California Attorney General Reinforces Need for CCPA Compliance

On Friday, California Attorney General Xavier Becerra released a statement providing tips on how to stay secure online amidst the COVID-19 emergency and reminding California consumers of their data privacy rights under the California Consumer Privacy Act (CCPA), which took effect on January 1, 2020. This is a reminder that businesses subject to the CCPA must be mindful of and adhere to the CCPA requirements in handling personal information during this crisis. It also potentially signals future enforcement actions against companies that fail to do so.

The Attorney General’s press release stated “[w]hether it’s our children’s schooling, socializing with family and friends, or working remotely – we are turning to mobile phones and computers as a lifeline. With such a dependency on online connectivity, it is more important than ever for Californians to know their privacy rights.”

The press release also emphasized certain protections under the CCPA that consumers can invoke, including:

• the right to opt-out of the sale of personal information;
• the right to minimize or reduce the data collected by businesses during or after the emergency by requesting that the business delete personal data that it has collected; and
• the right to request that a business disclose to you what personal information the business collects, uses, shares, or sells.

The COVID-19 crisis has forced many companies to resort to the use of online technologies, such as video conferencing, streaming services, and mobile applications, and to collect, and in some cases disclose, new types of information, such as someone’s temperature or whether a person has tested positive for or been exposed to COVID-19. The Attorney General’s press release emphasizes that he views the rights of consumers and the obligations of companies to be at least as important during this crisis as in normal times, if not more so.

The press release also makes privacy-protecting recommendations specifically aimed at consumers, but these recommendations also might be applicable to companies and their workforces, including:

• Warn employees of email phishing scams related to the COVID-19 emergency;
• Protect virtual meetings with private IDs and passwords;
• Configure virtual private networks (VPNs) to safely interface with employees’ home networks; and
• Provide specific protections for the online activity of children.

Although the enforcement date of the CCPA is currently set for July 1, 2020, the Attorney General has repeatedly indicated that he expects businesses to comply now. Several industry groups have requested that the Attorney General delay enforcement of the CCPA due to the COVID-19 emergency, but he has declined to do so. Companies subject to the CCPA need to prepare for the possibility of enforcement actions starting July 1. For information on the CCPA requirements, please see our CCPA toolkit here.

The press release is part of a larger trend of investigating the privacy and security practices of companies during the COVID-19 crisis. Last week, the New York City Department of Education prohibited teachers and more than 1.1 million students from using Zoom for remote learning because of data security concerns.

In addition, even though the CCPA indicates that it is to be enforced by the Attorney General, several private-plaintiff class actions already have been filed asserting either direct claims under the CCPA or using the CCPA as a basis for violations of other state laws. In just the last month, the video conferencing company Zoom was sued in three separate proposed class actions alleging violations of the CCPA, as well as other privacy and unfair practices laws.¹ All three suits allege that Zoom collected personal data in the form of unique advertiser identifier data without providing adequate notice to users in violation of section 1798.100(b) of the CCPA. The complaints also allege that Zoom violated sections 1798.150(a) and 1798.120(b) of the CCPA by sharing this personal data with third parties such as Facebook without notifying or giving users the opportunity to opt out of this disclosure.

It remains to be seen whether these direct claims under the CCPA will result in liability, since the text of the statute seems to give exclusive enforcement rights to the Attorney General. The CCPA only creates a private right of action for security breaches under section 1798.150 of the CCPA, which provides for the recovery of statutory damages of up to $750 per violation.²

Companies can help manage privacy and cybersecurity liability from both private and public actors by considering the issues identified in O’Melveny’s checklist—Managing COVID-19 Privacy Issues—and working with experienced counsel.

¹ Cullen v. Zoom Video Communications, Inc., Case 5:20-cv-02155-SVK (N. D. Cal. Filed March 30, 2020); Taylor et al. v. Zoom Video Communications, Inc., Case 5:20-cv-02170-SVK (N.D. Cal. Filed March 31, 2020); Ohlweiler et al v. Zoom Video Communications Inc., Case 2:20-cv-03165-SVW-JEM (C.D. Cal. Filed April 3, 2020).

² Class actions have also been filed seeking recovery of statutory damages for security breaches under Section 1798.150. See Barnes v. Hanna Andersson, LLC, Case No. 20-cv-00812 (N.D. Cal. Filed February 3, 2020).