CCPA Metrics Disclosure Requirement Takes Effect July 1, 2021

Posted by:

Effective July 1, 2021, annual public disclosure requirements will start to apply to every business that is required to comply with the California Consumer Privacy Act (“CCPA”), and which knows or should know that (alone or in combination) it  buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes the personal information of 10 million or more California residents in a calendar year. This requires these businesses to compile the following metrics for the previous calendar year (January 1, 2020 through December 31, 2020):

  1. The number of requests to know that the business received, complied with in whole or in part, and denied;
  2. The number of requests to delete that the business received, complied with in whole or in part, and denied;
  3. The number of requests to opt-out that the business received, complied with in whole or in part, and denied; and
  4. The median or mean number of days within which the business substantively responded to requests to know, requests to delete, and requests to opt-out.

This information must be disclosed in the business’s privacy policy or posted on its website and accessible from a link included in the privacy policy.  The metrics must be updated annually by July 1. In the disclosure, a business may choose to disclose the number of requests that were denied in whole or in part because the request was not verifiable, was not made by a consumer, called for information exempt from disclosure, or was denied on other grounds.

To review, the CCPA, which became effective on January 1, 2020, grants California consumers the right to control the personal information that businesses collect about them. Through the CCPA, California residents have the right to know what personal information is being collected, whether their personal information was sold or disclosed (and to whom), and may request that businesses delete their personal information.  Currently, only for-profit businesses that collect consumers’ personal information and meet one or more of these criteria must comply: (1) the business has an annual gross revenue in excess of $25 million; (2) the business collects, buys, receives, sells, or shares the personal information of 50,000 or more California-resident consumers, household, or devices; or (3) the business derives 50% or more of its annual revenue from selling consumers’ personal information. For more information about the rights afforded to California residents, and businesses’ obligations under the CCPA, see below for some of our previous CCPA blog posts.

Among other requirements, all businesses that are required to comply with the CCPA must maintain records of CCPA consumer requests and how the business responded to the requests for at least 24 months. These businesses are required to implement and maintain reasonable security procedures and practices in maintaining these records. Such records may be maintained in a ticket or log format, provided that the ticket or log includes the date of request, nature of request, manner in which the request was made, the date of the business’s response, the nature of the response, and the basis for the denial of the request if the request is denied in whole or in part.

In addition, the businesses must establish, document, and comply with a training policy to ensure that all individuals responsible for handling consumer requests made under the CCPA or the business’s compliance with the CCPA are informed of all the requirements in these regulations and the CCPA.

Attorneys at Conkle, Kremer & Engel are staying current with the CCPA and to guide their clients through compliance with this sweeping data privacy law.

0

ADA Lawsuits Attacking Website Accessibility Mount

Posted by:

Over the past few months, we have seen an increase in pre-litigation letters and lawsuits charging Americans with Disabilities Act (“ADA”) violations against commercial websites. These notice and demand letters and lawsuits allege that businesses’ websites violate the federal ADA and similar state laws because they do not give full and equal access to individuals who have disabilities (including blindness, visual impairment and hearing impairment). ADA lawsuits have been filed in federal and state courts throughout the country. No state is immune from such suits, and no business is too small to receive such ADA demands and claims.

One of the factors undoubtedly is the rise of law firms, and consortiums of firms, that specialize in filing such suits. The law firms often work with repeat-plaintiffs with disabilities, much like law firms that specialize in Proposition 65 private enforcement claims in California who work with repeat plaintiffs who purchase products that are then made the subject of notices of violations and lawsuits. The subjects of ADA and Prop 65 laws differ greatly, but the common element is that liability can be fairly easy to establish under both ADA and Prop 65, and both statutes allow awards of attorneys’ fees to the law firms that can far exceed the damages awarded. Some of the law firms that commonly send ADA letters making demands and file lawsuits about website accessibility problems include Pacific Trial Attorneys (Newport Beach, CA), Nye, Stirling, Hale & Miller (Santa Barbara, CA), The Sweet Law Firm (Pittsburgh, PA), Block & Leviton, LLP (Boston, MA), and Carlson Lynch (Chicago, IL).

While there is no universally mandated standard, many large businesses and state and federal agencies follow WCAG 2.1, Level AA standards, which were created by the Web Accessibility Initiative, an internationally recognized organization. Generally, WCAG 2.1 Level AA compliance requires that websites have text components for all images and videos such that assisted technology software may read this content to users. Among other requirements, the standards also require that websites have proper contrast between background images and overlapping font so that visually impaired individuals can use assisting software to be able to read and navigate the website.

