Welcome To The Club, Virginia: The Consumer Data Protection Act

A white roadside billboard with the text "Virginia Welcomes You". An illustration of a cardinal sitting on a tree branch with two white flowers at the branches' ends separates the words Virginia and the rest of the billboard message.
Image source: https://www.flickr.com/photos/cgpgrey/4891418085/ (CC-BY 2.0), http://www.cgpgrey.com/

Virginia joined California last week in the data privacy regulation club as the state governor signed the Virginia Consumer Data Protection Act (CDPA) into law on March 2nd, 2021. This law shares some similarities with the CCPA and the upcoming CPRA, but there are just enough differences to cause confusion for library vendors who fall under the scope of the new law.

What Virginia Libraries Need to Know About CDPA Right Now

Virginia libraries paying attention to what happened in California might have a head start with what to expect in the coming years when the law comes into effect in 2023. If you were hoping that Virginia lawmakers would keep close to CCPA in an attempt to create consistent expectations and requirements for consumer data privacy, you might be out of luck. Nonetheless, there are some similarities: some good, others not so much.

First things first – as was the case in California and CCPA, the vast majority of Virginia libraries do not fall under the scope of CDPA. The law pertains to entities conducting business in the state that meet a threshold of either controlling/processing personal data of at least 100,000 Virginia consumers in a calendar year OR controlling/processing personal data of at least 25,000 Virginia consumers and deriving at least 50% of their revenue from selling personal data. Combined with the exceptions made for government entities, non-profits, and higher education institutions, many libraries most likely are exempt from the CDPA, as are non-profit library vendors.

CDPA stays close to the GDPR model of data controller (an entity determining the purpose of as well as the ways of processing personal data) and data processor (an entity that processes data on behalf of the controller). This eliminates the confusion that CCPA created by going with a different model (and CPRA added more to the confusion with the introduction of a new contractor role in that model!). Library vendors covered by CDPA could be both controller and processor, in that the vendor collects and processes data on its own behalf but also collects and processes data on behalf of the libraries and library patrons. Data controllers must include data collection and processing information in a publicly posted privacy notice, including what type of data is collected and shared with third parties.

Beyond scope and updates to vendor privacy notices, what do Virginia libraries need to know about CDPA?

Data rights – The new law grants consumers the rights to access, correct, and delete their personal data held by a data controller, as well as the right to request a copy of their personal data from the controller. Unlike CCPA, CDPA does not appear to include household data in these rights; therefore, there might be a lesser chance of patrons requesting data that includes other patrons’ data from their household.

Opt-out vs opt-in rights – Virginia consumers have the right to opt out of the sale of their personal data, the processing of their personal data for targeted marketing, and the use of their personal data for profiling. This goes beyond the initial sale opt-out of CCPA. Even with the addition of “sharing” to the opt-out in CPRA, there might be confusion as vendors try to accommodate different types of opt-out between CA and VA consumers.

Here’s where more confusion might set in – CDPA requires consumers to opt in before their sensitive data is processed. Sensitive data in CDPA includes race/ethnicity, sexual orientation, religious affiliation, mental and physical health, immigration status, biometric data, and precise geolocation data. On top of all this, sensitive data also includes any data collected from children under 13 years of age. CCPA requires affirmative opt-in for collecting personal data from 13- to 16-year-olds, so the two laws approach collecting and processing minors’ data in very different ways.

Barring clarifications and amendments to either state’s regulations, expect some confusion from patrons when vendors attempt to comply with CDPA and the California data privacy laws.

A Heads Up to Libraries Outside of Virginia and California

While it took a while for another state outside of California to pass a data privacy law, the reality is that Virginia might be the first of a rapid succession of states to pass their own data privacy laws. At the time of this post, there are at least 13 states with active data privacy bills. Many of these bills share some similarities with CCPA/CPRA, but some have more in common with GDPR. The US currently has no federal data privacy law, and as time progresses, it might be that any successful federal data privacy regulation will not preempt stricter state laws. What we are looking at is a possible repeat of what we have with US data breach notification laws – 50+ different approaches, all just different enough to require their own processes. We’ll keep you updated on the latest regulations as they make their way through the legislative process, but it’s starting to look like 2021 might be a very busy year for data privacy regulation.

Related CDPA Resources and Commentary

Summer Homework – Requesting Your Data

Welcome to this week’s Tip of the Hat!

Have you ever wondered what data OverDrive collects while you’re reading the latest ebook? Or what Kanopy collects when you’re watching a documentary? As library workers, we have some sense as to what vendors are collecting, but we are also patrons – what exactly are vendors collecting about *us*?

GDPR and CCPA both give different sets of users (EU residents and CA consumers, respectively) the right to access the data collected by organizations and businesses; however, some organizations extended that right to all users, regardless of geographic residency. Below are some of the more well-known library vendors who are offering some form of data request process for their users (aka library patrons, including you!):

  • Cengage
  • Elsevier
  • Kanopy’s data request appears only to apply to CA consumers: “Under California Civil Code Section 1798.83, if you are a California resident and your business relationship with us is primarily for personal, family or household purposes, you may request certain data regarding our disclosure, if any, of personal information to third parties for the third parties’ direct marketing purposes. To make such a request, please send an email to privacy@kanopy.com with “Request for California Privacy Information” in the subject line. You may make such a request up to once per calendar year. If applicable, we will provide to you via email a list of the categories of personal information disclosed to third parties for their direct marketing purposes during the immediately-preceding calendar year, along with the third parties’ names and addresses. Please note that not all personal information sharing is covered by Section 1798.83’s requirements.”
  • LexisNexis
  • OverDrive
  • ProQuest
    • ExLibris, owned by ProQuest, appears to have a different data request process: “You may request to review, correct or delete the personal information that you have previously provided to us through the Ex Libris Sites. For requests to access, correct or delete your personal information, please send your request along with any details you may have regarding the method by which the information was submitted to privacy@exlibrisgroup.com. Requests to access, change, or delete your information will be addressed within a reasonable timeframe.”

What is surprising is that there are not more library vendors that offer this option, or that more do not extend the option to all users. This might change over time, depending on how the newest data privacy ballot initiative in California goes in November, or if additional regulations are passed in other states or even at the federal level. If more companies provide this right to access for all users, then it’s more likely that this practice will become standard industry-wide. LDH will provide the latest updates around data access options from library vendors when they come along!

Last Minute Panic: A CCPA Update

Welcome to this week’s Tip of the Hat!

We hate to break it to you, but there are only a few weeks left in 2019. Do you know what that means? That’s right – only a few more weeks before the California Consumer Privacy Act comes into effect. A lot has happened since our first newsletter about the CCPA in March, so let’s take some time to catch everyone up on the need-to-knows about CCPA as we head into 2020.

Everything and nothing have changed

Lawmakers introduced almost 20 amendments in the past few months in the State Legislature, ranging from grammatical edits to substantial changes to the CCPA. In the end, only a handful of amendments were signed by the state governor, none of which substantially changes the core of CCPA. There are now a few exceptions to CCPA with the amendments, such as employee data, but that’s the extent of the changes introduced into the Act going into 2020.

However, this doesn’t mean that we won’t see some of the stalled or dead amendments come back in the next legislative session. Expect additional amendments in the coming year, including new amendments that might affect regulation and scope of the Act.

What you need to know about regulation and enforcement

In October 2019, the California Attorney General’s office published a draft set of regulations describing how the office will enforce CCPA. While the public comment period is open until December 6th, many businesses are taking the regulations as their new playbook in preparing for CCPA compliance.

“Household” dilemma

The problematic definition of “personal information” remains… problematic. The amendment that sought to remove “household” from the definition stalled in the State Legislature. The regulations address the handling of household information to a small extent. If someone requests access to personal information, including household information, the business has the option to give aggregated data if they cannot verify the identity of the requester.

Again, this broad definition has ramifications regarding patrons requesting information from library vendors. Libraries should work with library vendors in reviewing confidentiality and privacy policies and procedures and discuss the possible impact this definition will have on patron privacy.

Hello, COPPA!

One of the major elements of CCPA is the regulations surrounding collecting and processing personal information from anyone under 16 years of age. CCPA requires businesses to get affirmative authorization from anyone 13 years old up to 16 years old before the business can sell their personal information. To comply with the new requirement, many businesses might now have to collect or otherwise verify the age of the online user. This leads into the realm of the Children’s Online Privacy Protection Act (COPPA) – now that the business has actual knowledge of the online user’s age, more businesses could be subject to liability under COPPA.

This could lead to another tricky conversation for libraries – library vendors who fall under CCPA collecting additional patron data for compliance. Collecting and processing patron data is sometimes unavoidable due to operational needs, but it’s still worthwhile to ensure that the data is properly secured, processed, and deleted.

Do Not Track, for real this time

Do your browsers on your library public computers have “Do Not Track” turned on by default, or have other browser plugins that prevent tracking by third parties? If not, here’s another reason to do so – the regulations state that “If a business collects personal information from consumers online, the business shall treat user-enabled privacy controls, such as a browser plugin or privacy setting or other mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal information as a valid request…” So get installing those privacy plugins already!
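The regulations quoted above require a business to treat a browser signal as a valid opt-out request. As an added example that is not part of the original newsletter, the following server-side check reads the Do Not Track (DNT) request header and records the consumer’s choice before any personal information is shared; the header values, consumer ids, and in-memory opt-out ledger are constructed for the example.

```python
# Added illustration, not code from the original newsletter: honour a
# browser's Do Not Track (DNT) header as an opt-out of selling or sharing
# personal information. Header values and the ledger are constructed.
from dataclasses import dataclass
from typing import Dict, Mapping


@dataclass(frozen=True)
class TrackingPreference:
    signalled: bool   # a DNT header was present in the request
    opted_out: bool   # the consumer asked not to be tracked


def read_dnt(headers: Mapping[str, str]) -> TrackingPreference:
    """Interpret DNT: "1" = opt out, "0" = consent, absent = no signal."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    lowered = {name.lower(): value.strip() for name, value in headers.items()}
    value = lowered.get("dnt")
    if value is None:
        return TrackingPreference(signalled=False, opted_out=False)
    if value == "0":
        return TrackingPreference(signalled=True, opted_out=False)
    # "1", or any malformed value: fail closed and treat it as an opt-out.
    return TrackingPreference(signalled=True, opted_out=True)


def may_share_with_third_parties(consumer_id: str,
                                 headers: Mapping[str, str],
                                 ledger: Dict[str, str]) -> bool:
    """Decide whether data from this request may be sold or shared.

    `ledger` keeps each consumer's standing choice so that a later request
    without the header does not silently re-enable sharing.
    """
    pref = read_dnt(headers)
    if pref.opted_out:
        ledger[consumer_id] = "opt-out"          # record the valid opt-out
    elif pref.signalled:
        # DNT: 0 is recorded only if no opt-out is already on file.
        ledger.setdefault(consumer_id, "consent")
    return ledger.get(consumer_id) != "opt-out"


if __name__ == "__main__":
    # Constructed requests from a public-computer browser with DNT enabled.
    ledger: Dict[str, str] = {}
    print(may_share_with_third_parties("patron-42", {"DNT": "1"}, ledger))  # False
    print(may_share_with_third_parties("patron-42", {}, ledger))            # False
    print(may_share_with_third_parties("patron-7", {}, ledger))             # True
    print(ledger)
```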

Do we have to comply with CCPA?

It depends on who the “we” is in this question. As of now, most California libraries are most likely out of the scope of CCPA (though, as Joshua Metayer pointed out, the CCPA gives no guidance as to what is considered a “for profit” business). Library vendors will most likely have to comply if they do business in California. Some businesses are trying to keep CCPA compliance strictly to CA residents by setting up a separate site for California, while other businesses, such as Microsoft, plan to give all US residents the same rights CA residents have under CCPA.

We’ve only covered a section of what’s going on with CCPA – there’s still a lively debate as to what is entailed by the definition of “sale” with regard to personal information, which is a newsletter in itself! We also could have an entire newsletter on CCPA 2.0, which is slated to be on the November 2020 ballot. California continues to be a forerunner in privacy law in the US, and the next year will prove to be an important one not only for everyone under the scope of CCPA but for other states looking to implement their own CCPA-like state law.

Privacy Regulation Update from #PSR19

Welcome to this week’s Tip of the Hat! The temperature in Las Vegas in September is still hot, but LDH survived the heat while attending the Privacy. Security. Risk. 2019 conference hosted by the International Association of Privacy Professionals. Thousands of privacy professionals from a variety of backgrounds came together to share their knowledge and experiences in implementing privacy in their workplaces. Some of the presentation slides and materials are already available on the schedule page, so feel free to browse.

The California Consumer Privacy Act was on everyone’s minds and in conversations at PSR, and for good reason – enforcement begins in about three months. The amendments process is all but wrapped up, and now businesses are scrambling to be in full compliance by January 1st, 2020. Libraries do not fall under the scope of CCPA; however, library vendors who do business in California and meet certain criteria fall under the scope of CCPA.

CCPA wasn’t the only wave California made at PSR. Last week the same group that sparked the creation of CCPA proposed a new ballot initiative, the California Privacy Rights and Enforcement Act, slated for a 2020 ballot. This initiative provides additional protections to consumers on top of what CCPA already provides:

  • Rights surrounding the use and sale of sensitive data such as health, race/ethnicity, and location data
  • Opt-in consent required for data collection from consumers under 16 years of age
  • Greater transparency required from businesses about the use of algorithms or the automatic creation of profiles from data, as well as the use of profiles in decision making

Again, while libraries are most likely not in the scope of CPREA, library vendors will need to keep track of the progression of this new initiative.

But enough about California. What are the other states doing? Take a look at “CCPA and Its Progeny: States Take Control While Congress Weighs a Broad New Law”, where you will get a broad overview of privacy regulations in other states. Many states are poised to either introduce or pass privacy legislation modeled on CCPA or GDPR in the next year. Without a general data privacy law on the federal level, many states are filling in the gaps as they did with data breach response regulations. Currently, you have 50+ different laws (including Puerto Rico) to comply with when responding to a data breach! We might reach the same situation with data privacy regulation if the federal government does not pass a data privacy bill that preempts state law. Don’t expect a federal bill to be passed during a presidential election year, though. The soonest we might have a chance for a federal bill to pass will be two to three years out, which gives states more than enough time to pass their own bills.

In any case, 2020 will be another busy year for privacy regulation, and LDH will keep you updated on the most relevant information for libraries and vendors.

California [Privacy] Dreamin’

A young white boy standing outside of a car saying Californiaaaa.
California is a trendsetter when it comes to state regulation. California’s 2003 data breach notification regulation served as the inspiration for many other states in later data breach regulations. It should be no surprise to learn that California is again setting a trend in data privacy and security regulation.

The California Consumer Privacy Act (CCPA) passed in 2018 after a short six months in the state legislature. The Act models the European Union’s GDPR. Depending on who you talk to, GDPR’s enforcement date of May 2018 was one of the reasons why the Act was rushed through the state legislature. Some of the similarities between GDPR and CCPA include users’ rights to request, access, receive, and delete any personal data that the business has collected.

CCPA differs in several key ways from GDPR, nonetheless. One difference is CCPA’s scope. To fall under CCPA, your business (this most likely includes libraries and library vendors!) must meet at least one of the following criteria:

  • Have $25 million or more in annual revenue,
  • Possess the personal information of more than 50,000 Californian consumers, households, or devices, or
  • Earn more than half of its annual revenue selling Californian consumers’ personal information

Not having a physical business presence in California is not a guaranteed exemption from CCPA compliance. You have to prove that you are not doing business in the state, which can be tricky at best. Most libraries who fall under the scope of CCPA will most likely do so due to the second criterion, processing personal information.

Even though the CCPA passed in 2018, the enforcement date is not until January 1st, 2020. State legislators can change the Act up to the enforcement date, which makes planning for CCPA compliance difficult. There have been major amendment proposals to CCPA in the past few months: some to address problematic lines in the Act, while others add extra protections. The latest amendment is the “Privacy for All” Act, which would further extend the rights of consumers, including more explicit notification and consent for data collection and use, as well as prohibiting discrimination against customers who choose to limit the data collected and shared by the business.

There remain many other loopholes. One loophole that will affect libraries and vendors is who can make a data request. Currently, the definition of “personal information” in the CCPA is very broad – it includes not only data about a person but also data about the household associated with that person. For libraries, this could have ramifications regarding patrons requesting information about a member of their household, including adult children or ex-partners, or for libraries who grant teens over the age of 13 the same confidentiality privileges as adults. Confidentiality and privacy policies and procedures will need to be reviewed in light of this broad definition, along with organization-wide discussions about the unintended consequences for patron privacy.

With other states adopting CCPA-type laws, libraries and vendors who do not fall under CCPA’s scope will have to reckon with CCPA. That is unless the US Federal Government passes a privacy law that overrules individual state laws. As always, stay tuned!

Resources for further reading:

“It’s complicated”: GDPR Compliance and US Libraries

Hello and welcome to the inaugural issue of Tip of The Hat! Today’s topic is the complicated relationship between GDPR compliance and US Libraries.

We mean it when we say it’s complicated.

Many academic and public libraries scrambled in 2018 to determine if they would need to comply with the European Union’s launch of the General Data Protection Regulation (GDPR). Some libraries, particularly academic and special libraries, are following the lead of their parent organization in deciding if they need to comply. In the case of academic libraries, some higher education institutions have satellite campuses in the European Union, making compliance almost a certainty. Public libraries find themselves wondering if they need to comply even though they do not have a physical presence in the EU. Instead, public libraries might have EU citizens with library cards (if they are visiting workers or students, for example) or otherwise have EU citizens using library resources that collect user information.

In her article for The Privacy Advisor, Katya Kulesova, CIPP/US, lays out five questions for US organizations wondering if they fall under the scope of GDPR:

  1. Do you personalize your goods or services for EU customers?
  2. Do you target EU users with advertising campaigns?
  3. Is there an establishment in the EU that is processing personal data on your entity’s behalf?
  4. Do you monitor European users?
  5. Do you have a large customer base in the EU?

Katya explores each question, noting key gray areas that can pop up in each question. For example, does using web analytic software, such as Google Analytics, on the library website count as monitoring EU users? If you are using that data to create user profiles that would then be used to influence user behavior, you might fall under the scope of GDPR.

The best way to determine if your library needs to comply with GDPR is to talk with your legal staff. Nonetheless, GDPR case law is few and far between, and it could take a couple of years to build a solid foundation of case law surrounding GDPR enforcement. In the meantime, these questions can help you and your legal staff start the conversation about GDPR compliance.

Even if your legal staff advises that your library does not fall under the scope of GDPR, you may still want to implement some of the privacy requirements laid out in the regulation. Many state laws, including the California Consumer Privacy Act, share many similarities with GDPR. With talk of a federal privacy law in recent months, it’s only a matter of time until US libraries will need to look into revising data privacy policies and procedures to comply with state and/or federal law. Take advantage of the advance notice GDPR is giving you and start work now on your procedures and policies – you’ll be in good standing when your library is covered under an upcoming state or federal privacy law!

A few more resources surrounding GDPR and US libraries: