You're the director of e-discovery services at a major social networking company. The company's headquarters and main development facilities are in Santa Clara County, California, but its servers and operations are spread around the world. Many of the company's developers and customers are European Union residents. The company recently revised its e-discovery processes to account for the EU General Data Protection Regulation ("GDPR").
The general counsel walks into your cubicle and drops an article on your desk. It's titled "California Enacts GDPR-Like Consumer Privacy Protections: What You Need to Know." She then asks you, "We just finished the GDPR e-discovery update. Now do we need to do something about this?"
California's New Privacy Law
On June 28, 2018, California Governor Jerry Brown signed Assembly Bill 375, the California Consumer Privacy Act of 2018 ("CCPA" or "the Act"). Barring further amendment, the CCPA will go into effect January 1, 2020. The CCPA will give California residents control over how companies collect, store, use and disclose their personal information. The CCPA covers for-profit companies doing business in the state of California that:
(1) Have annual gross revenues of more than $25 million (as adjusted);
(2) Buy, receive, sell or share for commercial purposes the personal information of 50,000 or more consumers, households or devices each year; or
(3) Derive 50 percent or more of revenue from selling consumers’ personal information.
Unlike earlier state and federal privacy laws, which tend to focus on a specific sector or type of personal information, the CCPA arguably applies to all businesses that meet these requirements. The CCPA, however, includes explicit exceptions to ensure that it doesn’t come into conflict with pre-existing privacy laws such as the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act (HIPAA).
GDPR Compliance Does Not Translate into CCPA Compliance
While the CCPA and GDPR both focus on individual rights, companies should not assume that being GDPR-compliant makes them CCPA-compliant. A GDPR compliance program is a head start, but businesses subject to the CCPA should confirm that they have the operational, technical and contractual ability to honor its requirements for any personal information they collect about California residents.
Several CCPA Provisions Raise Issues for E-Discovery Professionals:
- The CCPA's broad definition of "personal information" reaches information routinely disclosed in discovery. The CCPA defines personal information as "information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household." Personal information specifically includes unique identifiers, biometrics, geolocation data, browsing and search information, "inferences drawn" from personal information to create a profile about a consumer, and "[p]rofessional or employment-related information." Companies cannot avoid disclosing employee personal information, especially professional or employment-related information, to service providers and litigation adversaries in discovery. It may be advisable to add terms to vendor agreements and protective orders specifying the recipients' obligations to comply with the CCPA.
- The CCPA gives consumers the right to demand that companies delete their personal information. The CCPA requires companies to delete personal information "collected from the consumer" on a verifiable request, and to direct their service providers to delete it as well (Sec. 1798.105(c)), which reaches e-discovery vendors holding copies of company data. There are exceptions, including data needed to protect against fraud or other illegal activity, to enable internal uses reasonably aligned with consumer expectations, to complete a transaction with the consumer, and to "comply with a legal obligation." (Sec. 1798.105(d)(8).) Retention obligations and litigation holds would likely qualify as "legal obligations," but companies that make operational changes to how they store and process personal information, for example an automated deletion pipeline that honors consumer requests, will need to ensure that those changes don't delete personal information that is subject to a litigation hold.
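As an added illustration (not from the article, and not any company's actual system), the following Python sketch shows how a deletion pipeline can gate Sec. 1798.105 requests on an active legal-hold registry: held records are deferred rather than deleted, the deferral is recorded so the request is not silently lost, and the deferred deletions complete once the last covering hold is released. The record layout, the way holds are scoped (by subject, data source and collection date), the service-provider notification stub, and the sample records and holds are all constructed assumptions; a real implementation would read holds from the legal-hold tool and records from the actual data stores.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Set


@dataclass(frozen=True)
class Record:
    record_id: str
    consumer_id: str
    source: str          # data store it lives in, e.g. "crm" or "support-tickets"
    collected_on: date


@dataclass(frozen=True)
class LegalHold:
    hold_id: str
    consumer_ids: FrozenSet[str]   # subjects whose data must be preserved
    sources: FrozenSet[str]        # data sources in scope; empty set = every source
    start: date                    # covers records collected on or after this date
    end: Optional[date] = None     # None = open-ended until the hold is released

    def covers(self, rec: Record) -> bool:
        if rec.consumer_id not in self.consumer_ids:
            return False
        if self.sources and rec.source not in self.sources:
            return False
        if rec.collected_on < self.start:
            return False
        return self.end is None or rec.collected_on <= self.end


class RetentionService:
    """Consumer data store plus the hold registry and the deferred-deletion queue."""

    def __init__(self, records: List[Record], holds: List[LegalHold]) -> None:
        self.records: Dict[str, Record] = {r.record_id: r for r in records}
        self.holds: Dict[str, LegalHold] = {h.hold_id: h for h in holds}
        self.deferred: Dict[str, Set[str]] = {}   # record_id -> hold_ids blocking it
        self.audit: List[str] = []                # stands in for the real audit log

    def _blocking_holds(self, rec: Record) -> Set[str]:
        return {h.hold_id for h in self.holds.values() if h.covers(rec)}

    def _delete(self, record_id: str) -> None:
        del self.records[record_id]
        self.deferred.pop(record_id, None)
        # Sec. 1798.105(c): the business must also direct its service providers
        # (including e-discovery vendors) to delete; here that is an audit entry.
        self.audit.append(f"deleted {record_id}; service providers directed to delete")

    def request_deletion(self, consumer_id: str) -> Dict[str, List[str]]:
        """Process a verified Sec. 1798.105 deletion request for one consumer.

        Held records are not deleted (1798.105(d)(8), "comply with a legal
        obligation"); they are queued so the deletion completes when the hold
        lifts instead of being silently dropped.
        """
        result: Dict[str, List[str]] = {"deleted": [], "deferred": []}
        for rec in [r for r in self.records.values() if r.consumer_id == consumer_id]:
            blockers = self._blocking_holds(rec)
            if blockers:
                self.deferred[rec.record_id] = blockers
                result["deferred"].append(rec.record_id)
                self.audit.append(f"deferred {rec.record_id}: held by {sorted(blockers)}")
            else:
                self._delete(rec.record_id)
                result["deleted"].append(rec.record_id)
        return result

    def release_hold(self, hold_id: str) -> List[str]:
        """Release one hold; complete deferred deletions no other hold still covers."""
        del self.holds[hold_id]
        completed: List[str] = []
        for record_id in list(self.deferred):
            if not self._blocking_holds(self.records[record_id]):
                self._delete(record_id)
                completed.append(record_id)
        return completed


# Constructed sample data. r3 predates hold H-1's window; r2 is under two holds.
SAMPLE_RECORDS = [
    Record("r1", "c-100", "crm", date(2019, 3, 1)),
    Record("r2", "c-100", "support-tickets", date(2019, 6, 15)),
    Record("r3", "c-100", "crm", date(2017, 1, 10)),
    Record("r4", "c-200", "crm", date(2019, 2, 2)),
]
SAMPLE_HOLDS = [
    LegalHold("H-1", frozenset({"c-100"}), frozenset({"crm", "support-tickets"}), date(2018, 1, 1)),
    LegalHold("H-2", frozenset({"c-100"}), frozenset({"support-tickets"}), date(2019, 1, 1)),
]


def demo() -> Dict[str, List[str]]:
    svc = RetentionService(SAMPLE_RECORDS, SAMPLE_HOLDS)
    first = svc.request_deletion("c-100")     # r3 deleted now; r1 and r2 deferred
    after_h1 = svc.release_hold("H-1")        # r1 deleted; r2 still held by H-2
    after_h2 = svc.release_hold("H-2")        # r2 deleted
    return {"deleted_now": first["deleted"], "deferred": first["deferred"],
            "after_h1": after_h1, "after_h2": after_h2}


if __name__ == "__main__":
    print(demo())
```

The point of the deferred queue is the second hold: releasing H-1 must not delete r2, because H-2 still covers it, so every release re-evaluates each deferred record against all remaining holds rather than trusting the hold that originally blocked it.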
- The CCPA gives consumers a private right of action for breaches of specified personal information. Under the CCPA, a California consumer whose nonencrypted or nonredacted personal information is subject to "unauthorized access and exfiltration, theft, or disclosure as a result of the business's violation of the duty to implement and maintain reasonable security procedures and practices" may sue. (Sec. 1798.150(a)(1).) The covered data is the consumer's name in combination with any of the following: (i) a Social Security number; (ii) a driver's license or state ID number; (iii) an account, credit card or debit card number together with any security code, access code or password that would permit access to the account; (iv) medical information; or (v) health insurance information. Statutory damages run from $100 to $750 per consumer per incident, or actual damages if greater. The plain language of this section could cover, for example, the inadvertent public filing of unredacted consumer names and account numbers in litigation. Many argued that this surprisingly common kind of error already violated California privacy law, but a private right of action with meaningful statutory damages gives plaintiffs' attorneys an incentive to pounce on any publicized inadvertent disclosure. Two practical consequences follow: because encryption and redaction take data outside the section, productions and filings should be checked against this list of data elements before they leave the company, and an inadvertent filing should be handled as a potential security incident rather than only as a discovery mishap.
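As an added example (not from the article, and not a feature of any filing or e-discovery tool), the following Python check scans a filing exhibit for the name-plus-identifier combinations that Sec. 1798.150 turns into a private right of action, so an unredacted exhibit is caught before it is filed. The sample exhibit and the list of known consumer names are constructed. Treating "in combination with" as the same line of the exhibit, the Social Security number and California driver's license formats, and the Luhn checksum used to tell card numbers from ticket numbers are all simplifying assumptions, not the statute's definitions; bank account numbers, which carry no checksum, would need a field-aware check rather than a pattern.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample: an exhibit that went out without redaction. Ana Silva's
# row is properly redacted and should produce no finding.
SAMPLE_EXHIBIT = """EXHIBIT 12 - Customer account reconciliation (CONFIDENTIAL)
Customer: Maria Lopez   SSN: 123-45-6789   Card: 4111 1111 1111 1111
Customer: Dan Wu        Card: 5555 5555 5555 4444   (chargeback 2018-04-02)
Customer: Ana Silva     SSN: XXX-XX-XXXX   Card: [REDACTED]
Reference ticket 987654321 opened by Dan Wu on 2018-04-03.
"""

# Constructed: the consumers known to appear in this production.
KNOWN_NAMES = ["Maria Lopez", "Dan Wu", "Ana Silva"]

# Assumed formats for three of the Sec. 1798.81.5(d)(1)(A) data elements.
PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "ca_driver_license": re.compile(r"\b[A-Z]\d{7}\b"),
    "card_number": re.compile(r"\b(?:\d[ -]?){12,15}\d\b"),   # 13 to 16 digits
}


class Finding(NamedTuple):
    name: str
    category: str
    value: str


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; separates card numbers from ticket or reference numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_for_breach_triggers(text: str, known_names: List[str]) -> List[Finding]:
    """Return every (name, category, value) triple found on the same line.

    A bare identifier with no consumer name on the line is not reported: the
    statute's trigger is the name in combination with the data element.
    Masked or redacted values do not match the patterns, so a properly
    redacted row produces nothing.
    """
    findings: List[Finding] = []
    for line in text.splitlines():
        names = [n for n in known_names if n in line]
        if not names:
            continue
        for category, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(0)
                if category == "card_number" and not luhn_ok(re.sub(r"\D", "", value)):
                    continue
                for name in names:
                    findings.append(Finding(name, category, value))
    return findings


def exposure_by_consumer(text: str, known_names: List[str]) -> Dict[str, List[str]]:
    """Map each consumer to the sorted categories exposed beside their name."""
    out: Dict[str, List[str]] = {}
    for f in scan_for_breach_triggers(text, known_names):
        cats = out.setdefault(f.name, [])
        if f.category not in cats:
            cats.append(f.category)
    return {name: sorted(cats) for name, cats in out.items()}


def safe_to_file(text: str, known_names: List[str]) -> bool:
    """Gate to run before anything leaves the company for filing or production."""
    return not scan_for_breach_triggers(text, known_names)


if __name__ == "__main__":
    for f in scan_for_breach_triggers(SAMPLE_EXHIBIT, KNOWN_NAMES):
        print(f"{f.name}: {f.category} = {f.value}")
    print("safe to file:", safe_to_file(SAMPLE_EXHIBIT, KNOWN_NAMES))
```

On the sample, Maria Lopez is flagged for both a Social Security number and a card number, Dan Wu for a card number, and Ana Silva not at all; the ticket number on the last line is ignored because it is too short and fails Luhn. Run the gate on the document actually being filed, not on an earlier draft, since redactions are routinely lost when a file is regenerated from its source.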
The CCPA May Still Be Further Amended
The precise details of the CCPA may yet change. The CCPA was passed quickly to keep a more stringent initiative on privacy from appearing on the ballot in November. As a result, the CCPA has gaps and provisions likely to cause unintended consequences. Amendments have already begun. Governor Brown signed a first round of amendments, embodied in Senate Bill 1121, on September 23, 2018. But given the stakes for major technology players, it's reasonable to expect further attempts at amendment. Once the CCPA goes into effect, there are also likely to be legal challenges.