California Passes the Toughest Privacy Law in the United States

The California Consumer Privacy Act (CCPA) was enacted on January 1, 2020, and is the toughest privacy law in the United States. It broadly expands the rights of consumers and requires businesses within its broad scope to be significantly more transparent about how they collect, use, and disclose personal information.

While it is a California law, a business outside of California must also comply if it conducts business with California’s residents (natural persons).

As expected, the California Consumer Privacy Act updates address some technical issues.

After two months of lobbying, SB 1121 includes 45 amendments, which are intended to be technical edits that correct drafting errors while maintaining the substance of CCPA. Additional regulations are expected six months after CCPA’s effective date.

SB 1121 Amendments | California Consumer Privacy Act Updates

One of the amendments clarifies the definition of “Personal Information”, which is still broadly defined.

SB 1121 amends the definition of Personal Information to read:

“[Personal information includes the following] if it identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household…”  

With this change, the list of information that was previously treated as automatically being Personal Information has been clarified as only potentially being Personal Information.

Under the amended definition, information that can potentially be used to identify an individual or a household, such as an IP address, is considered Personal Information only if it can be associated with an individual or household.

Is Public Information Considered Personal Information Pursuant to CCPA?

Because CCPA is a new law, there are many questions about its requirements and its applicability in various situations. For example, our privacy experts have been asked whether public information is considered “Personal Information” pursuant to CCPA.

Information is exempted from the Act as “publicly available” if it is lawfully made available to the general public from federal, state, or local government records and is used for a purpose that is compatible with the purpose for which the data is maintained.

“Publicly available” does not include consumer information that is de-identified or aggregate consumer information.

As shown in the above example of deciding what is personal information or not, having your privacy team up to speed on the law and its amendments is critical for complying by January 1, 2020.

Another amendment that SB 1121 contains defers the deadline that the attorney general has to draft and adopt the law’s implementing regulations from January 1, 2020, to July 1, 2020.

The bill also delays the Attorney General’s ability to bring enforcement actions.

The Attorney General shall not bring an enforcement action under this title until six months after the publication of final regulations issued pursuant to this section or July 1, 2020, whichever is sooner.

CCPA Amendment Definitions

“Business” means:

(1) A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers’ personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the State of California, and that satisfies one or more of the following thresholds:

(A) Has annual gross revenues in excess of twenty-five million dollars ($25,000,000), as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185.
(B) Alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.
(C) Derives 50 percent or more of its annual revenues from selling consumers’ personal information.

(2) Any entity that controls or is controlled by a business, as defined in paragraph (1), and that shares common branding with the business.

“Control” or “controlled” means ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business; control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or the power to exercise a controlling influence over the management of a company.

“Common branding” means a shared name, servicemark, or trademark.

“Personal Information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

The Act specifies that PI includes, but is not limited to:

(i) identifiers, such as names, aliases, addresses, and IP addresses;
(ii) characteristics of protected classifications under California or federal law;
(iii) commercial information, including records of personal property, products or services purchased, or consuming histories or tendencies;
(iv) biometric information;
(v) Internet or other electronic network activity information, such as browsing history;
(vi) geolocation data;
(vii) audio, electronic, visual, thermal, olfactory, or similar information;
(viii) professional or employment related information;
(ix) education information; and finally,
(x) any inferences drawn from any of the information identified to create a profile about a consumer.

California Consumer Privacy Act Advances Six Amendments: May 2019

State legislators continue to consider amendments to the California Consumer Privacy Act amid uncertainty over how companies will meet the requirements, which go into effect on January 1, 2020.

Late last month, six bills were advanced in the California Assembly that would greatly impact the force and effect of CCPA as it was enacted almost a year ago. CCPA 2019 amendments should be taken seriously by organizations with potential California consumer data use.

On April 23, 2019, the Privacy and Consumer Protection Committee passed these industry-backed amendments:

AB 25, Chau: Expressly excludes contractors, agents, and job applicants from the definition of employees, to the extent their personal information is used for purposes compatible with that context.

