The Next Big Thing: Consumer Data Privacy

January 8, 2020

To average consumers, data privacy probably seems cut and dry: nobody can see their data unless they say so. However, for companies tasked with protecting personal information, data privacy isn’t as clear-cut.

The push to give consumers more control over the privacy of their personal data started with passage of Europe’s General Data Protection Regulation (GDPR), which went into effect in May 2018. The GDPR was designed to modernize laws that protect the personal information of individuals in the EU.

On the heels of the GDPR, the California Consumer Privacy Act (CCPA) is set to go into effect in January. The CCPA represents one of the most sweeping acts of legislation enacted by a U.S. state to bolster consumer privacy and marks a new beginning of stricter U.S. consumer protections.

Companies that already comply with the GDPR may find that they currently meet many of the requirements set forth in the CCPA.

“With many experts predicting that other states will follow suit in the coming years, companies that take proactive steps to better protect consumer data will be best equipped to ride the waves of change,” said Bill Burding NTP, ALTA’s president-elect and general counsel for California-based Orange Coast Title Co. “This may be the direction the rest of the country ultimately goes, so whether your operation must comply with CCPA, data privacy statutes will permeate across the country.”

In October, California’s attorney general issued proposed regulations for the CCPA. The public comment period ended Dec. 6. The law mandates that on or before July 1, 2020, the Office of the Attorney General must promulgate and adopt implementing regulations for the CCPA.

CCPA Impetus

California’s history with protecting privacy goes back to 1972, when the state amended its constitution to make the right to privacy an inalienable right. Over the years, multiple privacy protection laws have passed in California. After the Cambridge Analytica scandal in March 2018, a wealthy real estate developer in the Bay Area pushed for a ballot initiative on privacy. Spending $43.5 million of his own money, Alastair Mactaggart garnered enough signatures to put the initiative on the state’s ballot. At that point, legislators noticed the developer’s efforts and started working on a compromise.

In California, propositions passed by ballot are very difficult to change and the legislature can’t easily amend them. Negotiations happened quickly and a bill was proposed, passed and signed by the governor at the 11th hour.

“It happened very rapidly and pretty much on the last day that they could push legislation through there was a compromise,” said Stephanie Duchene, a partner with the law firm Mayer Brown. “Immediately the legislature began amending it and this last legislative session has been very active in this space.”

Five amendments were passed during the legislative session and signed by the state’s governor. According to the law firm Jones Day, the bills help clarify ambiguous provisions and focus the potential scope of the CCPA.

Of importance are the amendments excluding employee data and other businesses’ employees for one year from various obligations under the CCPA, the law firm noted.

In fact, Nevada and Maine already have passed consumer privacy bills, and another 35 states are considering proposals bills that affect data security.

Nuts and Bolts of CCPA

There are several terms defined in California’s privacy legislation in order to clarify the parameters of the law. The provisions of the statue pertain to certain businesses and all Californian consumers, which are defined as:

  • Consumer: Natural person who is a California resident, as defined in Section 17014 of Title 18 of the California Code of Regulations. Applies even to California residents that do not seek a product or service from a company.
  • Business: Any sole proprietorship, partnership,LLC, corporation, association or “other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners” that:
    • Collects consumer public information (PI) or determines the “purposes and means of the processing of” PI either alone or jointly with others
    • Conducts business in California
    • Satisfies one of the following thresholds:
      • Gross revenue threshold: gross revenues in excess of $25 million USD, as adjusted
      • Collection threshold: buys, receives, sells or shares PI of 50,000 or more consumers, households or devices
      • Sale threshold: derives 50 percent or more of its annual revenues from “selling” consumer personal information

The definition of business warrants thoughtful consideration, according to Elizabeth Reilly, senior privacy counsel for Fidelity National Financial. While a company providing title or settlement services may not physically be in California, engaging or receiving information from a consumer who lives in the state may require compliance. “It’s very important to understand and to consider with the advice of counsel whether the law applies to you if you have the question “‘Are we or are we not a covered business under the law?” Reilly said.

