The California Consumer Privacy Act of 2018 (CCPA), which took effect on January 1, 2020, requires businesses that collect, share, or sell the personal information of California residents to provide those residents with a long list of privacy rights, including a notice of privacy policies, the right to request an accounting of disclosures, the right of access to their personal information, and the right to have it deleted. The CCPA defines these terms very broadly and applies to many businesses throughout the U.S. that collect the personal information of California residents through their physical or digital presence in the state. The California Attorney General was given authority to police the CCPA, but the state legislature delayed enforcement until July 1, 2020.
The CCPA was written and passed hurriedly in late 2018 to avert a proposed ballot initiative that would have imposed even more stringent privacy standards. The rush to preempt the ballot initiative led to provisions in the law that included a number of ambiguous and conflicting requirements. The California legislature left it to the attorney general to resolve these issues through guidance and regulations implementing the statute.
With the start of enforcement of the CCPA arriving in a few days, the journey to adoption of the implementing regulations is moving at a snail’s pace. The attorney general’s proposed regulations were submitted to California’s Office of Administrative Law for review on June 2nd. Depending on the state’s administrative rulemaking process, formal adoption may not take place until as late as October.
The complexity and sheer size of the regulations to implement the CCPA (over 11,500 words on top of the 10,000 words in the CCPA statute) make reading, understanding and complying with the requirements challenging. A small sample of the regulations that will impact all businesses required to comply with the CCPA involves the notices provided to consumers about the personal information collected about them. The new rules will require that notices be accessible for consumers with disabilities, and that online notices follow recognized industry standards such as the Web Content Accessibility Guidelines (WCAG), version 2.1. Another standard in the CCPA regulations will require all businesses to implement and maintain reasonable security procedures and practices to maintain the records of consumer requests invoking rights given under the statute.
While most attention surrounding the CCPA has focused on how it gives California consumers the rights to notice, choice and control over the personal information collected by businesses, less attention has gone to important provisions creating a duty to have reasonable security measures that prevent data breaches of personal information. Unlike the CCPA’s consumer privacy provisions, which are enforced by the attorney general, the data breach provisions give consumers the right to sue when a data breach results in the loss or theft of their personal information. The CCPA’s provisions giving consumers a private right of action when their personal information is exposed through a data breach took effect in January and have already resulted in a number of high-profile class-action lawsuits brought by California residents.
Businesses face more uncertainty as temporary exemptions for some requirements of the CCPA sunset at the end of this year. The California legislature exempted personal information collected from job applicants, employees, and their families (HR data) from many of the rights provided to consumers for transparency and choices for how their information is shared or sold. Another one-year exemption set to end applies to personal information of consumers who are employees or owners of an entity whose data was collected in connection with a business-to-business relationship (B-2-B Data).
In addition, a new ballot initiative to be voted on in November calls for further expansion of California’s consumer privacy protections. The California Privacy Rights Act (CPRA or CCPA 2.0) would significantly expand the rights of consumers over how businesses collect and share their personal information, including a new right to correct information about them. It would also create a state agency to enforce privacy law in California and clarify that all businesses have an obligation to protect the security and prevent unlawful disclosure of personal information. If a majority of California voters support the CPRA, most provisions would not become effective until January 1, 2023. However, its approval by voters would immediately extend the current exemptions for HR and B-2-B data for an additional 2 years.
There are a number of problems in the CCPA that require clarification, and there is the possibility that the California legislature may further amend its provisions or that the attorney general’s regulations will be further delayed. Even though enforcement of the CCPA will begin as scheduled, some may be tempted to hold off assessing how the law may apply to their organization until all the kinks have been worked out. The bottom line is that the scope and reach of the new law to entities that do business in California make waiting for the attorney general and legislature to get their act together a very risky proposition.
About the Author: David Holtzman