United States: Proposed Bill Would Substantially Rewrite The California Consumer Privacy Act Of 2018


Proposed Changes At-A-Glance

  • Renames the California Consumer Privacy Act of 2018 as the Privacy for All Act of 2019
  • Requires an affirmative opt-in consent by consumers for sharing of personal information
  • Businesses can only delay, but not refuse, a consumer's right to delete data for so long as reasonably necessary for one of the exceptions to no longer apply
  • Increases transparency obligations regarding data sharing activities, including specifics of personal information shared and the entities with whom personal information is shared
  • Increases diligence requirements for service providers and narrows the safe harbor for service provider violations
  • Makes fundamental changes to a consumer's private right of action and other statutory damages, increasing potential exposure and liability to businesses
  • Incorporates broader regulatory enforcement actions
  • Delays the effective date until January 1, 2021


On April 4, 2019, California Assembly Member Wicks proposed sweeping changes to bill AB 1760, effectively repealing the California Consumer Privacy Act of 2018 (CCPA) and replacing it with the Privacy for All Act of 2019 (PAA). The proposed rewrite would increase a business's compliance obligations as well as its potential exposure to civil and regulatory liability, shifting California even closer to the requirements of GDPR. If passed, the PAA will go into effect on January 1, 2021, giving businesses one additional year to implement the new requirements.

Requirements of the PAA

  • Affirmative Opt-In Consent. While the CCPA only required opt-out consent for the selling of personal information, the PAA would require businesses to provide California consumers with an affirmative opt-in consent to share that consumer's personal data. Furthermore, sharing under the PAA includes all forms of selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating and, unlike the CCPA, no monetary or valuable consideration is required. Like other affirmative opt-in consent requirements, businesses will not be able to pre-check the opt-in consent — consumers must perform an affirmative act for the consent to be valid. In addition, the collection of data from children under 13 years of age still requires opt-in consent from a parent or guardian.
  • Exceptions to Right to Delete. The PAA would also significantly restrict a business's ability to refuse a California consumer's request to have his or her personal information deleted. Under the PAA, a business will be able to delay its compliance with a consumer's request for deletion only for so long as reasonably necessary, until none of the enumerated exclusions applies. A business would then be required to comply with the request automatically once none of the exceptions applies, without a further request from the consumer. Additionally, the business will be required to delete all of the consumer's data regardless of the source, not just data the business collected from that consumer.
  • Increased Disclosure Obligations. Under the CCPA, businesses were only required to disclose the categories of personal information shared and the categories of third parties with whom the personal information was shared. Under the PAA, businesses would be required to also disclose the specific pieces of personal information disclosed as well as the specific third parties to whom the personal information was disclosed. Businesses will also be required to contractually prohibit downstream recipients from re-identification of consumer information, and must make reasonable efforts to ensure service providers comply with the PAA.
  • Expanded Definition of Personal Information. The CCPA already had a broad definition of personal information, which included information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular California consumer or household. The PAA would expand the definition of personal information to include information that could be linked with a device, including, for example, network MAC addresses and device serial numbers. However, while the CCPA excluded from the definition of personal information publicly available information made available from federal, state, and local government when the information was used for a purpose compatible with the purpose for which the information was maintained, under the PAA all information (other than biometric information) lawfully made available from federal, state, or local governments would be excluded.
  • Increased Liability for Violations by Service Providers. The PAA would significantly expand businesses' exposure to liability for their service providers' violations of the PAA. Under the CCPA, a business was not liable for the violations of its service providers if, at the time of the disclosure of personal information, the business had no knowledge of or reason to believe the service provider intended to violate the CCPA. Under the PAA, a business would not be liable for its service providers' violations only if the business has made reasonable efforts to ensure that the service provider will comply with the PAA and the business has no actual knowledge of or reason to believe that the service provider violated the PAA. Essentially, the PAA creates a duty on businesses to audit their vendors and confirm their compliance with the PAA.
  • Increased Private Rights of Action. Under the current version of CCPA, a California consumer could bring a private right of action only for data breaches resulting from failures to reasonably protect personal information and only after the consumer provided the business notice and an opportunity to cure. Under the PAA, California consumers would be able to bring a private right of action for any violation of the PAA without providing the business pre-suit notice or an opportunity to cure. The PAA also explicitly permits California consumers to recover reasonable attorney's fees in addition to other statutory damages of no less than $100 and up to $750 or any other relief the court deems proper.
  • Increased Regulatory Enforcement. The PAA would expand the scope of potential regulatory actions from actions brought by the Attorney General's office with a 30-day cure period to actions brought by any district attorney, city attorney, or county counsel with no cure period. In addition to injunctive relief, fines remain at up to $2,500 for each unintentional violation and up to $7,500 for each intentional violation.

