The State of California’s Data Privacy Law Remains in Flux
When the California Consumer Privacy Act ("CCPA") passed, there were more than a few things that gave businesses pause – inconsistencies and typos among them – and left privacy professionals grappling with how to comply with the CCPA as it continued to evolve throughout the years.
But the CCPA is still a moving target for most businesses in 2020. Since the CCPA passed in 2018, there have been three major events that continue to change the understanding of the CCPA: (1) legislative amendments to the text of the statute; (2) regulations from the California Attorney General’s office, which attempt to clarify and expand the statutory requirements; and (3) a potential new initiative – the California Privacy Rights Act (“CPRA”) – that will significantly modify the CCPA if Californians vote it into law in November 2020.
Initially, the California Legislature passed several amendments to the CCPA in October 2019, which aimed to address concerns by businesses that they should not be subject to the CCPA because they are neither consumer facing nor in the “big data” world. Detailed coverage of the October 2019 amendments can be found here. Most notably, two of these amendments provide businesses temporary and limited one-year exemptions, which are set to expire on January 1, 2021: (1) an exemption for job applicant, employee, owner, director, officer, medical staff, or contractor personal information (“Employee Exemption”); and (2) personal information collected in the business-to-business context (“B2B Exemption”). These exemptions, however, have limitations. The Employee Exemption still requires businesses to provide notice at or before the point of collection regarding the categories of personal information collected and the reason for the collection. The B2B Exemption still requires businesses to provide individuals a right to opt out of the sale of their personal information (assuming the business sells personal information). Further, both of these exemptions still permit litigants to file a private cause of action against a business if there is a data breach. With these exemptions set to expire at the end of this year, businesses taking advantage of them are left in a precarious state regarding whether they should move forward with full CCPA compliance in preparation for 2021 or hedge their bets that the exemptions will be extended.
Next, compliance with the CCPA posed a challenge for businesses because the CCPA proposed regulations kept changing from October 2019 to March 2020. In short, the regulations provide guidance regarding, among other things: (1) how to provide privacy notices to consumers; (2) how to handle consumer access, deletion, and opt-out of sale requests; (3) sale of minors’ personal information; (4) how to verify a consumer’s identity before responding to requests; (5) the requirement to not discriminate against consumers for exercising their rights under the CCPA; (6) record-keeping requirements; and (7) the role of service providers. Detailed coverage of these proposed regulations can be found here, here and here. Each iteration of the proposed regulations modified and expanded the scope of the CCPA to address ambiguities in the text of the statute and criticisms from the public and various industry groups. On June 1, 2020, the California Attorney General released the final text of the CCPA regulations, which adopts the latest March 2020 version. The Attorney General has requested the Office of Administrative Law to approve the final regulations within 30 business days, which leaves businesses with about a month to comply with these regulations before the July 1, 2020 CCPA enforcement date.
Lastly, the state of California’s data privacy laws remains further in flux as we near the November 2020 elections. Alastair Mactaggart – the key advocate who pushed the California Legislature to pass the CCPA – has submitted a ballot initiative that, if voted into law, will overhaul the CCPA and make it look similar to the European Union’s General Data Protection Regulation by, among other things, drawing a distinction between “personal” and “sensitive” information, creating a right to correct inaccurate personal information, requiring businesses to notify consumers regarding how long their personal information will be retained, and establishing a privacy enforcement authority – the California Privacy Protection Agency. Notably, if Californians vote the CPRA into law, the Employee and B2B exemptions will be extended until January 1, 2023.
If passed, the CPRA will become effective January 1, 2023, which gives businesses two years to assess gaps in their data privacy compliance.