A Status Report on the California Consumer Privacy Act
Yesterday, I did a webinar for the California Lawyers Association on the status of the California Consumer Privacy Act (CCPA). This post recaps the discussion.
The CCPA imposes 6 new obligations on covered businesses: they have to make specified disclosures to consumers, provide consumers with a data erasure capacity, provide consumers with data portability, allow consumers to opt-out of data sales (or opt-in in the case of minors), and not discriminate against consumers on the basis of personal information. The law also creates a private cause of action for certain data breaches.
The CCPA applies to any “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” It’s my position that this includes any data about consumers, so this definition effectively eliminates the notion of anonymized or unattributed data.
The CCPA regulates every business with $25M+ in annual revenues, or 50%+ of their revenues from selling consumer data, or that “annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.” The CCPA purports to apply unless every aspect of commercial conduct takes place wholly outside of California.
Some of the CCPA’s Biggest Problems
The law is riddled with errors big and small. It would take many lifetimes to catalog them all. This letter sent by 41 California privacy experts flags some of the biggest issues the legislature needs to tackle:
- The CCPA affects many businesses who never had a chance to explain the law’s problems to the legislature;
- The CCPA imposes excessive costs on small businesses;
- The CCPA requires businesses to waste money complying with multiple privacy laws;
- The CCPA degrades consumer privacy in several ways;
- The CCPA’s definitions are riddled with problems; and
- The CCPA reaches beyond California’s borders.
Another big problem not mentioned in the letter: the CCPA was dumped on California’s extensive tableau of existing privacy laws with minimal efforts at harmonization. Almost certainly, some of the pre-existing laws need to be deprecated; and other laws will not make sense unless/until they are conformed. I’m not sure who will do that harmonization work.
Developments in the AG’s Office
In preparation for their rule-making process, the AG’s office has held 6 “listening sessions,” with one more remaining, in the following places: January 8, San Francisco / January 14, San Diego / January 24, Inland Empire / January 25, Los Angeles / February 5, Sacramento / February 13, Fresno / March 5, Palo Alto.
Each listening session starts with the AG’s office presenting this slide deck. Then, audience members get a chance to speak up. Many speakers just read what they’ve already submitted to the AG’s office in writing. There is no reason to believe that the AG’s office will give more weight to oral comments than to written submissions, so there is no reason to attend the hearings or get hung up on recaps of the hearings. Still, I’ll be at the Palo Alto session if anyone wants to have a privacy party.
Written comments to the AG’s office are due March 8. This is absolutely the best time to get your comments into the AG’s office–before they have put pen to paper.
Two big questions:
1) Will the AG’s office make any rules addressing provisions beyond those expressly delegated to them in the law? The CCPA enumerates the following specific areas for AG rulemaking:
(1) Categories of Personal Information
(2) Definition of Unique Identifiers
(3) Exceptions to CCPA
(4) Submitting and Complying with Requests
(5) Uniform Opt‐Out Logo/Button
(6) Notices and Information to Consumer, including Financial Incentive Offerings
(7) Verification of Consumer’s Request
Very few public comments have addressed any of these topics, because most of these issues are far less problematic than the CCPA’s big structural problems. So what will the AG’s office do? Will they restrict their rule-making to the explicit sandbox designated by the legislature, or will they respond to the comments and spread their wings? I fear there will be some diffusion of responsibility: the legislature will think the AG’s office can make rules about whatever they want (that’s literally what the law says), and the AG’s office will feel constrained to defer to the legislature and will only do what the law expressly directs them to do.
2) When will the rulemaking be done, and when will the law go into effect? The AG’s office put together this handy chart of their process:
As you can see, the AG’s office plans to issue the first draft of their rules in “Fall” 2019. The draft rules will almost certainly generate a massive number of comments, plus there will be scheduled hearings to discuss them. If the first draft of the rules is issued Sept. 21, 2019 (the first day of Fall), there is absolutely no way the AG can finalize the rules before January 1, 2020. The law takes effect 6 months after the AG’s final rules, with a hard stop of July 1, 2020. I think it’s guaranteed that the law’s effective date will be July 1, 2020 and that businesses will have less than 6 months–possibly way less–to adapt their practices to the AG’s rules. It would be appropriate for the legislature to slip the July 1, 2020 hard stop further, but I doubt that will happen because the legislators will demand too high a price from “business” for this “concession.”
Developments in the California Legislature
There will be many bills to amend the CCPA. I don’t yet know how many. Here is an incomplete roundup.
The Assembly Privacy and Consumer Protection Committee has scheduled an informational hearing for February 20, 9-12:
I expect to testify at the hearing.
Looking at the broader context, there are few business allies in Sacramento. Support for improving CCPA will not come from the governor’s office: Gov. Newsom used his State of the State address to endorse CCPA and propose a “data dividend” (presumably, just another tax) from Internet companies. It doesn’t appear oversight will come from the Republicans either (not that they have a lot of clout in the legislature any more); several Republicans already introduced a privacy bill (AB288, the Own Your Own Data Act) to extend, not curtail, CCPA.
I don’t see the California legislature having much appetite to fix the CCPA, either. There will be a torrent of post-CCPA privacy regulatory bills soon introduced into the California legislature. As those new bills flood the legislature, it will dilute the time and focus the legislature has to fix the many problems with the CCPA. CCPA is already old news to the legislature, while it’s a lot more exciting to manufacture brand new laws. So the odds of getting serious reform to the CCPA will be undermined by the fervor to pass more privacy laws.
Finally, it’s unlikely the tech community will speak in one voice. Apple is bashing its rivals on privacy (including calls for regulating Facebook), and Microsoft has endorsed Washington’s CCPA variant. So legislators will have no problem finding division in the tech community that will give them cover for not taking action.
Several states have introduced bills to adopt variants of the CCPA, including Washington state. Bloomberg reports on the efforts in 8 states. This proliferation is bad news. Either the other states’ laws will fix the CCPA’s mistakes (or possibly add their own) and thus increase divergence among state laws, or the bills will copy California’s mistakes and further lock in terrible policy. Either way, no one wins.
There have been numerous federal privacy bills introduced. Some propose to preempt state laws; others do not. I’ve said many times that the sine qua non of a new federal privacy law is state law preemption. Otherwise, it just adds more law and more complexity without fixing any of the problems in states’ divergent or misguided laws (cf. how the DTSA didn’t clean up trade secret litigation, it just proliferated plaintiffs’ claims). From my perspective, a federal preemptive law is the only remaining hope we have to avoid overregulation of privacy that will destroy the Internet and put a serious dent in our economy. Yet that slim hope relies on a dysfunctional Congress, which isn’t reason for optimism.
There have been murmurs about Constitutional challenges to the CCPA. There are several angles that could be meritorious. However, I have yet to hear of anyone taking any demonstrable steps forward in bringing these challenges.
* 41 California Privacy Experts Urge Major Changes to the California Consumer Privacy Act
* California Amends the Consumer Privacy Act (CCPA); Fixes About 0.01% of its Problems
* Recent Developments Regarding the California Consumer Privacy Act
* The California Consumer Privacy Act Should Be Condemned, Not Celebrated
* A First (But Very Incomplete) Crack at Inventorying the California Consumer Privacy Act’s Problems
* Ten Reasons Why California’s New Data Protection Law is Unworkable, Burdensome, and Possibly Unconstitutional (Guest Blog Post)
* A Privacy Bomb Is About to Be Dropped on the California Economy and the Global Internet
* An Introduction to the California Consumer Privacy Act (CCPA)