Recapping Proposed Changes to the California Consumer Privacy Act
Because of ongoing tweaks, like a recent amendment that would expand consumers' private right to action, the California Consumer Privacy Act remains in constant flux.
The California Consumer Privacy Act of 2018 – California's new sweeping law protecting digital privacy rights – continues to appear to be very much a work in progress.
As we tick down to January 1, 2020, the date the law becomes effective, lawmakers in California continue to mill over the particulars of the legislation, including proposed new amendments, and how terms are defined.
One of the most recent amendments, Assembly Bill 25, proposed three weeks ago and amended last week, would tweak how the term "consumer" is defined, namely doing away with the term as it pertains to CCPA-covered employees and job applicants.
“’Consumer’ does not include a natural person whose personal information has been collected by a business in the course of a person acting as a job applicant to, an employee of, a contractor of, or an agent on behalf of, the business, to the extent the person’s personal information is collected and used solely within the context of the person’s role as a job applicant to, an employee of, a contractor of, or an agent on behalf of, the business,” the amended section reads.
Currently, “consumers” are broadly defined as California residents. If it passes, AB-25 would exempt employees and job applicants of CCPA-covered businesses from the rights of the Act and likely result in slightly fewer privacy headaches for businesses.
CCPA-covered businesses, for the record, are defined as any for profit business – be it a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity – that does business in California and either collects consumers’ personal information, “or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information.”
In order to be defined as a business, one would have to satisfy at least one of the following thresholds:
- Annual gross revenue in excess of $25 million;
- Annually buys, receives, sells, or shares the personal information of 50,000 or more California residents; or
- Companies that derive 50 percent or more of their annual revenue from selling consumers’ personal information.
AB-25 came a few weeks after another amendment was introduced, Senate Bill 561, designed to strengthen enforcement of the CCPA and hold violators accountable by greatly expanding to consumers a private right of action. The amendment would afford consumers the opportunity to seek legal remedies for themselves, if their rights are violated.
The original incarnation of the CCPA restricted the private right of action, mostly for incidents stemming from particular types of data breaches. In particular, it gave a right of action if any consumers' nonencrypted or nonredacted personal information is subject to unauthorized access, exfiltration, theft, or disclosure "as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information"
The SB 561 amendment, introduced by California Attorney General Xavier Becerra and Senator Hannah-Beth Jackson in February, would broaden that scope and grant consumers a private right of action themselves if any of their rights are violated under CCPA.
By passing the amendment, consumers wouldn't have to rely on the Attorney General's office to provide guidance to businesses on how to comply with the CPPA - something which would cost tax payers money; instead the office could simply provide "general guidance," via published materials, on how to comply.
SB 561 would also eliminate the CCPA’s 30-day safe-harbor provision, essentially a grace period that could allow companies to cure a violation if they’ve violated consumers’ privacy rights before enforcement can set in.
It appears the amendment has some fans in the California Senate Judiciary Committee; it had a hearing on the bill last week and voted 6-2 to forward SB 561 to the Senate Appropriations Committee.
My SB 561 to strengthen enforcement of the California Consumer Privacy Act and hold violators accountable passed the Senate Judiciary Committee last night. This important bill will allow Californians to take back control of our privacy once and for all. #dataprivacy #CCPA pic.twitter.com/SrUrCK9h0T
— Hannah-Beth Jackson (@SenHannahBeth) April 10, 2019
As Joseph Lazzarotti, a principal for Jackson Lewis, points out in National Law Review, the change could have some severe repercussions for businesses subjected to CCPA.
"This could become very costly for businesses subject to CCPA," Lazzarotti wrote last week, "A plaintiff suing under CCPA can recover statutory damages in an amount not less than $100 and not greater than $750 per incident or actual damages, whichever is greater, as well as injunctive or declaratory relief and any other relief the court deems proper. With the change under SB 561, violations of rights under the statute, such as rights to certain notifications or the right to have certain information deleted upon request potentially could trigger statutory damages."
The proposed changes aren't the first and won't be the last to the CCPA.
Among the changes in SB 1121, an amendment to the Law approved in September, are tweaks to how the CCPA is interpreted in relation to the Gramm-Leach-Bliley Act, and guidance on how enforcement of the CCPA could be delayed until the earlier of six months from adoption of regulations or July 1, 2020.
Yet another amendment, AB 1790, also proposed in February, would expand consumer protections for personal information under the CCPA, by requiring companies to have consumers opt-in for the use and sharing of information, limiting use of personal information, and giving consumers the right to know what personal information companies have about them, and more.
While it remains in constant flux, as a review, the CCPA is expected to allow consumers:
- The right to ask companies to identify the personal data they collected on the consumer and whether a business is collecting or selling/disclosing their personal information;
- The right to demand that personal data not be sold or shared for business purposes;
- The right to sue companies that violate the law or that experience data breaches,
- The right to access and download their personal information in a transferrable way;
- The right to opt-out; the right to request deletion of their personal information; and
- The right not to be discriminated against.