CCPA Law Summary & Compliance Guide for California Consumer Privacy Act

 
The California Consumer Privacy Act (CCPA) is bringing a GDPR-lite law to the United States. Businesses have six months to one year to come into compliance before enforcement of the nation’s most advanced data privacy law begins between January 1st and July 1, 2020.  Clarip has put together this summary guide to the new California privacy law which:

– Provides an overview of AB-375 with its original text, amendment (SB 1121) and possible future CCPA amendments;
– Compares the CCPA to the European Union’s General Data Protection Regulation (GDPR);
– Discusses the rights California will offer to its 40 million residents such as the rights to opt out, opt in, access and delete;
– Summarizes specific, key sections of the legislation for businesses;
– Highlights the impact and penalties of noncompliance; and
– Discusses the necessary compliance efforts for those businesses impacted by the law, including an overview of the software and other services that Clarip offers.

 
 GET OUR FREE WHITE PAPER ON THE NEW CALIFORNIA LAW …

Updated: August 1, 2019

 
The California Consumer Privacy Act was adopted in June 2018 and received its first amendment by the California legislature in August 2018 via SB 1121. It is possible it will be amended at least once more between now and 2020 as the legislature considers additional substantive changes suggested by businesses. We will be keeping a close eye out for any preliminary discussions in the legislature of amendments to the California Consumer Privacy Act so that we can notify you of them on the Clarip Privacy Blog. As of July 1, 2019, there were nine CCPA amendments that passed the California State Assembly and are being considered by the California State Senate. Most of them have been referred to the Senate Judiciary Committee. Six amendments are now headed from the Senate Judiciary Committee to the Appropriations Committee in mid-August.

We will also be closely following any clarifications on enforcement of the law issued by the CA Attorney General. The law assigns the AG with the power to issue regulations about the law related to business compliance as well as take enforcement action. The AG has completed the preliminary public discussions (including 7 public forums and a written submission process). Over the next few months, the AG will be preparing the preliminary version of the CCPA regulations for release in Fall 2019 (anticipated).

 

 
Business Compliance

Organizations simply can not afford to ignore the California Consumer Privacy Act. The law authorizes substantial fines and consumer damages for the failure to comply with its terms. By the time that the law goes into effect, the data protection authorities in Europe will be exercising their enforcement power from the General Data Protection Regulation (GDPR) to sanction companies up to 4% of global annual revenue. All eyes will then be on the California Attorney General to see if they follow suit and enforce the new law strongly.

The law also creates a new private right of action for consumers to sue businesses for unauthorized disclosures of their personal information as a result of the failure to exercise reasonable security practices. It will give consumers the ability to bring class action lawsuits seeking statutory damages of up to $750 per incident per person or actual damages for data breaches against companies.

When do businesses need to be ready? The law has an effective date of January 1, 2020 and Attorney General enforcement is currently scheduled to go into effect on or before July 1, 2020. Learn more about the CCPA compliance dates.

Clarip provides privacy software and consulting services to assist companies in their CCPA compliance efforts. Call 1-888-252-5653 or contact us online to schedule a software demo or discuss the specific needs of your organization.

Don’t delay. Many businesses are still working through their GDPR compliance initiatives because they did not move quickly enough during the two year delay in enforcement. The window for compliance with the California privacy law is shorter – companies should begin preparing immediately for the new law. And the law’s 12-month lookback period has already begun.

This is not the only privacy law that applies to businesses operating in California. Be sure to review the other California privacy laws as CCPA does not replace Shine the Light or CalOPPA.

 

 
Importance of the Law for Consumers

The California Consumer Privacy Act offers consumers the right to opt out of the sale of their personal information, the right to access their personal information, and the right to delete their personal information. Although it doesn’t apply to at least some small businesses (an area of dispute between supporters and opponents), one estimate so far suggests that more than 500,000 businesses in the United States will need to provide these rights to California consumers.

The law has had an important effect on driving the conversation about privacy laws in the United States. There have been calls for other states to act to follow California and protect the rights of their residents’ personal information in light of the unprecedented data collection that is happening online. And business leaders are calling on Congress to adopt comprehensive privacy legislation in order to avoid the possibility of 50 different data privacy regulations applying to online businesses and technology companies.

The new California privacy law may also drive changes in protections for citizens in other states if companies decide that it is too difficult to implement different systems across multiple geographies. Companies may decide that it is easier to provide the right to opt out and the data subject access rights to everyone.

