Changes to the California Consumer Privacy Act put forward by regulators were approved in late March, ushering in a new era of privacy regulations for businesses operating in the state.
The revised provisions expand consumer rights and introduce additional compliance challenges for businesses.
The modifications to the CCPA, the first and most comprehensive state privacy law in the United States, raise the bar for organizations seeking to keep up with the evolving privacy landscape.
Meanwhile, several other states have data privacy laws coming online in the months to come, and there remains discussion in Congress about a national privacy law.
In California, the CCPA gives consumers in the state more control over the personal information that businesses collect about them.
The law took effect at the start of 2020, about a year and a half after the European Union's privacy law, the General Data Protection Regulation.
In November 2020, California voters approved a proposal to amend the CCPA. The California Privacy Rights Act built upon the CCPA by adding a new concept — sensitive personal information — and also by imposing new requirements around data sharing.
In the most recent revision of California's law, the state agency tasked with enforcing data privacy announced final regulations on March 30 to implement the amended CCPA.
One of the biggest impacts of the regulations is that they provide clarity to the areas where there were questions, Rachael Ormiston, head of privacy for the data privacy platform Osano, told Legal Dive.
Joan Stewart, a partner in the Washington, D.C., office of Wiley Rein, identified the top three considerations for businesses facing the new Golden State requirements.
First, more businesses will have to comply, Stewart said.
Previously, California’s privacy law only applied to consumers. The law exempted business contacts and employees’ personal information as well as business data. The new law expands the scope of the law to include “those two buckets of individuals,” she said.
Also, if you only operated in a business-to-business environment, then the law probably didn’t apply, Stewart said.
Now, she said, you have to look at the personal information you collect from those business relationships and also factor in the personal information you collect from employees and how you are using that information.
“That’s going to pull in a lot of businesses,” Stewart said.
Second, universal opt-out requests cannot be ignored.
Stewart said the implementing regulations, together with California Attorney General Rob Bonta's Sephora enforcement agreement last year, made it clear that universal opt-out signals have to be honored.
The Sephora settlement resolved allegations that the beauty and personal care product retailer violated the CCPA.
The AG alleged that Sephora didn't disclose to consumers that it was selling their personal information, didn't process user requests to opt out sent via user-enabled global privacy controls, and didn't cure the violations within the 30-day period the law then allowed.
Bonta called technologies like Global Privacy Control “a game changer” for consumers but only if companies are upfront about their use of data. “These rights are meaningless if businesses hide how they are using their customer's data and ignore requests to opt out of its sale,” he said.
Global Privacy Control is a setting in some browsers and browser extensions. When it is enabled, the browser sends a signal with each request telling the website not to sell or share the user's personal data. Some companies treated that signal as optional and ignored it.
Covered organizations must have a mechanism in place right now to handle universal opt-out requests, Stewart said.
“It’s going to be a struggle for a lot of businesses to implement,” Stewart said, because not all browsers have integrated a global privacy signal.
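For engineers building the mechanism Stewart describes, the following is an added example, not code from the article or from any of the companies it mentions. It shows server-side handling of the GPC signal: the browser sends the HTTP request header `Sec-GPC: 1` and exposes the same setting to page scripts as `navigator.globalPrivacyControl`. The headers object is assumed to be a plain name/value map as a Node-style web framework would provide, the tag list and the `optedOutByChoice` flag (the site's own stored preference from a "Do Not Sell or Share" link) are constructed for illustration, and the function names are this example's own.

```javascript
// Added example: honoring the Global Privacy Control (GPC) opt-out signal.
// Assumptions: `headers` is a plain object of request header names to values;
// the TAGS list and the optedOutByChoice flag are constructed for illustration.

// Third-party tags the site would normally load. `crossContextAds` marks tags
// that disclose personal information for cross-context behavioral advertising,
// i.e. "sharing" in the CPRA sense, which an opt-out must stop.
const TAGS = [
  { name: 'first-party-analytics', crossContextAds: false },
  { name: 'ad-network-pixel', crossContextAds: true },
  { name: 'retargeting-sdk', crossContextAds: true },
];

// Returns true only for a valid GPC signal. The specification defines the
// header as "Sec-GPC: 1"; any other value (e.g. "0", "true") is not a signal.
// Header names are case-insensitive, so match on a lowercased name.
function gpcSignalPresent(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === 'sec-gpc') {
      return String(value).trim() === '1';
    }
  }
  return false;
}

// Client-side equivalent: the browser exposes the setting as a boolean
// property on navigator. Defaults to false where navigator is absent (Node)
// or the browser has not implemented GPC, which is the case Stewart raises:
// absence of the signal is not an opt-in, it just means no signal was sent.
function clientSignalsOptOut(nav = globalThis.navigator) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Decide which tags may load for one request. The GPC signal and the site's
// own recorded choice are both honored; either one is sufficient to opt out.
function resolveTagPolicy({ headers = {}, optedOutByChoice = false } = {}) {
  const viaSignal = gpcSignalPresent(headers);
  const optedOut = viaSignal || optedOutByChoice;
  return {
    optedOut,
    // Recorded so the decision can be shown to a regulator or auditor later.
    source: viaSignal ? 'gpc-header' : optedOutByChoice ? 'site-preference' : 'none',
    allowed: TAGS.filter((t) => !(optedOut && t.crossContextAds)).map((t) => t.name),
  };
}

// Stand-alone demonstration with a constructed request carrying the signal.
console.log(JSON.stringify(resolveTagPolicy({ headers: { 'Sec-GPC': '1' } })));
// → {"optedOut":true,"source":"gpc-header","allowed":["first-party-analytics"]}

module.exports = { TAGS, gpcSignalPresent, clientSignalsOptOut, resolveTagPolicy };
```

Two design points matter in practice. First, the signal is evaluated on every request rather than once at login, because a user can enable GPC at any time and the regulations require the request to be honored when it is received. Second, the policy records where the opt-out came from; when enforcement starts, being able to show that a given request was processed is as important as processing it.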
Kara Hilburger, senior counsel at Octillo, a boutique law firm based in New York that focuses exclusively on data privacy and security, said in an email to Legal Dive that the CPRA extended requirements from data selling to include data “sharing.”
The CPRA defines data sharing as “renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating a consumer's personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration.”
Under the CCPA, many businesses relied on the fact that they were not engaged in traditional “selling” of consumer data to avoid complying with this clause, Hilburger said.
However, with this expanded definition as well as the Sephora agreement, businesses should review existing data sharing relationships to determine whether a contract is required and whether consumers should be provided data rights.
In addition, businesses should consider whether they may also need to include a link on their website saying “Do Not Sell or Share My Information” or provide an alternative method of opting out as specified in the CPRA regulations.
Another concern for California businesses is “double enforcement,” Stewart said.
Businesses that violate the privacy requirements could face the ire of both the state’s attorney general and the newly formed California Privacy Protection Agency.
Enforcement of the CPRA amendments begins July 1, which is also when the California Privacy Protection Agency joins the AG in enforcing the state's privacy law.
“It’s really important that companies revisit their compliance plan,” Stewart advised.
Other privacy laws
California businesses won’t be the only ones grappling with new privacy compliance requirements in the months to come.
Colorado's and Connecticut's privacy laws take effect July 1. Utah's privacy law takes effect later this year, on Dec. 31.
The Virginia Consumer Data Protection Act went into effect on Jan. 1.
Additionally, a federal privacy law has been a subject of debate in Congress. Last year, a bill made some legislative progress on Capitol Hill but it didn’t get over the finish line.
The federal legislation has its detractors. California elected officials and the California Privacy Protection Agency have opposed the portion of the federal proposal that could preempt state privacy laws and regulations.
Gov. Gavin Newsom, Bonta and the CPPA have called on Congress to “set the floor and not the ceiling in any federal privacy law, and to allow states to provide additional protections in response to changing technology and data privacy protection practices.”