BY SVIATLANA LIASHCHYNA
At the beginning of July, the new California Consumer Privacy Act (Act) made national headlines as the strictest privacy law in the United States. It provides consumers with the following rights: 1) the right to know and request that a business disclose what types of personal information are collected about the consumer, how they are collected, how they are used, and to whom they are disclosed; 2) the right to direct a business not to sell the consumer’s personal information; 3) the right to request that a business delete the consumer’s information, with some exceptions; and 4) the right not to be discriminated against because the consumer exercises their rights under the Act.
Default legal services and collection law firms are provided with confidential information during the normal course of their business. In light of California’s new law, should these firms start modifying their internal policies and procedures to ensure compliance with this Act?
Not quite: the firms are not required to comply with this Act directly, unless a client chooses to enhance their privacy policies nationally and requires firms to comply with the Act’s provisions through retention agreements.
The California law was initially introduced in February 2017 and was made inactive the following September. The law was then ordered from the inactive file to second reading on 06/21/2018, and it was signed by the California governor on 06/28/2018. The reason for such a rush was a legislative initiative which was scheduled for a vote in November 2018 and proposed a division of California into three states. That initiative included a statement that the ballot sponsors would withdraw the three-state proposal if the California Consumer Privacy Act was passed and signed by the Governor by June 29, 2018. California legislators used the opportunity and passed the Act before the deadline.
This law applies to for-profit businesses operating in the State of California that collect and control the personal information of California residents and meet at least one of the following conditions: 1) have annual gross revenues in excess of $25 million; 2) receive or disclose the personal information of 50,000 or more California residents, households, or devices on an annual basis; or 3) derive 50% or more of their annual revenue from selling California residents’ personal information. The law does not prohibit a disclosure of personal information to service providers and even eliminates the liability of the disclosing business if a service provider violates the restrictions of this law. The exception is where the business had actual knowledge, or reason to believe, that the service provider intended to commit a violation.
The law does not apply to protected health information which is governed by the privacy, security, and breach notification rules of the Health Insurance Portability and Accountability Act (HIPAA) and its implementing regulations; to personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (GLBA) and its implementing regulations, if it is in conflict with that law; or to the sale of personal information to or from a consumer reporting agency if that information is to be reported in, or used to generate, a consumer report and used for the limited purposes provided in the Fair Credit Reporting Act (FCRA).
One of the laws most commonly compared with this one is the General Data Protection Regulation (GDPR). The comparison is accurate only to the extent that both regulations apply to a broad scope of private confidential information, unlike GLBA and HIPAA, which cover financial and health information respectively. Both regulations also apply to companies that are located outside of the legislators’ jurisdictional borders and require costly compliance mechanisms. The GDPR is a much broader regulation which covers data breach notification and data security requirements, cross-border data transfer requirements, and data processor security expectations. None of these topics is covered in the California law.
Considering the applicability limitations and the limited types of requirements included in the California Consumer Privacy Act, default legal services and collection law firms, regardless of their location, should not be required to implement any additional security and privacy policies and procedures unless a servicer requires them through a retention agreement.