Resetting the California Consumer Privacy Act (CCPA)…with 2 Weeks To Go! (Part 1 of 3)

[Introduction: I recently submitted comments on the California DOJ’s draft CCPA regulations. As part of preparing my comments, I took some time to reflect on the CCPA more generally, 18 months since passage and weeks away from launch. That led to this week’s 3-part series on the CCPA. Today, I’ll talk about how we got here. Tomorrow, I’ll talk about some preliminary lessons learned. Wednesday, I’ll post my comments on the regs.]

In June 2018, California passed a major consumer privacy law called the California Consumer Privacy Act (CCPA). The CCPA was the first comprehensive consumer privacy law passed in the United States. It gives consumers several important new rights, including the right to know more about a company’s privacy practices, a right to see, delete, and download the personal information stored about them, restrictions on a company’s right to sell their personal information, restrictions on discrimination against consumers for exercising their privacy rights, and the right to sue companies for certain types of data breaches.

The CCPA comes into effect in a couple of weeks, and there have been a lot of developments in the intervening 18 months. This post recaps those developments.

The Road to Passage

The CCPA started as a ballot initiative in California. After the initiative qualified for the ballot in June 2018, its sponsor offered the California legislature a deal: pass substantially similar legislation in 7 days (the deadline to withdraw the initiative from the ballot) or let the California voters decide the initiative’s fate.

This offer created a painful, but not difficult, decision for the legislature. If the ballot initiative passed, the legislature could amend it only with a super-majority vote. Because legislative consensus is hard to obtain, the initiative, if passed, was likely to take away the legislature’s power over consumer privacy issues forevermore. Alternatively, if the legislature worked quickly, it could retain that power, even if it came at the cost of passing a terrible bill.

The sponsor’s offer set off a frenetic week of drafting and lobbying that resulted in the law’s enactment on June 28, 2018. Virtually all of this activity took place behind closed doors. There were no public hearings on the bill, and only a few lobbyists had input. As a result, the vast majority of affected businesses and consumers never had any voice about the law before it was passed—not when the initiative was drafted, and not when the legislature converted the initiative into the CCPA.

Post-Passage Amendments

Not surprisingly, the passed law contained numerous embarrassing typos and errors consistent with a closed-door rush job. The California legislature enacted some technical amendments in August 2018 that cleaned up some, but not all, of the typos.

The California legislature undertook a more comprehensive review of the CCPA in early 2019, which included the first public hearings on the law. Dozens of amendments were proposed, but only a few amendments made it into law on October 11, 2019. Some of the more significant successful amendments:

  • The CCPA’s overexpansive definition of “personal information” included job applicant, employee/contractor, vendor contact, and stockholder information, but many of the law’s provisions are nonsensical as applied to these non-consumers. The amendments removed these categories of data from the law’s scope—but only for one year. The legislature will revisit this issue in 2020.
  • Information from government records is now excluded from the CCPA’s scope. This fixes one of the most glaring and painful typos in the law.
  • The law requires businesses to offer a toll-free phone number so consumers can exercise their rights, but the amendments relaxed this requirement for web-only businesses (they can take consumer requests via email).
  • The law permits some teenagers to “opt-into” data sales (younger kids can’t opt-in themselves; only their parents can do that for them). Due to a drafting error, the age range for these empowered teens was unclear. The legislature clarified the age range is 13-15.
  • The amendments provided narrow exclusions for car dealers/manufacturers (with respect to vehicle warranty and recall information) and credit reporting information already governed by federal law.
  • The amendments globally changed “Internet” to “internet.” Not only is this a painful change for Internet old-timers, it’s mind-blowing that this amendment was prioritized over dozens of more urgently needed changes.

As should be apparent, the CCPA remains largely the same as when it was first passed. Some of the amendments aren’t minor, but generally none of them represented a structural change to the CCPA.

In addition to the CCPA tinkering, the California legislature extended the CCPA to require “data brokers” to register with the California DOJ. A data broker is “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship,” but it excludes credit reporting agencies, GLBA-related entities, and insurance entities. With this statutory foundation, the California legislature is primed to enact future anti-data broker laws.

Following this 2019 crop of amendments, the CCPA’s text is now set for its effective date of January 1, 2020. The California legislature will start a new batch of amendments in early 2020. However, there is legislative apathy for “fixing” the CCPA, and most businesses will have already incurred substantial costs to comply with the current draft. I don’t expect any major statutory changes will emerge in 2020.

DOJ Rulemaking

The CCPA delegated rule-making authority (as well as enforcement) to the California DOJ. It’s fair to say that the DOJ wasn’t looking for this responsibility. They are spending $4M+/year to hire 23 additional full-time positions and expert consultants. Furthermore, the DOJ has a litigation/enforcement mindset, and it requires a significant cultural change to do administrative rule-making and collaborate with regulated entities.

