Pandemic, economic freefall, and unfamiliar regulatory constraints are buffeting U.S. businesses, and California is poised to add even more privacy obligations.
In November of 2017, more than 629,000 California voters signed petitions to qualify a prototype of the California Consumer Privacy Act for the ballot. In response to the measure's qualification, California’s legislature enacted the California Consumer Privacy Act of 2018 (CCPA) into law. The CCPA went into effect on January 1, 2020, with enforcement set to begin on July 1, 2020.
Companies serving consumers in California are suffering. According to Bloomberg.com, more than 30 million Americans have filed for unemployment benefits since March 15, 2020, and its weekly confidence measure has declined substantially in 12 of the last 14 weeks – the single greatest decline in that span in more than three decades. In a letter to California’s Attorney General, a group of businesses and trade associations cited the COVID-19 crisis as having “encumbered businesses in their earnest efforts” to create CCPA compliant programs and requested a delay in enforcement.
The AG denied this request. Sarah Lovenheim, the California Attorney General’s spokesperson responded to the letter by saying “Right now, we’re committed to enforcing the law upon finalizing the rules or July 1, whichever comes first,” and stressing the importance of consumer privacy during this crisis. Since then, on June 1, the California Attorney General submitted the final set of proposed regulations to the California Office of Administrative Law, who normally (expanded for COVID-19) has thirty days to approve the regulations and file it with the Secretary of State. The AG requested that the regulations become effective immediately upon filing.
And now businesses may be subject to more severe regulations. On May 4, 2020, Californians for Consumer Privacy announced that “submitting well over 900,000 signatures to qualify the California Privacy Rights Act for the November 2020 ballot.” The same group that prompted California’s legislature to act two years ago.
The California Privacy Rights Act (Ballot Initiative or Privacy Initiative), as proposed by the Californians for Consumer Privacy, would make significant changes to the CCPA, provide consumers additional rights, and create new oversight of the law. Some of these changes include adding a new class of information, “sensitive personal information” which triggers additional rights and obligations, requiring additional disclosures, and providing consumers the right to correct inaccuracies about their personal information. The Ballot Initiative would also increase fines on violations of the CCPA’s opt-in to sale requirement for children’s data, and make amendments to the data breach provisions of the CCPA.
The Privacy Initiative creates a new category for “sensitive personal information,” which is defined in the proposal to include Social Security Number, driver’s license number, passport number, financial account information, precise geolocation, race, ethnicity, religion, union membership, personal communications, genetic data, biometric or health information, and information about sex life or sexual orientation. California consumers would have the right to prohibit the use of sensitive personal information for advertising or marketing.
The new Ballot Initiative creates new disclosure obligations for businesses and requires those businesses to strictly honor the representations made in their disclosures. New disclosure obligations under the initiative include the period of time for which they will retain personal information, the reasons for which they collect personal information, and the amount of personal information collected. Deviation from those representations would constitute a Ballot Initiative violation. In addition, a business must disclose when and how automated decision making is used for decisions that significantly affect a consumer’s life.
The CCPA grants minors who are under 16 years old the right not to have their personal information sold without their guardian’s opt-in to allow data collection. The Privacy Initiative would expand that opt-in ability to data shared, as well. Further, it would triple the fines for violation of this specific obligation.
The California Ballot Initiative also follows the European Union law on data protection and privacy, the GDPR, in a few significant ways, including providing consumers the right to correct and creating a separate oversight authority. Article 16 of the GDPR gives consumers the right to rectify inaccurate personal data. Similarly, the Ballot Initiative would give a consumer the right to request that a business that “maintains inaccurate personal Information about the consumer correct such inaccurate personal Information.”
The California Ballot Initiative would also follow the Europeans into creating an entirely new privacy-focused bureaucracy to which companies would need to answer. The EU built such a set of privacy regulators decades ago, and when GDPR went into effect, a major regulatory development was the Article 51 requirement that each EU Member State-designate an independent, public authority to be responsible for monitoring the application of GDPR. The CCPA is set to be enforced by the state Attorney General. The Privacy Initiative, however, would create the California Privacy Protection Agency, which would be responsible for enforcing and implementing consumer privacy laws and imposing administrative fines.
Business groups argue that the Ballot Initiative will add further burdens. The National Federation of Independent Business (NFIB), a small business association, wrote a letter to the Californians for Consumer Privacy on May 5, 2020, requesting the Privacy Initiative be withdrawn from consideration. Citing existing confusion involved with CCPA compliance, and the impact of compliance costs during a period of “hardship caused by the COVID-19 virus,” the NFIB stated that the Ballot Initiative would “impose additional burdens on employers and job seekers and harm the state economy at a time when we need to support the recovery.”
Despite business concerns directed at the Privacy Initiative, the California legislature is also moving to add business burdens to CCPA, not provide companies with relief. A California State Assembly bill, AB-3119, is working its way through the state legislature. The bill, if passed, would substitute the definition of a “sale” under the CCPA with the term “share” and replace the definition of “sale.” AB-3119 defines “share” to mean, subject to specified exceptions, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party and would define “sell” to mean sharing for monetary or other valuable consideration.
The bill would prohibit a business from collecting, sharing, retaining, or using a consumer's personal information if specified requirements are not met. The bill would create an assessment of whether collecting, sharing, retaining, or using a consumer’s personal information “is reasonably necessary to provide a service or conduct an activity that a consumer has requested.” In addition, AB 3119 would prohibit a business from sharing personal information without affirmative consent to the sharing of information. Entities would need to procure a consumer's opt-in consent separately from any other permission or consent.
As entities continue to navigate the economic crisis and the pandemic, compliance with California privacy laws may yet become more complicated. The Ballot Initiative and the legislative proposal, AB-3119, would create more obligations for businesses, grant more rights to consumers, and require changes in practice that were molded for the CCPA as it exists. While California’s privacy landscape awaits enforcement of the CCPA, the Privacy Initiative and state legislature propose shaking it up - again.