<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Privacy Risk Report &#187; California Consumer Privacy Act</title>
	<atom:link href="https://privacyriskreport.com/tag/california-consumer-privacy-act/feed/" rel="self" type="application/rss+xml" />
	<link>https://privacyriskreport.com</link>
	<description></description>
	<lastBuildDate>Fri, 03 Feb 2023 16:49:49 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
	<item>
		<title>The Internet Of Things Gets More Dangerous And More Regulated In 2020</title>
		<link>https://privacyriskreport.com/the-internet-of-things-gets-more-dangerous-and-more-regulated-in-2020/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=the-internet-of-things-gets-more-dangerous-and-more-regulated-in-2020</link>
		<comments>https://privacyriskreport.com/the-internet-of-things-gets-more-dangerous-and-more-regulated-in-2020/#comments</comments>
		<pubDate>Mon, 13 Jan 2020 17:08:00 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[California]]></category>
		<category><![CDATA[California Consumer Privacy Act]]></category>
		<category><![CDATA[California’s Security of Connected Devices]]></category>
		<category><![CDATA[Internet of Things]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=2005</guid>
		<description><![CDATA[
<p>Now that the January 1, 2020 compliance deadline for the California Consumer Privacy Act (“CCPA”) has passed and the dust has settled, it may be worth taking a look at how a few other changes in California may impact privacy... <a class="more-link" href="https://privacyriskreport.com/the-internet-of-things-gets-more-dangerous-and-more-regulated-in-2020/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/the-internet-of-things-gets-more-dangerous-and-more-regulated-in-2020/">The Internet Of Things Gets More Dangerous And More Regulated In 2020</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p><a href="https://privacyriskreport.com/no-need-to-get-hysterical-over-the-compliance-deadline-for-the-california-consumer-privacy-act/" target="_blank">Now that the January 1, 2020 compliance deadline for the California Consumer Privacy Act</a> (“CCPA”) has passed and the dust has settled, it may be worth taking a look at how a few other changes in California may impact privacy law. More specifically, in the chaos caused by CCPA compliance, several privacy experts have overlooked California&#8217;s steps to regulate the Internet of Things (&#8220;IoT&#8221;).</p>
<p><strong>THE INTERNET OF THINGS GETS MORE DANGEROUS </strong></p>
<p>While we were all focused on the impending CCPA deadline, we can be forgiven for missing a recent incident where a Ring security camera was hacked to harass a child in her bedroom. <a href="https://www.washingtonpost.com/nation/2019/12/12/she-installed-ring-camera-her-childrens-room-peace-mind-hacker-accessed-it-harassed-her-year-old-daughter/?arc404=true" target="_blank">On December 12, 2019, the Washington Post reported</a> on 8-year-old Alyssa LeMay, who went to her bedroom when she heard music. Once she was inside her bedroom, the music stopped and a man’s voice said: “Hello there.” The hacked Ring camera allowed the stranger to view Alyssa’s room and speak directly to her. The man also told Alyssa that he was Santa Claus. During the exchange, the man used a racial slur with the child and prompted her to misbehave. The video on the Washington Post website has to be watched to be believed and to fully understand the significant danger created by “Internet of Things” devices. Further, while this incident did not cause long-term damage, it is easy to see the dangers created by these devices in our homes.</p>
<p>This incident with the Ring camera <a href="https://privacyriskreport.com/hackers-see-you-when-youre-sleeping-hackers-know-when-youre-awake-major-data-breach-involving-childrens-information-and-pictures-calls-smart-toys-further-into-question/" target="_blank">makes parents long for simpler times, such as in December of 2015</a>, when they only needed to worry about pictures and data saved on children’s toys that were breached by a toymaker.</p>
<p><strong>LEGISLATION ADDRESSES THE DANGERS RELATED TO THE INTERNET OF THINGS </strong></p>
<p>While the CCPA deadline was important, <a href="https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180SB327" target="_blank">California lawmakers imposed another deadline on January 1, 2020, that requires a manufacturer of a connected device</a>, such as the Ring camera, to take steps that would make IoT devices collect and store data safely. Specifically, the “Security of Connected Devices” law may provide a model for other state and federal laws as IoT devices become more ingrained in our lives. And, while the law may contain several significant holes and only applies to manufacturers, it provides a decent first step in regulating this new technology with the following:</p>
<ul>
<li>First, the new law states that “Manufacturer” “<em>means the person who manufactures, or contracts with another person to manufacture on the person’s behalf, connected devices that are sold or offered for sale in California. For the purposes of this subdivision, a contract with another person to manufacture on the person’s behalf does not include a contract only to purchase a connected device, or only to purchase and brand a connected device</em>.” This definition will have an immediate impact to the extent this will create more security outside of California as manufacturers bring all devices in compliance with California’s laws rather than lose access to the California market. Therefore, while this law is limited to California, we can expect all IoT devices in all states will get more secure.</li>
</ul>
<ul>
