California’s Landmark Consumer Privacy Law is Live. What’s Next?

Since the start of the new year, you may have noticed that many websites have updated their privacy policies. This is largely in response to the California Consumer Privacy Act of 2018 (CCPA), which went into effect on January 1, 2020. Since Congress has so far failed to pass a national privacy law, the California statute has become the new de facto standard. 

California Consumer Privacy Act

As we’ve highlighted, the CCPA follows upon the European Union General Data Protection Regulation (GDPR) that was implemented in 2018, by giving consumers greater rights over the data that companies are collecting from them. While the GDPR defaults to an opt-in standard, where consumers need to declare their intention before personal information is collected from them, the CCPA defaults to an opt-out standard, allowing entities to collect personal information from consumers unless the consumer says otherwise. 

The CCPA gives consumers five rights:

• The right to know categories and specific pieces of personal information the business has collected about them;
• The right to access specific pieces of information collected on the consumer;
• The right to request that a business delete any personal information collected from the consumer; 
• The right to opt-out of the sale of transfer of personal information about the consumer to third parties; and
• The right not to be discriminated against by the business for exercising any of their other rights.

The law applies to businesses that have (a) at least $25 million in gross revenues; (b) deal with the personal information of at least 50,000 consumers, households, or devices; or (c) derives at least 50 percent of its annual revenues from selling consumers’ personal information.

2019 Amendments to CCPA

Lawmakers passed the CCPA quickly in 2018 to prevent a similar, but more far reaching privacy ballot initiative from going before voters. Lawmakers spent the 2019 legislative session debating a number of amendments to the law before its effective date of January 1, 2020. These nineteen bills mostly addressed concerns raised by business interests, with seven of them passing into law. We’ve provided an analysis of those seven bills below:

• CA AB 25 exempts, until 2021, information collected by a business from an employee or job applicant. It requires reasonable authentication of the consumer for a verifiable consumer request and authorizes a business to require a verifiable consumer request through an account that the consumer maintains with the business if the consumer maintains an account.
• CA AB 874 redefines “personal information” to mean information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. The bill defines “publicly available” to mean information that is lawfully made available from federal, state, or local records. It also provides that “personal information” does not include de-identified or aggregate consumer information.
• CA AB 1130 adds to the definition of "personal information" specified unique biometric data and tax identification numbers, passport numbers, military identification numbers, and unique identification numbers issued on a government document in addition to those for driver’s licenses and California identification cards.
• CA AB 1146 exempts from the right to opt-out vehicle information or ownership information retained or shared between a new motor vehicle dealer and the vehicle’s manufacturer if shared for the purpose of effectuating or in anticipation of effectuating a vehicle repair covered by a vehicle warranty or a recall.
• CA AB 1202 requires data brokers to register with, and provide certain information to, the California Attorney General.
• CA AB 1355 provides that under the CCPA’s non-discrimination provision, a business may treat customers differently if the differential treatment is reasonably related to the value provided to the business by the consumer’s data. The bill requires a business to disclose to consumers that a consumer has the right to request the specific pieces of information and the categories of information the business has collected about that consumer as well as the fact that a consumer has the right to request that the business delete that information. The bill also exempts personal information collected and used in business-to-business communications and transactions for one year.
• CA AB 1564 provides that a business that operates exclusively online and has a direct relationship with a consumer from whom it collects personal information is only required to provide an email address for submitting requests for information required to be disclosed.

California Attorney General Xavier Becerra (D) has released a draft of regulations offering guidance on how to notify consumers, handle requests about data, and avoid discriminating against consumers who exercise their rights. His office will not begin enforcement until July 1, 2020, while regulations are finalized, but it can still prosecute cases for violations that happened before between January and July of this year. 

More Legislation to Come

 Despite the landmark privacy legislation becoming law this year, expect even more action on privacy in California this session. First of all, the legislature will have to decide on what to do with temporary exemptions for information collected on employees carved out by AB 25 and the business-to-business exemption provided by AB 1355 (see analysis above).  

A push to clarify whether loyalty programs constitute discrimination under the CCPA is also likely. Although AB 1355 provides that a business may “offer a different price, rate, level, or quality of goods or service to the consumer if that price or difference is directly related to the value provided to the business by the consumer’s data”, it is not entirely clear if this means retailers can offer discounts to customers that allow their loyalty data to be sold. That would have been clarified with AB 846, but that bill was shelved just before last year’s session ended. One lawmaker has already announced plans to re-introduce the bill in 2020. And lawmakers have already filed a bill to exempt medical research data from the law.

Another Shot at the Ballot

Lawmakers could take action to head off yet another ballot measure proposed by privacy activist Alastair Mactaggart, who is pushing to place a measure on this November’s ballot called the California Privacy Rights and Enforcement Act that would:

• Create new rights around the use and sale of sensitive personal information; 
• Limit location tracking for the purpose of targeted advertising; 
• Enhance children’s privacy by tripling fines;
• Require transparency for algorithms;
• Establish a California Privacy Protection Agency; 
• Allow a private right of action if “email address plus password” are stolen due to negligence from the business; and 
• Require future amendments affecting state privacy rights to “be in furtherance of the law.”

California Governor Gavin Newsom (D) has even proposed a “data dividend” that would allow consumers to profit off the sale of their data, although specifics are sparse at this point.

Beyond CCPA

The broad, and in some cases vague, language of the CCPA will require more precise clarification from lawmakers and the attorney general to guide businesses towards compliance. Many retailers and consumer groups will be watching closely to see just how the CCPA works in practice. With such far-reaching effects, the law is certain to have unintended consequences legislators would like to avoid. The CCPA is now the law of California, with practical consequences beyond its borders, but legislative action on privacy in California and other states is not subsiding any time soon.