California Consumer Privacy Act
Pandemic Slows Legislation, But Prop. 24 Passage Means Major Compliance Changes
Enacted in 2018, the California Consumer Privacy Act (CCPA) is a comprehensive privacy law that applies to businesses of all sizes and affects almost every industry. It was rushed through the legislative process in 2018 to avoid a then-pending ballot initiative without the benefit of input from crucial stakeholders. In 2019, the Governor signed several bills to fix some of the issues with the CCPA before it went into effect on January 1, 2020. Also in 2019, the Attorney General published its first draft of proposed CCPA regulations, adding another layer of complexity to this brand-new legal scheme.
Despite the recent enactment of the CCPA and the promulgation of CCPA regulations by the Attorney General, the drafters of the CCPA filed a new privacy initiative to amend and replace the CCPA just weeks after the 2019 legislative session ended. Approved by voters in November 2020, that new initiative, the California Privacy Rights and Enforcement Act (CPRA), will bring significant changes to California employers in 2023.
Passage of Proposition 24 in 2020
In 2020, the Attorney General initiated CCPA enforcement and subsequently finalized CCPA regulations, which went into effect immediately in August 2020. But even though CCPA and its regulations became effective and enforceable in 2020, businesses faced another significant change in privacy law and compliance when voters passed Proposition 24 (CPRA) in the November 2020 election. CPRA makes significant changes, adds certain clarifications and expands CCPA in several ways.
New Burdens on Business
• For example, CPRA removes a critical right to cure under the CCPA. The CCPA provides that a business is in violation if it fails to cure any alleged violation within 30 days after being notified of alleged noncompliance. This makes sense because most businesses still have not heard of this law, and amid the global pandemic, the constant volley of new privacy regulations has left the few business owners who are aware of this complex and unprecedented law struggling to comply. Nevertheless, the CPRA revokes this 30-day right to cure.
• In addition, the CPRA creates a new right for consumers: the right to correct. This new right allows consumers to demand that businesses correct inaccurate personal information the business has collected.
• Also, the CPRA significantly expands existing rights under the CCPA, creating new compliance burdens and costs for businesses, including an expanded right to opt out. The CCPA requires businesses that sell a consumer’s personal information to provide notice to consumers that the information may be sold and to inform consumers that they have a right to opt out. The right to opt out allows a consumer to direct a business not to sell the consumer’s personal information.
• The CPRA modifies the right to opt out by creating a new category of personal information—“sensitive personal information,” requiring businesses to treat personal information and sensitive personal information as separate categories of information. Further, a consumer has the right, at any time, to direct a business that collects sensitive personal information about the consumer to limit its use to that which is necessary to serve the consumer.
• In addition to substantive changes to consumer rights, the CPRA makes drastic changes to the enforcement and regulation scheme for privacy law in California. The CPRA creates a brand-new enforcement agency named the California Privacy Protection Agency, whose responsibility it will be to levy fines, enforce consumer rights, and further regulate the obligations of businesses. These functions are currently under the authority of the Attorney General.
• Finally, one of the more shortsighted portions of the CPRA is its prohibition on future amendments. Considering the number of amendments still needed to clarify the CCPA since its passage in 2018, preventing further changes to the newer CPRA will certainly create challenges when the statute inevitably runs into issues with which it is ill-equipped to deal. Ironically, the CPRA was put forth because the CCPA itself was ill-equipped to deal with the variety of issues that exist in the real world, as set forth below.
The clarifications that came with the CPRA include changes to applicability, loyalty rewards and publicly available data.
• For example, the CPRA increases the threshold for the law’s applicability to businesses. The CCPA currently defines a “business” to include any entity that collects, receives or shares the personal information of 50,000 consumers or households annually. The CPRA increases this threshold to 100,000, effectively exempting more small businesses from its applicability.
• Another key change is that the CPRA extends the employee and business-to-business data exemption. The CCPA contains a general exemption for personal information collected in the context of employment and business-to-business relationships. This is important as the scope of personal data that an employer collects during the employment relationship could be challenging to organize, identify, disclose or delete.
For example, including an employee’s name as the contact on an invoice to a vendor could be considered personal information under the CCPA, allowing that employee to request disclosure or deletion of the document, even though the invoice is dealing with a business transaction. The CPRA extends this important exemption until January 1, 2023 to allow policy discussions around these issues to occur.
• The CPRA also clarifies that businesses may continue to offer loyalty rewards, additional features, discounts, or programs. The CCPA is ambiguous on this issue and creates a prohibition on discrimination against customers for exercising their opt-out rights with programs that are based on the use of the same personal information that the customer has requested be deleted or use-limited. The CPRA clarifies this ambiguity by stating that loyalty rewards, premium features, discounts and other programs (like club cards) are not prohibited.
• One additional clarification is that the CPRA exempts publicly available data from the definition of personal information and sensitive personal information. This exemption cures a major constitutional weakness in the CCPA, one which proponents and others believe could well have led to the complete invalidation of the CCPA itself.
Attorney General Begins Enforcing CCPA Regulations
Yet another complication for businesses is the overlay of regulations to the CCPA (and ultimately the CPRA). The Attorney General finalized CCPA regulations in June 2020 and the vast majority of the regulations went into immediate effect when approved by the Office of Administrative Law in August 2020. The Attorney General issued new substantive changes to the regulations on October 12, 2020 and opened a 15-day public comment period for the proposed rules. Notably, the October 12 date is one year and one day (even accounting for a leap year) past the Attorney General’s initial Notice of Proposed Rulemaking dated October 11, 2020. Accordingly, these proposed changes may be invalid due to the failure to comply with the California Administrative Procedure Act, which requires all changes to be done within a one-year period.
Privacy Legislation and COVID-19
Amid the COVID-19 pandemic, privacy legislation focused primarily on contact tracing. Several bills were introduced in 2020 to address concerns about data collection for purposes of tracing and the privacy rights of consumers in connection with the CCPA. Due to concerns that the legislation could ultimately hamper contact tracing efforts, none of the bills passed.
Anticipated Legislative Activity in 2021
With the passage of Proposition 24, changes or amendments to the CCPA/CPRA through legislation will likely be limited. Any legislation will have to be consistent with and in furtherance of the CPRA.
The California Chamber of Commerce supports creating effective protections for consumers that are inclusive of business input. With the rapid succession of privacy law and regulations coming into effect in California, the CalChamber recognizes that businesses need time to adapt and gain compliance with this still new and complex legal framework. Accordingly, the CalChamber supports amendments to the CCPA and the CPRA that clarify and simplify compliance and promote safety and security while insulating businesses from frivolous lawsuits and unfair penalties and fines.