<li>Next, the law requires “<em>[a] manufacturer of a connected device…equip the device with a reasonable security feature or features that are all of the following: (1) Appropriate to the nature and function of the device. (2) Appropriate to the information it may collect, contain, or transmit. (3) Designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure</em>.”  Once again, because the California market is so large, we can expect to see all IoT devices integrate “reasonable security features” regardless of whether the device will be sold in California.</li>
</ul>
<ul>
<li>Further, many of the other definitions found in this law are broad and will most likely result in manufacturers increasing security features. For example, the term “connected device” is used in the law to mean “any device, or other physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address.” Therefore, while it is clear that a Ring camera would fall under this law, we may see manufacturers of printers make sure they are in compliance.</li>
</ul>
<ul>
<li>Finally, while the law is broad, it does not create a private cause of action. The California Attorney General will need to enforce this law. Additionally, it is clear that this law is limited to manufacturers and does not apply to individuals that install and use IoT devices.</li>
</ul>
<p><strong>THE INTERNET OF THINGS IS WITH US FOR GOOD</strong></p>
<p>At present, the dangers presented by interconnected devices must be addressed by manufacturers of the products and law enforcement such as the California Attorney General. California’s Security of Connected Devices law does not create a private cause of action. That being said, this technology, and the laws that control the use of this technology, are quickly evolving. In a matter of a few years, we have gone from speculating how these devices could cause harm to seeing children harassed in their own bedrooms. <a href="https://www.economist.com/leaders/2019/09/12/how-the-world-will-change-as-computers-spread-into-everyday-objects" target="_blank">The <em>Economist</em> recently reported</a>: “One forecast is that by 2035 the world will have a trillion connected computers, built into everything from food packaging to bridges and clothes.” (<a href="https://blogs.wsj.com/cio/2020/01/10/the-internet-of-things-is-changing-the-world/" target="_blank">The January 10, 2020 edition of the Wall Street Journal also addresses these issues in great detail</a>.) Based on this significant increase in interconnected devices in both residential and industrial settings, the <em>Economist</em> article concludes: “As a result, a series of unresolved arguments about ownership, data, surveillance, competition and security will spill over from the virtual world into the real one.” Therefore, as these dangers become clear and we see the potential for property damage or bodily injury, we can expect to see state and federal governments step up the regulation of the Internet of Things.</p>
<p>For more information, contact Tressler attorney <a href="https://www.tresslerllp.com/attorneys/attorney-details/todd-rowe" target="_blank">Todd Rowe</a> at <a href="mailto:trowe@tresslerllp.com" target="_blank">trowe@tresslerllp.com</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/the-internet-of-things-gets-more-dangerous-and-more-regulated-in-2020/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>No Need To Get Hysterical Over The Compliance Deadline For The California Consumer Privacy Act</title>
		<link>https://privacyriskreport.com/no-need-to-get-hysterical-over-the-compliance-deadline-for-the-california-consumer-privacy-act/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=no-need-to-get-hysterical-over-the-compliance-deadline-for-the-california-consumer-privacy-act</link>
		<comments>https://privacyriskreport.com/no-need-to-get-hysterical-over-the-compliance-deadline-for-the-california-consumer-privacy-act/#comments</comments>
		<pubDate>Tue, 23 Jul 2019 16:39:41 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[Businesses]]></category>
		<category><![CDATA[California Consumer Privacy Act]]></category>
		<category><![CDATA[GDPR]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1886</guid>
		<description><![CDATA[
<p>The compliance deadline for the California Consumer Privacy Act (“CCPA”) is January 1, 2020. Even though the CCPA is the first privacy law that will directly impact a large number of U.S. businesses, the best strategy for most U.S. businesses... <a class="more-link" href="https://privacyriskreport.com/no-need-to-get-hysterical-over-the-compliance-deadline-for-the-california-consumer-privacy-act/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/no-need-to-get-hysterical-over-the-compliance-deadline-for-the-california-consumer-privacy-act/">No Need To Get Hysterical Over The Compliance Deadline For The California Consumer Privacy Act</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>The compliance deadline for the California Consumer Privacy Act (“CCPA”) is January 1, 2020. Even though the CCPA is the first privacy law that will directly impact a large number of U.S. businesses, the best strategy for most U.S. businesses will be to take a measured response toward this new law.</p>
<p><strong>GDPR Hysteria </strong></p>
<p>The General Data Protection Regulation (“GDPR”) has been in effect for more than a year. And, without question, GDPR has impacted privacy law across the world as <a href="https://www.hipaajournal.com/59000-data-breaches-reported-to-gdpr-supervisory-authorities-91-fines-issued/" target="_blank">59,000 data breaches were reported to the EU supervisory authorities which resulted in the assessment of about 90 penalties</a> since the May 25, 2018 compliance deadline. However, while GDPR has undoubtedly impacted many businesses, it has not become a daily concern for most businesses in the EU and almost no concern for the vast majority of U.S. businesses.</p>
