Joshua M. Deitz, Speaker on California Consumer Privacy Act at ABA Section of Public Contract Law, 2019 Public Procurement Symposium
Joshua M. Deitz, a member of RJO’s Government Contracts and Cyber Security and Privacy practices, will be presenting on the implications of the California Consumer Privacy Act for government contractors at the ABA Section of Public Contract Law, 2019 Public Procurement Symposium in San Diego.
While many government contractors do not consider themselves to be typical “data brokers,” companies are increasingly collecting and retaining various types of data that will be governed by the California Consumer Privacy Act (CCPA). This will subject many companies to compliance obligations and legal risks outside their typical expectations.
Who is bound by the California Consumer Privacy Act
The CCPA will affect a wide range of government contractors. For example, contractors carrying out disaster recovery efforts may collect data on properties and debris linked to households and individuals who own or resided on the property. Contractors managing secure facilities may collect information on visitors and contacts. Contractors involved in surveys or surveillance may collect information on individuals, households, properties, or devices that would fall within various categories of personal information governed by the CCPA.
GDPR and the CCPA
With the enactment of the CCPA, many are wondering if their compliance with the General Data Protection Regulation (GDPR), a wide-sweeping, European-driven change in online data privacy and protection is enough. While GDPR and related compliance efforts will provide some protection from the CCPA, the CCPA will require separate and independent exposure analysis and compliance mechanisms.
The CCPA at-a-glance
The presentation will cover the basics of the CCPA, current implications and action items for government contractors doing business in California, and ongoing developments and likely litigation for the CCPA and other similar state laws in development.
What the CCPA requires
The CCPA requires companies doing business in California to inform California residents of how their information is collected and used, and to provide options for residents to manage how their information is shared or request that information held by a particular business be deleted.
What type of information the CCPA governs
The CCPA governs nearly all information that could be used to identify particular individuals or households and/or that could be linked or correlated between those individuals or households. This includes unique identifiers, account information, purchase information and histories, medical histories, educational histories, work histories, protected classifications, and internet search history. The CCPA also covers effectively all biometric information, geolocation data, and audio, visual, or other sensory information.
Possible exemptions from and troubles for the CCPA
While the CCPA provides exemptions for publicly available information, de-identified personal information, and aggregate personal information, these exemptions are likely to be the focus of additional legislation, regulations, and litigation. As machine learning continues to provide new techniques to parse and link theoretically deidentified data, companies will face a high burden in attempting to maintain data in a de-identified and/or aggregate format. The exemptions to the right to delete information will also likely be a focus of future litigation. While businesses are permitted to retain certain information to meet legal obligations, carry out public interest research, and comply with consumer expectations, the implementation of these exemptions will certainly be tested in the courtroom.
The presentation will also cover the 2019 bills recently signed by Governor Newsom, including the one-year exemption for employees of California businesses, and the draft regulations recently released by the Attorney General. As the CCPA is in its early stages, there will likely be further developments, amendments, regulations, and litigation to flesh out specific boundaries, acceptable compliance, and the scope of potential violations.
Are you interested in learning more about the CCPA? Please join us at this year’s California Consumer Privacy Act for government contractors, ABA Section of Public Contract Law, 2019 Public Procurement Symposium in San Diego. Click here to learn more.