On February 20, 2019, members of California’s Privacy and Consumer Protection Committee (“Committee”) held a hearing at the State Assembly to review concerns from various stakeholders regarding California’s Consumer Protection Act (“CCPA”). In particular, how the law should be amended prior to its 2020 effective date. Indeed, in its present formulation, the CCPA has given rise to a number of controversies. For example, even though not discussed during the hearing, whether the Act should, as it currently does, apply to California employee data and treat such data in the same manner it treats consumer data. The legislature is almost certain to further amend the CCPA, but it is still early and difficult to determine just how far reaching such amendments will be.
California passed the CCPA on June 28, 2018. The law was amended not long after that with Senate Bill 1121. Since its passage and despite the amendment, the Committee has received numerous requests for clarification on the rights, protections, and obligations established by the CCPA. Many stakeholders have urged the importance of additional refinements to the law – ranging from clarifying definitions and potential applicability to smaller businesses. Some of these same stakeholders, including the California’s Retailers Association, California Chamber of commerce, privacy attorneys, and others showed up at the hearing to voice some of these concerns. Below is a high-level summary of some of the concerns that were raised during the hearing.
Representative Chau opened the hearing by explaining some of the CCPA’s benefits, including how it helps protect personal information, privacy, and individual choice. He urged stakeholders to find consensus where possible and cautioned against prejudging requests and critiques from “business” and “tech.”
The Definition of “Personal Information”
Many panelists raised concerns about the CCPA’s definition of “personal information.” Some stated that unlike the EU’s General Data Protection Regulation (“GDPR”), the CCPA definition is too broad. Notably, how the current scope potentially impacts smaller businesses with limited resources. As an example, subsequent stakeholders suggested that, because the definition of personal information includes IP addresses, any blog post that gets 50,000 hits will render that business subject to the law even if they are not otherwise covered by the law.
One stakeholder exclaimed that the definition of personal information “sweeps up every scrape of data that has the theoretical capability of being associated with a consumer.” He explained that current technology allows certain experts to associate any piece of information with a person. Therefore, he argued that under the current definition, essentially all information in a business’s possession could be treated as “personal information.”
The January 1, 2020 Effective Date
Another concern was the timeframe for compliance. One privacy lawyer expressed concern about the timeline for compliance by comparing the CCPA’s January 1, 2020 enforcement date with the two years that companies had to prepare for the GDPR. She stated that not even half of all U.S. companies that must comply with the GDPR are doing so. She raised concerns that companies doing business in California (even those who have worked on GDPR compliance) are not ready for the CCPA given the amount of resources and time necessary to reinvent their compliance programs, including expanding their programs to apply to “households.”
In response to questions from several Representatives, the privacy lawyer explained that legal compliance is an ongoing process – that there is no point in time where any company will be 100% compliant, particularly businesses that do not have an unlimited amount of resources to work on a compliance program.
The Private Right of Action
Another concern was the CCPA’s private right of action and the Attorney General’s enforcement authority. The deputy attorney general suggested that the 30-day cure period under the law is essentially a “get out of jail free card” and expressed concern that the “fix it ticket” disadvantages consumers and “honest businesses that are playing by the rules.” The deputy attorney general urged the expansion of the CCPA private right of action to include “violations of the key rights” provided by CCPA, which she did not further explain.
Subsequent stakeholders expressed concern with an expansion of the private right of action. A representative from the California Chamber of Commerce stated that neither California’s courts nor businesses could handle the evitable increase in litigation if the private right of action is expanded to the entire law.
The deputy attorney general also said that the office is shooting to meet a June 30, 2020 deadline for completing its rules related to the CCPA. Further, in response to being asked by a Committee representative, the deputy attorney general stated that obligating the attorney general to issue written guidance to help businesses with compliance far exceeds the scope of the attorney general’s current obligations under the law.
The hearing illustrates the range of concerns regarding the current status of the CCPA. It further shows the diversity of affected stakeholders. Interestingly, Alastair MacTaggart (the founder of the ballot initiative of the bill) admitted that data privacy is a complicated area of the law and conceded that the CCPA “will need changes.” The legislature is almost certain to further amend the CCPA, but we anticipate that any amendments will not bring wholesale changes to the law’s scope or to the requirements generally. However, understanding how the CCPA applies to your business in its current state is extremely important given the upcoming enforcement date. We will continue to provide updates on potential amendments, clarification, guidance, and further hearings regarding the CCPA.