The CCPA and SHIELD Act are powerful new privacy laws that government enforcers and, for the CCPA, private litigants will rely on in expanding ways as privacy protection collides with COVID-19 prevention.

Stay-at-home and shelter-in-place orders prompted by the COVID-19 pandemic have already led to a dramatic increase in the reliance on technology—and the generation and collection of extensive personally identifiable information (PII)—for myriad personal and professional purposes. As businesses now contemplate how to safely welcome customers, guests and employees back to their physical premises, the collection of PII is only likely to increase in the form of virus and antibody testing, temperature taking, video monitoring to ensure social distancing, contact tracing via location tracking, and similar preventative measures based on the collection of biometric and other personal data.

At the same time, state attorneys general across the country have made clear that they intend to vigilantly enforce consumer privacy laws during the COVID-19 pandemic. For example, on June 16, 2020, nearly 40 attorneys general sent a combined letter to two major Bay Area technology companies commending their efforts on a “privacy-centered notification tool” for COVID-19-related alerts, but expressing “strong concerns” that certain apps focused on contact tracing do not meet privacy standards. There are also at least three bills currently pending in the U.S. Congress intended to federally regulate the privacy and security of data collected for contact-tracing purposes. And the private bar has also been active in bringing COVID-19-focused privacy class actions.

In short, privacy law is alive and well in the age of COVID-19, and businesses across industries must now be mindful of the consumer data that they are collecting and storing for both commercial and public health purposes. Two new laws in particular, the California Consumer Privacy Act (CCPA) and the New York Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), are likely to be key tools in a growing wave of privacy law enforcement and litigation activity during COVID-19 and its aftermath.

The California Consumer Privacy Act (CCPA)
On July 1, 2020, the California Attorney General began enforcing the CCPA despite requests from the business community to delay enforcement in light of COVID-19. The statute provides California consumers with significant new rights over businesses’ use of their PII, including the right to know what PII is being collected, the right to have PII deleted, and the right to opt out of the sale of PII.

Notwithstanding this recent commencement of enforcement activity, the CCPA was signed into law on June 28, 2018 and became effective on January 1, 2020. As such, enforcement activity can address conduct that has occurred since the beginning of the year and will no doubt implicate various data privacy issues created by COVID-19. Indeed, the statute’s private right of action has already given rise to a slew of class actions with direct and indirect links to the ongoing pandemic.

Private Right of Action
The CCPA’s private right of action allows California consumers to sue on either an individual or classwide basis when companies doing business in California fail to “implement and maintain reasonable security procedures and practices” and that failure leads to the “unauthorized access and exfiltration, theft, or disclosure” of the consumers’ “nonencrypted and nonredacted personal information.” In addition to injunctive or declaratory relief and actual damages, the statute also authorizes consumers to seek statutory damages of $100 to $750 per consumer per incident if a violation is not cured within 30 days of notice. To paraphrase the late Senator Everett Dirksen, a breach here, a breach there, and pretty soon you’re talking real money.

The private plaintiffs’ bar has already been active in this space, filing dozens of cases that bring claims under the CCPA or that otherwise reference the statute. Many of these private CCPA actions have clear ties to or implications for COVID-19 data collection:

  • Private plaintiffs have filed a number of class actions alleging CCPA violations against a well-known video communications provider whose popularity has surged during the COVID-19 pandemic. Notwithstanding the fact that private claims under the CCPA are ostensibly limited to the “unauthorized” release of data due to the absence of “reasonable security,” most of these cases contain similar allegations that the company violated the CCPA by failing to notify consumers that it had acquired their personal information and made it available to third parties, and that they had the right to opt out of such use of their data. If successful, these claims could significantly widen the reach of the CCPA’s private right of action. Some complaints against the same video communications provider also make allegations specific to the “bombing” phenomenon—that is, unauthorized access of private videoconferences by hackers as usage of videoconferencing services has skyrocketed during COVID-19. These plaintiffs allege that the company failed to prevent plaintiffs’ nonencrypted personal information from unauthorized disclosure and that it violated its duty to implement and maintain reasonable security procedures and practices.
  • Putative CCPA class actions have also targeted several companies in the health care industry, alleging data breaches involving protected health information (PHI). The specific targets of these PHI suits include an operator of drug and alcohol addiction rehabilitation facilities, a manufacturer and developer of medical devices for the treatment of diabetes, and a diagnostic company providing genetic screening services. Such cases tend to allege that this sort of “sensitive personal and medical information ... should have received the most rigorous protection available,” allowing plaintiffs to allege that the statutory requirement of “reasonable security procedures and practices” creates a heightened burden in the PHI context. Businesses considering temperature, virus or antibody testing to help ensure customer and employee safety during COVID-19 should be particularly mindful about the level of security procedures appropriate to protect such data.

