Technology & Privacy
Here’s a Crash Course on State Comprehensive Privacy Legislation
February 14, 2024 | Max Rieper
Since the start of the new year, you may have noticed that many websites have updated their privacy policies. This is largely in response to the California Consumer Privacy Act of 2018 (CCPA), which went into effect on January 1, 2020. Since Congress has so far failed to pass a national privacy law, the California statute has become the new de facto standard.
As we’ve highlighted, the CCPA follows upon the European Union General Data Protection Regulation (GDPR) that was implemented in 2018, by giving consumers greater rights over the data that companies are collecting from them. While the GDPR defaults to an opt-in standard, where consumers need to declare their intention before personal information is collected from them, the CCPA defaults to an opt-out standard, allowing entities to collect personal information from consumers unless the consumer says otherwise.
The CCPA gives consumers five rights:
The law applies to businesses that have (a) at least $25 million in gross revenues; (b) deal with the personal information of at least 50,000 consumers, households, or devices; or (c) derives at least 50 percent of its annual revenues from selling consumers’ personal information.
Lawmakers passed the CCPA quickly in 2018 to prevent a similar, but more far reaching privacy ballot initiative from going before voters. Lawmakers spent the 2019 legislative session debating a number of amendments to the law before its effective date of January 1, 2020. These nineteen bills mostly addressed concerns raised by business interests, with seven of them passing into law. We’ve provided an analysis of those seven bills below:
California Attorney General Xavier Becerra (D) has released a draft of regulations offering guidance on how to notify consumers, handle requests about data, and avoid discriminating against consumers who exercise their rights. His office will not begin enforcement until July 1, 2020, while regulations are finalized, but it can still prosecute cases for violations that happened before between January and July of this year.
Despite the landmark privacy legislation becoming law this year, expect even more action on privacy in California this session. First of all, the legislature will have to decide on what to do with temporary exemptions for information collected on employees carved out by AB 25 and the business-to-business exemption provided by AB 1355 (see analysis above).
A push to clarify whether loyalty programs constitute discrimination under the CCPA is also likely. Although AB 1355 provides that a business may “offer a different price, rate, level, or quality of goods or service to the consumer if that price or difference is directly related to the value provided to the business by the consumer’s data”, it is not entirely clear if this means retailers can offer discounts to customers that allow their loyalty data to be sold. That would have been clarified with AB 846, but that bill was shelved just before last year’s session ended. One lawmaker has already announced plans to re-introduce the bill in 2020. And lawmakers have already filed a bill to exempt medical research data from the law.
Lawmakers could take action to head off yet another ballot measure proposed by privacy activist Alastair Mactaggart, who is pushing to place a measure on this November’s ballot called the California Privacy Rights and Enforcement Act that would:
California Governor Gavin Newsom (D) has even proposed a “data dividend” that would allow consumers to profit off the sale of their data, although specifics are sparse at this point.
The broad, and in some cases vague, language of the CCPA will require more precise clarification from lawmakers and the attorney general to guide businesses towards compliance. Many retailers and consumer groups will be watching closely to see just how the CCPA works in practice. With such far-reaching effects, the law is certain to have unintended consequences legislators would like to avoid. The CCPA is now the law of California, with practical consequences beyond its borders, but legislative action on privacy in California and other states is not subsiding any time soon.
February 14, 2024 | Max Rieper
January 8, 2024 | Bill Kramer
December 12, 2023 | Bill Kramer