On Monday, Feb. 25, California Attorney General Xavier Becerra and Senator Hannah-Beth Jackson introduced Senate Bill 561, which proposes significant amendments to the California Consumer Privacy Act (CCPA).
- The bill would expand the existing private right of action, allowing California residents to bring private lawsuits based on alleged violations of any rights under the CCPA — not just in the event of certain data breaches involving nonencrypted or nonredacted personal information. According to the bill, the goal is to “expand a consumer’s rights to bring a civil action for damages to apply to other violations under the act.”
- The bill removes the requirement that the Attorney General’s Office (AGO) provide businesses and private parties with individual legal counsel on CCPA compliance, and replaces this provision with language providing that the AGO may “publish materials that provide businesses and others with general guidance” on compliance.
- The bill strikes language providing businesses with thirty (30) days to cure an alleged CCPA violation before enforcement can occur. If enacted, the revised language would allow enforcement actions and private lawsuits to start immediately.
The Amendments Address Concerns Raised During a Feb. 20 California Assembly Hearing
The proposed amendments in SB 561 build on the AGO’s comments before the California State Assembly Committee on Privacy and Consumer Protection during a legislative hearing held on February 20th. There the AGO stressed its need for additional resources and noted that the CCPA presents “unworkable obligations and operational challenges” by (a) permitting businesses to seek individualized guidance from the AGO regarding CCPA compliance and (b) providing businesses with an opportunity to “cure” alleged violations before being held accountable. During the hearing, the AGO also criticized the lack of an expansive private right of action to allow consumers to enforce the rights afforded to them by the CCPA. Proposed SB 561 is intended to address each of these concerns.
The Assembly hearing also featured comments from legal experts and industry groups. Many of these comments echoed themes from the public forums, including concerns about (a) the definition of “personal information,” and particularly its reference to a “household”; (b) the law’s potential impact on small businesses, the online advertising industry and retailer loyalty programs; (c) the process for authenticating consumer requests; and (d) the challenges for companies that have already made a significant (and costly) effort to comply with the requirements of the European General Data Protection Regulation (GDPR).
Addressing Industry Concerns Through the CCPA Forums and Proposed Rulemaking
The AGO continues to hold public forums to hear concerns and receive input as it develops rules to clarify many aspects of the CCPA. At each public forum, the AGO indicated that it will publish a first draft of the regulations via a Notice of Proposed Regulatory Action in fall 2019. Ultimately, the AGO must adopt final rules by July 1, 2020. Attorneys from Loeb & Loeb’s Privacy, Security and Data Innovations team attended the public forums in San Francisco, Riverside, Los Angeles, Sacramento and Fresno, and we continue to work with industry organizations to submit additional written comments during this process.
At the most recent public forums, attendees (including several industry organizations such as the ANA, 4A’s and the Digital Advertising Alliance) sought clarification on the following points:
- the exception within the CCPA for personal information collected, processed, sold or disclosed pursuant to the federal Gramm-Leach-Bliley Act, including its application to the sale of entire portfolios (such as a credit card portfolio or a delinquent account portfolio);
- the exception within the Act’s definition of “sale” for use of information for a “business purpose,” and whether marketing and advertising would be deemed “business purposes”;
- the application of the Act to nonprofits, and the CCPA’s potentially negative impact on relationships between nonprofits and commercial partners;
- the “specific pieces of personal information” to be provided to consumers in connection with a verifiable request, and whether that requires developing individualized privacy policies for each consumer;
- the 12-month look-back period, including when this period would begin for purposes of responding to consumer requests, and whether companies are obligated to modify internal policies that currently require shorter data retention periods;
- whether companies can offer consumers options with respect to opting out of the “sale” of their data, including the option to opt out of all sales or just some sales; and
- what constitutes effective verification, including concerns around the need to collect additional personal information in order to verify a consumer request.
Commenters also raised the need for rulemaking to address the following issues created by the current drafting of the CCPA:
- the potential privacy risks raised by the inclusion of “household” in the definition of “personal information.” Because “household” is undefined, companies may be required to disclose personal information to members of a household that could include roommates or ex-partners, without permission of the consumer;
- the inclusion of “probabilistic identifiers” in the definition of “unique identifier,” which could require companies to collect or retain more data to handle consumer requests, and would disincentivize the pseudonymization of data; and
- the importance of giving companies flexibility in the type of opt-out mechanism offered, including looking to the DAA’s AdChoices icon as a preexisting mechanism to facilitate consumer choice and allowing the use of mechanisms that are closely aligned with the ways in which a company actually engages with a consumer (e.g., a web-based mechanism for web-based consumer interactions).
As those companies that are subject to the GDPR may recall, the desire for guidance and clarification must be strategically balanced against the risk of receiving an unfavorable response. Just as the (former) Article 29 Working Party often issued guidance that provided a more restrictive interpretation of the GDPR than expected (or hoped), the AGO’s rulemaking may similarly provide clarifications that increase, rather than ease, the compliance burden.
The California AGO is accepting written comments until March 8. If you or other members of your organization have comments you would like Loeb & Loeb to submit during the final forum or by email, please contact our Privacy, Security & Data Innovations Team. We will continue to provide updates throughout this process.
The final public forum is scheduled for Tuesday, March 5, at Stanford University; details can be found below. Information and materials from the prior public forums can be found here.
Final Public Forum:
Tuesday, March 5, 2019, 12:45 PM
Stanford Law School, 559 Nathan Abbott Way, Room 290, Stanford, CA 94305
Also on March 5, the California Senate Judiciary Committee will be holding a hearing, “The State of Data Privacy Protection: Exploring the California Consumer Protection Act and Its European Counterpart.” Jessica Lee, partner and co-chair of the Privacy, Security & Data Innovations group at Loeb & Loeb, will provide testimony at the hearing. Additional details regarding the hearing can be found here and below.
California Senate Judiciary Committee Hearing
Tuesday, March 5, 2019, 1:30 PM
State Capitol, Room 112, Sacramento, CA 95814