    • This change addresses criticism that information collected in the employment context should not fall within the CCPA’s broad scope and onerous requirements.

AB 846, Burke: Seeks to modify the way businesses can offer financial incentive plans to consumers in exchange for their data by stating that the law does not prohibit businesses from offering goods or services to consumers through the consumers’ voluntary participation in loyalty, rewards, premium features, discount, or club card programs.

AB 873, Irwin: Potentially broadens the scope of “de-identified” information by removing “is capable of being associated with” and “household” from the definition of “personal information.”

AB 874, Irwin: Removes the following language from the definition of “publicly available”: “Information is not ‘publicly available’ if that data is used for a purpose that is not compatible with the purpose for which the data is maintained and made available in the government records or for which it is publicly maintained.”

AB 1355, Chau: Corrects cross-references and drafting errors in the CCPA.

AB 1564, Berman: Seeks to amend the methods businesses must make available to consumers for submitting verified requests for information regarding the use of their personal information.

    • If passed, AB 1564 would require businesses to make available to consumers a toll-free telephone number or an email address and a physical address for submitting requests.
    • Companies that operate exclusively online would only be required to provide an email address (as opposed to the “two or more designated methods” required by the law in its current form).

In the Senate, the California Senate Appropriations Committee held a hearing on SB 561, which would expand the private right of action to allow for suits alleging a violation of any part of the law, and would also remove the “right to cure” provision that affords companies 30 days to cure an alleged violation in actions brought by the Attorney General.

The Committee voted 6-0 to place the bill in the Suspense File, where it will be held for further consideration.

Compliance Deadline Unchanged by New 2020 Ballot Initiative

Californians for Consumer Privacy, the group behind the forthcoming California Consumer Privacy Act (CCPA), announced on September 25th that it filed a November 2020 statewide election ballot initiative that would broaden the scope of data privacy rights under the CCPA.

The proposed measure has no effect on the CCPA’s January 1, 2020 effective date.

Alastair Mactaggart, the real estate developer-turned-privacy activist whose efforts culminated in the state legislature’s passage of the CCPA, has indicated his view that the CCPA is “a great baseline” but that additional privacy rights and protections are needed to combat evolving tech tools increasingly exploitative of consumers’ data.

California Privacy Rights and Enforcement Act 2020 Overview

Major features of next year’s ballot initiative titled the California Privacy Rights and Enforcement Act of 2020 include:

Sensitive PI. The introduction of a definition for “sensitive personal information (PI),” including health information, precise geolocation, and the contents of a consumer’s private communications (opt-in is required prior to the sale of a consumer’s sensitive PI), and a right to opt out of the use of sensitive PI for advertising or marketing purposes;

Privacy Agency. The establishment of a new California Privacy Protection Agency to implement and enforce the law through administrative action while leaving civil enforcement to the California Attorney General (AG);

Profiling. Transparency requirements around automated decision-making and newly defined “profiling,” in particular in matters involving possibly adverse effects on lending, employment or housing decisions;

Children’s PI Violations. A tripling of the CCPA’s fines for violations of collecting or selling the PI of minors under the age of 16 without consent (to $7,500 per violation); and

Political Disclosures. A disclosure requirement if a business uses consumer PI for “political purposes” to influence the outcome of an election to advance the business’s own interests.

Start Date and CCPA Compliance Deadline Unchanged

January 1, 2020 remains the effective date of the CCPA, which will become the most comprehensive state or federal privacy legislation in the United States.

Given the law’s relatively low threshold criteria for what constitutes an in-scope “business,” the law will have an extraterritorial application to countless companies not located in the Golden State.

Businesses across the globe should position themselves to be in as full compliance with the CCPA as possible by its effective date.

The California AG will likely not begin formal CCPA enforcement actions until July 1, 2020 due to administrative rules around the law’s implementing regulations.

However, the CCPA takes effect on Jan. 1 and includes the popularly named twelve-month “look back” requirement for verifiable consumer requests to access one’s personal information.

