We last checked-in on the California Consumer Privacy Act (CCPA) a little less than six months ago, shortly after the law went into effect. Since then, there’s been a lot of effort poured into refining and clarifying the law; two updates to the law’s implementing regulations and an entire new draft ballot initiative, to be exact. Good news for those seeking interpretation on the numerous ambiguities the App Association and others highlighted, right? Well, not exactly. To be frank, there is arguably more uncertainty about the future of this law than ever before. Follow along as we walk you through what has changed, what has stayed the same, and what is on the horizon for CCPA.
**For those that are newer to CCPA, check out our CCPA Primer at the end of this post, which has been updated to stay current with guidance offered in the Final Regulations**
What Has Stayed the Same: Enforcement Deadline
When Governor Brown signed CCPA into law in October 2018, the plan was to have the California Attorney General (CA AG, AG Becerra) begin enforcement on July 1, 2020. With the law going into effect on January 1, 2020, businesses would theoretically have a six-month lead time to come into compliance with the law and accompanying regulations before enforcement began. Unfortunately, numerous complications have arisen since then, which have eroded much of the benefit of that gap.
First, AG Becerra’s lengthy rulemaking process (which is only just beginning to wind-down; see below) has deprived businesses of the chance to study and come into compliance with the set of Final Regulations prior to the beginning of enforcement. As the rulemaking process dragged on, some stakeholders called for a delay of the enforcement start-date (and were quickly rebuffed) so that they would have more time to digest the Final Regulations. Then, shortly after AG Becerra reaffirmed the statutory enforcement start-date, COVID-19 hit – freezing the national economy and throwing thousands of small businesses into disarray. Yet even as businesses argued that they could barely afford to pay rent, let alone devote resources to comply with a lengthy and complicated law, AG Becerra again refused to entertain notions of a delayed enforcement start-date.
So, despite the tumultuous start to the year and long-delayed Final Regulations, enforcement will indeed begin on July 1.
What Has Changed: Final Regulations Released
On June 1, AG Becerra submitted the final version of CCPA’s implementing regulations to the California Office of Administrative Law (OAL) for approval. Normally, the OAL would take action on rules submitted on June 1 by October 1 of that calendar year. However, in this case AG Becerra requested an expedited review process in hopes that OAL could approve the regulations by the enforcement start-date of July 1. It is currently unclear whether the OAL will complete the review in time, and any slippage between approval of the regulations and July 1 would result in AG Becerra wielding enforcement authority (which he recently reiterated he intends to use no matter what OAL decides) even though businesses do not have effective Final Regulations to guide their compliance.
Setting aside the logistical trials and tribulations, the Final Regulations do touch on a few issues relevant for app developers, clarifying the law in some areas but leaving ambiguity in others.
Definition of Sale
We previously earmarked the definition of “sale” as an area of ambiguity within the law. In CCPA, “sale” is defined as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information to another business or a third party for monetary or other valuable consideration.” What constituted “valuable consideration” was left undefined in the law, potentially leading to confusion about transactions that do not involve monetary exchanges. The Final Regulations decline to further define “valuable consideration” and in the Statement of Reasons accompanying the Final Regulations, AG Becerra explained, “the CCPA’s use of the terms ‘valuable’ and ‘consideration’ are reasonably clear and should be understood by the plain meaning of the words.” In reality, it will likely take the continued development of case law to clarify this issue in the long run.
“Do Not Sell My Personal Information” Button
CCPA carved out authority for the CA AG to establish rules to design a uniform “Do Not Sell My Personal Information” button that businesses could use to comply with the law’s provisions on the right to opt-out of the sale of personal information. However, the design proposed in the first round of draft regulations was poorly crafted and potentially could have misled consumers into thinking they had made a privacy choice when they had not. In a series of user testing studies, INF Privacy Fellow Lorrie Cranor discovered that many users found the proposed button confusing and that alternative approaches may better communicate the information. Thanks to diligent work from Dr. Cranor, AG Becerra has since backed off from the button design and is working on a new version that could be incorporated into future regulations.
Customer loyalty programs were another area we previously noted needed further clarification. Under CCPA, businesses may not discriminate against consumers who exercise their rights under the law by charging a “different price or rate, or providing a different level or quality of goods or services to the consumer” unless that difference “is reasonably related to the value provided to the consumer by the consumer’s data.” Many believed this imperiled customer loyalty programs, since: (1) many such programs require personal information to confer the benefits to the customer; and (2) establishing that the value of the program is reasonably related to the value of the consumer’s data could be difficult in practice. On the first point, the regulations clarify that so long as businesses allow consumers to exercise their right to know, delete, or opt-out of non-program related uses of their data and still participate in the program, loyalty programs will not be considered discriminatory under the law. On the second point, the regulations provide eight methods businesses can use to determine the value of a consumer’s data, including a catchall method, “[a]ny other practical and reasonably reliable method of calculation used in good faith,” that should suffice when calculating precise monetary value of the data is not feasible.
What Is on the Horizon: CCPA 2.0
On May 4, 2020, Californians for Consumer Privacy, a group led by CCPA ballot initiative drafter Alastair Mactaggart, announced that they had submitted a new ballot initiative to be included on the November 2020 ballot. The initiative, the California Privacy Rights Act (CPRA) would replace and expand upon CCPA by creating additional obligations on businesses that handle personal information. Polling shared on the Californians for Consumer Privacy website shows that the initiative has a strong chance of approval by voters. While we won’t go into specific provisions here, it suffices to say that CPRA goes far beyond what is currently contemplated in CCPA in several areas. If approved by voters, the initiative would become law and go into effect on January 1, 2023.
Notably, though Californians for Consumer Privacy amassed far more than the requisite 625,000 signatures to qualify for inclusion on the November ballot, we do not yet know if the measure will receive approval for the ballot this year. Due to a filing delay on Mactaggart’s part, California election officials technically would not have to complete their mandated signature validation process by June 25, the last day for ballot measures to qualify. Mactaggart is currently seeking a court order to ensure that state officials complete the sampling process ahead of the deadline, but it is unclear if the court will grant his request.
Regardless, the App Association will remain attentive to developments regarding the CPRA and will continue to serve as a resource to keep you updated on any further updates to CCPA. If the past is prologue with this law, there is sure to be plenty to report.