February was a busy month for those monitoring the latest developments with the California Consumer Privacy Act (CCPA). After the month kicked off with a series of California Attorney General Informational Sessions, the California State Assembly’s Privacy and Consumer Protection Committee conducted a hearing with testimony from interested parties, including Alastair Mactaggart (the architect of the initiative that led to the enactment of the CCPA), representatives from the California Attorney General’s Office, public interest groups, and industry groups. This hearing also coincided with the introduction of new proposed amendments to the CCPA that would, among other things, require businesses to disclose an estimate of what they paid or received for the sale of consumer data. The month culminated with the introduction of a Senate Bill that would greatly expand the reach of the CCPA by, among other things, granting consumers a private right of action for all CCPA violations and not just data breach violations. 

California State Assembly Hearing

On February 20, 2019, the California Privacy and Consumer Protection Committee of the State Assembly received testimony from witnesses concerned about the clarity of the language contained in the CCPA, the impact of the CCPA on consumers and businesses, and suggested improvements to the CCPA. The most noteworthy testimony came from Stacey Schesser, Supervising Deputy Attorney General on Consumer Protection. Schesser proposed expanding the CCPA’s private right of action to allow consumers to sue businesses based on all violations of the CCPA and not just for data breaches. In addition, Schesser maintained that businesses should not be entitled to seek compliance guidance from the AG’s Office, and finally criticized the Act’s 30-day cure period as a “get out of jail free” card. As discussed below, Schesser’s comments essentially previewed a proposed amendment to the CCPA that was introduced the following week.

Representatives of various industry groups continued to request that the Legislature amend the CCPA to clarify many of its key components, including whether employee data would be exempt from the CCPA’s definition of personal information, what the alleged exception to the CCPA’s nondiscriminatory provision actually means, and to limit the definition what constitutes personal information under the CCPA. While it is possible that this testimony will lead to the introduction of bills proposing clarifying language, all of the recent legislative activity has been focused on language to expand consumer protections under the CCPA.

Senate Bill AB 561

Consistent with Schesser’s testimony before the Assembly, on February 25, 2019, Attorney General Xavier Becerra and State Senator Hannah Beth Jackson introduced Senate Bill 561. If passed, SB 561 would amend the CCPA as follows:

  • The Attorney General’s office would no longer be required to issue advisory opinions to individual businesses. Instead, the Attorney General would be permitted to “publish materials that would provide businesses and others with general guidance on how to comply with the [CCPA].”
  • Businesses would no longer have a 30-day right to cure a CCPA violation. Although it is unclear how businesses could cure certain violations of the CCPA, it is notable that the Legislature seems intent on doing away with a safe harbor provision that is common in many California consumer laws.
  • Finally, and most importantly, SB 561 would expand the private right of action to cover any violation of the CCPA. If implemented, this would dramatically increase the litigation risks that businesses will face and will likely lead to an increased call from industry groups for the federal government to issue legislation that will effectively preempt the CCPA.

Additional California Legislation

Although SB 561 was the most notable legislative proposal, other bills relating to the CCPA were also introduced in the Assembly on February 20, 2019.

  • AB 846 addressed industry concerns the customer loyalty programs would be effectively prohibited under the CCPA based on the CCPA’s prohibition on non-discriminatory services. AB 846 “would clarify that the California Consumer Privacy Act of 2018 does not prohibit a consumer from choosing to participate in a customer loyalty program that offers incentives such as rewards, gift cards or certificates, discounts, or other benefits and would further clarify that a business that offers a customer loyalty program may continue to offer rewards, gift cards or certificates, discounts, or other benefits associated with a customer loyalty program in a manner that is reasonably anticipated within the context of a business’s ongoing relationship with a consumer.” Although AB 846 is a positive step forward in the sense that it validates the continuing existence of rewards programs, it does not resolve the confusion surrounding the CCPA’s prohibition of non-discriminatory pricing on the one hand while purporting to allow businesses to offer different prices, rate, level, or quality of goods or services if that price or difference is “directly related to the value provided to the consumer by the consumer’s data.
  • AB 950 seeks to impose additional obligations on businesses collecting data from California consumers by requiring them to disclose the average monetary value to the business of that data, and, in cases where the business sells consumer data, to disclose, upon receipt of a verifiable request, the actual price that it received for the consumer’s data.

Dykema’s Take

The key takeaway is that the Legislature is so far focused almost entirely on revising the law to ensure that it is more consumer friendly.  While businesses have been requesting numerous clarifications for months, the Legislature’s focus appears to be on the Attorney General’s and consumers’ requests first.  Entities—including businesses, service providers, and third parties, who receive consumer (broadly defined a California resident) data—must be increasingly aware of their obligations under the CCPA because California’s Legislature has made it clear that come January 1, 2020, there will be increased risks for those who do not comply. In light of a 12 month lookback period under CCPA, that risk could expand to consumer data received in 2019.

To sign up for Dykema’s Privacy and Data Security Blog e-mail updates, please click here.