Editors’ Note: This is the first in our fourth-annual end-of-year series examining important trends in data privacy and cybersecurity in the coming year. Up next: a look at trends in the energy space.
Lists of “top” things used to come in a standard size of 10: The 10 Commandments, 10 Things I Hate About You, David Letterman’s Top 10, etc. There is even a Wikipedia page dedicated to Top 10 lists. And then, for whatever reason, people started making Top 11 lists. I won’t pretend to understand the origins of this internet phenomenon (other than to assume that some influential list-maker had an obsession with prime numbers), but I am not one to buck a trend. So, to keep this Year in Preview collection at the cutting edge of internet culture, I present this list of the Top 11 CCPA Developments to Watch Out for in 2020.
Overview of the California Consumer Privacy Act
The California Consumer Privacy Act (the “CCPA”) is a landmark information privacy law enacted in late 2018. The Act is a big deal for businesses that collect consumers’ personal information for two main reasons. First, the CCPA applies to a wide range of businesses across the country. It covers for-profit entities that “do business” in California and meet certain revenue or data-collection criteria. That means a business located in another state that sells products or provides services to California residents through the internet may have to comply with the CCPA. Second, the CCPA gives California residents (known as “consumers” under the law) rights to their personal information that are unprecedented in the United States. Consumers have the right to know certain information about how their data is collected, used, and shared; the right to delete their information in some circumstances; and the right to opt-out from the sale of their personal information. Businesses are required to make certain disclosures related to these rights and to establish processes for responding to consumer requests to exercise their rights.
The CCPA goes into effect on January 1, 2020, and California’s Attorney General has not yet promulgated final regulations to implement the law. The AG cannot enforce the law until six months after the regulations go into effect, or July 1, 2020 (whichever comes first). As of the date of this writing, there is still significant uncertainty along several fronts about what businesses need to do to comply with the law. This list touches on that uncertainty and highlights some other aspects of the CCPA to consider heading into 2020.
11. Will the Attorney General Enforce Non-Compliance that Occurred Between January and July?
Section 1798.185 of the CCPA prohibits the Attorney General from bringing “an enforcement action . . . until six months after the publication of the final regulations issued pursuant to this section or July 1, 2020, whichever is sooner.” While this clause makes clear that we won’t see any CCPA enforcement actions until the latter half of 2020, it leaves ambiguous whether those enforcement actions may cover conduct that occurred in the first half of the year. This could turn out to be an especially important ambiguity for companies that fail to comply with the Act on January 1. If the Attorney General brings an enforcement action against such a business, the business might be able to successfully argue that 1798.185 bars the action because the alleged non-compliance occurred before the July 1 enforcement date. Or, a court could take the opposite position and determine that the Attorney General can bring enforcement actions for CCPA violations that occurred before July 1 so long as the action is not initiated until after the enforcement date.
10. Will California Receive “Adequate” Status Under the GDPR?
The General Data Protection Regulation (“GDPR”) is the European Union’s data privacy law, and the CCPA is often compared to it. Both the GDPR and CCPA grant similar rights to individuals, but also contain significant differences. One key difference is that the GDPR restricts the transfer of personal data from a country within the European Economic Area to an outside country. Such transfers must be made subject to a method approved by European data privacy regulators, ostensibly to protect data subjects’ privacy.
One approved mechanism for transferring data is an adequacy decision. Under this mechanism, the GDPR permits cross-border data transfers when the European Commission has determined that the receiving country has an adequate data privacy regulatory regime. Very few countries have received such status.
There is some speculation that the CCPA may allow California to receive an adequacy determination, though it is far from certain that the state would meet the requisite criteria. If, however, California does receive an adequacy determination under the GDPR, it would mean that businesses in California would have an easier time receiving data transfers from the EEA than would businesses in the rest of the country. That advantage could become even more pronounced because the Court of Justice of the European Union is currently considering a case that may invalidate two of the mechanisms for transferring data from the EEA to the U.S. currently in use: standard contractual clauses and the EU-U.S. Privacy Shield.
9. What Does it Mean to “Sell” Personal Information?
The CCPA defines the term “sale” or “sell” broadly – very broadly. Any transfer of personal information from a business to a third party “for monetary or other valuable consideration” counts as a sale. Cal. Civ. Code § 1798.140(t). Since nearly all business relationships involve monetary or “other valuable” consideration (the point of establishing a business relationship is usually to make money), nearly every transfer of personal information between businesses is arguably a sale. Yet, the CCPA’s definition of “sale” certainly has its outer boundaries.
One key question regarding those boundaries is how they relate to online advertising. The working assumption is that when a content publisher (such as a streaming video platform) shares a user’s personal information with an advertiser and the advertiser uses that information to display targeted ads, the content publisher has “sold” the personal information under the CCPA. But the ad-tech industry is complex, and not all transfers of personal information involved in the delivery of online advertisements necessarily constitute a sale; there is already disagreement about how the definition of “sale” applies to online advertising.
8. Will the IAB’s CCPA Framework Withstand Regulatory Scrutiny?
The Interactive Advertising Bureau (IAB), a digital-ad industry group, has created a unique mechanism for the adtech industry to comply with consumers’ right to opt out from the sale of their personal information under the CCPA. The IAB’s CCPA Compliance Framework works like this:
When a consumer opts out, the content publisher sends a digital signal to notify all of the downstream businesses associated with their advertising platform that the consumer has opted out. That signal triggers a series of contractual arrangements that turn the adtech businesses into “service providers” to the content publisher. Under the CCPA, information shared between a business and service provider is not a sale, but there are restrictions surrounding how such information can be used by the service provider.