There have been rumors that engagement with a single California consumer in the context of providing title and escrow services even if you’re outside the state, could trigger the law’s application. “The fact that you may come across one person’s information who’s a California consumer in the context of providing title or settlement services in Florida likely isn’t going to get you within the scope of CCPA, but it’s certainly something that warrants close attention and reasoned analysis to make that determination,” Reilly added.

According to Kendall Burman, a data privacy council for Mayer Brown, there’s also a second part of the definition of business. She said a company can also be covered by the CCPA if it controls or is controlled by a business that satisfies the definition in part one and “shares common branding with the business.”

  • “Control” or “controlled” means:
    • “Ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business”
    • “Control in any manner over the election of a majority of the directors, or of individuals exercising similar functions”
    • “Power to exercise a controlling influence over the management of a company”
  • “Common branding” means a “shared name, service mark, or trademark”

Another important term loosely defined in the statute is “personal information.” This is information that “identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household” This does not include publicly available information, deidentified or aggregated information, or employment-related information or business contact information.

“What’s interesting is that this definition is even broader than the corresponding definition under the GDPR,” said Lei Shen, a partner with Mayer Brown. “Under the GDPR, the definition really was just limited to information about an individual, but under the CCPA this definition includes information that relates to a household as well.”

The information does include—but is not limited to—the following: if it identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a consumer or household:

  • Identifiers such as real name, alias, postal address, unique personal identifier, online identifier, IP address, email address, account name, Social Security number, driver’s license number, passport number, or similar
  • Commercial information, including records of personal property, products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies
  • Biometric information
  • Internet or other electronic-network activity information, including but not limited to browsing history, search history and information regarding a consumer’s interaction with a website, application or online advertisement
  • Geolocation data
  • Professional or employment-related information
  • Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (FERPA)
  • Inferences drawn from any information identified in this subdivision to create a profile about a consumer reflecting preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities and aptitudes

 

Look Back

One piece of the legislation that companies may not be aware of is that it allows for a 12-month look-back period. This means covered companies must disclose and deliver requested information to the consumer back to Jan. 1, 2019. Burman said the practical impact of that is it can be difficult for some companies if they don’t have the technical infrastructure that allows them to provide the information that they need to provide.

Burding added, “Imagine you are driving down a road with no speed limit and you get a ticket when they do post a speed limit and make it retroactive before the speed limit was enacted. I’ve never seen a look-back statute like this before. where businesses could be fined for a regulation that’s still in a comment period.”

GLBA Exemption

The CCPA exempts certain types of personal financial information that is subject to federal regulation. However, because the exemption is designed for types of data, not types of companies, financial institutions are not fully exempt from the law and should attend to its details. The CCPA exempts information that’s collected pursuant to the GLBA Gramm-Leach-Bliley Act (GLBA).

Shen said the GLBA exception is something several of Mayer Brown’s clients have relied on.

“That doesn’t mean that the business is exempt entirely from the CCPA; you will still need to be responding to requests,” she said. “The response may be, ‘We have no information that is subject to the CCPA to disclose to you at this time.’ We’ve also had several clients that, as they’re going through their data mapping and trying to really understand where they’re collecting information from and for what purpose, start out saying, ‘Everything we collect is subject to the GLBA.’” Once when they dig a little deeper, they realize that’s not really the case because the GLBA has much more limited definitions.”

Reilly said that companies must perform an analysis of whether the data collected was pursuant to the GLBA. Companies also must still account for how they will respond to consumer requests.

“It’s a great exemption, but it’s not a perfect one for us unfortunately,” Reilly said.

How Companies Can Prepare

The California attorney general will have the right to enforce the law. There also is a private right of action for unauthorized access to a consumer’s “nonencrypted or nonredacted personal information.” There is a $7,500 fine per intentional violation ($2,500 per unintentional violation) if a company fails to address an alleged violation within 30 days. Companies can prepare by:

  • Identifying necessary changes to address new individual rights
  • Updating privacy notices and internal privacy policies
  • Reviewing internal processes
  • Updating recordkeeping
  • Updating vendor agreements
  • Reviewing security measures
  • Reviewing data breach response plan

“The new information rights will necessitate new, or changes to existing, internal privacy programs,” Shen said. “Companies should consider designating a role with responsibility for CCPA compliance and oversight. You will want to have processes in place to receive and track consumer requests regarding personal information and consider workforce training, particularly for workers that will be handling individual requests.”

