On February 20, 2019, the Privacy & Consumer Protection Committee of the California State Assembly held an informational hearing where panelists representing different interests spoke on changes and clarifications to the California Consumer Privacy Act (CCPA). Panelists included Alastair Mactaggart, the founder of the ballot initiative of the bill, Stacey Schesser of the California Attorney General’s Office (AGO), Sarah Boot from the California Chamber of Commerce, as well as other interested parties including industry representatives, attorneys, consumer privacy advocates and professors.
Assembly member Ed Chau opened the hearing by noting that even with the passage of SB 1121, which amended the CCPA, there is more work to be done and more “cleanup” bills expected. Assembly member Chau emphasized that the law should be refined so that it is true to its legislative intent and workable for both consumers and businesses.
The first panel focused on the CCPA background and comparison to the GDPR. Mr. Mactaggart stated that the CCPA aimed to provide three rights: 1) right to know what information is being collected; 2) right to say no to sale of information; and 3) right to have information kept secure. He added that the CCPA was intended to apply to large businesses and data brokers, not mom and pop shops, and that the private right of action was limited to situations where companies were negligent with consumer’s data. Other panelists pointed out that the CCPA’s inclusion of households and devices results in the unintended consequence of many small businesses being covered by the Act and that CCPA compliance would entail substantial investment of resources beyond what many companies have sunk in for GDPR compliance.
In the second panel session, Ms. Schesser raised three issues on behalf of the AGO. First, the CCPA allows any parties to seek guidance directly from the AGO, which would divert the AGO’s resources devoted to enforcing the law. Second, the law provides business with a right to cure, which would allow even the worst “offenders” a “get out of jail free” card. Third, it lacks a private right of action for violations other than for a data breach; the AGO requested an expansion of the private right of action to include violations of other key provisions in the CCPA.
Workability and clarity were the focus of the third panel. In particular, Ms. Boot responded that an expansion of private right of action would lead to a class action bonanza, reiterated that the scope of the CCPA would require small businesses to comply, despite the intent to not do so, and addressed the problem posed by the inclusion of household. Several other issues were raised, including challenges posed by multiple databases when responding to deletion requests and argument against online advertising being deemed a “sale.”
The final panel discussed how California, through the CCPA, can maintain a lead in privacy. Speakers from the American Civil Liberties Union and Electronic Frontier Foundation made the case for strict and expansive privacy laws, like the CCPA, pointing to recent breaches and privacy violations, while other panelists responded that the CCPA needs to be fixed so that businesses can be set up for success and that there are already existing laws that provide consumers with protection.
As if on cue, two privacy bills were introduced in California on the same day: AB 846 and AB 950. AB 846 provides that the CCPA “does not prohibit a consumer from choosing to participate in a customer loyalty program that offers incentives such as rewards, gift cards or certificates, discounts, or other benefits.” AB 950 would require that a business that collects a consumer’s data “disclose to the consumer the monetary value to the business of their consumer data by posting the average monetary value to the business of a consumer’s data.” AB 950 would also establish the Consumer Data Privacy Commission to provide guidance regarding appropriate metrics and methodology for determining the value of consumer data.
The hearing and the CCPA-related bills underscore the importance of participating in the rulemaking process, keeping up with legislative developments, determining whether CCPA applies to your business and, if so, beginning the compliance process right away. Specifically, it is important to carefully understand the CCPA’s lookback provision. As currently enacted, this provision runs one year prior to the statute’s January 1, 2020 effective date, meaning the lookback obligation covers the time period beginning January 1, 2019 to present.