The California Consumer Privacy Act: Everything We Know with Six Months to Go
The California Consumer Privacy Act (CCPA) is fundamentally changing the way in which businesses deal with the personal information of California residents. At the time of this article, the CCPA will go into effect in only about six months, and will require businesses subject to its terms to undergo significant compliance efforts. Yet, even with the looming deadline, there is still ambiguity as to the CCPA’s terms as the California legislature is working on amendments and the Attorney General’s office will be promulgating interpretative regulations.
The below article seeks to bring some calm to this storm. In doing so, it first reviews how the CCPA was enacted and discusses its basic terms. It then analyzes the on-going legislative process for amending the CCPA prior to its effective date, as well as the Attorney General’s process for drafting interpretative regulations.
How Did We Get Here?
The CCPA’s background is perhaps as interesting as its terms. In short, by June 2018, privacy advocates had collected enough signatures to place a ballot measure on the November 2018 state election to pass a stronger version of the CCPA. In response, the California legislature hastily enacted Assembly Bill 375, which was the original version of the CCPA.
California legislatures voted for Assembly Bill 375 even though many expressed serious concerns over its terms. They were willing to do so for two primary reasons. First, they were assured by the privacy advocates that they would not submit the ballot measure to the secretary of state if the bill passed. Second, they determined that it was better to pass a flawed bill – and then try to fix it – then it was to allow the ballot measure to become law. That is because ballot measures are incredibly difficult to change in California, requiring a super-majority vote of the legislature.
In fact, after passing Assembly Bill 375, the legislature quickly passed a clean-up bill – Senate Bill 1121 – to address some of the CCPA’s more glaring errors. Yet, even with the passage of Senate Bill 1121, it was understood that the 2019 legislative session would seek to address many other issues with the CCPA.
Another complicating factor is that the CCPA charges the California Attorney General’s office with promulgating interpretive regulations on a number of issues. The Attorney General’s office also is charged with enforcing the CCPA’s provisions (with the exception of creating statutory damages for private litigants to sue for certain data breaches). As part of Senate Bill 1121, the legislature required the Attorney General’s office to publish final regulations no later than July 1, 2020 (six months after the CCPA’s effective date). The Attorney General’s office cannot enforce the statute until it publishes those regulations.
Brief Overview of the CCPA
The CCPA controls the manner in which “businesses” treat the “personal information” of California residents. The CCPA defines “business” to mean any for-profit legal entity doing business in California that (1) has annual gross revenues in excess of $25 million, (2) alone, or in combination, buys, receives, sells or shares the personal information of 50,000 or more California residents, households or devices, or (3) derives 50% or more of its annual revenues from selling California residents’ personal information.
The CCPA defines “personal information” incredibly broadly to include information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” A few of the categories of personal information subject to the CCPA are names, addresses, email addresses, social security numbers, medical information, geolocation information, biometric information, browsing history, search history, unique identifiers (such as cookies and IP addresses), commercial information, account names, audio, or employment-related information.
The CCPA grants California residents a number of rights relating to their personal information. First, they have the right to know what categories of personal information a business collects about them and if that information is shared with other entities. Second, they have the right to submit “verifiable consumer requests” to a business to have it provide more information as well as produce to them the specific pieces of personal information the business has collected. Third, they have the right to demand that the business delete the personal information it holds about them. Fourth, they have the right to demand that a business not “sell” their personal information to third parties. The CCPA’s definition of “sale” includes the transfer of personal information for “monetary or other valuable consideration.” Fifth, they have the right to not be discriminated against for exercising any of their rights.
The CCPA is enforceable by the California Attorney General’s office, which may seek $2,500 for each violation or $7,500 for each intentional violation. The CCPA does not define “violation” such that it is unclear if it will be applied on a person consumer, per day, or some other basis.
The CCPA also allows for a private right of action for statutory damages of between $100 and $750 per consumer, per incident for data breaches due to a business’s failure to implement and maintain reasonable security procedures. The CCPA links those damages to the more restrictive definition of “personal information” in California’s breach notification statute. The CCPA does not define what constitutes “reasonable” security.
The Amendment Process
As noted, the California legislature delayed the CCPA’s effective date until January 1, 2020, so that it could have another legislative session to try to fix issues with the CCPA. The legislature has until September 13, 2019, to pass any bills.
There were fourteen bills submitted during the legislative session that would impact the CCPA. A discussion of those bills is set forth below. Notably, even with so many bills submitted, there is no doubt that issues will remain CCPA when the CCPA goes into effect.
Expanded Private Right of Action
Perhaps the most notable bill is Senate Bill 561. That bill would have expanded the CCPA’s private right of action to cover not only data breaches, but also all of the CCPA’s privacy-related rights. The bill was sponsored by Senator Hannah-Beth Jackson and supported by the California Attorney General’s office. Simply put, if enacted, it would have resulted in a flood of lawsuits. However, Senate Bill 561 did not make it out of the Senate committee process.
Notably, Senator Jackson chairs the Senate Judiciary Committee where many (if not all) of the CCPA-related bills will be heard. She has publicly stated that since her bill failed, she will do everything in her power to stop any bill that seeks to weaken the CCPA by creating exemptions or carve-outs.