The IAB Framework calls the relationship between the content publisher and the adtech business a “Limited Service Provider” relationship. The idea is that when a consumer opts out from the sale of their information, the adtech company who still wants to display ads to the consumer becomes a service provider to the content publisher – but only for the purpose of displaying ads to that particular consumer. In other words, the service-provider relationship is limited to a single advertising transaction or series of transactions affecting a single consumer. The CCPA does not contemplate this type of relationship, and it is unclear how it will be viewed by the Attorney General. If the Attorney General decides that service provider relationships can’t be tailored to specific transactions, then the digital ad industry may be in for a significant disruption.
7. What Does it Mean to “Do Business” in California?
The CCPA applies to a company that meets certain criteria and “does business” in California. Cal. Civ. Code § 1798.140(c). Neither the CCPA nor the Attorney General’s draft regulations define the term “does business,” so some companies are left with uncertainty. Stakeholders should pay close attention to any enforcement actions in 2020 that involve a company with no physical presence in California but that sells products to consumers in the state. The working assumption is that the Act applies to such companies, in part because other California legal provisions contain broad definitions of what it means to “do business” in the state. But, early precedent on the issue will become important to determining how much contact with the state is enough to “do business” for future, closer cases.
6. What Industry Best Practices will Emerge?
One of the questions I sometimes get from clients about the CCPA is “what is everyone else doing?” It’s a difficult question to answer because everyone is doing things differently. Lawyers (outside counsel, inside counsel, and interest group lawyers) have varying interpretations of the law and the draft regulations, and the CCPA interacts differently with different business and data-use models. As the Attorney General finalizes the regulations and the law goes into effect and starts getting enforced, best practices for complying with the CCPA will emerge across affected industries. Companies should pay particular attention to how CCPA disclosures in privacy policies read, how webforms for responding to consumer rights look, and whether their competitors have decided to extend CCPA rights to users outside of California.
5. Will Other States Play Copycat?
The CCPA is a big deal because California is the largest economy in the country and because the Act applies to a substantial percentage of big businesses that aren’t physically located in the state. But California is just one state. There are 49 others – plus the District of Columbia, Puerto Rico, and other U.S. territories – that have an interest in protecting their residents’ information privacy. It would take just one state to enact a more restrictive information privacy law than the CCPA to create a new national standard, at least for businesses that collect personal information from residents across the country. For example, New York considered a bill earlier this year that would have created more robust privacy protections than the CCPA offers. Will another state steal California’s thunder in 2020? And if one does . . .
4. Will the Feds Step Up?
Calls for comprehensive federal information privacy regulation have intensified since the passage of the CCPA. Many of these calls have come from a surprising source: Big tech companies. Companies are concerned with the prospect of having to comply with 50 (or more!) sets of data privacy regulations, and would rather deal with one federal law that preempts more restrictive state laws. The House and the Senate are busy with other things right now, but a deal on federal privacy regulation could be possible in 2020 after the November election while Congress is in a “lame duck” session.
3. How Many Consumers will Exercise their CCPA Rights?
Another question that I sometimes get is whether a company should use manual or automated processes to respond to requests from consumers to exercise their CCPA rights. The right approach depends on a company’s resources, technical capabilities, and the number of consumers from whom it collects personal information. The answer also depends on how many consumers will exercise their rights – especially the Right to Know and Right to Delete, both of which require locating and either deleting or disclosing information requested by the consumer.
This is a difficult one to predict. There are 40 million people in California, and if a business chooses to extend CCPA rights to its users across the country, over 300 million in the U.S. Companies with large volumes of users may be inundated with requests when the law goes into effect on New Year’s Day 2020; but requests may taper off thereafter.
Interestingly, the draft regulations require companies that collect personal information from over 4,000,000 consumers to annually compile and disclose statistics about how many requests they receive. By December 31, 2020, we might actually have a good idea of how many consumers chose to exercise their new rights under the CCPA in 2020.
2. Will the Legislature Let Key CCPA Amendments Sunset?
California’s legislature passed the CCPA with some haste in 2018. A CCPA-like ballot measure looked likely to pass in the November election, but at the eleventh hour the measure’s sponsor – Californians for Consumer Privacy – struck a deal with the legislature to pull the ballot measure in exchange for the state enacting the CCPA. The last-minute deal resulted in a law with more than a few inconsistencies, ambiguities, and uncertainties that needed subsequent clarification. The legislature accordingly amended the CCPA several times in 2019. Most notably, California amended the Act to exempt information collected by businesses from employees and to exempt information collected in a business-to-business context. However, these amendments are scheduled to sunset on January 1, 2021. Will the legislature extend the exemptions, or decide that CCPA rights should apply to employees and to business-to-business relationships?
1. Will CCPA 2.0 Become Law?
Californians for Consumer Privacy see the CCPA as just the start for consumer privacy protections in California. In November 2019, the group filed a new privacy initiative that it wants to place on the ballot in November 2020. The California Privacy Rights Act – which is colloquially being called CCPA 2.0 – would create new consumer rights regarding sensitive personal information, geolocation data, algorithmic decision-making, and more. CCPA 2.0 would also create a dedicated regulatory agency called the California Privacy Protection Agency to enforce consumers’ privacy rights.
Just as businesses are beginning to get the hang of complying with the CCPA, they may have to start thinking about complying with CCPA 2.0.