 

 
Impact of Possible Federal Privacy Regulations

Congress seems likely to create a comprehensive nationwide privacy law applying to online and technology businesses in the next few years. The White House has been meeting with business stakeholders to solicit ideas for a proposal on privacy. However, there is much work to be done going forward and there is a decent possibility that Congress ultimately is unable to find a consensus around a single bill and take action.

The likely impact on state laws of White House and Congressional efforts on privacy is currently unknown. Some bills leave state legislation on privacy and data security mostly untouched. Others expressly preempt them according to the text of the legislation. Even if the bill does not explicitly provide for preemption, the judiciary may nevertheless decide to interpret them as having preclusive effect.

We will have to wait and see what impact the emerging law will have on state laws like the California Consumer Privacy Act. Businesses and business groups have already started lobbying the United States Congress and White House to enact a federal privacy law that preempts state regulations on data privacy and/or security.

 

 
History of the CCPA

A California real estate developer spent more than $3 million promoting the new data privacy law in California. Because California allows laws to be adopted by the voters in addition to the legislature, the related organization Californians for Consumer Privacy got more than 600,000 signatures to put a proposed privacy law on the November 2018 ballot.

Before the privacy initiative went on the ballot, Californians for Consumer Privacy struck a deal with the CA legislature to withdraw it in exchange for the passage of a substantially similar law. The California Consumer Privacy Act was passed unanimously by the legislature and signed by the California Governor at the end of June 2018. The bill was rushed through because of the deadline to withdraw the ballot initiative from the November 2018 vote.

Some changes are expected before its effective date in 2020 and the Attorney General must issue regulations on the law after public input. Many expect businesses to use this time to lobby the legislature to weaken the bill. However, the implementation period is still six months shorter than the European Union’s two year implementation for the GDPR.

Various states have proposed bills to consider passing versions of the CCPA. We are tracking those other states efforts and you can find the latest on the Clarip Privacy Blog.

 

 
CCPA Amendments

The first amendment to the California Consumer Privacy Act was passed by the California legislature in late August and signed by California Governor Jerry Brown in September 2018. It was called SB 1121 and billed as only for “technical corrections”. Since it passed, there have been additional calls for amendments both by the bill’s supporters, consumer organizations, and business organizations.

There were over a dozen bills proposed to amend, extend or reference the CCPA during the 2018-19 legislative session. On December 3, 2018, California Assembly Member Ed Chau introduced AB-25 into the California Legislature, supported by coauthors Senators Bill Dodd and Bob Hertzberg. AB 25 was initially a short bill serving as a placeholder to beat the February 22, 2019 deadline for the introduction of new legislation, and declaring the intent of the California Legislature to enact legislation relating to the California Consumer Privacy Act of 2018. It has since been modified to exclude employees from the definition of consumer in the CCPA. Additionally, Republicans in the California legislature have announced a #YourDataYourWay policy package on Data Privacy Day in January which could ultimately extend some of the CCPA rights.

Another amendment that seems to have some support within the California legislature involves removing part of the application of the CCPA from loyalty programs.

We are attempting to maintain the current version of the CCPA text. The latest version followed the SB-1121 amendments. If other amendments are passed, we will update that link.

 

 
Privacy Rights Offered by the CCPA

Right to Opt Out: Consumers will be able to opt out of the sale of their personal information by businesses. The law requires a covered business to post a link titled Do Not Sell My Personal Information on their home page and their privacy policy (with some minor exceptions). This right will probably need to be interpreted broadly by businesses because the definition of sale includes almost any sharing for value (except for sharing to service providers that meet that particular exception).

Right to Opt In: Businesses must have opt-in consent for children under 16 years old to sell their personal information. Under 13 years of age, businesses must obtain opt-in consent from their parent or guardian. We expect that businesses will need to ask consumers their age in order to comply with this section of the law.  The CCPA imposes an actual knowledge requirement in order for there to be a violation, but a business that willfully disregards the consumer’s age is deemed by the law to have actual knowledge.

Right to Access: Consumers will have the right to request their personal information and businesses will need to disclose the categories and specific pieces of personal information the business has collected. The law defines personal information to include identifiers such as name or email address, internet activity such as browsing history, geolocation data, biometric information, personal property or purchasing records, employment-related information, protected classification characteristics, education information, audio or similar information, as well as inferences drawn from the protected information. The law also provides for certain information to be provided in a portable format.

