It is less than 120 days until California’s ground-shifting new privacy regimen – the California Consumer Privacy Act (CCPA) – goes into effect. There is only a week left for the Legislature to pass the handful of amendment bills that still survive, and we should have the attorney general’s proposed regulations published for public comment within weeks. Furthermore, the digital advertising industry has decided on a way to address the CCPA and future laws that may give consumers the ability to opt out of data disclosures that are not necessary to provide core services to the consumer. Hopefully, many unanswered questions will be at least partially answered in the next two months. In the meantime, here are some previews.
Last Thursday night I co-hosted an event for Attorney General Xavier Becerra in Los Angeles. There was a lively conversation with the AG; these are some of the highlights:
- The AG’s office has been, as we know, consulting with stakeholders to help develop the regs. However, the AG reported that they have also consulted with EU data protection authorities to get the benefit of their experiences.
- The upcoming regulatory public comment period will be meaningful, and the AG is particularly interested in hearing about compliance challenges, inadvertent consequences and constructive suggestions for refinements. He encourages written comments with specific recommendations for edits or additional regulations.
- The AG is particularly concerned with the lack of meaningful transparency and choice for consumers regarding their personal information (PI) and will likely be concentrating on pre-collection notice and the breadth of opt-out, both in the regulations and in enforcement priorities.
- Previously an advocate against the right to cure, the AG expressed doubt that many types of violations could be capable of cure given that consumers’ rights would have been injured and the resulting damage already done. That said, he indicated that a good faith effort to interpret and comply would be met with a better response than outright noncompliance.
- While promising not to be in the “gotcha” business, and seeking to work with industry to develop sound approaches to interpretation of the title, the AG indicated that his office’s mandate is enforcement and consumer protection, and the first cases brought will be “must wins” so that examples can be made for industry, both as to the substantive issues involved and the risk of noncompliance.
Meanwhile, in Sacramento, there was little CCPA action until Friday, Sept. 6, when several pending bills were materially amended. The bills we previously reported as still live back in July remain in play and could be passed this week.
AB 874 was amended on the 4th and the 6th to bring in less-controversial elements of the stalled AB 873. AB 873 had sought to significantly modify the definition of “deidentified” to better match the existing Federal Trade Commission standard and make other revisions to the definition of what is or is not PI. Now, AB 874 maintains the existing definition of deidentified but clarifies that deidentified information and aggregate consumer information are not PI. It also now adopts AB 873’s proposal to add the word “reasonably” before “capable” as part of “capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household” in the definition of PI. The biggest change that AB 874 could bring, however, is to remove the government-purpose limitation of publicly available information to qualify such data for a carve-out of the definition of PI, which would preserve the right of companies to commercially use otherwise unrestricted data published by the government regardless of consumer opt-outs or deletion rights.
The other bills amended and moving forward that could be voted on this week are:
- AB 25: Delays application of consumer rights requests of current and former employees, applicants and independent contractors until Jan. 1, 2021, giving industry a second shot at reworking how human resource matters are dealt with under the title. As amended on the 6th, it would also clarify that a business need not collect PI it would not normally collect or retain PI it would not normally retain. Other additions in the most recent amendment include the ability to require that consumer requests be made through an account if the consumer has an account. However, it would still be impermissible to require account creation merely to make a request. Language was also added allowing a business to “require authentication in light of the nature of the personal information requested” before disclosing or delivering responsive PI. The bill also expands the provision regarding training personnel responsible for handling privacy inquiries to address additional provisions of the title previously omitted (as to copy and deletion requests), but still is silent as to training about the do-not-sell right. In addition, the definition of “verifiable consumer request” is expanded to apply not only to Sections 1798.110 and .115 (information rights) but also to .100 (copies of PI) and .105 (deletion of PI), but remains silent as to .120 (do not sell).
- AB 846: Clarifies that providing benefits to consumers who agree to provide PI in order to be in a loyalty program is not discriminatory, but preserves the right to opt out and prohibits the sale of PI collected through the loyalty program, provided, however, that on the 6th that restriction was loosened to permit the sale to third parties with express consent where the use is limited to providing a program incentive sale or discount.
- AB 1564: Provides flexibility in methods of exercising rights for purely online businesses – no toll-free number requirement.
- AB 1355: Clarifies that the standard for evaluating the value of PI to determine the reasonableness of financial incentive and differential pricing exemptions to the nondiscrimination requirements of Section 1798.125 is the value to the business, not to the consumer. As amended on the 6th, the bill also would revise the Fair Credit Reporting Act exemption and temporarily exempt, until Jan. 1, 2021, information reflecting a written or verbal communication between a business and a consumer within the context of the business conducting due diligence or providing or receiving a product or service.
- AB 1146 adds exemptions for certain vehicle information shared in connection with warranty repairs and recalls.
Interestingly, as part of the amendments on the 6th, AB 25, 1355 and 1564 were amended to reflect the changes in each to Section 1798.130, and AB 25, 1146 and 1355 were similarly amended to reflect each other’s proposed changes to Section 1798.145. While the changes to one are dependent on the others passing, this consolidation suggests that the bills may have support, and soon be voted on, as a group. All these bills are at a point that they could be voted on this week, before the legislative session closes on Friday the 13th. If they pass, they will become law if the governor does not veto them before Oct. 13.
There is impending news from the other coast as well. The digital advertising industry has decided on a policy and technical solution for honoring consumer do-not-sell requests as applied to the multiparty, downstream sharing of consumer behavioral data to effectuate interest-based advertising. Stay tuned. The details are still being finalized, and we will share them with you as soon as we can. Interestingly, while the digital advertising industry has addressed the do-not-sell issue head-on, many other cookie operators are waiting for the regs before deciding whether they are going to be a business, a service provider or a third party as defined by the CCPA – the third of which would, in most cases, necessitate applicability of do-not-sell requirements upon opt-out. Similarly, many of the rights management platforms are not developing a seamless integration between their do-not-sell modules and their cookie management modules. However, some have done so and others are working toward doing so. Check back for posts on cookies and the CCPA, and the available tools for managing them for compliance with what the CCPA may ultimately require.
Finally, just a reminder that Nevada’s do-not-sell law goes into effect Oct. 1, only weeks away. Details on that law, which is far narrower than the CCPA is, are available here.
For more information on any of these issues or to discuss your preparedness for these and other potential new privacy laws, contact the author at firstname.lastname@example.org. To see a countdown clock and find resources on how to prepare for the CCPA and Nevada’s SB 220, see our U.S. Consumer Privacy Resource Center.