To minimize the risk of receiving an ADA violation letter or being sued, we recommend you take at least the following steps:

  1. Request that your digital team ensure and confirm that your website conforms with WCAG standards and, if so, what version/level as there were several earlier WCAG standards prior to the current WCAG version 2.1. To reduce the chances of such claims being made against your company, request your digital team to make your website WCAG 2.1 Level AA compliant and keep it that way until a more updated standard comes into general use.
  2. Add a footer entitled “Accessibility” or “Accessibility Statement” to your website. The footer should preferably appear on the homepage and each webpage, preferably near your “Privacy Policy” and “Terms of Service” footers.
  3. Add a webpage that is linked to the Accessibility Statement footer (e.g. https://www.conklelaw.com/accessibility-statement). This webpage should include an Accessibility Statement discussing your commitment to ensuring accessibility to all and providing contact information to report accessibility barriers and assistance with purchasing products or navigating the website. If you want help formulating your Accessibility Statement, seek qualified counsel to assist you.
  4. Instruct your digital team to periodically review the website as it is updated to ensure there are no access barriers, that all newly uploaded content (including temporary pop-up offers, sale announcements, discount codes, rebates, etc.) complies with WCAG standards, and that all customer service representatives are trained to handle website accessibility inquiries. This training should include advising a responsible person in your digital team of any reported accessibility barriers, and being specifically trained to help disabled customers place orders.

Even if you have not taken these steps before receiving a demand letter or lawsuit from one of the ADA plaintiffs’ lawyers, it’s possible to reduce liability by taking prompt steps. If you received such a website accessibility notice of violation or legal complaint, contact qualified counsel promptly to assist in minimizing the impact and avoid similar future claims. All of the ADA violation matters that Conkle, Kremer & Engel attorneys have defended have been resolved fairly quickly with modest settlements. Others accused of website ADA violations have not been so fortunate, with some reporting having paid tens of thousands of dollars. CK&E attorneys are well qualified to help with all types of ADA and accessibility compliance concerns, whether for websites or physical facilities.

0

The California Consumer Privacy Act (“CCPA”) Is Enforceable Beginning July 1, 2020. Is Your Business Ready?

Posted by:

You may have noticed a recent influx of personal emails about updates to businesses’ privacy policies and terms and conditions. This may be due, in part, to the California Consumer Privacy Act (“CCPA”) allowing individuals to bring private rights of action against businesses. While the CCPA was effective January 1, 2020, it will be enforceable by the California Attorney General beginning July 1, 2020.

What is the CCPA?

The CCPA grants California consumers the right to control the personal information that businesses collect about them. Through the CCPA, California residents have the right to know what personal information is being collected, whether their personal information was sold or disclosed (and to whom), and may request that businesses delete their personal information. Under the CCPA, personal information is any data that identifies, relates to, or describes a particular person or household. Information such as a person’s name, address, and email address (even a computer IP address) are considered personal information. This applies to information collected online and offline, so the CCPA may apply to businesses even if they do not have a website.

Not all businesses need to comply.

The CCPA applies to for-profit businesses that collect consumers’ personal information and meet one or more of these criteria:

(1) The business has an annual gross
revenue in excess of $25M;

(2) The business collects, buys,
receives, sells, or shares the personal information of 50,000 or more
California-resident consumers, household, or devices; or

(3) The business derives 50% or more of
its annual revenue from selling consumers’ personal information.

Even small consumer-oriented businesses should take particular note of the second criteria: If the business’ website collects what the Act classifies as “personal information,” such as email addresses or the IP Address of the computer accessing the website, it may not take very long to collect that kind of information about 50,000 California-resident devices or consumers and make the business subject to the Act.

Upon receiving a verified consumer request, businesses meeting any of the above-mentioned criteria must give California residents the means to exercise their rights under the CCPA and cannot discriminate against them for exercising these rights. Businesses must complete the consumer’s request within 45 days, although an extension of time may be available, and the process of responding to consumer requests must be supported by reasonable security procedures and practices.

What happens if a business does not comply?

A failure to cure any alleged violation of the CCPA within 30 days of notification of alleged noncompliance will subject businesses to an injunction and civil penalties of no more than $2,500 per violation or $7,500 per intentional violation. And if personal information is improperly disclosed or stolen due to the absence of reasonable security procedures and practices, businesses may be subjected to civil action for injunctive or declaratory relief, damages of $100 to $750 per consumer, per incidentor actual damages (whichever is greater), or any other relief that the court deems proper.

Are you ready to comply with the CCPA? Attorneys at Conkle, Kremer & Engel are staying current with the CCPA to guide their clients through compliance.

0