What Will the California Consumer Privacy Act Actually Bring in 2020?
By Procopio Senior Counsel Elaine F. Harwell, CIPP/US
California’s passage of a landmark data privacy and protection law, the California Consumer Privacy Act (CCPA), has rightly drawn significant attention. You may be aware that this sweeping new privacy legislation has its fair share of ambiguities, drafting errors, and contradictions, and has already been amended once. The law, which will become effective January 1, 2020, with enforcement delayed until the following July, grants new rights to California residents, including the right to access their information in a portable format and the right to opt out of the sale of their personal information.
We recently reported on an important proposed amendment, SB 561, which would expand the private right of action to any violation of the CCPA and remove the ability to cure within 30 days of notification. The bill, which also authorized the Attorney General to provide general guidance on compliance, had the backing of Attorney General Xavier Becerra. On April 29, 2019, the California Senate appropriations committee placed this bill on the “Suspense File,” which is a way to consider the fiscal impact of the bill to the state. On May 16, 2019, a hearing was held in committee and the bill was taken under submission, which means the bill has been blocked and is effectively dead.
Several other key proposed amendments, however, are still pending at various stages in the California legislature:
- Analysis: This bill proposes to redefine “consumer” to exclude a person’s personal information only to the extent that it is collected and used solely within their employee role, or similar role within the employment context.
- Status: On 5/1/19, the appropriations committee passed this bill. It was ordered to a third reading on 5/9/19 and will move to a vote by the full assembly and then potentially on to the Senate.
- Analysis: This bill proposes to narrow the definition of “personal information” by removing information that is “capable of being associated with” a particular consumer and information that could be linked to a particular “household.” It also redefines “deidentified” data.
- Status: On 5/15/19, the bill passed the assembly appropriations committee. It has been ordered to a third reading as of 5/16/19 and will move to a vote by the full assembly and then potentially on to the Senate.
- Analysis: This bill would authorize customer loyalty programs even if a consumer opts out of their personal information being sold.
- Status: On 5/8/19, the bill passed the assembly appropriations committee. It has been ordered to a third reading as of 5/9/19 and will move to a vote by the full assembly and then potentially on to the Senate.
- Analysis: Currently, the CCPA requires that businesses make available to consumers two or more methods to submit access requests, including, at a minimum, a toll-free number and a web address. This bill would instead require only that businesses make available a toll-free number or an email address, or if the business maintains a website, a method to submit requests via the website.
- Status: On 5/13/19, the bill was read a third time in assembly, passed, and ordered to the Senate.
- Analysis: This bill would clarify that the CCPA does not restrict an entity’s ability to comply with any rules or regulations and permits the use of data to prevent fraud or illegal activity.
- Status: On 5/7/19, the bill was ordered to a third reading.
- Analysis: Currently, the law requires individuals be notified of a breach “in the most expedient time possible.” This bill would require disclosure of a breach be provided in the most expedient time possible, but in no case more than 45 days following a data breach. It would also define “reasonable security procedures and practices” to include a cybersecurity program that reasonably conforms to specified standards published by the National Institute of Standards and Technology (NIST).
- Status: On 5/9/19, the bill was read a third time in assembly, passed, and ordered to the Senate.
- Analysis: This bill would require any business that uses facial recognition technology, as defined, to disclose that usage in a physical sign at the entrance of every location that uses the technology.
- Status: On 4/25/19, the bill was read a third time in assembly, passed, and ordered to the Senate. On 5/8/19, the bill was referred to committee (judicial and appropriations).
Arguably, the proposed amendment with the biggest impact to business would have been SB 561, which as we previously reported would have expanded the private right of action to any (even technical) violations of the CCPA. While it appears there will be no expansion of the private right of action this year, many legal scholars and commentators believe the CCPA may still ultimately see an expanded right of action. We will just have to wait and see.
The majority of the proposed amendments that remain active appear poised to narrow provisions of the CCPA or provide some needed clarity. For example, if AB 873 passes, it will focus the definition of personal information on information that is linked, directly or indirectly, to a particular consumer and may eliminate some of the confusion surrounding how to apply the CCPA to “households.” Ultimately, the CCPA will likely see several changes over the course of the next few months. The legislative session ends in September, and in the meantime we will continue to closely monitor the developments.
Elaine F. Harwell is a Senior Counsel with Procopio and a member of its Privacy and Cybersecurity Practice Group. She is an experienced business litigation attorney and a trained privacy professional. Her practice is focused on representing clients in cybersecurity and data privacy matters, including litigating claims involving privacy issues, helping clients manage emerging risks and conduct privacy risk assessments, and advising on regulatory issues. Elaine has also been involved in numerous trials as well as arbitration proceedings related to contract and general business disputes, complex unfair competition and business practice claims, and professional liability. She has earned the ANSI-accredited Certified Information Privacy Professional/United States (CIPP/US) credential through the International Association of Privacy Professionals (IAPP).