The enactment in June 2018 of California's sweeping new privacy law, the California Consumer Privacy Act, has both increased momentum for enactment of a general federal privacy law and spurred state legislatures to consider privacy bills of their own. A series of widely publicized incidents involving major technology companies' data handling practices and the coming into force of the European Union's General Data Protection Regulation have increased the urgency of both efforts. This report reviews proposals at the state level for privacy legislation. A prior report reviewed proposals at the federal level.

The CCPA

On June 28, 2018, California's then-Governor Jerry Brown signed into law Assembly Bill 375, a sweeping privacy law that provides Californians with broad notice, access, and deletion rights concerning many types of personal information and that permits consumers to opt out of the sale of their personal information. The law was introduced and passed within a week to head off a similar ballot initiative. Realizing that the CCPA was flawed and required amendments, the California Legislature adopted, and Governor Brown signed, Senate Bill 1121, also titled "the California Consumer Privacy Act of 2018," on September 23, 2018. The CCPA as amended takes effect on January 1, 2020, but the California Attorney General may not bring an enforcement action under it until six months after the publication of the final regulations described below or July 1, 2020, whichever is sooner.

Our alert on the CCPA is here, and a short summary follows.

The CCPA is the first comprehensive state privacy law, and it borrows heavily from concepts in the GDPR. It speaks broadly in defining California consumers' rights, covered businesses' obligations, and the definitions of terms such as "consumer," "personal information," "sell," and "household."

Under the CCPA, covered businesses must, upon a verified consumer's request, make disclosures regarding both the categories and specific pieces of personal information regarding the consumer, as well as the sources, uses, and sharing of the consumer's personal information. Covered businesses must also, in response to verified requests, make specific disclosures regarding the sale or disclosure of consumers' personal information "for valuable consideration." Covered businesses also may not sell consumers' personal information without giving notice and a chance for affected consumers to opt out. The CCPA's requirements do not apply to consumer information that is deidentified or in the aggregate.

Covered businesses must also place a link on their website "homepage" (defined to include all web pages where personal information is collected), titled "Do Not Sell My Personal Information," that redirects to a webpage that enables a consumer to opt out of the sale of the consumer's personal information.

In addition, covered businesses must, in response to a verified request, delete personal information of the requester and make sure service providers do as well, with certain exceptions.

The CCPA further requires covered businesses to update their website privacy policies to include California consumers' rights under the CCPA, and to update the privacy policy annually.

The CCPA significantly broadens the definition of personal information from existing California law to mean "information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household." The definition includes, among other things: names and other identifiers such as IP addresses; account names; driver's license and passport numbers; commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies; biometric information; internet browser and search history, interaction with a website, application, or advertisement; location information; professional or employment-related information; educational information; and inferences drawn from any of the above information to create a profile about a consumer.

The CCPA affords the California Attorney General a cause of action for violations of the CCPA, with penalties of up to $2,500 per violation and up to $7,500 for intentional violations. The CCPA also provides a private right of action for certain data breaches where the covered business did not have reasonable security procedures appropriate to the nature of the information, with liquidated damages of up to $750 per consumer per incident or actual damages, whichever is greater. There is, however, a limited 30-day right to cure provided to covered businesses to avoid such penalties.

The California Attorney General is required to promulgate regulations pursuant to the CCPA that would, among other things: (1) update the definition of "personal information" in order to address changes in technology, data collection practices, obstacles to implementation, and privacy concerns; (2) update as needed the definition of "unique identifiers" to address changes in technology, data collection, obstacles to implementation, and privacy concerns; (3) define additional categories to the designated methods for submitting requests to facilitate a consumer's ability to obtain information from a covered business; and (4) establish any exceptions necessary to comply with state or federal law, including, but not limited to, those relating to trade secrets and intellectual property rights.

The California Attorney General's Office has held five public forums so far on the CCPA to receive input from interested stakeholders before issuing proposed rules for comment, and it plans a sixth and final public forum on March 5. The first set of written comments is due by March 8, 2019. While the CCPA requires the Attorney General to promulgate rules by July 1, 2019, the Attorney General's Office has said that it will not issue proposed regulations until "the fall" of 2019. The Attorney General's Office's PowerPoint slides displayed at the public forums note that the Attorney General's Office is seeking comment specifically on the following topics:

  • categories of personal information;
  • definition of unique identifiers;
  • CCPA exemptions;
  • submitting and complying with consumer requests;
  • uniform opt-out logo/button;
  • notices and information to consumers, including financial incentive offerings; and
  • certification of consumers' requests.

Following the publication of proposed rules, the Attorney General's Office will solicit a second round of comments, which the Attorney General must consider prior to promulgating final regulations. That process is likely to come to a close after the law's effective date of January 1, 2020. If so, the Attorney General would not be able to enforce the CCPA or its regulations until July 1, 2020. If the Attorney General's final regulations are released close to July 1, 2020, industry is sure to urge an amendment to the law delaying the enforcement date to give companies sufficient time to come into compliance.