Right to Delete: Consumers can request the deletion of their personal information and businesses must do so unless it is included within one of the nine exemptions. The exceptions are specified but generally include data necessary for completing transactions, security, correcting errors, exercising free speech, CalECPA and other legal compliance, research in the public interest, and certain expected or other qualifying internal uses. We have currently examined several of the exception from the right to delete personal information. These include the research exception, the legal obligations exceptions and the internal use exceptions.

 

 
Who is covered by the law?

The law applies to businesses that are doing business in California and either have gross revenue of $25 million or more, sell or share information on 50,000 California residents or devices or households, or get 50% or more of their annual revenue from selling personal info.

Similar to GDPR coverage of organizations located outside of the borders of the European Union, the law also covers non-CA businesses that are operating in California via extraterritoriality.

 

 
CCPA Exemptions and Possible Exemptions

HIPAA – The CCPA contains a broad exclusion for certain medical information protected pursuant to federal laws.

GLBA – Some information covered by the Gramm-Leach-Bliley Act has been removed from many of the CCPA requirements.

Employees – It appears that employee data currently falls within the definition of consumer personal information although there is a proposed amendment AB-25 to remove it from the scope of the CCPA.

Small Business – The thresholds for a covered business exclude some small businesses, although it has been argued that the thresholds will apply to many small businesses so the precise line of coverage may be less than clear.

Nonprofits – The definition of business covers for-profit organizations, which would limit the applicability of the CCPA to a nonprofit organization to at least some extent.

There are also a few other exemptions that we have not covered here yet. Please do not take the above as a comprehensive list.

 

 
Key Definitions in the CCPA

Business – The business definition determines whether the CCPA covers an organization.

Consumer – The consumer definition determines whether an individual is protected by the CCPA.

Personal Information – The personal information definition helps to determine what data is covered by the CCPA.

Sale – The definition of sale is important both to the definition of a business as well as the opt-out for the sale of personal information.

Household – The household definition plays an important role in responding to data subject access rights.

Business or Commercial Purpose – The business purpose and commercial purpose definitions

Deidentified and Aggregate Information – The definition of deidentified information and aggregate consumer information is important to determine whether data falls outside the definition of personal information.

 

 
Employee Data

There has been some discussion about whether businesses with California employees will need to offer them the rights provided for by the CCPA. A pending bill in the California state Assembly, AB-25, would if passed exclude employees from the definition of consumer.

 

 
Overlap with GDPR

Many organizations operating in the European Union or acting as processors for companies operating in the EU are surely wondering to what extent their preparations for the world’s leading data privacy and security law, GDPR, cover them for California. The answer is that some of the preparations will overlap. The right to access and delete information generally overlap. However, the right to delete provides an example of how even in this area there are differences. California, for example, has nine clear exemptions that businesses can rely on which differ from the rules of GDPR.

For additional information about the rights provided for in the CCPA and GDPR, please see our comparison of the California Consumer Privacy Act and GDPR. We have also put together a special version of the analysis solely for DSARs comparing GDPR and CCPA.

 

 
What else do businesses need to know?

Privacy policies, many of which were just rewritten or otherwise modified ahead of GDPR’s May deadline, will need to be updated again. We have created an overview of the necessary privacy policy changes as well as additional information about the required Do Not Sell My Personal Information link. There is a 12 month lookback period for certain information required to be provided to consumers.

An important aspect for compliance with the law will be the ability of businesses to ensure that the request for access or deletion is valid. Businesses will need to follow specific procedures for how to verify requests from consumers. If they do not, they risk leaking consumer’s personal information.

There is a training requirement for certain individuals that may be execute requests under the individual rights questions or may be asked questions by consumers about the company’s procedures.

The law generally prohibits companies from discriminating against users that exercise their rights under the California Consumer Privacy Act. However, the financial incentives clause provides an exception to the non-discrimination requirement. If businesses find that many consumers are exercising the right to opt out, this could become an extremely important aspect of the law for businesses.

The exemption for service providers will be another important exception to the right to opt out. The law allows a business to continue sharing personal information with third parties following the exercise of the right to opt out provided that the terms of the exception are met.

