Those hoping California lawmakers might delay or significantly narrow the scope of the California Consumer Privacy Act (“CCPA”) before it takes effect on January 1, 2020, were disappointed last week, when the legislature adjourned without making major changes to the state’s landmark privacy law. The legislature’s adjournment increases the urgency of efforts to enact privacy legislation at the federal level, where Congress is quickly running out of time to do something before the end of the year.
Given the broad scope of the CCPA (described in our client alerts here and here) and the federal proposals under discussion, the outcome of this sprint to the finish line matters to any organization that collects, uses, processes, stores, or shares personal information. If efforts at the federal level fall short, organizations need to be prepared to comply with the CCPA, including the technical amendments that passed in the recently concluded legislative session. K&L Gates can assist clients under either scenario. Our public policy team is actively engaged in the privacy debate at the federal level, and our privacy and data protection attorneys can help clients develop effective compliance strategies for the CCPA and other laws. This alert describes the current state of play in both areas and what clients can expect heading into year-end.
Federal Legislation: Never Say Never
The bipartisan enthusiasm for federal privacy legislation at the outset of the 116th Congress has gradually turned into a stalemate, with Republicans and Democrats deadlocked on the central questions of whether and to what extent a federal privacy law should preempt state laws like the CCPA. Republican lawmakers (and industry) view preemption as the sine qua non of the federal legislative effort, arguing that the whole point of a federal law is to avoid inconsistent state-by-state regulation. Democrats, however, and the powerful California delegation in particular, believe the CCPA should set the baseline for privacy at the national level and that states should retain authority to adopt laws and regulations that are more stringent than the federal standard. The two parties are also divided on questions related to enforcement, with some Democrats seeking to expand on the CCPA’s private right of action for individuals to bring suit over certain violations — which Republicans (and industry) oppose.
The distance between the parties on these issues has somewhat eclipsed their general agreement on most other aspects of potential privacy legislation. Both parties see a need for greater user control over personal information, enabled in part by greater disclosure of how organizations collect, use, process, share, and store such information. They also favor an expanded regulatory and enforcement role for the Federal Trade Commission (“FTC”), which has limited authority under current law. Perhaps most importantly, the parties are united in their deep concern about the tech industry generally and their growing skepticism (albeit for different reasons) about its role in American life. It is this dynamic as much as anything else that could prompt a compromise that leads the way to federal legislation this year.
In the Senate, the effort to develop bipartisan consensus legislation is being led by Commerce Committee Chairman Roger Wicker (R-MS) and Ranking Member Maria Cantwell (D-WA). Both senators are said to be actively engaged in good-faith negotiations. If successful, we expect a bill to be introduced later this month for consideration in an October markup. In parallel, a number of other senators have already introduced legislative proposals or have said they are working on draft bills. If the Wicker/Cantwell negotiations falter, it’s possible that one of these other efforts could emerge as the Senate’s leading position on privacy. Productive discussions are also reportedly taking place in the House. However, given that the legislative debate in the House has been more partisan to date, the Senate’s ability to advance consensus legislation will likely determine whether a federal privacy law moves forward this year.
Even if lawmakers fail to advance broad privacy legislation, there is still potential for action on discrete aspects of the privacy debate. In particular, there is bipartisan interest in enhancing privacy protections for children — including raising the age threshold for certain protections under the existing Children’s Online Privacy Protection Act (“COPPA”) from 13 to 16. Congressional discussions on COPPA dovetail with the FTC’s consideration of potential amendments to its implementing regulations for the law; the agency plans to hold a workshop on COPPA in October.
Meanwhile, in California . . .
As Congress debates federal legislation, policymakers in California are proceeding full speed ahead with preparations for implementation of the CCPA. Part of this effort has included consideration of a series of technical and substantive amendments to the law, which were the focus of a flurry of industry lobbying — mainly focused on exempting online ad tracking from the law’s consent requirements. Although that effort ultimately fell short, the legislature passed a series of other amendments summarized at the end of this alert. Notably, these amendments include a one-year delay in the CCPA’s application to certain employment and other business-related information, as detailed below.
In addition to statutory amendments, the California Attorney General (“AG”) is charged with promulgating implementing regulations for the CCPA no later than July 1, 2020. Although the law takes effect on January 1, the AG is barred from enforcing it until six months after publication of these regulations or July 1, 2020, whichever comes first. The AG is expected to release the proposed regulations for stakeholder review and comment this fall, providing another opportunity to address implementation-related issues.