Another notable bill is Assembly Bill 25, which is directed at fixing what some perceive to be an over-reach of the CCPA, namely, that it currently covers the personal information of employees. Given that the CCPA is a consumer privacy statute, many have argued that it should not extend to employees. Assembly Bill 25 would fix that issue by excluding employees from the CCPA’s definition of “consumer.”
Some commentators also have suggested that Assembly Bill 25 could eventually exclude business to business contacts from the CCPA. For example, the CCPA currently applies to the names, email addresses, and addresses of individual’s in their employment capacity when they interact with other businesses.
Assembly Bill 25 passed the Assembly in May and is currently pending in the Senate.
Assembly Bills 874 and 1355 would amend the CCPA to clarify that it does not cover de-identified or aggregate consumer information. Specifically, those bills would fix a typo in the CCPA that has caused some ambiguity on the issue. However, it should be noted that – even without fixing the typo – there is plenty in the CCPA that businesses can rely on for the proposition that de-identified and aggregate consumer information is excluded. Nonetheless, it would be beneficial to have the typo fixed.
Assembly Bill 874 also seeks to modify the CCPA’s language surrounding publicly available information. The CCPA currently excludes publicly available information from its coverage, but states that information is not publicly available if it is “used for a purpose that is not compatible with the purpose for which the data is maintained and made available in the government records or for which it is publicly maintained.” Assembly Bill 874 would remove that condition.
Assembly Bill 873 also deals with the CCPA’s de-identification provision. That bill would replace the CCPA’s definition of de-identified with the Federal Trade Commission’s three-part standard. Businesses have criticized the CCPA’s current definition as unworkable.
All three of those bills passed the Assembly in May and are pending in the Senate.
A group of bills seek to create additional exemptions. Assembly Bill 981 would create a limited exemption for certain information in the insurance context. Assembly Bill 1146 would exempt certain transfers of information in the motor vehicle dealer context. Assembly Bill 1416 would create additional legal exemptions.
All three of those bills passed the Assembly in May and are pending in the Senate.
Amendments to California’s Breach Notification Statute
Two bills – Assembly Bill 1035 and 1130 – are directed at amending the state’s breach notification statute. As noted, the CCPA creates a private right of action with statutory damages for data breaches caused by a failure to implement and maintain reasonable security procedures. Those data breaches, however, must involve the types of personal information covered by the breach notification statute and not the larger set of personal information covered by the CCPA.
In its initial form, Assembly Bill 1035 would have linked the “reasonably security” standard in the CCPA to NIST standards. That would have provided at least some legislative clarity for businesses on this significant issue. Nonetheless, that language did not make it out of the Assembly. The current version of the bill, which did pass the Assembly, would only require that notice of a data breach be provided within 45 days.
Assembly Bill 1130, which also passed the Assembly, would expand the types of personal information subject to the breach notification statute to include biometric information, tax identification number, passport number, military identification number or other unique identification number issued on a government document commonly used to verify an identity. This bill would effectively expand the types of personal information subject to the CCPA’s statutory damages provision.
Customer Loyalty Programs
One concern that businesses have with the CCPA is whether its anti-discrimination provision will prohibit customer loyalty programs. Assembly Bill 846 would exclude such programs from the CCPA’s coverage unless they are unjust, unreasonable, coercive or usurious in nature. This bill passed the Assembly in May and is pending in the Senate.
Methods for Receiving Requests
Assembly Bill 1564 would modify the CCPA to provide that a business can make a toll-free number or email address and physical address available for submitting verifiable consumer requests. This bill passed the Assembly and is pending in the Senate.
Senate Bill 753, which was withdrawn in April, would have amended the CCPA’s definition of “sale” to exclude certain advertising cookies.
Privacy for All Act
Assembly Bill 1760, which was withdrawn in April, would have significantly revised and expanded the CCPA.
The Attorney General Regulatory Process
The CCPA identifies specific areas upon which the Attorney General must publish regulations, including (1) identifying additional categories of personal information to be covered by the CCPA, (2) updating the definition of unique identifiers, (3) establishing exceptions to comply with state or federal law, (4) creating procedures and guidance for verifiable consumer requests, (5) developing a uniform opt-out logo/button, and (6) providing guidance and requirements for notices that must be provided to consumers.
As part of its rule-making process, the Attorney General’s office hosted a series of public hearings in January, February and March of 2019. It also solicited written comments from interested parties, and there are over 1,300 pages of comments available on the Attorney General’s CCPA web page.
The Attorney General’s office has stated that it will publish draft regulations in the Fall 2019. Presumably, the publishing of those draft regulations will be shortly after the legislature finalizes its amendment process.
The next few months will be important for businesses subject to the CCPA as the legislative and regulatory process unfolds and the exact terms of the CCPA are finalized. Nonetheless, businesses subject to the CCPA should understand that the CCPA’s fundamental privacy rights are not going to change. Consequently, businesses should be developing and implementing their compliance programs as soon as possible. At a minimum, businesses should be spending the next few months inventorying and mapping the personal information that they maintain. For many businesses that process will be the most difficult and time-consuming obstacle to CCPA compliance, and there is no reason to delay such efforts.