Businesses should anticipate that the frequency of such actions will generally continue to increase. In particular, it appears to be only a matter of time before a CCPA class action directly challenges the handling of biometric data or other PHI or PII collected to combat COVID-19.

Government Enforcement
On July 1, 2020, the California Attorney General announced that “[t]oday we begin enforcement of the California Consumer Privacy Act (CCPA), a first-of-its-kind data privacy law in America.” The statute can now be enforced in connection with conduct occurring since its effective date of January 1, 2020. Moreover, media accounts confirm that enforcement activity has in fact begun in earnest, with reports of companies receiving compliance notices prior to the July 4 holiday weekend.

These early efforts have proceeded despite a broadly publicized request by trade associations and other organizations representing thousands of companies doing business in California to delay enforcement until January 2, 2021, due to the COVID-19 pandemic. Enforcement has also proceeded even though the California Attorney General’s Office did not submit final proposed regulations under the CCPA for review by the California Office of Administrative Law (OAL) until June 1, 2020. While the Attorney General has requested expedited review, OAL has up to 90 days to finalize the regulations. Thus, while the California Attorney General can now enforce the CCPA itself, these implementing regulations are not yet enforceable.

The CCPA authorizes the California Attorney General—and only the Attorney General—to bring a civil action to recover penalties for violations of the CCPA if businesses fail to cure such violations within 30 days of notification of noncompliance. In such cases, the statute authorizes civil penalties of up to $2,500 for each violation and up to $7,500 for each intentional violation, as well as injunctive relief. Further, unlike private plaintiffs—who are limited to suits challenging the “unauthorized” revelation of “personal information” due to a lack of “reasonable security”—the Attorney General can bring a civil action in response to any uncured violation of the CCPA. This includes failures by businesses to comply with consumers’ requests to identify and/or delete their PII, as well as failures to provide an opportunity for consumers to opt out of the sale of their PII.

A proposal to further strengthen the CCPA in the form of the California Privacy Rights Act (CPRA) has also qualified to appear on the ballot in California this November. If passed, the CPRA would, among other things, eliminate the 30-day cure period prior to a government enforcement action, create a new California Privacy Protection Agency to enforce the CCPA and CPRA, and provide consumers with additional rights to restrict businesses’ use of their sensitive personal information (SPI). SPI would specifically include information germane to COVID-19 mitigation efforts—like precise geolocation and biometric and health information—as well as other sensitive data like Social Security, driver’s license, and passport numbers, and information about financial accounts, race, ethnicity, religion, union membership, personal communications, genetics, sex life, and sexual orientation.

The New York SHIELD Act
On July 25, 2019, the SHIELD Act (S.5575B/A.5635) was signed into law, broadening the scope of existing New York data breach notification and data protection laws. The new law has two components: (1) covered entities must adopt a comprehensive cybersecurity data protection program to safeguard “private information,” now defined to include biometric data; and (2) covered entities must comply with data breach notification requirements when there is unauthorized “access” to “private information.” The breach notification requirements took effect on October 23, 2019, while the cybersecurity requirements took effect on March 21, 2020. While the SHIELD Act does not create a private right of action, it charges the New York Attorney General with enforcement. To the extent that companies are collecting additional sensitive information including health data and other COVID-19-related material, it is critical that companies establish comprehensive cybersecurity to protect that information.

