Menu

The CCPA for the Land Title Industry: Who Does the CCPA Apply To?

Cybersecurity and Privacy   |   Technology   |   January 15, 2020
Download   
Share Page

In this program, Elizabeth Reilly from Fidelity National Financial joins Carlton Fields’ attorneys Jack Clabby, Joe Swanson, and Steve Blickensderfer as they answer real questions from real members of the American Land Title Association on what the CCPA means for the land title industry.

Part 1: Who Does the CCPA Apply To?
Part 2: Service Providers and Sale of Data Under CCPA
Part 3: CCPA Resources and Compliance Tips
Part 4: Practical Compliance With CCPA and New Privacy Laws

Originally published in American Land Title Association's Data Privacy CCPA Resources.

Transcript:

Jack Clabby: So, my name is Jack Clabby. I am an attorney at Carlton Fields in Tampa, Florida, and I want to thank the folks at the American Land Title Association for the opportunity to respond to some of their member questions and record this podcast. We have an outstanding panel today, and I'm allowed to say that because many of them are my colleagues and friends. First in the room with me here in Tampa, Joe Swanson. We also have dialing-in from Jacksonville, Florida Elizabeth Riley from Fidelity National Financial. And we have joining us in Miami my colleague, Steve Blickensderfer. Let's take a minute - Joe, if you'd start - and just give us a little bit about yourself.

Joe Swanson: Thanks, Jack. It's a pleasure to be here. As Jack mentioned, my name is Joe Swanson. I'm Jack's colleague here in Tampa. I'm a shareholder in the firm and I chair the firm's Privacy and Cyber Security practice group.

Jack Clabby: And Liz, can you tell the audience a little bit about yourself?

Elizabeth Riley: Sure. Thanks, Jack. I'm in-house counsel for the Fidelity family of title insurance companies. Jack mentioned I'm based out of our headquarters here in Jacksonville, Florida. My role as in-house counsel includes serving as senior privacy counsel and as compliance and regulatory counsel for Fidelity. I also am co-chair of ALTA's Data Privacy Task Force, and really appreciate folks at Carlton Fields taking the time to sit down with us and talk through some of our pressing questions on CCPA.

Jack Clabby: Thank you, Liz. And last but not least, Steve can you tell us a little bit about yourself?

Steve Blickensderfer: Thanks, Jack. My name is Steve Blickensderfer. I'm a senior associate in the Miami office of Carlton Fields. I have been doing data privacy now for a number of years starting with the GDPR. A number of us have probably cut their teeth on the GDPR, I being one of them. I'm also a certified information privacy professional with the IAPP with the specialty focus on US privacy laws, California privacy law being one of them.

Jack Clabby: Thanks, Steven. We have on this podcast two CIPPs and two CHIPS. Right? And so, Liz and Steve are both CIPP professionals and Joe and I are both CHIPS, which is Computer Hacking Intellectual Property professionals back when we were in government service as federal prosecutors. So, we like to have that kind of balance on the podcast here. Some of you may recognize Steve and Joe from the CF on Cyber podcast. We're going to hopefully keep this in the same vein where it's going to be interesting, but it's also going to be a little bit of fun.

Liz, can you kind of give us a sense of how we're going to frame this out and how we put together the topics for today?

Elizabeth Riley: Yes. So this is mailbag style. We have real questions from real ALTA members. As you know, our ALTA membership is comprised of title insurance companies, title and settlement agents, abstractors, title searchers, real estate attorneys across the country. So, many are in California. Many are outside of the state. Some are large insurers and agents, and many are smaller to mid-size agents and producers.

And, you know, while our industry, like many others, was not the target of the California Consumer Privacy Act, we are caught up in its crosshairs at this point. And so really it's just a, you know, ALTA members have heard the CCPA soundbites. You know, we know hundreds of thousands of businesses may have to comply. There's exorbitant compliance costs, steep fines and penalties if you don't comply, and there's a sense that our members want to get beyond the soundbites. We want to better understand what the CCPA means for us. You know, do we have compliance obligations? If so, where do we start?