Because the law generally applies only to personal information, many businesses will respond to the law by turning their personal information into deidentified and aggregate information. Businesses that engage in such data minimization in the hope of avoiding the breadth of the law need to be careful to meet the law’s requirements.

Businesses are also going to look closely at several hot areas for data collection and usage as a result of the CCPA. This includes biometric information which is used for, among other things, facial recognition.

We will continue to expand this section as we explore the new law, as changes are made by the California legislature, and as the California Attorney General engages in its rulemaking process by soliciting input, holding public discussions and issuing final regulations on the implementation of the law according to its own mandates and the specific authorizations contained in the law.

 

 
Attorney General Rulemaking Process

The Attorney General has offered seven dates for public forums to allow comment on the California Consumer Privacy Act. The purpose of these meetings has been to allow the public a chance to comment on the CCPA regulations that need to be developed and issued by the California AG. The Attorney General is focused on seven areas identified in the law (according to its presentation at the public forums), although it has broad authority to issue regulations on the CCPA despite the fact that it is not normally a rulemaking body. In addition to the public comments, the Attorney General’s Office is also accepting written comments submitted by March 8, 2019.

The Attorney General’s Office has also provided an outline of the process. Based on the timing of the process and when the first draft of the proposed regulations are released, it makes it unlikely that enforcement of the CCPA will begin on January 1, 2020. It will likely be April or May at the earliest when enforcement could begin (six months after the final rules are published)..

 

 
Clarip Products for California Consumer Privacy Act Compliance

CCPA Webinars: We are creating a series of educational webinars about the new privacy law to help prepare businesses and privacy professionals for the upcoming changes. Each webinar will be designed to give compliance officers, privacy professionals and business owners actionable information about the law and how to comply. Stay tuned for additional information including a list of topics and the associated dates. Our first webinars are scheduled for mid-August and will provide a quick overview of the law as well as information about the necessary changes to privacy policies and how software can help jump start compliance efforts. Don’t have time for a webinar? Take a look at our CCPA compliance guide and checklist.

CCPA Software: We are modifying our software to enable compliance with the new California law. Whether you need consent management for the right to opt out or a DSAR portal for the right to access and delete personal information, Clarip can help you automate expensive manual tasks with our software. Our data risk intelligence scanner will help businesses identify their third-party service providers and data recipients to enable them to monitor and comply with the law. We are already a leading provider of GDPR solutions helping a number of Fortune 500 clients solve their data privacy problems.

Consulting Services: Clarip provides consulting to businesses looking to improve their privacy protections. Led by Clarip founder Andy Sambandam’s extensive experience in consulting at Deloitte and EPAM, Clarip assists clients in the performance of privacy assessments and audits, identifies weaknesses in compliance efforts, leads efforts to implement software systems and other actions typically provided by consultants to add value to an organization with the need for minimal internal resources. If you are experiencing internal problems with either IT or business processes around data privacy, the Clarip consulting team can assist you in eliminating them. Ask us about performing a CCPA Assessment as you get ready for the new privacy law!

 

 
Clarip Privacy Blog Posts Related to the California Consumer Privacy Act:

Four CCPA Amendments Scheduled for Tuesday Senate Judiciary Hearing
The California Senate Judiciary Committee has scheduled four of the California Consumer Privacy Act (CCPA) Amendments for the public hearing next Tuesday, July 9th. The hearing is scheduled to begin at 9:30 AM Pacific and continue/restart later in the afternoon at 1:30 PM. There are currently almost 50 bills scheduled to be heard in the committee hearing that day.

Changes to AB-25 Before Judiciary Committee Schedules CCPA Amendment Hearing
AB-25, the proposed CCPA amendment to exclude employee data, has seen a few changes as it awaits a hearing in the California State Senate Judiciary Committee. The changes include moving the employee exclusion from the definition of consumer in Section 1798.140 to Section 1798.145. The latest version would also allow a business to require a consumer to submit their data subject access rights request through an account if the consumer has one.

AB-25, AB-846 and AB-1416 CCPA Amendments Passed by California Assembly
Three more CCPA amendments were passed by the California State Assembly this week as it reaches the legislative deadline for passing bills in the house of origin today. The approved amendments:
AB-25 – Passed on May 29th by a vote of 77-0-3.
AB-846 – Passed on May 28th by a vote of 69-4-7.
AB-1416 – Passed on May 29th by a vote of 47-17-16.