<p>Before the compliance deadline, there was what can only be called <a href="https://www.gdwnet.com/2017/11/29/can-we-tone-down-the-gdpr-hysteria/" target="_blank">“GDPR hysteria”</a> over how the world would look after GDPR. As the GDPR deadline loomed, many experts and U.S. law firms grew hysterical and rushed to create GDPR practices. While an assessment of privacy safeguards and preparation is always recommended, <a href="https://privacyriskreport.com/tick-tock-a-gdpr-primer-to-meet-the-deadline-next-week/" target="_blank">the best advice at that time</a> was for American businesses to simply use GDPR as another opportunity to review their privacy safeguards rather than stress over compliance.</p>
<p><strong>A Measured CCPA Response</strong></p>
<p>Today, we are seeing a similar hysteria over the upcoming <a href="https://www.gdwnet.com/2017/11/29/can-we-tone-down-the-gdpr-hysteria/" target="_blank">January 1, 2020, CCPA compliance deadline</a>. In the days leading up to the enactment of CCPA, we are seeing law firms and other experts set up practice groups dedicated to the onslaught of CCPA claims. And, once again, a measured response may be the best course when determining a game plan for compliance as not every U.S. business will be subject to the CCPA.</p>
<p>Before any business pays a law firm’s newly-minted CCPA practice group a large retainer, it may be worth looking at the fundamental principles of this new law. First, the impact of the CCPA may be limited to the extent the “businesses” subject to this law must collect consumers&#8217; personal data, do business in California, and satisfy at least one of the following additional requirements to fit into the definition of “business” under the law:</p>
<ul>
<li>Annual gross revenues exceeding $25 million;</li>
<li>Possess the personal information of 50,000 or more consumers, households, or devices; or</li>
<li>Earn more than half of its annual revenue from selling consumers&#8217; personal information.</li>
</ul>
<p>These requirements will most likely narrow the scope of the CCPA to larger, national businesses.</p>
<p>Admittedly, if the CCPA applies, the stakes are high for compliance as a business that violates the CCPA can be prosecuted by the California Attorney General or be sued in a civil suit for damages ranging from $100 to $750 for each California resident (or actual damages if greater) involved in a breach. (Cal. Civ. Code § 1798.150)  Therefore, any business subject to CCPA has reason to be concerned about this privacy law.</p>
<p>However, while it is reasonable to expect the CCPA to have a greater impact on U.S. businesses than GDPR, the CCPA may not apply to the vast majority of businesses. In many cases, the best place to start to determine if the CCPA should cause concern for a business falling into this gray area is to look at the California legislature’s stated intent behind the CCPA which includes:</p>
<ul>
<li>“…the bill would grant a consumer a right to request a business to disclose the categories and specific pieces of personal information that it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of 3rd parties with which the information is shared.”</li>
</ul>
<ul>
<li>“The bill would require a business to make disclosures about the information and the purposes for which it is used.”</li>
</ul>
<ul>
<li>“The bill would grant a consumer the right to request deletion of personal information and would require the business to delete upon receipt of a verified request, as specified.”</li>
</ul>
<ul>
<li>“The bill would grant a consumer a right to request that a business that sells the consumer’s personal information, or discloses it for a business purpose, disclose the categories of information that it collects and categories of information and the identity of 3rd parties to which the information was sold or disclosed.”</li>
</ul>
<ul>
<li>“The bill would require a business to provide this information in response to a verifiable consumer request.”</li>
</ul>
<ul>
<li>“The bill would authorize a consumer to opt-out of the sale of personal information by a business and would prohibit the business from discriminating against the consumer for exercising this right, including by charging the consumer who opts out a different price or providing the consumer a different quality of goods or services, except if the difference is reasonably related to value provided by the consumer’s data.”</li>
</ul>
<ul>
<li>“The bill would prohibit a business from selling the personal information of a consumer under 16 years of age, unless affirmatively authorized, as specified, to be referred to as the right to opt-in.&#8221;</li>
</ul>
<ul>
<li>“The bill would prescribe requirements for receiving, processing, and satisfying these requests from consumers.”</li>
</ul>
<p>CCPA compliance may not need to be an overriding concern for a smaller business that does not face any of the challenges outlined above. That is, if a business does not have many requests to destroy stored personal information, it may not need an elaborate process to field such requests. Of course, even if a business believes the CCPA does not apply to it, a measured response may still include taking steps toward compliance. First, businesses are always best served by protecting customer/client data that they have been entrusted with. Also, it is only a matter of time before almost every business will operate under state or federal privacy laws. Therefore, while it may be practical for all businesses to begin working toward CCPA compliance, there is no reason to be hysterical about this new privacy law.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/no-need-to-get-hysterical-over-the-compliance-deadline-for-the-california-consumer-privacy-act/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