So, we surveyed our members, asked what questions they have regarding the California Consumer Privacy Act, and here we are. These are questions from our members and you know we'll get some great information for our membership through this podcast today.

Jack Clabby: Thanks so much. Joe, can you give us a little bit of an overview on the CCPA before we dive into the topics?

Joe Swanson: Absolutely. Thanks, Jack. The CCPA takes effect January 1st, so less than a month from now it goes into effect. Now, the attorney general for California has responsibility for enforcing the law and by virtue of the status of the pending regulations - which I'll talk about in a moment - he will not, as a practical matter, begin enforcement until July 1st of 2020.

I said pending regulations. That's because in October, I believe, the attorney general's office issued pages of proposed regulations and put them out for public comment and they are currently taking public comment, or I think the period closed just this Friday. So, they're not considering those comments and we can expect final regulations at some point in the future. I mean, given the holidays as a practical matter, it may not be until after the first of the year, but that's where things stand.

Steve, will you take it from here and summarize the topics that we're going to be covering today?

Steve Blickensderfer: Sure. Thanks, Joe. The first and foremost topic that we're going to be covering is who does the CCPA apply to and what does it mean to be a "business" under the CCPA? Because that is the operative term and definition used to drive many of the CCPA discussions. The next thing I think we're going to focus on is, if you're not a business, how else can the CCPA impact you and what would your responsibilities be if you were, let's say, a service provider? If you're a service provider or if you want to be one, what do you have to have in place in order to be a service provider? What would be the benefits of being a service provide over, let's say, a third party, which is the other category and theme that we're going to get into?

So, once you figure out what your business is under the CCPA then we'll figure out what the roles and responsibilities are. What does it mean to sell data under the CCPA? It's a very easy word to, you know, kind of understand in concept, but under the CCPA it has a very strict definition and how to - the exceptions for selling are very, very important because with them come many extra responsibilities if you're selling, and if you're not then you escape some of those responsibilities.

And maybe we'll also wrap up with what other states are doing or kind of looking forward after we've kind of gone through the mailbags.

So, those are a brief overview of some of the things we're going to be going over today.

Jack Clabby: Thanks so much, Steve. We're about to jump into the mailbag here. It sort of looks like the sack that Santa Claus carries around with letters this time of year. There's quite a bit of information in it.

Before we do that, it wouldn't be a legal podcast, though, without some disclaimers. First, this is not legal advice. If you're listening to this, even if you are a client, it's not legal advice. This is for education purposes only. If there are clear answers, we will give you clear answers. If there's speculations, we'll tell you that we're speculating. So, we'll help you get on either side of the line, but nothing replaces a conversation with your counsel about this stuff.

And the second, Liz works at Fidelity but she is not here in her official capacity or representing Fidelity. Her opinions are her own and not those of her employer.

So, without further ado, let's get into it. So, question the first: Does the CCPA apply to my company which does not have offices in California? That is, does it apply only to the largest title agencies? Joe, you want to get us started with that one?

Joe Swanson: Sure. And like all good legal questions, the answer is largely it depends, Jack. And, we're going to run through a couple of the different questions that need to be answered for a business that's trying to evaluate whether the CCPA applies to them.

First off, you should know that the CCPA applies to a business. What is a business? Well, there's a multi-part test under the law and first off you have to satisfy all three of the following: you are a for-profit business, you collect California consumers' personal information or that information is collected on your behalf, and you determine the purposes and means of processing that personal information. So that was the second prong. So you are a for-profit business, you collect California consumers' personal information and you determine the purposes and means of processing it, and you do business in the state of California.

That third piece - you do business in the state of California - I want to give a couple of sort of brief examples or illustrations. If you have an office in California, then yes, you're doing business in California. If you have employees in California, yes you are doing business. If you have customers in California, that's where it depends. In all likelihood it applies, but there's one other analysis that you need to do when evaluating whether the CCPA applies and that is one of the following three provisions has to apply: (1) the business has at least $25 million in annual gross revenues. The law is not clear on this, but in all likelihood that is not limited to revenues in California. The second option would be the company buys, sells, shares, and/or receives the personal information of at least 50,000 California consumers, households, or devices on an annual basis. And the final options is that the business derives at least 50% of its annual revenue from selling California consumers' personal information.

