The California Consumer Protection Act (CCPA) is nearing its final form.
With the close of the state legislature’s 2019 session on Friday, no more bills can be introduced this year, and the handful of amendments that did pass the Senate are now headed to Democratic Gov. Gavin Newsom’s desk for a signature. Newsom has until Oct. 13 to veto the bills or sign them into law.
Despite these proposed tweaks, which Newsom is expected to bless, the CCPA made it through the legislative session largely unchanged, despite intense industry lobbying.
But that doesn’t mean the CCPA, which goes into effect on Jan. 1, 2020, is set in stone.
Here’s what’s known so far and what’s still to come for California’s sweeping privacy law. [Click here for a quick and dirty guide to the statute itself.]
What does 'reasonably' mean?
One of the most noteworthy changes to the law is the addition of a single word – “reasonably” – to the definition of personal information.
Information is now considered personal if it’s “reasonably capable of being associated” with an individual or household rather than just “capable of being associated.”
“The way it read before, even relatively insignificant information could be personal information, and that would be unmanageable,” said Dan Jaffe, group EVP of government relations at the Association of National Advertisers. “It’s a very positive thing for the ad industry that they added in that word.”
Then again, the definition of personal information under CCPA is still extremely broad, he said, and the word “reasonably” itself is open to interpretation.
“Maybe you find out only after the fact that what you think is reasonable and what the attorney general thinks is reasonable are two different things,” Jaffe said.
Although the original bill calling for the definition change died in the Senate, the “reasonably” clause was later nested within a different bill that did pass (AB 874; see below).
No exemptions for targeted advertising
After months of debate, six amendments to the CCPA passed both the Assembly and the Senate. What the successful bills have in common is that they all propose fairly non-controversial, unopposed changes that lawmakers, privacy advocates and industry reps could agree on.
Conversely, some bills were almost immediately slapped down in the Senate, such as SB 753, which would have created a carve out for targeted advertising under the law.
There wasn’t much “appetite” among lawmakers to undo the fundamentals of the CCPA, said Justin Brookman, director of privacy and technology policy for Consumer Reports and a former Federal Trade Commission staffer.
“I think some folks in the advertising industry were surprised they didn’t get a lot of traction,” Brookman said. “But they did get some relief from many of the unintended consequences of the law, and we were fine with that.”
Most of the amendments exempt particular types of data from being subject to the law, including employee data, vehicle repair data, public record data and aggregate consumer information (AB 25, AB 1146 and AB 874). AB 1355 creates a one-year exemption for business data.
Another bill (AB 1202) requires data brokers to honor opt-outs and register with the California attorney general on an annual basis, while AB 1564 specifies that businesses need to provide at least two methods for consumers to submit info requests, although online-only businesses only have to provide an email address.
Two other bills – one that that would ensure CCPA doesn’t apply to loyalty programs (AB 846) and a measure that would require businesses to publicly disclose if they use facial recognition technology (AB 1281) – were tabled and will likely be picked up again when the legislature resumes in early 2020.
Practical guidance coming up
The next major milestone for the CCPA is a set of implementation regulations that will be published by the California attorney general’s office. The AG is expected to release V.1 of the regs sometime in October, likely after the governor’s Oct. 13 bill-signing deadline.
The purpose of the regs is to clarify remaining ambiguities in the law and provide practical guidance to businesses on how to comply, the sort of workaday stuff that wouldn’t appear within the statute itself, like how exactly to define unique identifiers, procedures for submitting and complying with data access requests and what the opt-out button should actually look like.
Once the AG’s office publishes the regs, there will be a 45-day comment period. If there aren’t any substantive changes to make, there will then be a 15-day comment period. If there are substantive changes, there will be another 45-day comment period.
The AG’s general enforcement of the law will begin six months after the final regs are issued or on July 1, 2020, whichever comes first.
But although we’re unlikely to see any major changes coming from the AG beyond necessary clarifications, the comment period isn’t going to be quiet. Everyone has an opinion, said Danny Sepulveda, SVP for policy and advocacy at MediaMath.
Regulators don’t create the law, they interpret the law, which is subjective, he said.
“The attorney general will have to take in views from the legislators that wrote the law, civil society actors interested in influencing the process, including academics and activists, and the industry who is looking for clear guidance and interpretation that enables the continued functioning of their services,” Sepulveda said.
More changes when the CA legislature returns
Beyond the AG’s implementation regs, the rest of the year will be relatively quiet.
But there could be more amendments to come when the California legislature comes back into session early next year. And that’s because there is still some vagueness in the law and unanswered questions.
Take the word “sale,” for example, Under CCPA, people have the right to opt out of the sale of their data, but the definition of a sale is wide ranging and goes beyond just the transfer of money.
“It can be argued that providing anything of value counts as a sale, and that’s significant, because the amount of personal information you touch and the number of related sales you have are both triggers for whether a business is covered under the law or not,” Jaffe said.
It’s also unclear whether pseudonymous data needs to be provided as part of a data access or deletion request. It would be counterintuitive to ask a business to re-identify deidentified data in order to comply with the law. The AG guidelines might help clear that up, Brookman said.
But despite any lingering uncertainty, the time to start getting ready to comply was … yesterday.
“There is little to wait and see for at this stage, [and] businesses falling under the remit of CCPA should certainly prepare for implementation,” said Omer Tene, VP and chief knowledge officer at the International Association of Privacy Professionals. “While AG enforcement starts only in July 2020, individual and class actions can and will begin before then this coming January."