The CCPA does not allow the DOJ to enforce the law before July 1, 2020. However, businesses cannot fully comply with the law until the DOJ completes its rule-making, and it’s not clear when that will happen. At this point, businesses will only have a few months (at most) to comply with the DOJ’s final regulations before the July 1 deadline.

The DOJ released its first draft of the regulations on October 10, 2019, but even this draft was incomplete. The CCPA requires the DOJ to design a button/logo allowing consumers to opt-out of future data sales. The initial regulations said that the first draft of the logo will come in a future rule-making draft. This will not happen before January 1, 2020, so it will remain impossible for any business to be in full compliance with the CCPA on its effective date.

The DOJ’s guidance on timing has not exactly been comforting. AG Becerra recently told Reuters: “we will look kindly on those [businesses] that … demonstrate an effort to comply…If they are not (operating properly) … I will descend on them and make an example of them, to show that if you don’t do it the right way, this is what is going to happen to you.” This is fairly standard velvet glove vs. hammer rhetoric, with a heavy emphasis on the hammer.

The CCPA (in California Civil Code 1798.185(b)) says that the “Attorney General may adopt additional regulations as necessary to further the purposes of this title.” The DOJ’s initial draft of the regulations did not exploit this freedom very much, but that may be a good thing. The few places it significantly deviated from the CCPA’s requirements were highly problematic.

For example, the regulations propose new transparency reports about larger companies’ CCPA practices. This information will be expensive to produce, but it’s not clear who will find the reported information helpful. As another example, the regulations require companies to honor browser software-based signals indicating a consumer’s desire to opt-out of data sales. However, this falsely assumes that the thousands of software programs send clear, consistent, easy to interpret, and relatively static opt-out signals.

CCPA 2.0

The initial CCPA initiative sponsors are exasperated with the legislative process, so they are collecting signatures for a new initiative, the “California Privacy Rights and Enforcement Act” (CPREA, colloquially called CCPA 2.0). CPREA proposes to codify some existing parts of the CCPA and extend it in major ways. Once again, the initiative text is being drafted by private individuals and without any legislative hearings, though the sponsors are consulting some communities for feedback.

If the CPREA passes, the initiative would make several aspects of consumer privacy functionally unmanageable by the California legislature. Furthermore, given the CPREA’s hostility towards legislative processes, the California legislature probably will not get a “pass-or-pray” option like it did with the CCPA.

The CCPA represents a major social experiment on the world’s fifth largest economy, but we still don’t know what parts actually work and what parts don’t. Yet, the CPREA proposes essentially to permanently encode some consumer privacy rules before the CCPA “experiment” even starts. That sure sounds like a bad policy approach. Nevertheless, given the ongoing privacy fears of California residents, the CPREA could find voter support.

Recap

Where things stand as of today:

  • The California legislature has undertaken two rounds of amendments, but the CCPA remains substantially the same as when it initially passed.
  • The final version of the AG rule-making won’t be available when the law takes effect on January 1, and there will likely be a mad scramble to accommodate the final regulations before the DOJ starts enforcing the law July 1.
  • A major ballot initiative to embrace and extend the CCPA is looming in ways that disrespects the substantial legislative and business compliance efforts undertaken to date.

We will see a lot of movement in the next few weeks. The law goes into effect on January 1, which means that class-action litigators can start filing data breach lawsuits. Also in January, the California legislature will start the next amendment batch, including the issue of whether the CCPA covers employee and similar data. Later in 2020, it’s likely that other state legislatures will revisit doing their own clone-and-revise of the CCPA, the DOJ will issue its final regulations, and the CPREA may qualify for the ballot.

Prior CCPA Posts

* And At the End of the Day, the CCPA Remains Very Much the Same (Guest Blog Post)
A Recap of the Senate Judiciary Committee Hearing on Amending the California Consumer Privacy Act (Guest Blog Post)
Want Companies to Comply with the CCPA? Delay Its Effective Date (Guest Blog Post)
Recap of the California Assembly Hearing on the California Consumer Privacy Act
A Status Report on the California Consumer Privacy Act
41 California Privacy Experts Urge Major Changes to the California Consumer Privacy Act
California Amends the Consumer Privacy Act (CCPA); Fixes About 0.01% of its Problems
Recent Developments Regarding the California Consumer Privacy Act
The California Consumer Privacy Act Should Be Condemned, Not Celebrated
A First (But Very Incomplete) Crack at Inventorying the California Consumer Privacy Act’s Problems
Ten Reasons Why California’s New Data Protection Law is Unworkable, Burdensome, and Possibly Unconstitutional (Guest Blog Post)
A Privacy Bomb Is About to Be Dropped on the California Economy and the Global Internet
An Introduction to the California Consumer Privacy Act (CCPA)