Privacy Act is major risk to companies that hold data, panel says

The California Consumer Privacy Act poses a major risk to any company that holds consumer data, but there is plenty businesses can do to protect themselves, according to panelists speaking during a webinar on Tuesday.

One key, according to Rebecca Perry, is figuring out what data the business doesn't need and is allowed to delete under the 2018 law. She was a panelist on "Laying the Groundwork for CCPA Litigation: Data Retention," organized by Manatt, Phelps & Phillips LLP and two software firms, nNovation LLP and Exterro.

"Data that you don't have can't be breached," said Perry, the director of strategic partnerships at Oregon-based Exterro. "Data that you don't have doesn't need to be protected. And if you don't have it, you don't have to produce it."

The law known as the CCPA gave consumers four basic rights: to know what information a company has about them, to delete some classes of that data, to opt out of the sale of their personal information, and to not be discriminated against by companies for exercising any of these rights. The law also creates a private right of action, allowing consumers to sue directly under the law.

Attorney General Xavier Becerra began enforcing the CCPA on July 1, just a month after his office issued its final enforcement regulations. The tight time frame to comply upset many in the technology field.

But attorney Brandon P. Reilly said the basic step companies need to take hasn't changed: Know what data you have.

"Document everything, and then document your documentation," said Reilly, a partner in Manatt's privacy and data security practice.

Reilly explained that potential causes of action under the law come in "three buckets."

"The first are traditional data breach causes of action, where there has been a reported or discovered data security incident," Reilly said.

These were the main focus of the private right of action under the law, he said. But companies are also seeing cases brought by consumers under the privacy and right to delete aspects of the law, adding these will take time to shake out in the courts. Among the companies hit by these kinds of cases, he said, are Apple Inc., the home security company Ring Inc., Zoom Video Communications Inc., as well as video game and health care companies.

"They're trying to enforce those through civil litigation," Reilly said. "This is not something the statute authorizes. It's very clear that the attorney general is the sole enforcer of those obligations, but nonetheless plaintiffs' attorneys are trying to get creative."

The third set is traditional lawsuits that add a CCPA claim, Reilly said. As an example, he cited companies using the CCPA to help drive unfair competition complaints.

Constantine Karbaliotis, counsel with Toronto-based nNovation LLP, said companies should avoid being caught off guard by how apt some consumers will be to sue under the CCPA. He said many people are aware of the General Data Protection Regulation, the European Union's 2016 data privacy law that helped inspire the CCPA.

"They really have created an expectation among consumers about how privacy law should work," Karbaliotis said.

He added the coronavirus pandemic and contact tracing software have reminded people about privacy concerns.

"The irony being in some cases that the data collection in those apps is less than we're currently voluntarily taking on with many of the things were putting on our phones," Karbaliotis said.

Privacy regulation in California is still a moving target, Perry noted. Californians for Consumer Privacy, the group founded by wealthy privacy advocate Alastair Mactaggart, has placed an even stronger law on California's 2020 ballot.

The California Privacy Rights Act would place more explicit restrictions on how companies use data, including giving consumers a more granular ability to restrict certain types of data. The CCPA itself was the result of a compromise between Mactaggart and state lawmakers that resulted in him taking a previous initiative off the 2020 ballot, but he said he was disappointed by later steps by the Legislature to weaken the law.

But Perry and others say the November initiative has had one positive effect from the perspective of technology companies: hitting the pause button.

"There was a flurry of activity late last year, with several states looking at possible bills," Perry said. "I think now with the CPRA, that's going to be on the ballot in November in California, states have slowed down and are waiting to see what's going to happen because this is a more comprehensive piece of legislation."