Steve Blickensderfer: So, Joe, you had mentioned in their personal information. I just want to make sure we understand the definition of personal information before we kind of move forward. And you also mentioned California consumer and we use California consumer interchangeable with resident because that's effectively what it means. So when we're talking about personal information, it's a very broad definition that is kind of lockstep in many ways with European GDPR's definition of personal data. And so personal information means under this statute information that identifies, relates to, describes, or is reasonably capable of being associated with or could reasonably be linked directly or indirectly with a particular consumer or household. And the "or household" is new. That's a new thing that California brings to the table when it comes to privacy laws and protection. Historically it's pretty much just been the individual. So, if you think about IP addresses that are static that identify a house, not necessarily an individual, that would be personal information.

What's also important here is that the CCPA, unlike the GDPR, offers categories of personal information that are caked into the statute and you would find those in Section 140(o). And those categories are important because the other provisions of the CCPA talk about what you have to have in your online privacy notice. And those online privacy notice are required to track the categories of personal information that are in the statute. So just to kind of tie it together and summarize, you'll find biometric information, geolocation data, the classics personal information are like contact information, and importantly internet or other electronic network activity. So, that's just, and it was a big thing, but it's important to note what personal information means under the CCPA.

Important caveat before we leave what information is covered. It's important to note that at the very end of the fall early in the winter in 2019 the CCPA was amended to include a provision that excludes employee data for the most part from the CCPA's requirements. That exclusion has a sunset provision at the end of 2020. So, beginning January 1, 2021 employee data would otherwise be subject to the obligations and requirements of the CCPA, but for the most part for 2020 businesses, employee data is largely excluded from the - underneath the CCPA.

Jack Clabby: Thanks so much, Steve. The, you know, one other point we're going to talk about a little bit later in the cast too is the breadth of the word "sale." And it doesn't mean, you know, just going into a store and trading money for personal information. There's a lot more to it that we'll talk about in a moment.

The second question kind of relates to the first and it touches on this idea of doing business in the state of California. Is there a threshold when it comes to the number of customers in California? Does it matter that we didn't do anything to solicit those customers? Alright, so the hypothetical here is a large title agency with offices in let's say New York, Florida, and Connecticut. No office, no employees, no physical presence in California, but let's say they do 20, 30, 50 California residents a year perhaps because their realtor they're working with in New York, Florida, or Connecticut, you know, likes that title company - right? - likes that title agency and just wants to work with them. So you've got a large east coast title agency that a couple of times a year just deals with transactions that take place on the east coast but touch a California resident's data. Do we have an application of the CCPA? Is this company a business if they otherwise meet the standards?

So, on this hypothetical, I'll take a crack at this. Right? Here's one way to think about it. The statute and the proposed regs do not provide a cut-off. They don't tell us what doing business means in terms of customers if you're not otherwise registered to do business or active in the state of California. So, if you are serving 20, 30, 40 California residents a year and you otherwise are a relatively large title agency. The California AG or consumer would have a pretty good argument that you're doing business in California. Right? The risk profile for that kind of an organization, though, isn't that high. Right? There's going to be quite a bit of enforcement activity by the AG and others before they can get around to doing anything against you. So, I think your profile is not that significant.

There's actually an exemption in the CCPA which is worth looking at for companies that fit this description. It's 1798.145 under (a) and under (6). OK, so 145(a)(6). And it essentially says the obligations that are imposed on businesses by this title shall not restrict a business's ability to collect or sell a consumer's personal information if every aspect of that commercial conduct takes place wholly outside of California. Well, what does that mean if our large title agency that's on the east coast is cranking through $25 million in revue but does 20, 30, 40 a year? Well, they're not going to qualify for that exemption because - an there's more in the statute - the business collected the information while the consumer was outside of California. So if these 20, 30, 40 transactions are taking place, you know, it's a timeshare purchase - right? - or it's a condo purchase or it's a real property purchase and it's in Florida. If at the point of collection and every touch occurs outside California, you've got a shot at this. But, again, what we are talking about is I think for a company with this profile, a likelihood that the CCPA does apply to them but a low likelihood that they're going to get really entangled with things.

