The long-awaited enforcement date of July 1, 2020 for the California Consumer Privacy Act (“CCPA”) has finally arrived. However, the uncertainty that existed at the beginning of the year with respect to CCPA and its enforcement still exists. While the California Office of the Attorney General (“OAG”) has issued the final version of the implementing regulations (the “Regulations”), it is still unclear when the Regulations will actually become effective. And even when the dust settles on the CCPA and the Regulations, waiting in the wings is the California Privacy Rights and Enforcement Act (“CPRA”) ballot initiative, which, if passed by California voters in November, will add a number of requirements that were not included in the CCPA, while also formalizing certain exemptions. This Legal Update examines the status of the CCPA and the journey of the CPRA and notes what to expect next.
California Consumer Privacy Act
As those who have long followed the saga will know, the CCPA is a first-of-its-kind state statute that creates new privacy rights for California residents and regulates the use of their personal information (“PI”) by covered businesses, most notably by requiring notice of the collection, use, and sale of PI and creating consumer rights of deletion and to opt out of the sale of PI . The CCPA became effective on January 1, 2020, and became enforceable on July 1. However, even though the statute itself is now enforceable, the implementing Regulations still are not. While the OAG issued on June 2 the final text of the implementing Regulations (which have no changes from the prior version of the Regulations, which were issued on March 11), the Regulations do not become effective unless and until they are approved by the California Office of Administrative Law (“OAL”).
While some have argued the Regulations go beyond what the CCPA allows in certain areas, we assume OAL will approve the Regulations nonetheless. When OAL will do so, though, is a mystery. The OAL, which reviews all proposed regulations in California, has until September 13 to review the Regulations and determine whether they comply with the California Administrative Procedure Act (“APA”). Once the OAL has approved the Regulations, they will be filed with the Secretary of State and, upon such filing, become final. The APA generally provides that regulations filed by August 31, 2020 will become effective (and, thus, enforceable) on October 1, 2020; regulations filed after August 31, 2020 will become effective on January 1, 2021. In connection with its submission of the Regulations, the OAG requested that the OAL (1) expedite and complete its review of the Regulations by June 30, and (2) agree to allow the Regulations to take immediate effect upon filing. The OAL declined to finalize its review of the Regulations by June 30, and retains discretion to complete its review any time between now and mid-September. OAL equally retains discretion to make the Regulations effective immediately upon filing or, instead, on October 1, 2020 or January 1, 2021, as appropriate, under the standard APA rules. However, it is unlikely the OAL will inform the public of its decision until it actually files the Regulations.
Although the Regulations are not finalized, the CCPA itself remains enforceable as of July 1, 2020 (and indeed, the OAG has already started issuing violation notices to companies). Numerous industry groups had asked the OAG to postpone enforcement of the Regulations until March 20, 2021, in order to allow companies to comply with any new or additional requirements by the Regulations. The OAG denied the request, explaining in the final Statement of Reasons for the Regulations that “[t]o the extent that the regulations require incremental compliance, the OAG may exercise prosecutorial discretion if warranted, depending on the particular facts at issue … to choose which entities to prosecute, whether to prosecute, and when to prosecute.”
Although the CCPA only became enforceable recently, there already have been a number of class action lawsuits filed claiming violations of the CCPA. The CCPA provides a limited private right of action only after a consumer’s “nonencrypted or nonredacted personal information … is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices” imposed by California’s Information Security Law (Cal. Civ. Code § 1798.81.5). The CCPA is equally clear that private actions “shall not be based on violations of any other section” of the CCPA and that the CCPA shall not be interpreted “to serve as the basis for a private right of action under any other law,” such as the California Unfair Competition Law (UCL). Cal. Civ. Code § 1798.150(c). The legislative history of the CCPA, like the statute itself, is clear that the private right of action is limited to what the Assembly Privacy Committee called “specified data breaches.” The legislature doubled down on this position in 2019 by rejecting a bill proposed by the Chair of the Senate Judiciary Committee (and supported by the OAG) to expand the private right of action beyond the data breach context.
