Recently, two questions have been asked repeatedly about California privacy law compliance.
- Should I wait for the CCPA Regulations to be final before doing any further work?
- Is it worth the additional effort now, considering a new California ballot initiative is going to change the law anyway?
No, you should not wait. Yes, it is worth the effort now. And, here’s why.
Wait til the regs are final?
The Attorney General’s office has just affirmed its intent to begin enforcement of the California Consumer Privacy Act Regulations on July 1, 2020. And, the AG just submitted its final proposed regulations under the CCPA to the California Office of Administrative Law (OAL). One can safely assume that there will be either no further changes, or that further changes will be minimal. This is not a reason to wait, particularly in light of the California AG’s stated intent to begin enforcement July 1.
Won’t the new privacy law change everything?
The new privacy law, the California Privacy Rights Act (“CPRA”), if it happens, will supplement the CCPA, not replace it entirely. For the most part, the CPRA would amend the CCPA by granting additional rights to California consumers and imposing additional obligations on businesses that buy, sell or share their personal information. It would not eliminate rights. And, it is likely that either the CPRA will pass as it is as a ballot proposition or, as with the CCPA, there could be a compromise law which imposes many of the same additional obligations. That would not eliminate rights either. So, your work now will not be wasted and would lighten the burden when the new requirements come.
A new law appears likely to happen because “Californians for Consumer Privacy,” the sponsor of the CPRA, announced that it has submitted well over 900,000 signatures to qualify for the November 2020 ballot. The number of signatures currently required is 623,212, meaning it is likely that there are a sufficient number of valid signatures. And, recent polling indicates that 88% of Californians would vote yes for the ballot measure.
Whether the new law will be the CPRA, or some compromise, is an open question. The CCPA was itself a compromise that arose out of the same Californians for Consumer Privacy group dropping a prior ballot initiative.
Among the additional rights and obligations in the proposed CPRA, the more significant ones that would affect your business’s compliance efforts are:
- Consumers are given the right to prohibit businesses from tracking their precise geolocation for most purposes, including advertising, to a location roughly equal to 250 acres or 1/3 of a mile. This means a business could not track which restaurant or store you frequent, or if you sleep with your partner in the same room.
- A new type of personal information, called “sensitive personal information” (SPI), is created for personal information such as health and financial information, racial or ethnic origin, sexual orientation and precise geolocation. A consumer would be given the right to limit the use or sale of sensitive personal information.
- Disclosure is required around automated decision-making and profiling, particularly as concerns employment, housing, credit and politics.
- Personal information may not be retained for longer than is reasonably necessary for the disclosed purpose given to the consumer.
- Consumers are given the right to correct inaccurate personal information.
- “Advertising and marketing,” “cross-context behavioral advertising” and “sharing” are now defined in ways that indicate that the disclosure of personal information related to behavioral advertising is subject to the right of a consumer to opt-out even if it is not a sale.
- “Consent” is defined strictly, so that acceptance of general or broad terms does not constitute consent and the use of a “dark pattern” or a user interface to subvert or impair user autonomy cannot be used to obtain consent.
There are several other significant changes proposed as well, such as the establishment of a California Privacy Protection Agency, further protection of children’s rights and preventing the weakening of the law except by a new referendum. Full details are found here.
As is evident from the above, your CCPA efforts today would not be in vain. If anything, the likely additional compliance burdens argue for the importance of getting ahead of the tsunami now.