State of the Union: CCPA and Beyond in 2020

Data Protection Report - digital privacy, CCPA and cybersecurity

On New Year’s Day, you may have received emails from numerous companies saying their privacy policies have changed, or noticed a link at the bottom of many companies’ homepages stating “Do Not Sell My Info.” These are two of the more visible requirements of the California Consumer Protection Act (CCPA) and companies are still in the process of rolling out other requirements. For those of you that are in the EU or doing business with companies that offer products or services to EU residents, this might have felt like the movie “Groundhog Day.”

To understand the various approaches to CCPA compliance, we reviewed the websites of 50 companies in the Fortune 500® and noticed a few trends:

Most companies do not have a “Do Not Sell My Personal Information” Button on their homepage. Only a quarter of the companies we reviewed included the “Do Not Sell My Info” button/link on their website homepages and only a few companies had the link in a conspicuous size or color. The majority of companies that did include the button/link were in the retail sector. Note: the button/link is only required if the business “sells” personal information and many companies may still be finalizing their CCPA programs. In addition, we note that certain websites are using geofencing, which means the website may not display the “Do Not Sell” link or pop-up notice for the revised privacy policy if the website visitor is using an IP address that is registered outside of California. This should be taken into consideration when researchers are conducting a review of the websites or if a California resident is looking to submit a CCPA-related request while traveling outside of California.
Companies are approaching “sale” very differently. The CCPA requires that businesses disclose whether or not they sell Personal Information (PI). The companies we reviewed that included this disclosure did so in various ways, such as: “we do not sell your PI to marketing companies,” “we do not sell your PI to third parties,” “we do not sell your PI for discounts,” and, more affirmatively—“we do not, have not, and will not sell your PI.” A few companies simply included CCPA’s broad definition of sale in the privacy policy and stated that under CCPA’s definition, “a sale may or may not have occurred.”
Companies are split on whether to offer CCPA rights to non-California consumers. Many companies’ privacy policies explicitly state that requests will only be processed for California residents and often the first question on their online web request form is “are you a California resident?” Some companies are offering CCPA rights to all consumers while many others do not specifically mention their scope, but enable any user to submit a request.
Many companies are providing a California-specific notice. About half of the companies we reviewed created a separate privacy policy or notice for California consumers. This is often included as a link at the bottom of the homepage next to the privacy policy, or in a California-specific section of the privacy policy. Given that other states are actively considering CCPA-like legislation, these businesses may ultimately consider consolidating these policies to avoid rolling out additional state notices.
Companies are offering different methods to submit requests. Most companies we reviewed offer an online web request form for consumers to submit their CCPA requests. Typically, the same online form is used regardless of the type of request (e.g., access, deletion, or opt-out) and a few companies seem to use the same tool, third party, and/or infrastructure for GDPR requests. In addition, about half of the companies we reviewed simply direct consumers to their standard company contact information page to submit requests (e.g., email, phone, mail). Another handful of companies, mostly technology companies, direct users to their online privacy portal where they can submit requests and control their privacy settings manually.
Many companies are not in full compliance with the proposed regulations. On October 10, 2019, the California Attorney General (AG) issued for public comment the Proposed Text of Regulations to clarify components of the CCPA. Although the proposed regulations are not final, many companies we reviewed have not implemented various aspects of the proposed regulations.
The information requested for the verification process is generally consistent. Most companies are requesting similar information to verify requests and requesters, including, at a minimum, name, email address, phone number, postal address, as well as a CAPTCHA challenge or confirmation email. There are a few outliers; however, with some companies requesting notarized signatures, social security numbers, VIN numbers, and others refusing to accept requests unless the user has an account with the company.

In summary, companies are taking very different approaches to CCPA compliance. While many companies have embraced the spirit of the law (e.g., sending courtesy emails describing CCPA rights, updating their privacy policies, and/or implementing the “Do Not Sell” link), the specifics are much more complex. We encourage you to review our data protection report blogs and contact us on how to help your business become CCPA compliant. We have our cross-referenced CCPA-related articles below.

Below is what we expect in terms of new legislative activity at the state and federal level in 2020.

Ballot Initiative

Even before the CCPA has gone into effect, another ballot initiative was filed with the California AG on September 25, 2019, and an amended ballot initiative was received by the AG on November 13, 2019. This version has some potential surprises for companies subject to CCPA and is worth monitoring.

