Death, Taxes, and Changes to the CCPA
On the last day of its session, the California legislature passed six bills amending the CCPA, which Governor Newsom is expected to sign into law. While we are getting a better sense of what the CCPA will mean for companies in 2020, the CCPA’s architect, privacy advocate Alastair Mactaggart, is not done with the law quite yet. Mactaggart recently submitted a new ballot initiative for November 2020 that if approved by voters, would significantly strengthen and expand the CCPA.
Businesses subject to the CCPA will need to be ready to comply with the legislature’s recent amendments by January 1, 2020—and, if it passes, implement the new ballot initiative’s requirements by January 1, 2021, as well.
CCPA Amendments in the Legislature
The recently passed amendments do not change the fundamentals of the CCPA, but they will require businesses to adjust their compliance efforts. In some respects, the amendments ease compliance burdens. For instance, they would exempt from some of the law's requirements employee data and information collected while conducting due diligence or in certain B2B contexts for a period of one year.
The bills would also make some industry-specific changes of particular interest to car manufacturers and dealers, credit reporting agencies, and companies that operate exclusively online. In addition, one bill would impose new registration obligations on data brokers, which the bill defines broadly as companies that collect and sell the personal information of California residents with whom they do not have a direct relationship.
For more details on these bills, see Davis Wright Tremaine’s recent client alert which delves into details of the amendments and their impact on compliance.
CCPA 2.0
Alastair Mactaggart, the founder and board chair of Californians for Consumer Privacy (which backed the ballot initiative that led to the enactment of the CCPA), announced a new initiative that he hopes to get on the November 2020 ballot in California. Mactaggart filed the 51-page initiative with the California Attorney General on September 25, 2019.
Officially titled the California Privacy Rights and Enforcement Act (CPREA), some commentators have dubbed the ballot initiative “CCPA 2.0” because it would make extensive changes to the original version of the CCPA enacted last year. Californians for Consumer Privacy has published an annotated version of the CPREA on its website, explaining many of the proposed changes.
Some of the most significant changes would include:
- Creating a California Privacy Protection Agency tasked with:
- Enforcing the CCPA through administrative actions (though deferring to civil actions instituted by the California Attorney General);
- Taking over the California Attorney General’s duties to issue regulations pursuant to the CCPA;
- Appointing a Chief Privacy Auditor to audit businesses’ compliance with the law;
- Promoting public awareness of consumers’ data privacy rights;
- Providing guidance to businesses regarding compliance with the CCPA; and
- Advising the California legislature with respect to privacy-related legislation.
- Adding a new category of “sensitive personal information,” which would include data such as a consumer’s Social Security number, government ID number, financial information, precise geolocation data, and race; this subset of personal information would be subject to additional use limitations:
- An extended opt-out right, meaning that consumers can direct businesses not to use or disclose their sensitive personal information for advertising or marketing purposes (the CCPA currently only allows consumers to prevent the sale of their personal information to third parties); and
- An affirmative opt-in right for the sale of sensitive personal information.
- Prohibiting businesses from collecting the personal information of children under 16 unless the child (if 13 or older) or parent has affirmatively consented to the collection (the CCPA currently restricts the sale, not the collection, of personal information from minors); penalties for any violations of the CCPA involving minors’ personal information would also be tripled, to $7,500;
- Granting consumers a right to correct inaccurate personal information;
- Imposing a duty to notify both consumers and the California Privacy Protection Agency of political purposes for which consumers’ personal information is used, e.g., the candidate involved and whether the personal information was used to support or oppose the candidate;
- Imposing a duty to notify consumers about profiling when done to determine eligibility for financial services, housing, insurance, education admission, employment, or health care services, along with “meaningful information about the logic involved”;
- Extending the right of access to require businesses to disclose a consumer’s personal information collected more than 12-months before the request “unless doing so would involve a disproportionate amount of information or would be unduly burdensome,” with those criteria to be further defined in regulations;
- Making the limited employee-data and B2B exemptions permanent, instead of sunsetting after one year;
- Defining “household” as “a group, however identified, of consumers who cohabitate with one another at the same residential address and share access to common device(s) or service(s) provided by a business”;
- Broadening the definition of “publicly available” beyond data “lawfully available” from government records to include information a business reasonably believes to be lawfully available to the general public;
- Creating a category of “large data processors” (businesses that collect over 5 million consumers’ personal information annually) that every year are required to conduct cybersecurity audits and publish risk assessments pursuant to regulations to be issued by the California Privacy Protection Agency; and
- Extending the statute of limitations for the California Privacy Protection Agency to enforce the CCPA, giving it five years after a violation to bring an administrative action.
Mactaggart’s success in getting the CCPA enacted in 2018 means that businesses should remain alert to his efforts to get the CPREA on the November 2020 ballot or, as he did last year, his possible negotiations with the California legislature to again develop a legislative alternative. If the CPREA makes it onto the November 2020 ballot and is approved by voters, it would take effect less than two months later in January 2021, giving businesses little time to prepare.
What’s Next?
The only constant for the CCPA appears to be change. We expect Governor Newsom to change the CCPA this month with his signature on the amendments, causing businesses to adjust their compliance plans for January 1, 2020. With CPREA on the horizon, businesses could be looking at even greater changes in the not-distant future.
The laws governing ballot initiatives allow Mactaggart to amend the CPREA during the public comment period (which lasts through October 25, 2019), so the initiative’s wording could even change between now and when it reaches the ballot. As permitted under the state constitution, the CPREA gives the California legislature the power to amend the law after approval by the voters (albeit only with changes that are “consistent with and further the purpose and intent” laid out in the initiative).
The bottom line is: watch this space.