The CCPA and Proposed PAA Compared

  • Consent. CCPA: Opt-out consent for selling personal information. The term "selling" is limited to selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating for monetary or other valuable consideration. PAA: Opt-in consent for sharing personal information. The term "sharing" includes selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating, with no monetary or valuable consideration required.
  • Right to delete. CCPA: Businesses can refuse to delete personal information if one of the exceptions applies. PAA: Businesses may only delay deleting personal information until none of the exceptions applies.
  • Disclosure. CCPA: Must disclose the categories of personal information sold and the categories of third parties to whom the personal information is sold. PAA: Must also disclose the specific personal information shared and the specific third parties with whom the personal information is shared.
  • Definition of personal information. CCPA: Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. PAA: Now also includes information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer, household, or device.
  • Service provider liability. CCPA: Businesses are not liable for violations by their service providers if, at the time of disclosure, they have no actual knowledge of or reason to believe that the service provider intends to commit such a violation. PAA: Businesses are not liable for violations by their service providers only if (a) at the time of disclosure, they have no actual knowledge of or reason to believe that the service provider committed those violations and (b) the business makes reasonable efforts to ensure compliance by the service provider.
  • Private right of action. CCPA: California consumers can bring a private right of action only for data breaches resulting from failures to reasonably protect personal data and only after a notice and opportunity to cure. Statutory damages of $100-$750 and any other relief that the court deems proper. PAA: California consumers can bring a private right of action for any breach of the PAA, with no notice or opportunity to cure. California consumers can now recover reasonable attorney's fees in addition to the statutory damages of $100-$750 and any other relief that the court deems proper.
  • Regulatory enforcement. CCPA: The Attorney General can bring regulatory actions with 30 days' notice and opportunity to cure. Can receive injunctive relief and fines between $2,500-$7,500 per violation. PAA: The Attorney General as well as any district attorney, city attorney, or any county counsel can bring an action with no cure period. Can receive injunctive relief and fines between $2,500-$7,500 per violation.

Applicability to Businesses

The PAA would continue to apply to for-profit entities that do business in California that also determine the purposes and means of the processing of California consumers' personal information, and that either: (a) have annual gross revenues in excess of $25,000,000 (anywhere); (b) annually process the personal information of 50,000 or more California residents, households, or devices; or (c) derive at least half of their gross revenue from the sharing of personal information of California consumers.

The PAA carries over the same exclusions as the CCPA, such as: medical information governed by California's Confidentiality of Medical Information Act or protected health information subject to the privacy, security, and breach notification rules under the Health Insurance Portability and Accountability Act; information collected as part of a clinical trial subject to human subject protections under the Common Rule, the International Conference on Harmonisation's "Guideline for Good Clinical Practice," or the U.S. Food and Drug Administration; the sale of personal information to or from a consumer reporting agency used to generate consumer reports and in compliance with the Fair Credit Reporting Act; information processed, sold, or shared pursuant to the Gramm-Leach-Bliley Act; and information collected, processed, sold, or shared pursuant to the Drivers' Privacy Protection Act. It also would not apply when a business believes in good faith that an emergency exists that requires sharing of personal information, or when information is shared with the National Center for Missing and Exploited Children in connection with a report.

Impact on Businesses

Although the PAA, if passed, will not go into effect until 2021, it will take time for impacted businesses to comply with all of its provisions. Businesses subject to the PAA should consider the following actions in preparation for the PAA implementation:

  • Conduct a data mapping of the personal information collected by the business to understand the scope of personal information collected and how it is obtained, used, and shared with third parties.
  • Review internal policies and procedures to be able to appropriately respond to consumer requests for access to, deletion from, or information related to the sale or disclosure of their personal information.
  • Begin the planning and implementation of technological improvements to their information systems that may be necessary to process consumer requests and consumers' rights to opt-in to the sharing of personal information. Businesses may wish to consider the use of technology features that enable easy moves between opt-in and opt-out consents in the event this requirement is not present in the final law.
  • Review and update privacy policies to comply with the disclosure requirements of the PAA when it becomes necessary to do so.
  • Begin preparing training materials and planning for training all personnel who are responsible for handling consumer personal information inquiries.
  • Update contracts with third parties and/or service providers to whom consumer personal information is conveyed to ensure that the contracts explicitly limit the use of personal information to providing the services contemplated, permit the business to audit the vendor's operations for compliance with the PAA and contractual terms, and require the vendor to assist with consumer requests.
  • Review vendor due diligence procedures (including audits) to verify that service providers are able to comply with the PAA.
  • Consider including defense, indemnification, and insurance provisions in favor of the business in all contracts with vendors given access to consumer information.
  • Consider using third-party audits to ensure compliance with the PAA and conducting those audits through legal counsel to support the position that the results are covered by the attorney-client privilege.

Although AB 1760 has only now been formally introduced, Assembly Member Wicks has been discussing the PAA for a few weeks. In February, she stated that "Consumers should have the right to find out what data companies have collected on them, how that information is being used, and to stop their personal information from being shared and sold." While the fate of the PAA remains in question, we expect that several concepts from the PAA will become law. There is already significant lobbying taking place on behalf of the PAA, including by the ACLU of California, Common Sense Kids Action, Consumer Reports, Electronic Frontier Foundation, and the Privacy Rights Clearinghouse. In addition, California, often considered a more liberal state, is seeing a backlash against the rushed, closed-door process of drafting the CCPA (which some have called "pay-for-privacy" and accused of holding the right to opt out hostage), opening the door to a growing groundswell for a "fair deal for all."

On the other hand, the PAA does not incorporate other proposed changes to the CCPA that have received significant support, making it likely that we will see the PAA amended again. For example, AB 25 proposed to remove employee personal data from the scope of the CCPA, which is not reflected in the PAA as it is currently drafted. It is also worth noting that many businesses in California are calling for the CCPA enforcement date to be pushed back, as even those businesses that are taking an aggressive, proactive approach to complying with the CCPA fear they will not be compliant by January 1, 2020. Many businesses are also concerned about the look-back period created by the CCPA, as almost no company can say it was compliant with the CCPA as of January 1, 2019. Given all of the above and more, we are seeing efforts to push back the effective date of the CCPA to 2021, as the PAA proposes. Nevertheless, it remains unclear whether California Governor Newsom will sign the bill into law, as the CCPA was signed into law by his predecessor, former Governor Brown.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