The Bottom Line
For all the focus on the CCPA, it’s also worth remembering that it is only one potential problem spot when it comes to regulation of consumer privacy. A number of other states have or plan to advance similar laws — Nevada’s new privacy law takes effect on October 1, to cite just one example. And, of course, U.S. companies that collect personal information on Europeans must do so in compliance with the GDPR. These developments underscore the complexity of the current environment on privacy and the importance of careful monitoring and compliance analysis. Federal legislation could help streamline compliance obligations but remains far from the finish line. As the legislative and regulatory landscape continues to evolve, K&L Gates’ public policy and privacy/data protection teams can help clients make sense of new requirements and influence the direction of future changes.
2019 CCPA Amendments
The California legislature passed the following key amendments as part of AB-25, AB-874, AB-1146, AB-1355, and AB-1564, which now await action by the Governor:
- From January 1, 2020, through December 31, 2020, the CCPA will not apply to personal information collected by a business about a natural person in the course of that person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business to the extent that personal information is collected and used solely within the context of the person’s role or former role as any of the above. The personal information exempted under this Section 1798.145(h) includes emergency contact information and information used to administer benefits for another natural person relating to the initial individual.
- From January 1, 2020, through December 31, 2020, the CCPA will not apply to personal information reflecting a written or verbal communication or transaction between the business owner and consumer, where the consumer acts as an employee, owner, director, officer, or contractor of a company (including non-profits and government agencies), and whose communication or transaction with the business occurs solely within the context of the business conducting due diligence regarding receiving a product or service to or from such company. This time-limited exemption does not apply to a consumer’s opt-out or nondiscrimination rights (Sections 1798.120 and 1798.125 respectively).
- In a new addition to Section 1798.105(d)(1), a business is exempted from a consumer’s request to delete their personal information if retention of the personal information is necessary to fulfill the terms of a warranty or product recall under federal law.
- Under Section 1798.110(c)(5), amended language clarifies that a consumer has the right to request specific pieces of information that a business has collected about them (if any).
- Amendments to Section 1798.130(1)(A) exempt an online-only business that has a direct relationship with a consumer from whom it collects personal information from the requirement to provide a toll-free telephone number for consumers to submit requests. Instead, the business need only provide an e-mail address for submitting requests for information required to be disclosed.
- Also in Section 1798.130, subsection (2) was amended to allow businesses to require authentication of the consumer that is reasonable in light of the nature of the personal information requested. Additionally, where consumers maintain accounts with a business, the business may require consumers to submit requests through that account.
- In Section 1798.140, the definition of “personal information” was amended to mean information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. As an exemption from “personal information,” publicly available information was simplified to mean any information that is lawfully made available from federal, state, or local government records, without any regard to the purpose for which the data is maintained.
- The Fair Credit Reporting Act exemption under Section 1798.145(d) was clarified to provide that the CCPA does not apply to any activity involving the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency, by a furnisher of information who provides information for use in a consumer report, or by a user of a consumer report.
- Under Section 1798.145(g), a consumer’s right to opt-out from the sale of their information under Section 1798.120 will not apply to vehicle information or ownership information retained or shared between a new motor vehicle dealer and the vehicle’s manufacturer for the purpose of effectuating, or in anticipation of effectuating, a vehicle repair covered by warranty or recall. The dealer or manufacturer in receipt of such information is restricted from selling, sharing, or using that information for any other purpose.
- An amendment to Section 1798.145(l) clarifies that the CCPA, in addition to not requiring a business to re-identify or otherwise link information that would not be considered personal information, will not require a business to collect personal information that it would not otherwise collect in the ordinary course of its business or to retain personal information for longer than it would otherwise retain such information in the ordinary course of its business.
Additionally, the California legislature passed AB-1202, which addresses data brokers and subject matter tangentially related to the CCPA. Under this amendment, newly added Sections 1798.99.80 and 1798.99.82 require data brokers to register with and provide certain information to the AG, as well as to pay a registration fee. The AG also will be responsible for making a list of all data brokers available through a publicly available website. The California Governor will have until October 13, 2019, to sign or veto any bills passed by the legislature on or before September 13, 2019.
The CCPA generally applies to a for-profit entity that:
- collects consumers’ personal information directly or through a third party;
- alone or jointly determines the purposes and means of the processing of consumers’ personal information;
- does business in the State of California; and
- meets one of the following thresholds:
  - has annual gross revenues in excess of $25,000,000;
  - alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices; or
  - derives 50 percent or more of its annual revenues from selling consumers’ personal information.