On June 28, 2018, the California governor signed into law AB 375, a sweeping new data privacy bill that will go into effect on January 1, 2020. Known as the California Consumer Privacy Act of 2018 (CCPA), the law was enacted by the California legislature in response to a ballot initiative that would have created a different consumer privacy law that many in the industry viewed as more burdensome. Not long after AB 375 became law, the legislature amended the CCPA by passing SB 1121, which the governor signed into law on September 23, 2018. And the legislature recently amended the CCPA once again. Before adjourning on September 13, 2019, the legislature approved five bills that the California governor must sign or veto by October 13, 2019. The California Attorney General (CA AG) is now expected to take up the rulemaking process in the coming months.
The CCPA applies to companies doing business in California that collect personal information from California residents and satisfy certain thresholds for company revenue or amount of data. The law defines personal information broadly to mean information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a specific consumer or household. The CCPA also creates new rights for consumers with respect to their personal information, including the right to know about, access, delete, and opt-out of the sharing or selling of the personal information businesses collect about them. The CA AG will enforce the CCPA and may seek injunctive relief and impose civil penalties for violations. The CCPA also contains a private right of action that permits consumers to obtain statutory damages and injunctive relief if their personal information becomes subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business's failure to implement and maintain reasonable security procedures and practices.
Companies subject to the CCPA will likely need to make significant changes to their business practices in order to comply with the law. With the CCPA's January 1 effective date only about 100 days away, companies should ensure they are taking steps to implement any necessary changes by this date. Please see our CCPA Compliance Checklist for more detailed compliance information. The Venable team is here to help guide you through this process and ensure your company is prepared for the January 1 compliance date.
To keep you informed of the latest CCPA developments and preview what to expect in the months ahead, we have provided below more information about (1) the legislature's recent amendments to the CCPA and (2) the CA AG's impending rulemaking process interpreting the law.
California Legislative Update
Before adjourning on September 13, 2019, the California legislature approved five bills to amend the CCPA: AB 25, AB 874, AB 1146, AB 1355, and AB 1564. The legislature declined to pass AB 846, which would have restricted the sale of loyalty program data. California Governor Gavin Newsom must sign or veto each of the bills by October 13, 2019.
A summary of the amendments is provided below.[1] For ease of reference, we have organized the amendments by the type of change they made to the CCPA. These changes include (A) clarifications and technical fixes; (B) changes to definitions; (C) exemptions and exceptions; and (D) new regulatory authority and concepts.
CCPA Amendments
A. Clarifications and Technical Fixes |
|
Summary | Bill |
Privacy policies and specific pieces of personal information.
|
AB 1355 |
Reasonable authentication.
|
AB 25 AB 1355 AB 1564 |
Verifiable consumer requests through an established account.
|
AB 25 AB 1355 AB 1564 |
Required methods of submitting CCPA requests.
|
AB 25 AB 1355 AB 1564 |
Sale disclosure.
|
AB 1355 |
Age limits for opt-in consent to sales for minors aged 13–15.
|
AB 1355 |
Nondiscrimination right and the value provided to a business by a consumer's data.
|
AB 1355 |
Private right of action.
|
AB 1355 |
Deidentified and aggregate information.
|
AB 874 AB 1355 |
Personal information collection and retention.
|
AB 25 AB 1146 AB 1355 |
B. Changes to Definitions |
|
Summary | Bill |
Addition of reasonableness modifier to definition of personal information.
|
AB 874 AB 1355 |
Publicly available information.
|
AB 874 AB 1355 |
C. Exemptions and Exceptions |
|
Summary | Bill |
Employee data exemption.
|
AB 25 AB 1146 AB 1355 |
Business-to-business data exemption.
|
AB 25 AB 1146 AB 1355 |
Fair Credit Reporting Act (FCRA) exception.
|
AB 25 AB 1146 AB 1355 |
D. New Regulatory Authority and Concepts |
|
Summary | Bill |
Household data.
|
AB 1355 |
Written warranty deletion exception.
|
AB 1146 |
Vehicle information.
|
AB 25 AB 1146 AB 1355 |
The California legislature declined to pass AB 846, a bill that would have limited the sale of personal information collected through loyalty programs to instances when the consumer expressly consented to the sale of such data to a specific third party. AB 846 also would have required businesses to give consumers the option to participate in the loyalty program, on equal terms with other participants, without consenting to the sale of the consumer's personal information to any third parties. Finally, the bill would have required any third-party recipients of loyalty program data to use the information only for the purposes of identifying the consumer as an eligible member of the business's loyalty, rewards, premium features, discounts, or club card program; third parties would not have been permitted to retain, use, or disclose the personal information for any other purpose.
CCPA Rulemaking Process
With the California legislature having adjourned, the focus now turns to the rulemaking process. The CCPA requires the CA AG to promulgate regulations furthering the purposes of the CCPA, including regulations on specific topics identified in the law.2 Among the topics slated to be addressed are the following:
- updated categories of personal information subject to the CCPA
- the definition of unique identifiers
- exceptions to the CCPA that are necessary to comply with state or federal law
- submitting and complying with consumer requests
- the development and use of a uniform opt-out logo/button
- notices and information to be provided to the consumer, including financial incentive offerings
- verification of a consumer's request, and
- household data
The rulemaking process will commence when the CA AG promulgates the proposed regulations.3 As the following chart illustrates, the public comment phase will then begin and may last anywhere from 60 days to 90 days or longer depending on the nature and extent of any changes the CA AG makes in response to comments:
CCPA Rulemaking Timeline |
|
CA AG promulgates proposed regulations implementing the CCPA |
|
45-day period to comment on the content of the regulations |
|
CA AG makes changes to proposed regulations constituting "substantial and sufficiently related changes," i.e., changes that are reasonably foreseeable based on the notice of proposed action | CA AG makes changes to proposed regulations constituting "substantial, but not sufficiently related changes," i.e., "major" changes that are not reasonably foreseeable based on the notice of proposed action |
15-day period for additional comments | CA AG must issue new notice in the California Regulatory Notice Register and provide for new comment period of at least 45 days |
60 days | 90 days or longer |
The CCPA's regulatory enforcement date ultimately depends on this regulatory process, as the CCPA becomes enforceable on the earlier of July 1, 2020, or six months after the CA AG publishes its final rules implementing the law.4
Our CCPA Compliance Checklist offers detailed information to help your company be prepared and in compliance.
Regardless of the date regulatory enforcement begins, however, the CCPA becomes operative on January 1, 2020. For this reason, as indicated above, companies should be ready for CCPA compliance by this date. Moreover, the regulatory enforcement trigger does not apply to the CCPA's private right of action for certain data security breaches. That private right of action will become effective on January 1, 2020.
Please contact our team for any assistance as you seek compliance with the CCPA.
Footnote
1 This summary is based on the most up-to-date versions of the CCPA amendments that have been made publicly available, all of which are dated September 6, 2019.
2 Cal. Civ. Code § 1798.185.
3 For more information on the rulemaking process anticipated under the CCPA, please see https://oal.ca.gov/rulemaking_process/.
4 Cal. Civ. Code § 1798.185(c).
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.