For example, the initiative would potentially extend the 12-month “look-back” period so that a consumer could request data from more than 12 months prior to the request with respect to information collected on or after January 1, 2022. In addition, the “Do Not Sell My Personal Information” link would change to “Do Not Sell or Share My Personal Information,” and there would be a second link called “Limit the Use of My Sensitive Personal Information.”

For a more in-depth summary of the ballot initiative, please review our blog post, available at https://www.dataprotectionreport.com/2019/12/here-we-go-again-another-ballot-initiative-for-ccpa-in-2020/.

California State Legislature Activity

The California state legislature will continue to amend the CCPA and to pass other privacy-related bills in 2020. On January 6, 2020, AB 713 was amended to become a first CCPA bill of 2020.* If passed, AB 713 would exclude the following from the CCPA scope:

Information that was deidentified in accordance with the HIPAA “safe harbor,” derived from protected health information, individually identifiable health information, or identifiable private information, consistent with specified federal policy.
A business associate of a covered entity, as defined, that is governed by federal privacy, security, and data breach notification rules if the business associate maintains, uses, and discloses patient information in accordance with specified requirements.
Personal information that is collected for, or used in, biomedical research subject to institutional review board standards and the ethics and privacy laws of an identified federal policy, specified clinical practice guidelines, or human subject protection requirements of the United States Food and Drug Administration (FDA).
Personal information of certain types that is collected for, or used in, research, as defined, and, as specified, personal information collected by a business for purposes of product registration and tracking regulated by the FDA, specified public health activities, or quality, safety, or effectiveness compliance regulated by the FDA.

In addition, AB 713 would require a business that sells or discloses information that was deidentified in accordance with specified federal law, was derived from protected health information, individually identifiable health information, or identifiable private information to disclose whether the business discloses deidentified health information derived from personal information and if so, whether that information was deidentified pursuant to specified methods. We will closely monitor AB 713 for additional updates and movement.

In addition to industry-specific bills like AB 713, we expect other bills to be introduced in California, including proposals to amend the employee privacy rights and processing of B2B data under the CCPA, which are set to expire on January 1, 2021. We are also monitoring California’s IoT security bill (SB 327), which went into effect on January 1, 2020 and requires manufacturers that sell connected devices in California to equip the device with reasonable security features.

Because 2020 is an election year, the legislative session in California is a bit shorter than last year. In 2020, August 31 will be the last day for each house of the California legislature to pass bills. September 30 will be the last day for the Governor to sign or veto bills passed by the legislature before September 1 and in the Governor’s possession on or after September 1.

What’s Next?

This year and beyond, expect rapid developments in the US privacy landscape—and not just in California. Nevada has already enacted a law requiring businesses to offer consumers a right to opt-out of the sale of their personal information (SB 220), and the proposed New York Privacy Act (S5642) would require businesses to “act in the best interest of the consumer” as it pertains to data processing, and imposes “data fiduciary” obligations on companies, requiring them to contractually pass along duties of care, loyalty and confidentiality to any recipients of personal information. Several other states, including Massachusetts (SD 341), New Hampshire (HB 1680-FN), and Virginia (HB 473) have proposed legislation with data privacy rights similar to CCPA. Notably, the New Hampshire bill is almost identical to CCPA (including a private right of action for security breaches) but does not include either the “employee” or “B2B” exceptions; and the Virginia bill merges GDPR principles with CCPA aspects.

We can also expect the debate to continue at the federal level. Especially given how fragmented the state privacy laws have become, we are expecting more industry push for federal action. Congresswomen Anna Eschoo and Zoe Lofgren recently introduced the Online Privacy Act (H.R. 4978), which would essentially bring CCPA rights to non-California residents, as well as additional user rights, such as the right to choose how long data can be kept and opt-in consent for the use of data for A.I. algorithms.

As most organizations are gearing up for the new year, many privacy practitioners will be simultaneously racing to complete compliance activities. Given the number of pending state and federal legislation in this area, we expect privacy to be a major legal consideration well into 2020. For a more global and EU-centered list of new years’ resolutions for privacy officers, please review our blog post, available at: https://www.dataprotectionreport.com/2020/01/the-privacy-officers-new-years-resolutions/#more-4619.

———————————————-

*AB 713 was originally introduced in February 2019 as a bill relating to mental health. It passed the Assembly in 2019, but was amended in January in the Senate to include CCPA terms. Consequently, if this bill passes the Senate, it will need to return to the Assembly, or the two houses will need to reconcile the differences in the bills.