What Does the Legislature Have to Show for Its CCPA Amendments in 2020? Not Much (Guest Blog Post)

by guest blogger Tanya Forsheit

Professor Goldman asked me to share my two cents on the short extensions of time to the employee and business to business exemptions to the California Consumer Privacy Act (“CCPA”) that Governor Newsom signed on September 29, 2020 (AB 1281). My colleague Shely Berry and I cover the substance in our post available at Focus on the Data. [Eric’s note: the California legislature passed one other minor CCPA amendment in 2020, AB 713, which clarifies that information deidentified per HIPAA is not personal information under CCPA.]

There is a larger story here, one that seems to have been forgotten (perhaps understandably) in this age of pandemic and every day crisis. The CCPA is still one of the best examples of how NOT to craft meaningful privacy legislation. As Professor Goldman has noted on numerous occasions, it was passed under fire to avoid a ballot initiative in 2018 without any hearings or input from stakeholders – consumers, business, or privacy scholars. It was, per the parties’ understandings in the summer of 2018 when that happened, supposed to be amended in numerous ways to make it capable of being operationalized by businesses and therefore actually good for consumer privacy.

Almost none of the amendments that were designed to make the law more appropriate to the realities of doing business in California in the 21st Century were passed. Even these recently extended exemptions – which simply recognize the reality that California employees and business representatives are not consumers and should not have the same extensive rights to get copies of or delete their data – were subject to a sunset of January 1, 2021, now extended to January 1, 2022.

Indeed, the CCPA became politicized to the point that even its original author – Alastair Mactaggart – gave up on his own law and rewrote it as a new ballot initiative, Proposition 24, the California Privacy Rights Act (CPRA), which he started promoting before the CCPA itself even became effective and which will appear on the November 3 ballot. I don’t need to go down that rabbit hole – Professor Goldman has provided a thoughtful succinct analysis here as to why Californians should vote No on 24. If the CPRA passes as expected, the employee and B2B exemptions will continue until January 1, 2023, but it will be next to impossible for the legislature to ever amend the law again to carve employee or business representative data out in reasonable, limited appropriate ways.

Why do I care? Come January 1, 2023, at the latest, California businesses will have to figure out whether they are required to hand the sensitive personal information of an employee over to a member of that employee’s “household” (estranged or otherwise) who has verified that they live at the same address. Or they might have to honor a deletion request from an employee who makes that request knowing that the information at issue might soon (but bas not yet) become the subject of some complaint or accusation by another employee. Or they will have to figure out how to honor the requests of individuals who work for their suppliers to have their information deleted or turned over, without compromising the rights of other clients or employees.

None of that is good for consumer privacy. And it actually endangers the rights (privacy, safety, confidentiality, etc.) of others. Moreover, California businesses don’t have the resources for this. Many don’t even have the resources to keep their doors open during this pandemic. And those that do are wisely focusing those resources on saving jobs.

So there’s my two cents, just speaking as a privacy lawyer (on behalf of no one) who would like to see a privacy law that actually works to help consumers and doesn’t incentivize non-compliance, threaten the safety of California residents, or drive all but the largest behemoths into bankruptcy. It should never have come to this.

Prior CCPA/CPRA Posts

* Californians: VOTE NO ON PROP. 24, The California Privacy Rights Act (CPRA)
A Review of the “Final” CCPA Regulations from the CA Attorney General
The CCPA Proposed Regs’ Data Valuation Calculation Provisions Provide Flexibility, But Raise Ambiguity & Transparency Concerns (guest blog post)
My Third Set of Comments to the CA DOJ on the CCPA Regulations
Comments on the DOJ’s Proposed Modifications to the CCPA Regulations
Eric Goldman’s Comments to the California DOJ Draft Regulations for the Consumer Privacy Act (CCPA) (Part 3 of 3)
Some Lessons Learned from the California Consumer Privacy Act (CCPA), 18 Months In (Part 2 of 3)
Resetting the California Consumer Privacy Act (CCPA)…with 2 Weeks To Go! (Part 1 of 3)
And At the End of the Day, the CCPA Remains Very Much the Same (Guest Blog Post)
A Recap of the Senate Judiciary Committee Hearing on Amending the California Consumer Privacy Act (Guest Blog Post)
Want Companies to Comply with the CCPA? Delay Its Effective Date (Guest Blog Post)
Recap of the California Assembly Hearing on the California Consumer Privacy Act
A Status Report on the California Consumer Privacy Act
41 California Privacy Experts Urge Major Changes to the California Consumer Privacy Act
California Amends the Consumer Privacy Act (CCPA); Fixes About 0.01% of its Problems
Recent Developments Regarding the California Consumer Privacy Act
The California Consumer Privacy Act Should Be Condemned, Not Celebrated
A First (But Very Incomplete) Crack at Inventorying the California Consumer Privacy Act’s Problems
Ten Reasons Why California’s New Data Protection Law is Unworkable, Burdensome, and Possibly Unconstitutional (Guest Blog Post)
A Privacy Bomb Is About to Be Dropped on the California Economy and the Global Internet
An Introduction to the California Consumer Privacy Act (CCPA)