As companies get ready for the California Consumer Privacy Act’s (CCPA) effective date of January 1, 2020, compliance is complicated because there are still several moving variables:
- Draft regulations have been proposed but may not be final until after January 1, 2020.
- The recent amendments to CCPA include two important exceptions (business-to-business (B2B) and the “employee” exceptions) that sunset on December 31, 2020. It is anticipated that amendments to CCPA will be introduced in the California legislature during the 2020 session on these topics and others.
- A ballot initiative to amend CCPA may be presented directly to California voters. The proposed initiative had originally been filed with the California Attorney General on September 25, 2019, but an amended ballot initiative was received by the Attorney General on November 13, 2019. This version has some potential surprises for companies subject to CCPA.
Readers may recall that CCPA was swiftly enacted by the California legislature in 2018 in order to prevent a proposed ballot initiative covering privacy from being placed on the ballot. Some of the 2019 amendments to CCPA corrected some errors and clarified some provisions that resulted from CCPA’s rapid movement through the California legislature.
The proponents of the 2019 ballot initiative obtained the required number of signatures to have the initiative placed on the 2020 ballot. The original initiative contained many of the same changes to CCPA that were ultimately enacted by the legislature and signed by the Governor in October of 2019.
The November 13 version of the initiative still contains some provisions that were enacted by the CCPA amendments, but it also includes many other proposed changes to CCPA that could affect many companies.
Ballot Initiative – Amendments to Version 3
Highlights of the 51-page amended initiative include:
- There is still no private right of action.
- It would extend the B2B and “employee” exceptions through December 31, 2022 (proposed section 154(m) & (n)).
- Although the initiative would add many concepts from Europe’s General Data Protection Regulation (GDPR) (including provisions relating to new term “sensitive personal information”), it does not include the GDPR’s concept of “joint controller.” It does, however, include a provision for joint ventures or partnerships where each party controls at least a forty percent interest, as part of the revised definition of “Business” (proposed section 140(d)(3).
- The proposed new term “sensitive personal information” would be defined as follows in proposed section 140(ae):
“Sensitive personal information”: means: (1) personal information that reveals (A) a consumer’s social security, driver’s license, state identification card, or passport number; (B) a consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credential allowing access to an account; (C) a consumer’s precise geolocation; (D) a consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership; (E) the contents of a consumer’s mail, email and text messages, unless the business is the intended recipient of the communication; (F) a consumer’s genetic data; and (2)(A) the processing of biometric information for the purpose of uniquely identifying a consumer; (B) personal information collected and analyzed concerning a consumer’s health; or (C) personal information collected and analyzed concerning a consumer’s sex life or sexual orientation. Sensitive personal information is “publicly available” pursuant to paragraph (2) of subdivision (v) of Section 1798.140 shall not be considered sensitive personal information or personal information.
- The initiative would potentially extend the 12-month “look-back” period (proposed section 130(a)(2(B)). Depending upon new regulations, a consumer could request data from more than 12 months prior to the request, unless it was “impossible or would involve disproportionate effort” by the business. This change would affect information collected on or after January 1, 2022.
- The proposed initiative would also call for regulations relating to businesses “whose processing of consumers’ personal information presents significant risk to consumers’ privacy or security” to perform an annual risk assessment and submit that assessment to the new California Privacy Protection Agency.
- The proposed new term “share” would, subject to some exceptions, be defined as follows in proposed section 140(ah):
“Share,” “shared,” or “sharing” means sharing, renting, releasing, disclosing, disseminating, making available, transferring , or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged.
- The proposed initiative would also add two new consumer rights: the right to correct inaccurate personal information (proposed new section 106) and a new right to limit use and disclosure of “sensitive personal information” (proposed new section 121).
- “Do Not Sell My Personal Information” link would change under the proposed new initiative. It would become “Do Not Sell or Share My Personal Information” and there would be a second link “Limit the Use of My Sensitive Personal Information. In the alternative, pursuant to new regulations, a business could allow consumers to opt-out of sales or sharing and limit the use of sensitive personal information “through an opt-out preference signal sent with the consumer’s consent by a platform, technology, or machine.” (Proposed section 135(a) & (c)).
The proposed ballot initiative illustrates that privacy—and not only in California—will continue to be a topic of interest in 2020 and beyond.