Alright, so let's talk about question number three. Again, it's kind of a similar question about the definition here. And, Joe, we're going to, this is a little bit of a wind-up here, but we're going to look to you for the answer on this one. There's a, in 1798.140, alright, there's a, it's (c)(1)(b). OK, but we're talking about the definition which is, you know, you have to have the big three plus one of the other little three, which is $25 million in gross revenues or buy, sell, share 50,000 or 50% of revenue. But the phrase in, about the 50,000 residents says "receives for commercial purposes" or "shares for commercial purposes." You know, does it matter if it's commercial purposes in terms of what actually gets done with this data? Let's say you are, again, you're this multi-state east coast title agency. You're all over the east coast. You're making, you know, you're not necessarily making $25 million in gross revenues, but you're active and you've got a website. Your website doesn't aim to get business in California, but you don't know. It's possible that 50,000 or more California households or devices connect with you. Is that going to be subject to the CCPA?

Joe Swanson: You know, at this point at least until there's some clarification from the attorney general's office in the regulations or otherwise, it's not clear. And it's a close call and frankly a strict reading of it would probably say that it does apply on that fact matter, Jack. And that's why, the reason for that, or one way to look at it here is if you focus on the definition of commercial purposes which is defined in 1798.140, it's not that helpful. It's a lengthy definition. I'll try to paraphrase it, but it means to advance a person's commercial or economic interests by inducing another person to buy, rent, lease, join, do another of other things in connection with a commercial transaction. And so, you know, the hypothetical that you posed I think is looking at what happens where there's this passive collection of IP information from people in a state that the company does not do business in, in this case California. And, you know, this is a very real problem for a lot of companies that have a significant presence online and may very well have some number of California residents visiting their website, enough to surpass this 50,000 in a year, which I think on average is like 140 a day or something fairly modest. In the GDPR there's a concept of whether or not you're sort of targeting the residents. There's not that same kind of concept in the CCPA. It at least on its face is much more absolute in its application. And so the company in the hypothetical that you posed albeit passive collection of possibly 50,000 or more in this case IP addresses with no plan to actually use that information, while they are probably not intended to be encompassed by the CCPA as a practical matter they probably are. Or at least until there's some clarification, they should presume that they are.

Jack Clabby: At a company like that, too, Joe, you know, again, if they're not doing business in California and the only data they're collecting are these sort of passive IP addresses their risk profile is pretty low, too.

Joe Swanson: I agree. I agree.

Jack Clabby: But the inquiry that that company should be going through really is this am I doing business and what does it mean?


©2020 Carlton Fields, P.A. Carlton Fields practices law in California through Carlton Fields, LLP. Carlton Fields publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information and educational purposes only, and should not be relied on as if it were advice about a particular fact situation. The distribution of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship with Carlton Fields. This publication may not be quoted or referred to in any other publication or proceeding without the prior written consent of the firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our Contact Us form via the link below. The views set forth herein are the personal views of the author and do not necessarily reflect those of the firm. This site may contain hypertext links to information created and maintained by other entities. Carlton Fields does not control or guarantee the accuracy or completeness of this outside information, nor is the inclusion of a link to be intended as an endorsement of those outside sites.

Subscribe to Publications

Disclaimer

The information on this website is presented as a service for our clients and Internet users and is not intended to be legal advice, nor should you consider it as such. Although we welcome your inquiries, please keep in mind that merely contacting us will not establish an attorney-client relationship between us. Consequently, you should not convey any confidential information to us until a formal attorney-client relationship has been established. Please remember that electronic correspondence on the internet is not secure and that you should not include sensitive or confidential information in messages. With that in mind, we look forward to hearing from you.