Chris St. John, president of Lawyers Title of Kansas, said at this point Kansas has not passed any consumer data privacy legislation, but it’s something he’s keeping a close eye on.

“We have always taken our customers privacy very seriously,” he said. “We will continue to watch for new legislation and do whatever is necessary to protect the best interest of our customers.”

Data Mapping

Duchene said step one is really getting your arms around your company’s data collection processes. Data mapping is discovering what data you collect, where it’s stored, with whom it’s shared, how long it’s retained and for what purposes it’s used. This requires a formal inventory of data ingress—such as customer registration, systems, fields within the systems and connections between systems. This data needs to be actively maintained as an organization grows and evolves.

A data map may contain:

  • Source(s) of data ingestion (a marketing form)
  • What data you are collecting (name, phone and email)
  • The purpose of the data (send relevant communication over email)
  • The handling of the data
  • The retention timeline of the data

Burding said Orange Coast Title has been mapping data since passage of the GLBA.

“I thought this would be the next shoe to drop,” Burding added. “We already complied with a vast majority of the statute, but that was blind luck. I was only off by 12 or 13 years. But title companies that must comply with data privacy laws will need to invest in a data mapping program.”

ALTA Advocacy Efforts

ALTA has kept a close eye on data privacy, which was a major focus during the 2019 Advocacy Summit. While on Capitol Hill, attendees told members of Congress that ALTA members already are regulated by GLBA. ALTA has advocated that any federal data privacy and security legislation should provide a carve-out to those subject to GLBA.

ALTA has participated in two coalitions pressing for a single national data privacy standard. These groups include the U.S. Chamber Privacy Working Group and Main Street Privacy Coalition.

Earlier this year, ALTA asked Senate Banking Committee Chair Mike Crapo (D-Idaho) and Ranking Member Sherrod Brown (D-Ohio) to urge Congress to develop uniform rules to guide businesses about how to protect data and help them when it’s stolen.

“Data privacy, protection and collection standards should recognize differences in the sensitivity of the data, the risk of harm to the consumer if it’s exposed and the reasonable ability of businesses, based on their size, to implement different safeguards,” the letter stated.

ALTA is concerned that consumer data privacy laws that have passed or are pending create standards for businesses that consumers are not willing to follow. One example is pushback from customers when ALTA members implement secured encrypted email communications for real estate transactions.

“We urge policymakers to ensure data privacy laws set reasonable expectations and requirements for businesses when providing services directly to Americans, such as title companies that close consumers’ mortgage loans,” said Diane Tomb, ALTA’s chief executive officer.

ALTA’s letter suggested legislation to direct the Federal Trade Commission to update the privacy notice under GLBA. An updated disclosure could be like the Consumer Financial Protection Bureau’s improvements to consumer mortgage disclosures. These design elements have been incorporated into the new 1003. An updated notice would provide information about which entities the data is shared with and for what purposes. This could aid in building transparency and consumer trust to describe what personal information is collected, why it is requested or needed, how that information is used and shared, and for what purposes.

A national standard should also be established to ensure that consumers are notified of breaches in a timely and consistent manner, ALTA also wrote in its letter. A single federal law would provide consumers with clarity regarding the scope of protection of their personal information and will eliminate disparity in consumer rights and protections based solely on the consumer’s state of residence or location of the business. Data is now typically shared electronically across jurisdictional boundaries.

“The physical location of the consumer or the business should not be a factor in consumer protections. It is important for consumers served by the industry to have the same set of safeguards and protections in place, regardless of the state jurisdiction,” ALTA said in the letter.

Jeremy Yohe is ALTA’s vice president of communications. He can be reached at jyohe@alta.org.  


Contact ALTA at 202-296-3671 or communications@alta.org.