Cybersecurity Program Requirements
The SHIELD Act requires “any person or business that owns or licenses computerized data which includes private information of a resident of New York” to “develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information, including, but not limited to, disposal of data.” The safeguards can be tailored based on the size and complexity of the institutions but must at a minimum include:

  • designation and training of employees to coordinate cybersecurity compliance;
  • the use of third-party service providers capable of maintaining appropriate cybersecurity practices, with safeguards required by contract;
  • risk assessment of the company’s cybersecurity program, including both the network and software design and the information processing, transmission and storage;
  • processes and physical safeguards to detect, prevent and respond to attacks or system failures;
  • monitoring and testing of the effectiveness of the cybersecurity program;
  • processes to dispose of data safely, securely and permanently within a reasonable amount of time after it is no longer needed for business purposes; and
  • updates to the program periodically to address changes in the business or circumstances that would require the program to be changed.

Data Breach Notification Requirements
The SHIELD Act expands the definition of data breach to cover any situation involving unauthorized “access” to “private information,” regardless of whether such data is “acquired.” In the event of a data breach, the Act requires prompt notice to affected individuals and to government authorities. The SHIELD Act contains an exception, however, to the requirement to notify affected individuals if the exposure of private information was “inadvertent,” by persons authorized to access the information, and the business “reasonably determines such exposure will not likely result in misuse of such information, or financial harm to the affected persons or emotional harm in the case of unknown disclosure of online credentials.”

Government Enforcement
The New York Attorney General is charged with enforcing the SHIELD Act. While the SHIELD Act does not create a private right of action, the Attorney General may bring an action for civil penalties or to enjoin unlawful practices. The statute also expands the time period within which the Attorney General may bring an action from two to three years. Penalties for failing to provide notice in the event of a data breach can amount to the greater of $5,000 or $20 per instance of failed notification (capped at $250,000 per breach). Penalties of up to $5,000 per violation can be imposed for failing to adopt reasonable safeguards. While there have not yet been any public SHIELD Act enforcement actions, the New York Attorney General entered into a May 7, 2020, letter agreement with the same video communications provider that has been targeted by private litigants in California. The letter agreement expressly references COVID-19 and requires the company to implement a comprehensive cybersecurity program.

Suggested Business Practices
Any business considering new practices for collecting or storing PII—and biometric data in particular—should first seek expert legal advice. At a high level, several practices will be worth considering for many such businesses:

  • Adopt robust data security measures to combat both inadvertent data disclosure and intentional data theft or misuse.
  • Ensure that data security measures address both external threats like hacks and internal threats from authorized employees and third-party contractors (e.g., sale of data for personal profit, public posting of celebrity data, cyberstalking, etc.).
  • Provide detailed notice to consumers and seek their consent regarding policies and practices around PII collection, storage, and sale.
  • Document steps taken to protect consumer privacy to establish a demonstrable effort to comply with applicable privacy laws.
  • Update consumer agreements to include enforceable mandatory arbitration and class action waiver provisions that clearly extend to potential privacy litigation.
  • Seek indemnification and audit rights from any vendors handling PII for potential data breaches or misuse.

For more information, please reach out to your regular Pillsbury contact or the authors of this client alert.

Pillsbury’s experienced multidisciplinary COVID-19 Task Force is closely monitoring the global threat of COVID-19 and providing real-time advice across industry sectors, drawing on the firm’s capabilities in crisis management, employment law, insurance recovery, real estate, supply chain management, cybersecurity, corporate and contracts law and other areas to provide critical guidance to clients in an urgent and quickly evolving situation. For more thought leadership on this rapidly developing topic, please visit our COVID-19 (Coronavirus) Resource Center.

These and any accompanying materials are not legal advice, are not a complete summary of the subject matter, and are subject to the terms of use found at: https://www.pillsburylaw.com/en/terms-of-use.html. We recommend that you obtain separate legal advice.