California Moves Forward With CCPA Implementation
In some respects, the month of March ended up a bust from a privacy legislation perspective. The highly anticipated Washington Privacy Act failed to pass (again). Federal lawmakers made no significant progress towards a national privacy law (again). And COVID-19 brought most non-emergency legislative activity to a halt.
California was the exception. Last month California Attorney General (CA AG) Xavier Becerra issued a third draft of the regulations that will flesh out details of the CCPA. Becerra also stated publicly that he will not delay enforcement of the CCPA, scheduled to start on July 1, 2020, because of COVID-19, despite urging from industry groups. Meanwhile, the initiative to expand the CCPA is closer to qualifying for the ballot in November—though the effect that the state’s shelter-in-place order will have on efforts to gather required signatures for the referendum remains to be seen.
CCPA Implementation Takes Shape
The CCPA has now been in force for three full months, and some compliance trends have emerged.
First is the popularity of cookie consent tools. Although the CCPA, unlike the GDPR, does not require upfront consent for the collection of data via cookies, many companies are choosing to collect such consent, likely because such tools are readily available and inexpensive, and efficiently allow for implementation of opt-out rights where the use of cookies would be considered a sale.
Second is continued widespread confusion about what constitutes a sale, including whether cookie collection is a sale if the external party placing the cookie has updated its Terms of Service to include provisions that would make it a service provider under the CCPA. Some organizations are treating such collections as sales across the board; others are not, and some have gone so far as to state in their privacy policy that they are uncertain of the meaning of “sale” under the CCPA.
On the topic of service providers, the time-consuming effort to update service provider contracts is for many businesses still ongoing. The effort is also beset by confusion about what uses of data by a service provider are permissible under the definition of business purpose, in particular, where to draw the line between “undertaking internal research for technological development and demonstration” and using data for a “commercial purpose.”
The draft CA AG regulations do not shed significant light on either of these issues; enforcement actions may be necessary to settle the debate.
CCPA Regulations Move Forward
The CA AG published yet another version of the proposed rules on March 11, 2020. The CA AG has not announced how many rounds of edits will be undertaken; however, patterns have emerged across drafts indicating which regulations may be here to stay and which issues are still being discussed. For example, the draft regulations have gone through several iterations on the issue of how companies that do not collect personal information directly from a consumer should comply with the CCPA’s provisions that in general require notice “at or before the point of collection.”
The latest version would exempt such companies from this notice requirement if they do not sell the personal information they collect or if they are registered as data brokers. The new draft also removes the regulation (which first appeared in the second version) that would have exempted pseudonymous data from the CCPA’s reach, including IP addresses where the organization lacks the ability to link them to a person, indicating a continued struggle as to how to deal with this type of data. It also deletes the requirement, when an individual opts out of sale, to do a lookback and inform third parties that have received the individual’s data in the past 90 days that further sale is now restricted.
Regulations that have persisted through the drafts include:
- Requirements to offer four different privacy notices, including a notice of collection whose scope overlaps with the privacy policy;
- A requirement to honor global opt-outs such as a browser’s Do Not Track setting, though the specifics have varied slightly across versions;
- A reporting requirement for businesses that collect personal information of more than 10 million individuals in a calendar year to compile and publicly display statistics regarding the number of consumer requests they have received and responded to under the law (though the threshold increased significantly in the third version).
Little Movement to Address Sunsetting Provisions
Two key issues—employee privacy and privacy of information collected about an individual acting in a business context—were deferred in the 2019 legislative discussions through the use of sunset provisions that exempted information from certain aspects of the law until January 1, 2021. The implication of the sunsetting exemptions was that the issues would be addressed in a more permanent way in the 2020 legislative sessions.
However, with the deadline for introduction of new bills in the California legislative session having passed, no provisions have been introduced on these topics. A placeholder bill, AB2751, was introduced in February 2020, which would allow legislators to offer a substantive bill later on.
CCPA 2.0 Ballot Initiative Progress
Lost amid the buzz about CA AG regulations and now COVID-19 is the question of whether the CCPA will get an overhaul this fall. Alastair Mactaggart and his organization Californians for Consumer Privacy are working to get an initiative called the California Privacy Rights Act (CPRA) onto California’s ballot this November. If approved by a majority of voters, the CPRA would create a new state agency to enforce the law, expand the right to opt out of sharing personal information, directly regulate “cross-context behavioral advertising,” and create a new right to correct inaccurate information, among many other provisions. And as a constitutional matter, lawmakers would not be able to later pare the law back unless the changes were also ratified by voters.
To qualify for the ballot, the initiative needs to obtain 623,000 signatures by April 21, the effective deadline to allow time for counties to finish counting signatures by June 25, the last day the California Secretary of State can certify an initiative for inclusion on the ballot. This effort may be complicated by COVID-19, which is challenging organizers working on ballot initiatives in the state generally. It is also unclear whether the state will—or can—do much to alleviate this difficulty.
While Oklahoma has tolled the deadline to collect signatures for its initiatives, California’s deadline is mandated by the state constitution. Utah’s governor recently issued an executive order allowing political campaigns to collect signatures online; three California initiative campaigns have asked the state to take similar action, but have not received any response.
The CPRA may be in a better position than many initiatives, however. Californians for Consumer Privacy filed a statutorily mandated statement with the California Secretary of State certifying that they had obtained at least 25 percent of the required signatures on January 30, 2020, which is roughly on par with how long it took to reach 25 percent for their proposed 2018 ballot initiative that led the state legislature to pass the CCPA. The organization has also stated that it is “in pretty good shape with the numbers [of signatures] that we have” despite the pandemic, but has not provided specific totals.