Despite these clear limitations, enterprising class action lawyers have filed lawsuits alleging both traditional data breach claims and other garden variety violations of the CCPA, enforcement of which is reserved for the OAG. Several consolidated lawsuits against Zoom and other defendants seek to convert the dissemination of PI between businesses as data breaches and otherwise allege violations of the CCPA’s notice provisions,1 violation of the opt-out requirements,2 failure to implement reasonable security,3 and permitting leaks and unauthorized access.4 Similarly, the plaintiffs in Sweeney v. Life on Air accuse the owner of the group video chat app “Houseparty” and others of violating the CCPA’s notice and opt-out requirements, relying on the CCPA’s broader definition of “personal information” (found in § 1798.140(o)) instead of the definition fond in the private right of action and the Information Security Law.5
California Privacy Rights & Enforcement Act
Even with this current flurry of activity surrounding the CCPA, yet more significant changes appear to lay ahead. As background, after the CCPA became law, the same consumer privacy advocates whose efforts led to enactment of the CCPA (i.e., Alastair Mactaggart and his group, Californians for Consumer Privacy (“CCP”)), became concerned that consumers’ privacy rights would be weakened by future amendments. To prevent that from occurring, they drafted the CPRA as a voter initiative, and submitted it to the OAG in October 2019 to begin the process of qualifying the proposal for inclusion on the November 3, 2020 ballot. If approved by voters, the new law would strengthen consumer privacy rights and limit any weakening of the law by future legislation, while also clarifying certain definitions (such as publicly available information not subject to regulation) and formalizing exemptions that are temporary under the CCPA, described below. Specifically, the law:
- establishes a new category of “sensitive personal information” and provides consumers with additional rights around the use of such information,
- establishes the California Privacy Protection Agency to enforce the law,
- adds a consumer right of correction,
- expands the private right of action to apply to individuals whose email addresses (in combination with a password or security question that would permit access to the account) are compromised, and
- expands the right to know and the right to opt-out.
It has not been a smooth road to get the CPRA on the ballot, though. In order to qualify for the ballot, the CPRA’s sponsors had to obtain close to 625,000 verified signatures. Although Mactaggart and the CCP began collecting voters’ signatures as early as December 2019, their efforts were slowed down by the COVID-19 pandemic and California’s shelter-in-place orders, so they were not able to submit their signatures to the California Secretary of State until May 1, 2020. Due to this delay in submitting the signatures and the Secretary of State’s subsequent delay in notifying the county registrars, it appeared the signature verification process might not be completed until June 26, 2020, which would be a day after the deadline to qualify for the November ballot. To ensure that the signatures were verified in time, Mactaggart sued the Secretary of State for not “immediately” notifying the county registrars and requested the court to order the county registrars to complete their verification process by June 25, 2020. The court ultimately agreed with Mactaggart, and the CPRA qualified for the November ballot on June 24, 2020.
If the CPRA passes in November, it will supersede the CCPA starting on January 1, 2023. The CCPA and its implementing Regulations would remain in effect in the interim. The CPRA also will immediately extend to January 1, 2023, the CCPA’s current business-to-business (B2B) and employee data exemptions, which are currently scheduled to sunset at the end of this year. The latest polling data shows that 9 out of 10 California voters would support the ballot measure, so the CPRA is likely to pass. In addition, because Mactaggart had spoken to and incorporated the feedback of numerous industry groups into the final version of the CPRA, it is unlikely there will be significant pushback from industry.
If, by chance, the CPRA does not pass in November, the CCPA and its Regulations will remain in force. This also means that, unless a bill is passed extending the exemptions, the B2B and employee exemptions would sunset at the end of the year. A bill has been proposed to extend these exemptions until January 1, 2022; however, nothing has been passed yet. If no bill is passed, a special session would likely be required to address the proposed extensions of these exemptions, as the legislature would not be in session in November or December. If no special session is held, the B2B and employee exemptions will sunset at the end of the year, creating a new array of concerns for businesses.
Stay tuned. We’ll keep you up-to-date on the latest developments in this drama and what might unfold over the remaining episodes this season.