In September, California Attorney General Xavier Becerra testified at the U.S. Senate Committee on Commerce, Science and Transportation hearing regarding the need for a U.S. privacy law. Although the context of the hearing was federal privacy legislation, his testimony included important insights into how his office may approach enforcement of the California Consumer Privacy Act and what privacy issues he is focused on going forward.
In addition, several bills with privacy implications were passed by the California Legislature but not all were signed into law by Gov. Gavin Newsom, D-Calif.
Similar to previous comments by Supervising Deputy Attorney General Stacey Schesser, Becerra confirmed in his written testimony that beginning on the CCPA’s July 1 enforcement date, his office “began issuing notices to cure to companies with non-compliant privacy policies or missing ‘Do Not Sell My Personal Information’ links.” He testified the Office of the Attorney General is “verifying that service provider contracts specify limitations on the use [of] personal information” and continues to review consumer complaints.
Becerra also highlighted the OAG’s commitment to enforcing California’s privacy laws, pointing out the substantial judgments against Equifax (2019) and Uber (2018), and the September judgment against Glow. The OAG recently settled a case with Anthem regarding a 2014 data breach for $8.69 million. (California lists its privacy enforcement actions here.) While CCPA enforcement is only a few months old, these actions demonstrate the nature of the penalties the OAG may pursue for privacy law violations, including significant injunctive relief. For example, the judgments in the Uber and Glow matters include provisions requiring defendants to put in place an “information security program” and incorporate “privacy by design” principles into their products. The Anthem judgment mandates an information security program and specific information security requirements.
While noting the OAG’s successful enforcement actions, the attorney general also recognized the limited resources of state enforcers. He testified that “trying to defend the privacy rights of 40 million people in California alone is a massive undertaking,” adding violators “know our scope and reach are limited to remedying larger and more consequential breaches of privacy.” He advocated for new laws to include a private right of action for consumers, stating such provisions “provide a critical adjunct to government enforcement, and enable consumers to assert their rights and seek appropriate remedies.” Becerra’s position isn’t surprising. He previously introduced Senate Bill 561 with State Sen. Hannah-Beth Jackson, D-19th District, in February 2019, which would have expanded the CCPA’s private right of action to include any violation of the law, but it was unsuccessful. It will be interesting to see whether he (or others) continue to pursue this issue.
Looking ahead, the pending California Privacy Rights Act ballot initiative also may impact enforcement. If it passes in November, it will create a new enforcement agency with funding of $5 million in the fiscal year 2020–21 and $10 million thereafter. While the provisions regarding the creation and funding of the California Privacy Protection Agency would go into effect immediately, most of the CPRA provisions won’t go into effect until Jan. 1, 2023. A timeline of the key dates for the CPRA is here.
Changes to the CCPA?
In addition to recommending a private right of action, Becerra’s written testimony identified other measures to strengthen consumer privacy rights, including ways the CCPA “could go further.” These include:
- More granularity in CCPA disclosures. He suggested making the CCPA disclosure requirements more specific. Instead of businesses being required to provide “categories of sources from which the personal information is collected” or “categories of third parties” to whom information is sold, he testified “[m]ore specific disclosures, including the names of businesses that were the source or recipient of the information, should be required so that consumers can know the extent to which their information has been shared, bartered, and sold.”
- Data minimization. According to Becerra, “[t]here should be a duty imposed to use a consumer’s personal information in accordance with the purposes for which the consumer allowed its collection, and in the consumer’s interest, especially with the collection and storage of sensitive information, like precise geolocation.” While acknowledging the CCPA requires notice at collection, he commented “moving beyond a notice-and-consent framework to contemplate use limitations would make our privacy rights more robust and balanced.”
- Right to correction. Becerra stated consumers should “have the ability to correct the personal information collected about them, so as to prevent the spreading of misinformation.” The CPRA includes this right in Section 1798.106. This provision requires businesses that collect personal information to disclose the consumer’s right to request correction of inaccurate information and to “use commercially reasonable efforts” to correct such information.
- Civil rights protections. Becerra noted the need for “clear lines on what is illegal data use from the context of civil rights protections.”
This testimony provides helpful insight into the OAG’s perspective on expanding privacy protections for California consumers.
Status of privacy-related bills
Alongside the potential changes envisioned by Becerra, California’s privacy law landscape continues to shift. Newsom recently signed two amendments to the CCPA into law, Assembly Bill 1281 and AB 713. AB 1281 extends the business-to-business and employee exemptions to the CCPA until Jan. 1, 2022. If the CPRA passes in November, it provides for these exemptions to be extended until Jan. 1, 2023, and AB 1281 does not become operative.
As DLA Piper explained in this piece for the IAPP’s Privacy Tracker, AB 713 exempts U.S. Health Insurance Portability and Accountability Act deidentified information and HIPAA business associates, and extends the exemption for research. It also adds other requirements related to deidentified and reidentified information. AB 713 went into effect immediately.
SB 980, the Genetic Information Privacy Act, would have established requirements for direct-to-consumer genetic testing companies related to the collection, processing or disclosure of genetic information. While SB 980 had strong support in the legislature, Newsom vetoed it. In his letter sending the bill back to the Senate, Newsom explained “the broad language in this bill risks unintended consequences, as the ‘opt-in’ provisions of the bill could interfere with laboratories’ mandatory requirement to report COVID-19 test outcomes.” The governor did, however, voice his support for the “primary goal” of the bill and directed the California Health and Human Services Agency and Department of Public Health “to work with the Legislature on a solution that achieves the privacy aims of the bill.” According to the California Legislative Information website, SB 980 is an active bill in the Senate, and “consideration of [the] Governor’s veto” is pending.
Newsom also vetoed AB 1138, which would have required social media websites and applications to obtain parental consent before allowing children under 13 to create an account. In his veto message, Newsom reasoned “[g]iven its overlap with federal law, this bill would not meaningfully expand protections for children.”
The IAPP is tracking amendments to the CCPA and other privacy legislation here.
We continue to monitor California’s dynamic privacy law landscape, including CCPA enforcement activity, the CPRA ballot initiative and the third set of proposed modifications to the CCPA regulations issued by the OAG on Oct. 12. It promises to be a busy fall for privacy practitioners.