BREAKING: California Attorney General Xavier Becerra (AG) announced a proposed series of amendments to the California Consumer Privacy Act (CCPA) that would:

  • Expand consumers’ private right of action to include all alleged violations of their rights under the CCPA;
  • Eliminate businesses’ 30-day opportunity to “cure” alleged violations prior to being subject to civil enforcement by the AG (cure provision); and
  • Eliminate businesses’ right to ask the AG’s opinion on how to comply with the CCPA.

The AG’s surprise announcement follows last week’s legislative hearing where both promoters and skeptics of the CCPA testified before the State Assembly’s Committee on Privacy and Consumer Protection. During the hearing, the AG suggested the need for the amendments it unveiled this week.

Key takeaways from the February 20, 2019 State Assembly Hearing

Over the course of a full morning of testimony, CCPA promoters and skeptics shared their views on the good, the bad, and the areas of the CCPA that need to be improved.

  • Amendments to the CCPA – deadlines/implementation concerns. Assembly member Ed Chau, who was the CCPA’s leading Assembly sponsor last year, confirmed in his opening remarks that additional “cleanup” legislation is likely on the way in 2019. Other members of the committee in attendance expressed support for revisiting aspects of the law, but generally did not reveal the changes they thought were needed. One exception to this, Assembly member Marc Berman hinted that amendment efforts might target areas of the law that place excessive compliance burdens on businesses. As an example, he cited the CCPA’s requirement that every covered business create a toll-free number for handling consumer requests for personal information. Multiple panelists who testified before the Committee expressed concern about businesses’ ability to meet the CCPA’s implementation deadlines and/or suggested extending the compliance timeline.
  • Small business impact. The most hotly contested issue at the hearing was the impact of the CCPA on small businesses. Veronica Abreu, Chief Privacy Officer at Square, cautioned that the threshold requirements for small businesses to be required to comply with the CCPA were too low in light of the extremely broad definition of personal information. Sarah Boot of the California Chamber of Commerce and other skeptics who questioned the efficacy of the CCPA as enacted echoed this concern and warned that the costs of CCPA compliance and litigation risk management could cripple small businesses. CCPA promoters Alastair Mactaggart and former Federal Trade Commission Chief Technologist Ashkan Soltani defended the CCPA against the charge that it is overly burdensome for small businesses. Mactaggart maintained that the current thresholds would not impact small businesses as easily as the CCPA’s critics suggested. Soltani argued that businesses who meet the CCPA’s threshold requirements are likely to be crucial actors in the data sales marketplace. He testified that data brokers often turn to small businesses like local pizzerias as reliable sources of accurate consumer information.
  • The private right of action and the 30-day “cure” provision. Also widely debated was the CCPA’s private right of action provision. Stacey Schesser of the AG’s office, Lee Tien of the Electronic Frontier Foundation (EFF), and Nicole Ozer of the ACLU of California (ACLU) advocated expanding consumers’ private right of action. According to the AG, EFF, and ACLU representatives, granting consumers the right to sue for all violations of their rights under the CCPA is necessary to ensure businesses’ compliance with the law. Schesser also expressed the AG’s objection to the CCPA’s cure provision, calling it a “get out of jail free card” that hinders the AG’s ability to protect the public. In response, Boot labeled the current private right of action provision a “class action bonanza” that stands to benefit the plaintiff’s bar without advancing the compliance goals of the CCPA. Similarly, other CCPA skeptics questioned the specific “per consumer per incident” statutory damages amounts prescribed by the CCPA and advocated the addition of safe harbor provisions to protect businesses that suffer data breaches.
  • Household data and the definition of personal information. A major area of concern was the CCPA’s broad definition of personal information. In particular, many skeptics were concerned about “personal information” including information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with” not only individual consumers, but their “household[s].” The chief concerns were for the definition’s dramatic expansion of businesses’ compliance obligations, as well as the possibility that businesses might be required to divulge individuals’ sensitive information, browsing histories, and other personal information to other members of their household.

The Future of the CCPA

Based on the Assembly hearing, it is likely that the AG-supported bill will not be the only proposed amendment to the CCPA this year. With less than a year until the CCPA takes effect in January 2020, uncertainty remains as to what the law will require from businesses and what the risk of noncompliance may be. Rather than waiting for the specific requirements of the CCPA to be set in stone, businesses should be taking stock of their existing practices and consider developing thorough, multi-jurisdictional policies and compliance strategies.