Four More CCPA Amendment Assembly Floor Votes Last Week!
The California State Assembly passed three California Consumer Privacy Act (CCPA) amendments last week in floor votes, plus another privacy bill that will regulate the opening of social media accounts by children. The privacy bills that passed were AB-873, AB-981, AB-1138 and AB-1146.

CCPA Amendment Update: May 2019
The California legislature is wrapping up the first phase of the California Consumer Privacy Act (CCPA) amendment process. Today is the last day for a fiscal committee of the California state legislature to hear and report to the floor bills introduced in their house. The next two weeks are reserved for floor votes as the deadline for bills to pass out of the house of origin is May 31st.

California Assembly Approves CCPA Amendments AB-874, AB-1355 and AB-1564
The California Assembly has unanimously approved three amendments to the California Consumer Privacy Act (CCPA) in the last week: AB-874 (personal information definition), AB-1355 (technical amendments), and AB-1564 (toll-free number alternative). The three bills will now be considered by the California Senate.

Three More CCPA Amendments Unanimously Approved by CA Assembly Appropriations Committee
Three more amendments of the California Consumer Privacy Act (CCPA) are headed towards a floor vote in the California Assembly after they were unanimously approved by the Appropriations Committee this week. The amendment are AB 846 (loyalty programs), AB 1146 (auto recalls) and AB 1564 (toll free phone number alternative).

Next Stop for CCPA Amendments AB-25 and AB-874 is an Assembly Floor Vote
The first wave of California Consumer Privacy Act (CCPA) amendments moved on to their respective Appropriations Committee hearings this week on Monday and Wednesday. The three bills were SB-561, AB-25 and AB-874. Two of the three bills made it out of the fiscal committees on consent and await a floor vote – AB-25 and AB-874.

Highlights of the CA Privacy Committee Hearing Yesterday on CCPA Amendments
It was a busy day on the California Consumer Privacy Act (CCPA) yesterday as the California Assembly Privacy and Consumer Protection Committee was scheduled to hear ten CCPA amendments and the Senate Judiciary Committee was scheduled to hear another one. Eight privacy bills were sent to the Assembly Appropriations Committee during the public hearing: AB-25, AB-846, AB-873, AB-874, AB-981, AB-1138, AB-1146 and AB-1564.

How to Prepare for CCPA Compliance Given the Uncertain Amendments and Regulations
How can businesses prepare for the CCPA amidst this uncertainty? Fortunately, there are a number of activities that covered business can undertake in order to prepare for the law that are unlikely to become a misguided effort.

CCPA Amendments to be Heard in April 23rd California Assembly Privacy Committee Hearing
The California Assembly Privacy and Consumer Protection Committee will meet Tuesday with ten proposed bills to amend the California Consumer Privacy Act (CCPA) on the agenda. The proposed bills range from technical corrections to correct and clarify items not handled in SB 1121 as well as broad, sweeping changes such as AB 1760 (previously known as the Privacy for All Act of 2019).

Senate Judiciary Committee Recommends SB 561, the Expanded CCPA Private Right of Action
Senator Jackson, the chair of the Senate Judiciary Committee, introduced SB 561 to the Committee yesterday in a public hearing. The measure was given a do pass recommendation by the Senate Judiciary Committee and was referred to the Appropriations Committee.

Latest on the Proposed CCPA Amendments
The proposed bill (SB561) to amend the California Consumer Privacy Act (CCPA) to extend the private right of action, eliminate the 30 day cure provision, and rework the section requiring Attorney General guidance for businesses is on the agenda for today’s Senate Judiciary Committee hearing in the California legislature.

AB-25 Proposes CCPA Amendment to Exclude Employees from New Privacy Law
AB-25, a bill in the California State Assembly, has been amended to exclude employees, contractors and agents from the definition of consumer in the California Consumer Privacy Act (CCPA). The bill has been referred to the Assembly’s Committee on Privacy and Consumer Protection for consideration.

CCPA Regulation Recommendations by EFF to CA Attorney General
The Electronic Frontier Foundation has published the comments it submitted to the California Attorney General as part of the California Consumer Privacy Act rulemaking process. The request for regulations centered around verifying consumer requests and the methods for opt-out requests under the Do Not Sell My Personal Information requirement.

