CCPA update: Calif. attorney general comments, new amendments signed into law

In September, California Attorney General Xavier Becerra testified at the U.S. Senate Committee on Commerce, Science and Transportation hearing regarding the need for a U.S. privacy law. Although the context of the hearing was federal privacy legislation, his testimony included important insights into how his office may approach enforcement of the California Consumer Privacy Act and what privacy issues he is focused on going forward.

In addition, several bills with privacy implications were passed by the California Legislature but not all were signed into law by Gov. Gavin Newsom, D-Calif.

Enforcement

Similar to previous comments by Supervising Deputy Attorney General Stacey Schesser, Becerra confirmed in his written testimony that beginning on the CCPA’s July 1 enforcement date, his office “began issuing notices to cure to companies with non-compliant privacy policies or missing ‘Do Not Sell My Personal Information’ links.â€� He testified the Office of the Attorney General is “verifying that service provider contracts specify limitations on the use [of] personal informationâ€� and continues to review consumer complaints.   

Becerra also highlighted the OAG’s commitment to enforcing California’s privacy laws, pointing out the substantial judgments against Equifax (2019) and Uber (2018), and the September judgment against Glow. The OAG recently settled a case with Anthem regarding a 2014 data breach for $8.69 million. (California lists its privacy enforcement actions here.) While CCPA enforcement is only a few months old, these actions demonstrate the nature of the penalties the OAG may pursue for privacy law violations, including significant injunctive relief. For example, the judgments in the Uber and Glow matters include provisions requiring defendants to put in place an “information security program� and incorporate “privacy by design� principles into its products. The Anthem judgment mandates an information security program and specific information security requirements. 

While noting the OAG’s successful enforcement actions, the attorney general also recognized the limited resources of state enforcers. He testified that “trying to defend the privacy rights of 40 million people in California alone is a massive undertaking,� adding violators “know our scope and reach are limited to remedying larger and more consequential breaches of privacy.� He advocated for new laws to include a private right of action for consumers, stating such provisions “provide a critical adjunct to government enforcement, and enable consumers to assert their rights and seek appropriate remedies.� Becerra’s position isn’t surprising. He previously introduced Senate Bill 561 with State Sen. Hannah-Beth Jackson, D-19th District, in February 2019, which would have expanded the CCPA’s private right of action to include any violation of the law, but it was unsuccessful. It will be interesting to see whether he (or others) continue to pursue this issue.

Looking ahead, the pending California Privacy Rights Act ballot initiative also may impact enforcement. If it passes in November, it will create a new enforcement agency with funding of $5 million in the fiscal year 2020–21 and $10 million thereafter. While the provisions regarding the creation and funding of the California Privacy Protection Agency would go into effect immediately, most of the CPRA provisions won’t go into effect until Jan. 1, 2023. A timeline of the key dates for the CPRA is here.

Changes to the CCPA?       

In addition to recommending a private right of action, Becerra’s written testimony identified other measures to strengthen consumer privacy rights, including ways the CCPA “could go further.â€� These include:

  • More granularity in CCPA disclosures. He suggested making the CCPA disclosure requirements more specific. Instead of businesses being required to provide “categories of sources from which the personal information is collectedâ€� or “categories of third partiesâ€� to whom information is sold, he testified “[m]ore specific disclosures, including the names of businesses that were the source or recipient of the information, should be required so that consumers can know the extent to which their information has been shared, bartered, and sold.â€�
  • Data minimization. According to Becerra, “[t]here should be a duty imposed to use a consumer’s personal information in accordance with the purposes for which the consumer allowed its collection, and in the consumer’s interest, especially with the collection and storage of sensitive information, like precise geolocation.â€� While acknowledging the CCPA requires notice at collection, he commented “moving beyond a notice-and-consent framework to contemplate use limitations would make our privacy rights more robust and balanced.â€�
  • Right to correction. Becerra stated consumers should “have the ability to correct the personal information collected about them, so as to prevent the spreading of misinformation.â€� The CPRA includes this right in Section 1798.106. This provision requires businesses that collect personal information to disclose the consumer’s right to request correction of inaccurate information and to “use commercially reasonable effortsâ€� to correct such information.
  • Civil rights protections. Becerra noted the need for “clear lines on what is illegal data use from the context of civil rights protections.â€�

This testimony provides helpful insight into the OAG’s perspective on expanding privacy protections for California consumers.

Status of privacy-related bills

Alongside the potential changes envisioned by Becerra, California’s privacy law landscape continues to shift. Newsom recently signed two amendments to the CCPA into law, Assembly Bill 1281 and AB 713. AB 1281 extends the business-to-business and employee exemptions to the CCPA until Jan. 1, 2022. If the CPRA passes in November, it provides for these exemptions to be extended until Jan. 1, 2023, and AB 1281 does not become operative.

As DLA Piper explained in this piece for the IAPP’s Privacy Tracker, AB 713 exempts U.S. Health Insurance Portability and Accountability Act deidentified information, HIPAA business associates, and extends the exemption for research. It also adds other requirements related to deidentified and reidentified information. AB 713 went into effect immediately.

SB 980, the Genetic Information Privacy Act, would have established requirements for direct-to-consumer genetic testing companies related to the collection, processing or disclosure of genetic information. While SB 980 had strong support in the legislature, Newsom vetoed it.  In his letter sending the bill back to the Senate, Newsom explained “the broad language in this bill risks unintended consequences, as the ‘opt-in’ provisions of the bill could interfere with laboratories’ mandatory requirement to report COVID-19 test outcomes.â€� The governor did, however, voice his support for the “primary goalâ€� of the bill and directed the California Health and Human Services Agency and Department of Public Health “to work with the Legislature on a solution that achieves the privacy aims of the bill.â€� According to the California Legislative Information website, SB 980 is an active bill in the Senate, and “consideration of [the] Governor’s vetoâ€� is pending.

Newsom also vetoed AB 1138, which would have required social media websites and applications to obtain parental consent before allowing children under 13 to create an account. In his veto message, Newsom reasoned “[g]iven its overlap with federal law, this bill would not meaningfully expand protections for children.� 

The IAPP is tracking amendments to the CCPA and other privacy legislation here. 

Conclusion

We continue to monitor California’s dynamic privacy law landscape, including CCPA enforcement activity, the CPRA ballot initiative and the third set of proposed modifications to the CCPA regulations issued by the OAG on Oct.12. It promises to be a busy fall for privacy practitioners.

Photo by Elena Mozhvilo on Unsplash