The CCPA is the broadest data privacy law in the United States and it provides consumers access and control over their personal information as well as allows them to have a say in how organizations collect, use, and disseminate this data. California passed the CCPA in response to the global trend of using data for almost every operational function in both the professional and personal spheres. Unfortunately, the more data there is, the higher the risk that a hacker can access private consumer information and use it for malicious reasons. Many organizations (especially big tech companies) handle large amounts of data. Without regulatory oversight, these organizations have the power to collect and distribute private consumer information for essentially any purpose that the company chooses. As such, California lawmakers wanted to provide solid protections for consumer data that are similar to the Europe Union’s General Data Protection Regulation (GDPR). To name a few:

Consumer Data Access

Consumers will have direct access to their data and can request information about how and why organizations use their personal information.

Deleting Consumer Data

Consumers have the right to delete and modify their personal data. Organizations must comply with data deletion requests (unless an exception applies).

Selling Consumer Data

Consumers have the right to opt out of sales involving their personal information. Organizations are required to alert consumers when they intend to sell such data and a must have a “Do Not Sell My Personal Information” link on their site.

Collecting Consumer Data

Organizations must notify consumers when they collect personal information and subsequently if a security breach has compromised that data.

The Data Collection Compromise

The CCPA will go into effect January 1, 2020. Both proponents and critics of the law opposed the original text due to unclear language and exemptions but notably, tech companies disfavor the law as a whole. Instead, they have lobbied for a federal privacy law that would limit consumer control and argue that consumer data drives their advertisements and overall revenue.

In response to the criticism, lawmakers have been working vigorously to clean up the language and reach compromise on the disputed provisions before the law goes into effect. Some of the pending amendments to the CCPA are:

Personal Information to Exclude

Modifying the definition of personal information to exclude data collection from job applicants, employees, contractors, or agents (Assembly Bill 25) and only include data that is “reasonably” capable of being associated with an individual (Assembly Bill 873).

What is Publicly Available Data?

Defining the “publicly available” exception contained in the definition of personal information as lawful data from federal, state, or other local government records (Assembly Bill 874).

Government Data Requests

Adding exemptions to the law for information disclosure resulting from compliance with government requests (Assembly Bill 1416).

Selling Personal Data

Adding exemptions to the law for selling information in order to detect security breaches or fraud (Assembly Bill 1416).

All of these bills (and others) need to pass in the Senate by September 13, 2019. Then, the governor has until October 3, 2019 to sign these bills into law. Even though several bills have made it through the first step of review, lawmakers have already shot down some other proposed amendments. Most notably was Senate Bill 561, which aimed to provide consumers with a broad and unrestricted right to file private lawsuits for any CCPA violation. The bill would have also removed the requirement for the attorney general’s office to issue compliance opinions when requested. If this bill had passed, California courts would have seen an incredibly high number of class action lawsuits that would have overwhelmed judges and businesses.

CCPA Violation Enforcement

Regardless of what happens, the battle surrounding the CCPA is far from over. Expect to see more proposed changes to the CCPA before and after it becomes enacted. An important aspect to watch will be how the primary enforcement mechanism, the attorney general’s office, decides to handle enforcement. The office’s compliance opinions, rules, and decisions regarding alleged violations will set the tone for how far the CCPA can go.

Courts will have a limited role in the CCPA. Consumers only have a private right of action when an organization fails to have a comprehensive data security program in place that “reasonably safeguards” certain specified data. When are these private lawsuits appropriate? What factors need to be present in order to meet the legal thresholds that comprises a “comprehensive data security program” that “reasonably safeguards” private consumer information? These are all questions that the courts and attorney general will need to answer.

Conclusion

It is likely that they will try to limit these disputes as much as possible to avoid opening litigation floodgates and keep enforcement primarily with the attorney general. The creation of a federal privacy law could also preempt the CCPA. However, enactment of a comprehensive federal privacy law in the next year or two is not currently looking promising. Stay tuned in the coming months for what is next.

To learn more about the CCPA download our latest whitepaper:  An Overview of CCPA

If you found this blog informative, you may enjoy reading Will the New CCPA Cause an Uptick in Class Action Cases?​ or The Epiq Angle Blog