By Gregg W. Kettles, Best Best & Krieger LLP
The California Consumer Privacy Act, or CCPA, went into effect this year and the California Attorney General began enforcing it on July 1. One might assume that any legislation aimed at “consumers” would have nothing to do with government. That would be a mistake.
The CCPA is broadly written. A local agency that ignores the CCPA does so at its own peril.
The CCPA covers personal information — that is, information that could be associated with any particular person or household. This includes identifiers such as a consumer’s real name, postal address, IP address and email address. It also includes information about transactions that a person or household has participated in, including records of goods and services purchased.
The law gives consumers the right to know what personal information is collected about them, the right to easily opt out of the sharing of their personal information, the right to take their personal information somewhere else and, subject to certain limitations, the right to have that information destroyed.
The CCPA is not toothless.
Any consumer whose non-encrypted or non-redacted personal information is subject to unauthorized access as a result of an organization’s violation of the duty to implement and maintain reasonable security procedures may sue to recover damages — either individually or as part of a class action lawsuit. Those who violate the CCPA may also be sued by the state’s Attorney General and incur civil penalties.
What This Means for Local Government
While the CCPA expressly applies only to for-profit entities, it doesn’t follow that public agencies should remain ignorant of its provisions.
Public agencies regularly contract with for-profit firms to bill for services provided by the public agency. A billing services provider for a public agency supplying electric, water and other utility services will obtain information regarding the name, address, telephone number, credit history and utility usage data of individual customers. This information is presumptively private under the California Public Records Act, and is also designated as confidential in a typical public agency/billing services provider contract. As such, it constitutes personal information that is subject to the CCPA.
A local public agency might also enter into a contract with a private micro-mobility device provider, such as Lime, Jump or Bird. In exchange for allowing these firms to leave their scooter, bike and other ride-sharing devices in the public right of way, an agency might ask that the provider collect (and share with the agency) usage data revealing the identity of an individual rider and the route they took on a particular day and time. Such information counts as personal information under the CCPA.
Public agencies may have even considered selling some of this information to private firms.
For example, my electricity usage might be valuable to firms who sell and install home solar power systems. Your water usage might be valuable to firms who sell and install drip irrigation systems and drought tolerant ground cover and landscaping. Another person’s travel patterns might be valuable to retailers.
If I have been known to buy cold brew coffee at Starbucks, the next time I’m renting an electric scooter near a Starbucks, Starbucks might like to know so they can send me an advertisement in real time that they are having a special on cold brew coffee just a block away.
A public entity is liable for injury caused by the tortious act, or omission, of an independent contractor to the same extent the public entity would be subject to such liability if it were a private person. When there is a duty to do certain work carefully, or to maintain property in a safe condition, this duty cannot be avoided by delegating the work to an independent contractor.
Under the peculiar risk doctrine, a city is liable for injuries resulting from the negligent performance of a contract involving special risks, particular to the work to be done, and arising out of its character, or out of the place where it is done, against which a reasonable person would recognize the necessity of taking special precautions.
All of this means that a public agency may be on the hook for violations of the CCPA by an independent contractor. A firm hired to assist with billing for the agency’s utility services might fail to implement and maintain reasonable security procedures with respect to customer data and suffer a data breach, leading to a lawsuit on behalf of the agency’s customers for statutory damages.
Alternatively, the billing firm might fail to provide the agency’s customers with the CCPA’s required “notice at collection” regarding the categories of personal information collected. This might result in complaints to the Attorney General and legal action.
Protecting Your Agency Against CCPA Violation Risks
Public agencies have experience addressing the liability risks posed by the acts and omissions of independent contractors.
Typically, agencies address them by inserting an indemnity clause into their contract with an independent contractor. These indemnity clauses may require the independent contractor to pay the agency’s litigation expenses and money damages the agency is ordered to pay if sued for something the contractor did or failed to do.
Agencies have also addressed the liability risks posed by independent contractors by insuring against them. Insurance policies tailored to the risks associated with electronic data and misuse of personal information, for example cyber liability and data breach insurance policies, are increasingly available.
Either way, where a public agency contracts with a private entity collecting information from consumers, the agency should review its contracts and insurance coverage to ensure it is adequately protected against the risks of a violation of the CCPA.