Highlights of CCPA Rulemaking Comments by IAB and ANA
The deadline for comments to the California Attorney General as part of the rulemaking period for the California Consumer Privacy Act (CCPA) has passed and organizations have released some of their comments. Among them is the Interactive Advertising Bureau (IAB), which asked for clarification or rules in 17 different areas. Additionally, the Association of National Advertisers (ANA) identified nine priority issues and eleven key additional issues for the Attorney General to address. There is some overlap between the two.

CCPA Amendment & Consumer Privacy Bills in California legislature in Feb. 2019
After reading yesterday that there are more than a dozen bills in the California legislature that could amend the California Consumer Privacy Act (CCPA), we set out to track them down all of the potential CCPA amendments. There has already been one amendment and based on the statement of Assembly Member Ed Chau at the hearing of the Assembly Privacy and Consumer Protection Committee it seems likely there will be at least one more.

California AG Supports Proposed CCPA Amendments in SB 561
California State Senator Hannah-Beth Jackson announced SB561, a bill to amend the California Consumer Privacy Act (CCPA). The SB 561 amendments would extend the private right of action, eliminate the 30 day cure provision and revise the section allowing businesses to seek guidance from the California Attorney General. The changes are supported by California Attorney General Xavier Becerra.

CA Dems Defend CCPA Against Preemption; California Holds CCPA Hearing on Changes
Politico reported this week that there is an obstacle in Congress to efforts to preempt the California Consumer Privacy Act – House Democrats from California. They appear ready to defend the CCPA against federal preemption and given Democrat control of the U.S. House of Representatives, could play a substantial role in the creation of a new federal privacy law.

California GOP Defend CCPA Against Federal Preemption
Four Republican Assembly members from California sent a letter to the leaders of the US Senate Commerce Committee and US House Energy & Commerce Committee yesterday defending the California Consumer Privacy Act and urging Congress to reject calls for preemption of state privacy laws. The letter comes ahead of the Senate Commerce Committee’s hearing on Policy Principles for a Federal Data Privacy Framework next Wednesday. The House Energy Committee’s Consumer Protection and Commerce Subcommittee will also meet next week (Tuesday) on Protecting Consumer Privacy in the Era of Big Data.

State “CCPA” Privacy Bills in Rhode Island, Hawaii and New Jersey
We have already covered a number of privacy laws being considered across the country by states (New Mexico, Washington, Massachusetts, New York and North Dakota) following the passage of the California Consumer Privacy Act. We have recently learned of privacy bills in Rhode Island, Hawaii and New Jersey that we have yet to cover. Here is a brief description of each for those that are keeping track with us.

Massachusetts Considering CCPA-like Privacy Law – SD341
Massachusetts is the latest state to consider copying the California Consumer Privacy Act (CCPA). MA Senator and Democrat Cynthia Stone Creeme proposed SD341, An Act Relative to Consumer Data Privacy. The privacy bill has three cosponsors in addition to the Senator. If adopted, SD 341 would permit consumers to request a business provide a copy of their personal information, request deletion of their personal information, and opt out of certain third-party disclosures ….

Advertising & Marketing Groups Send AG Letter Seeking Flexibility on CCPA
The nation’s leading advertising and marketing trade associations have sent a letter to the California Attorney General expressing their concerns about aspects of the California Consumer Privacy Act (CCPA) along with the need for regulatory or legislative solutions. The organizations have asked the Attorney General to clarify that businesses need not just provide an all-or-nothing option for the rights specified by the law. The letter also asks for the clarification of Section 1798.110(c) to indicate that no individualized privacy policies need to be created for each consumer. They further seek a mechanism related to Section 1798.115(d), involving the prohibition on the sale of personal information not received from the consumer ….

More Technical Amendments Suggested for CCPA
Californians for Consumer Privacy and Common Sense Kids Action sent a letter in mid-January to Assemblymember Ed Chau and Senators Robert M. Hertzberg and Bill Dodd suggesting additional technical amendments to the CCPA. The letter explains the reasoning behind five changes to the law (passed in June 2018 as AB 375 and amended a few months later by SB 1121). It also makes a few other changes that are labeled self-evident typographical errors or omissions or cross-reference corrections ….

No CCPA Enforcement on January 1, 2020 according to AG Regulatory Timeline
In case there was any doubt, a timeline posted online recently by the California Attorney General makes it unlikely that enforcement of the California Consumer Privacy Act (CCPA) will start on January 1, 2020. Instead, businesses can expect that they will have at least a four month grace period and more likely five or six months before the CaAG begins CCPA enforcement ….

