Debate Over CCPA Amendment Heats Up as Business Preparations Ramp Up
The debate over the California Consumer Privacy Act (CCPA) is heating up now that the California legislature is back in session, the Attorney General has completed two of the six public discussion forums, and the federal government is still mired in the shutdown debate. Meanwhile, we are seeing businesses preparing in earnest as the lookback period has begun and there is less than a year before the effective date of January 1, 2020.
On Thursday, 41 California privacy lawyers, professionals and professors urged the California legislature to make major changes to California’s new privacy law. It was organized by Professor Eric Goldman of Santa Clara University School of Law. The letter is addressed to four leaders of the Senate and Assembly, rather than Assemblyman Ed Chau and Senator Robert Hertzberg, the original sponsors of AB 375.
The letter highlighted six areas of concern about the CCPA law:
1. Application to Stakeholders Who Did Not Provide Input. The letter suggests that the legislature conduct broad-based fact gathering from multiple constituencies as part of an amendment to the CCPA because these groups did not have input into the sweeping changes of the original law.
2. Compliance Costs for Small Businesses. The letter points out the low requirements to reach the threshold to be a covered business and urges the legislature to increase the amount for data possessed or scale back small business compliance obligations.
3. Inconsistencies with the GDPR. The letter suggests harmonizing the CCPA with GDPR to avoid creating a new round of compliance work which would not make an incremental improvement sufficient to justify the cost.
4. The CCPA Counterproductively Undermines Consumer Privacy. The letter questions whether the data subject access rights provided will actually increase privacy protections for users as businesses must make data identifiable to meet the requirements as well as collect more data to verify the identity of a consumer to permit them to exercise the rights appropriately.
5. Overbroad Definitions. The letter points to ambiguity in numerous key definitions, including “business”, “consumer, “personal information”, “households”, “service provider” and “third party”.
6. Extraterritorial Reach. The letter raises questions about the application to businesses located outside California, including affiliates of California businesses, the amount of California business required to reach the threshold, and the Constitutionality of application to activity outside California.
Here is a link to the PDF of the letter.
It is possible that the California legislature will allow the Attorney General’s Office to address some of these issues through the rulemaking process. The CaAG is still early in that process, seeking public comments through February before it completes draft rules for businesses. Nevertheless, it seems likely that the letter will garner a response from privacy organizations in support of the bill, as well as fuel business lobbying efforts for an additional amendment before summer.
If the debate over AB-375 and the SB-1121 amendments is reopened in the California legislature, another section that will probably be up for changes is the section permitting businesses to have different prices for consumers that do not exercise their rights. A recent survey by the Center for Data Innovation found that 27 percent of respondents were willing to pay a monthly subscription fee in exchange for reduced data collection by a company. The section likely needs additional clarity before businesses can safely rely on it to serve this segment of the population.
Despite the possibility of changes before the effective data of January 1, 2020, businesses still need to be preparing for the law to go into effect now. There is no guarantee that the legislature makes substantial changes or decides to delay the implementation date (even though it has authorized up to a six month delay in enforcement). As far as the possibility of federal preemption, there was a pretty intense lobbying effort around it last fall, but the shutdown will probably diminish those odds if it continues to drag on. We are seeing many businesses preparing now that the lookback period is in effect rather than take a wait and see approach on either of these fronts. As GDPR demonstrated, there are a lot of details in privacy regulations and organizations need to be preparing now in order to be ready by January 1.
Other Blog Posts on the California Consumer Privacy Act:
California AG Holds First Public Forum for CCPA Rulemaking in San Francisco
New Mexico Privacy Bill Copies CCPA – Consumer Information Privacy Act Introduced in NM Legislature
CCPA Rulemaking Public Forums Announced by California Attorney General
CCPA Compliance Note: The Lookback Period Starts on January 1, 2019
A Sale for Valuable Consideration Under California’s CCPA Defined
Consumer Organizations Defend California Consumer Privacy Act (CCPA) in Letter to Legislators
California AG Tells Congress Not to Preempt California Privacy Law
CCPA Privacy Lawsuits Implicated in United States Challenge to Injury Standing in Frank v. Gaos
PWC Survey on CCPA: Enterprise Compliance Expected at 52% by January 1, 2020
California Adopts SB-1121 Amendments to Consumer Privacy Act
Contact Clarip for Help with Your Privacy Program
The Clarip privacy software and team are available to help improve privacy practices at your organization. Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo or speak to a member of the Clarip team.
If you are working towards GDPR compliance, we can help through our modular GDPR software. Whether you are starting the process with GDPR data mapping automation, need privacy impact assessment software, or looking to meet ePrivacy requirements with cookie management software, Clarip can help strengthen your privacy program.
If CCPA compliance in 2020 is on your radar, ask us about our California Consumer Privacy Act software. Improve efficiency of responses to data subject access requests with our DSAR software, or provide the right to opt out of the sale of personal information with our consent management platform.
Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo and speak to a member of the Clarip team.