Thus, organizations should already be maintaining accurate records of consumers’ PI dating back to January 1, 2019.  

And, apart from the verifiable consumer requests realm, when AG enforcement begins by July 1, 2020, the AG will likely be able to retroactively enforce against CCPA violations dating back to the law’s New Year’s Day 2020 effective date.

February 2020 CCPA Proposed Revisions

Additional revised proposed regulations to the CCPA were released on February 10, 2020.

As communicated in the “Information about the rulemaking process” issued by the Office of the Attorney General previously, if any changes were made to the proposed regulations, they would publish “another draft for more public comment” and “give the public at least 15 days (or longer, depending on the extent of the revision) to comment.”

Prior statements by Attorney General Becerra led us to expect regulations in January, so it appears the timeline may be extended at some point, but how this will impact the enforcement date is unknown.

Currently, there has been no indication that the enforcement date of July 1 will be pushed back at all.

Both the redlined and clean versions are published online.

Request for Deletion Revisions

One of the more controversial proposed elements previously was that businesses unable to verify a request for deletion would treat that unverified request as a “Do Not Sell” request (§ 999.313(d)(1)).

That has been removed along with the requirement to indicate which method of deletion was performed – deleted, de-identified, or aggregated.

Another concerning proposed element was that a request for deletion had to go through a two-step process. Now, the two-step confirmation is suggested, but not required (§ 999.312(d)).

Opt-Out Clarifications

A controversial requirement that was removed was one requiring businesses to communicate a consumer’s opt-out of sales to any parties to whom the business sold the data in the prior 90 days (§ 999.315(f)).

Under the new proposed regulations, businesses are required to process opt-outs within 15 business days and if there is a sale made during that time, the business must contact those third parties and direct them to remove the consumer’s data.

New CCPA Definitions

Key clarifications include the definition of “household” (§ 999.301(k)), which now means a person or group of people who:

(1) reside at the same address,
(2) share a common device or the same service provided by a business, and
(3) are identified by the business as sharing the same group account or unique identifier.

Previously the definition was “a person or group of people occupying a single dwelling.”

The new definition better accommodates the reality of the knowledge a business may have about households.

Another key clarification came with the new section 999.302 on guidance regarding the interpretation of CCPA definitions.

This new section of the proposed regulations provides:

Whether information is personal information, as that term is defined in Civil Code section 1798.140, subdivision (o), depends on whether the business maintains information in a manner that “identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.”

For example, if a business collects the IP addresses of visitors to its website but does not link the IP address to any particular consumer or household, and could not reasonably link the IP address with a particular consumer or household, then the IP address would not be personal information.

This is welcome news to many companies as it may change the conversation around cookies. It does not end the conversation, but it does change some of the recent focus.

Other information that was added included guidance around when mobile apps should provide just-in-time notice (§ 999.305(a)(4)), accessible notices (various sections), and that a “do not sell my personal data” link is not required in the notice at the collection of employment-related information (§ 999.2305(e)).

March 2020 CCPA Proposed Revisions

The Department of Justice of California published yet another round of draft CCPA (California Consumer Privacy Act) regulations on March 7, 2020.

In the most recent version, the “redlined” version is color-coded to easily identify the original draft regulations, the first set of modifications, and this second set of modifications. The redlined and clean versions are published online.

The Office of the Attorney General previously provided guidance that if changes are “substantial and sufficiently related,” the changes will be published with an abbreviated comments period of 15 days (this modification and the last one met these requirements).

If changes are not made or are “non-substantial and sufficiently related,” no publication for comments will occur. Only “major changes” would require a full 45-day comment period.