Debate Over CCPA Amendment Heats Up as Business Preparations Ramp Up
The debate over the California Consumer Privacy Act (CCPA) is heating up now that the California legislature is back in session, the Attorney General has completed two of the six public discussion forums, and the federal government is still mired in the shutdown debate. Meanwhile, we are seeing businesses preparing in earnest as the lookback period has begun and there is less than a year before the effective date of January 1, 2020. On Thursday, 41 California privacy lawyers, professionals and professors urged the California legislature to make major changes to California’s new privacy law ….

California AG Holds First Public Forum for CCPA Rulemaking in San Francisco
On Tuesday January 8, 2019, the California Attorney General (in conjunction with its parent organization the California Department of Justice) completed the first of six public forums on the California Consumer Privacy Act (CCPA) that will happen in California in January and February. The forum offered speakers in San Francisco five minutes to comment on aspects of the CCPA, California’s new privacy law. There were over 100 people in attendance as photographs of the event showed a packed room (over 150 according to one report). Government representatives explained the purpose of the hearing and asked for comments on the areas identified by the CCPA for the development of AG regulations. Comments were received from 14 people and the hearing ended after about an hour when no further public comments were offered ….

New Mexico Privacy Bill Copies CCPA – Consumer Information Privacy Act Introduced in NM Legislature
A new privacy bill has been introduced into the New Mexico legislature by State Senator Michael Padilla (D) called the Consumer Information Privacy Act. SB 176 copies in large part the privacy protections and obligations of the California Consumer Privacy Act (CCPA) ….

CCPA Rulemaking Public Forums Announced by California Attorney General
The California Department of Justice has announced six public forums on the California Consumer Privacy Act (CCPA) to be held by the California Attorney General as part of the rulemaking process. The public hearings will start on January 8, 2019 in San Francisco and end in Fresno on February 13, 2019. There will also be public forums held in San Diego, Inland Empire/Riverside, Los Angeles and Sacramento ….

CCPA Compliance Note: The Lookback Period Starts on January 1, 2019
CCPA compliance will bring a range of privacy challenges for companies in 2019 whether they have already prepared for GDPR or not. Now that the calendar has turned to December, there is only a month until the lookback period for the CCPA starts and it is time to begin getting ready. What is the Lookback Period? One important aspect to keep in mind with the California privacy law is that the law has a 12 month lookback period for the information that needs to be provided to consumers ….

A Sale for Valuable Consideration Under California’s CCPA Defined
One of the areas where there is likely to be further guidance for businesses is the definition of a sale of personal information. Sale is defined by Section 1798.140(t) broadly to include releasing, disclosing, disseminating, making available, transferring or otherwise communicating to another business or third party for valuable consideration. This broad scope is in addition to the classic interpretation which includes selling to a third party for money, which also falls within the statutory definition of “sell,” “selling,” “sale,” or “sold”. However, the broad scope creates challenges for businesses that may transfer personal information between two entities without selling it in the classic sense of the word ….

Consumer Organizations Defend California Consumer Privacy Act (CCPA) in Letter to Legislators
The Electronic Frontier Foundation and fourteen other organizations wrote a letter to California’s legislators urging them to defend and improve the California Consumer Privacy Act (CCPA) this year. In addition to the EFF, the December 3rd letter is signed by ACLU of California, California Public Interest Research Group, Common Sense Kids Action, Consumer Attorneys of California, and Consumer Reports, among others. The letter asks the California legislators to: – Address internal misuse of data ….

California AG Tells Congress Not to Preempt California Privacy Law
California Attorney General Xavier Becerra told Reuters in an interview yesterday that the U.S. Congress should not preempt the California Consumer Privacy Act (CCPA), according to an article the news organization published. The CCPA provides the California Attorney General with rulemaking authority over the new California privacy law, which is slated to go into effect on January 1, 2020 ….

CCPA Privacy Lawsuits Implicated in United States Challenge to Injury Standing in Frank v. Gaos
The Supreme Court will hear from the Solicitor General of the United States in the challenge to the settlement of a privacy lawsuit against Google at the end of October. In its amicus curiae brief supporting neither party, the United States questioned whether the plaintiffs articulated a sufficient injury to support Article III standing. If it is decided that the Article III standard has not been met, the case could have important ramifications on the right to a cause of action provided in the California Consumer Privacy Act (CCPA) ….

