We took a look at the California Consumer Privacy Act (CCPA) in early 2020, when the law had newly come into effect. The three years since our last post have been busy ones for privacy in California. In this article we’ll briefly take stock of changes to the law, rule-making, enforcement, and some of how the CCPA has influenced privacy law around the country.
Voters Amended The Law, and Gave It A New Enforcement Agency
In the November 2020 general election, California voters approved Proposition 24, a.k.a. the California Privacy Rights Act (CPRA). The CPRA did not replace the CCPA but rather amended it, and also established a first-in-the-nation privacy regulatory agency, the California Privacy Protection Agency (CPPA). The CPPA is now responsible for writing CCPA regulations and enforcing the law through administrative enforcement actions and fines. The agency also has the authority to make grants, funded by a small percentage of the money collected via administrative fines, to nonprofits and public agencies that promote, protect, or educate about privacy.
Now officially called “CCPA as amended by CPRA,” the CCPA received wide-ranging changes from the CPRA initiative. Among other things, CPRA curbed the legislature’s ability to pass amendments that might weaken the law, and data practices familiar to GDPR (Europe’s General Data Protection Regulation) practitioners such as data minimization are now included in California’s law. A few specific highlights include:
- “Sharing” consumer data is now covered right along with “selling” consumer data, closing any loopholes where businesses might argue they were not receiving payment for personal information they passed along.
- A new category of “sensitive personal information” was introduced. It covers a wide array of information, including identifiers like social security numbers, biometric processing, sociocultural factors like race and ethnic origin, banking information and, notably, precise geolocation. Consumers have the right to opt out of some uses of this information.
- The amended law subjects high-risk data processors to additional compliance requirements, including performing annual cybersecurity audits and submitting regular risk assessments to the CPPA.
- The exemption for employee data in the CCPA as it originally passed in 2018 was set to sunset in 2021, but was extended by the legislature. In Prop 24 it received a definitive end date of January 1, 2023, meaning that employee data is now covered by the law.
The Attorney General and CPPA Have Struggled With Timely Rule-Making
Just like federal legislation, a state law like the CCPA requires regulations to help implement and interpret the law. The law impacts nearly every aspect of a business that uses California consumers’ data, from contracts with service providers to the website widgets that enable consumers to exercise their new opt-out rights. As a result, the rule-making process has failed to hit the deadlines specified in the law, and has at times been rocky as regulators struggled with new subject matter like user interface design. Prop 24 required the CPPA to issue new regulations for the CCPA as amended by CPRA in July of 2022, but the regulations were only finally enacted at the end of March 2023.
Private Plaintiffs and the Attorney General Have Taken Action
The CCPA’s private right of action is limited to data breaches and does not extend to other violations of the consumer rights laid out in the law. Even so, plaintiffs began bringing cases promptly in early 2020, and 2022 saw a $350 million settlement by T-Mobile arising from a 2021 data breach. Plaintiffs have also attempted to use the CCPA in tandem with California’s Unfair Competition Law (UCL) to reach violations of the law outside of the CCPA’s own private right of action, although the court has rejected these efforts. Altogether, over 300 cases were filed between January 1, 2020 and the end of 2022. Meanwhile, the Attorney General’s office has also been active, most visibly with a headline-grabbing $1.2 million settlement with Sephora, Inc. The AG’s efforts will continue into 2023, with an investigative sweep of mobile applications for CCPA compliance announced in January.
CCPA Has Inspired Other States
Following California’s lead, several states have passed new comprehensive consumer privacy laws. Virginia’s Consumer Data Protection Act came into effect on January 1st of this year, and both the Colorado Privacy Act and the Connecticut Personal Data Privacy and Online Monitoring Act are set to follow suit on July 1st. The Utah Consumer Privacy Act will close out 2023 with an effective date of December 31st. Nineteen additional states have active bills, but it remains to be seen how many will come to pass. Some states, notably Washington, have had attempts fail in previous years.
California has also passed additional privacy legislation that will draw upon CPPA expertise. The California Age-Appropriate Design Code Act, a children’s online safety bill with significant privacy compliance features, will go into effect on July 1, 2024. New York state has a similar bill in the works.
The Fight Over Preemption Killed a Federal Privacy Bill, and May Kill Again
In 2022, the House of Representatives passed H.R. 8152, the American Data Privacy and Protection Act. While the bill featured carve-outs protecting Illinois’ Biometric Information Privacy Act and Genetic Information Privacy Act from federal preemption, it would have preempted the CCPA. State law preemption was a deal-breaker for the Senate Committee on Commerce, Science, and Transportation, while leaving state comprehensive privacy laws like CCPA untouched was a deal-breaker for Republicans who were prepared to support the bipartisan bill. Ultimately the bill died in committee.
This year, President Biden urged Congress to work on federal privacy legislation in his State of the Union address. The new Congress has taken up the question again this term, with a hearing on “Promoting U.S. Innovation and Individual Liberty Through a National Standard for Data Privacy” in the House Energy and Commerce Committee on March 1st. While a bill that preempts the CCPA will most likely pass the House, the Senate’s commitment to preserving state privacy laws will continue to be an obstacle.
Quandary Peak Experts Understand the Implications of Privacy Law
Our experts provide expert witness testimony in a range of privacy cases, including biometrics, web session capture, and more. Our experience with key technologies like facial recognition, mobile software, and ad tech allows us to efficiently and accurately assess the technical issues in your case.
Quandary Peak’s technical due diligence practice is also prepared to help. The CCPA has significant implications for technology mergers and acquisitions (M&A) and due diligence processes, requiring extra scrutiny and effort in assessing related risks. Startup valuations can be directly tied to privacy practices and risks. We anticipate this will impose new challenges in post-merger acquisition, particularly in data migration and integration.