Some of the key changes include:

    • Removal of § 999.302 which was added in the last version addressing that an IP address that is otherwise not associated with identifying information is not personal data. No sections were added or modified in the newest version to address IP addresses.
    • Addition of § 999.305(d) clarifying that “[a] business that does not collect personal information directly from a consumer does not need to provide a notice at collection to the consumer if it does not sell the consumer’s personal information.”
    • An addition was made that if a business that denies a consumer’s request to delete sells personal information and the consumer has not already made a request to opt-out, the business shall ask the consumer if they would like to opt out of the sale of their personal information and shall include either the contents of, or a link to, the notice of right to opt-out in accordance with section 999.306. (§ 999.313(d)(7)).
    • Clarification that the notice provided at the collection of employment-related information does not need to contain a link to the business’s privacy policy.
    • Additional clarifications were added around information provided in response to consumers’ requests to know (§ 999.305(f)(2)), what to publish about selling minors’ data (§ 999.308(c)(9)), a description of biometric data that is to be provided where the biometric data itself cannot be provided in response to a request to know (§ 999.314(c)(4)), and descriptions of categories of sources and business purposes in the privacy policy (§ 999.308(c)(1)(e) and (f)).

Once a version is reached wherein there are no changes made, according to the “Information about the rulemaking process,” the Office of the Attorney General will prepare and submit the final rulemaking record to the Office of Administrative Law (“OAL”) for approval, including the summaries and responses to each public comment received.

The OAL has 30 working days to determine if all of the procedural requirements are met and if so, the regulations will be filed with the Secretary of State. 

June 2020 Enforcement and CPRA Update

California Consumer Privacy Act Definitions

For the CCPA, the regulations clarified that, in the definition of “business,” the $25M revenue prong applies to all revenue, and not simply revenue within California.

This was a point of confusion for business leaders trying to interpret the often vague text of the CCPA.

CCPA July 1 Enforcement

In regard to enforcement, recent communications from the California AG’s office stated, “The OAG has determined that any delays in implementation of the regulation will have a detrimental effect on consumer privacy as more and more Californians are using online resources to shop, work, and go to school.”

Despite the COVID-19 pandemic, it is clear that the AG’s office is serious about protecting Californians’ personal data and unlikely to waver on the impending enforcement date.

One of the hot topics in California privacy has been whether or not the use of internet cookies constitutes a “sale” as defined by the CCPA.

The attorney general’s comments in the “Final Statement of Reasons” confirm that the office considers this determination to be highly fact-specific and recommends that companies should seek clarification from counsel.

Under the CPRA, there is a new definition of “sharing” that addresses the cookie scenarios.

“Share,” “shared,” or “sharing” means sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged. (§1798.140(ah)(1)).

CCPA “Opt-Out” Solution

One of the main aspects of CCPA compliance is fulfilling consumer rights requests as consumers have the right to opt-out of the sale of their personal information.

As such, the ability for consumers to exercise this right must be found in an easy-to-find location on your website.

With TrustArc Cookie Consent Manager now integrated with TrustArc Individual Rights Manager, you can display the “Do Not Sell My Personal Information” link on your cookie banner, providing transparency and improved user experience to your consumers.

In addition, TrustArc Cookie Consent Manager allows you to configure the consent experience based on any geographical compliance requirements as different regulations have different rules and display the applicable consent banner based on the location of the website visitor.

For example, you can display a GDPR opt-in notice banner to EU residents and a CCPA notice-only banner to California residents.

Companies are understandably in varying stages of preparedness, and with less than a month to go, prioritizing compliance elements is key.


The Path to CCPA Compliance

As businesses review their plans for CCPA compliance and the impact of these amendments, businesses need to continue to move forward with their plans because the substance of CCPA is not expected to change.


Similar to GDPR, the path to CCPA compliance requires businesses to have solid knowledge of:

    • where their data sits,
    • what data they have and
    • what is then shared with third parties.

Data inventory and data mapping projects, policy updates, and shoring up third-party vendor management are all foundational compliance items companies need to be working on now.

Using technology to manage these items in the ever-changing and complex world of privacy and data governance needs to be a part of that compliance plan.

Take the TrustArc CCPA Readiness Assessment to discover how to streamline and manage ongoing compliance with CCPA and other privacy regulations.