PWC Survey on CCPA: Enterprise Compliance Expected at 52% by January 1, 2020
PwC has released a survey of business executives on compliance with the California Consumer Privacy Act. It is the first of what we expect to be many updates from the business community over the next few years about the state of their preparations for privacy laws. The survey questioned more than 300 executives at US companies with revenues of $500 million or more. It is clear from the survey that organizations are taking the new California privacy law seriously. 86% of survey respondents rank CCPA compliance as one of their top business priorities ….

State AGs Defend Privacy Laws Against Federal Preemption
The Attorneys General of 28 states and the District of Columbia defended a state role in consumer protection on privacy in a letter to the Federal Trade Commission at the end of August as part of the public hearing process on competition and consumer protection in the 21st century ….

California Adopts SB-1121 Amendments to Consumer Privacy Act
On Friday, the California legislature delayed enforcement of the California Consumer Privacy Act by six months and made various other technical corrections when it adopted SB-1121 before closing out its 2018 legislative session. The legislature also allocated $700,000 in the California budget on Thursday for the Attorney General to begin preparing for the new privacy law ….

California AG Objects to 5 Sections of CCPA Privacy Law
California Attorney General Xavier Becerra sent a letter last week to the co-sponsors of the California Consumer Privacy Act objecting to five sections of the new privacy law. The letter has been posted online and we have summarized the objections below. They range from concerns about the law’s constitutionality to the increased enforcement cost for the state with the current limited private right of legislation ….

SB 1121 Won’t Make Substantive Changes to New California Privacy Law
… Senator Dodd’s spokesperson told the Sacramento Bee that there would be “no substantial changes” in SB 1121. Instead, any significant changes through the legislative process would be considered for 2019 after SB 1121 was passed ….

Will California’s Privacy Law Extend to the Rest of the Country?
If businesses voluntarily apply the California Consumer Privacy Act nationwide beginning in 2020, the implications for American privacy could be significant. California became the first state in the country last month to adopt sweeping changes to its privacy law following Europe’s adoption of the General Data Protection Regulation (GDPR) and the Cambridge Analytica scandal at Facebook. The law will no doubt have a significant effect on the operations of tech companies given that many of them are located in Silicon Valley or elsewhere in California. Even those companies outside of California are going to need to comply with the privacy law or face the loss of a significant consumer market. Many are expecting the California provisions to be adopted nationwide by large companies, such as Google and Facebook, rather than apply different standards in different states ….

Privacy Policy Changes Required by California Consumer Privacy Act
Expect businesses to update privacy policies again in 2019 and annually thereafter as part of compliance efforts for the California Consumer Privacy Act. The new CA privacy law requires businesses to change their privacy policy to describe consumer rights in California and provide a link to the opt-out form so consumers can request businesses stop selling their personal information ….

Big Day for California Privacy Law
The California legislature will deliver a sweeping privacy bill of rights for consumers to California Governor Jerry Brown today for signature. If Brown signs it today, the controversial ballot initiative on privacy will be pulled from the November ballot and the California people will get the nation’s first version of the privacy rights provided in GDPR ….

California to Pass New Privacy Law: CA Consumer Privacy Act
A major new consumer privacy law is coming to California as California Democrats and the leadership behind the California Consumer Privacy Act have a tentative agreement to avoid a November ballot initiative on privacy. If the California Legislature passes the agreed on privacy law and that bill is signed by California Governor Jerry Brown in the next week, the California Consumer Privacy Act will be withdrawn from the November ballot. The final ballot for November must be set on June 28th, necessitating the speedy passage of the new privacy law to avoid putting it up for a vote ….

California Consumer Privacy Act Expected on November Ballot
Privacy will get a big vote with the California Consumer Privacy Act of 2018 likely on the November 6, 2018 ballot in California. If California finds the signature requirement has been met, which seems likely, voters will have the ability to create the toughest data privacy legislation this November since Europe adopted GDPR. The California Consumer Privacy Act contains a number of measures to enhance data privacy and protection for people in California: – Businesses will need to tell consumers what categories of information they have collected on you, your devices and your children once a year, free of charge ….

 

 
For assistance with the California Consumer Privacy Act, call Clarip today at 1-888-252-5653 or contact us.