An (Interim) Update on California’s Privacy Law
Privacy in Focus®
You all know that California passed a massive privacy law in June 2018. You may know how rapidly the bill (AB 375) was passed. And you probably also know that there’s an enormous amount of confusion about what the California Consumer Privacy Act of 2018 (CCPA) will eventually say and what some of the key provisions mean. We have some interim news – but there’s still a long way to go.
The Law Itself
Unlike most current U.S. national laws, the CCPA is intended to have general applicability, independent of industry sector. Essentially, a business that collects personal information about California residents is covered by this law, unless there is a defined exception. The big exceptions are (1) certain companies covered by other privacy laws (such as HIPAA and Gramm-Leach-Bliley) and (2) those with $25 million or less in annual revenue or which have personal information on fewer than 50,000 people or derive less than 50% of their revenue from sale of personal information.
There are major open issues even about this coverage. The law did not make clear whether the revenue threshold applies to California revenue only or to revenue more generally. The status of nonprofits may be unclear. There is ongoing debate about whether employee information is covered, and many of the exceptions (such as whether the HIPAA exception applies to “business associates”) were not at all clear. There is significant confusion about what “financial incentives” are permitted, and what financial considerations would constitute unpermitted discrimination.
What Information is Covered and About Whom?
The law applies to “personal information” about California residents, which is “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The law defines such categories incredibly broadly – not only to include “normal” identifiers (e.g., name, address, Social Security Number, driver’s license number), but also (among others):
- Characteristics of protected classifications under California or federal law;
- Commercial information (records of personal property, products, or services purchased, or other purchasing or consuming histories or tendencies);
- Biometric information;
- Internet information including browsing history and search history;
- Geolocation data; and
- Inferences drawn from any information to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
The Substance of the Law: Individual Rights
The California law differs from the EU GDPR in at least one way: it focuses on individual rights rather than dictating how a company must act. It provides individuals the ability to learn about a company’s activities and, in turn, to dictate – for a particular individual – some of the ways in which the company can use that individual’s data. Among the key (and challenging to implement) rights are:
- The right to request that a business that collects a consumer’s personal information disclose to that consumer the categories and specific pieces of personal information the business has collected.
- The right to request that a business delete any personal information about the consumer which the business has collected from the consumer (a right with many exceptions).
- The right to request that a business that collects personal information about the consumer disclose to the consumer a broad range of information including (1) the categories of personal information it has collected about that consumer; (2) the categories of sources from which the personal information is collected; (3) the business or commercial purpose for collecting or selling personal information; (4) the categories of third parties with whom the business shares personal information; and (5) the specific pieces of personal information it has collected about that consumer.
- The right to request that a business that sells the consumer’s personal information, or that discloses it for a business purpose (defined separately in the law), disclose to that consumer: (1) the categories of personal information that the business collected about the consumer; (2) the categories of personal information that the business sold about the consumer and the categories of third parties to whom the personal information was sold; and (3) the categories of personal information that the business disclosed about the consumer for a business purpose.
- The right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information (what the law calls “the right to opt out”). For this right, companies must (among other things) provide “a clear and conspicuous link” on the business’ Internet homepage, titled “Do Not Sell My Personal Information,” to an Internet web page that enables a consumer to opt out of the sale of the consumer’s personal information.
What has Happened Since the Law was Passed?
Not surprisingly, efforts to modify the legislation began almost immediately. A coalition of corporate entities, including the California Chamber of Commerce and many other industry associations, submitted to the legislature a formal letter seeking a variety of changes. (The letter is available here and here.) According to this coalition,
While the full implications of the hastily passed AB 375 are far from being fully understood, in this letter, we propose amendments to address drafting errors, and to fix aspects of this bill that would be unworkable and that would result in negative consequences unintended by the authors. It is important to fix as many of these problems as soon as possible. The stakes are too high to delay any further – for consumers, businesses, the Attorney General, and the economy.
There was a consumer coalition letter submitted in response, available here. This coalition noted that (from its perspective) “the sky is not falling.” It then summarized its concerns as follows:
The majority of the Chamber letter’s proposed changes are substantive in nature and would fundamentally water down the CCPA’s privacy protections. Even when the letter does identify a provision where a technical fix is needed, the proposed solution is often excessive in nature and would run counter to the clear intention of the legislation.
The California Attorney General submitted his own letter on potential changes, available here. The AG expressed concern that the law imposed “several unworkable obligations and serious operational challenges” for the AG’s Office, and that “failure to cure these identified flaws will undermine California’s authority to launch and sustain vigorous oversight and effective enforcement of the CCPA’s critical privacy protections.”
Following this initial wave of lobbying, the California legislature rushed through a set of amendments (SB 1121) to the California Consumer Privacy Act before the end of the legislative session on August 31, 2018 (as of this writing, this provision has not yet been signed by the Governor).
These amendments tackled some of the ambiguities and confusion resulting from the original law. The bill expanded some of the coverage exceptions (although some of these changes may have made things even more confusing, particularly related to the health care exemption and its applicability to business associates). New exemptions were added, for example, related to clinical research subject to privacy controls under the Common Rule.
Beyond these scope exemptions, the bill addressed both enforcement and the right of consumers to sue – two of the most controversial elements of the initial law. The amendments seemed to clarify that the consumer right to sue exists only for certain data security breaches – and not more generally for violations of the “privacy” parts of the legislation. We can expect more debate on this provision.
There also were other changes related to enforcement. The requirement that a consumer notify the AG of a future lawsuit was removed. The penalty structure has been clarified. Most significantly, given the enormity of the implementation challenges and the confusion about the substance of the law, as well as the requirement (or expectation) that regulations would be issued to help explain the law, the deadline for regulations was extended and the enforcement date for the law has been pushed back until July 1, 2020.
What Is Still to Come?
These amendments – assuming they are signed into law – are likely to not be the last step in the evolution of the CCPA. Like the law itself, these amendments were rushed into effect to meet a legislative deadline. Many of the provisions identified by the Chamber of Commerce letter have not been addressed at all, and we can expect significant legislative pressure to continue to revise the law. We also will see regulations from the California Attorney General about the law.
Impact on the National Debate
The California law – along with global pressure due to GDPR – has led to an increased interest at the national level in national privacy legislation. The Administration is beginning some efforts to identify a potential legislative framework. Some companies would like to see a U.S. law that would meet the European Union’s “adequacy” standard. Other companies – some the same and some different – are concerned about other states that might choose to copy California’s approach and see a national law with pre-emptive effect as better than a multiplicity of state laws. All of these national efforts are in their infancy.
Because of the peculiar path of the California law (the referendum initiative and the subsequent fast-track legislative process), there may be little short-term likelihood that other states will pass their own versions of the California law. Nonetheless, companies in all industries should both (1) pay close attention to the California developments, as many companies will face California compliance requirements; and (2) at the same time, become engaged in the growing national debate over national privacy legislation. Companies impacted by this law also should begin compliance preparations (although I would not move too far down the road with compliance activities just yet until some of these issues are clarified) and, in general, consider how to approach the question of whether to apply this California law on a broader national basis.
© 2019 Wiley Rein LLP