In our last report on the California Consumer Privacy Act (“CCPA”), which expands the rights that California residents have with respect to their personal information, we advised that the state’s Attorney General (“CA AG”) had commenced a series of public forums as it prepares regulations expected to implement the CCPA and establish compliance regimens for regulated businesses.
Seven public forum sessions were held, the last in March 2019. At the conclusion of this consultation process, the CA AG’s Privacy Unit noted that the internal CCPA rule-making process is now underway, and that an initial proposed regulation implementing provisions of the CCPA (a Notice of Proposed Regulatory Action) would issue in the fall.
As this process continues, California legislators have introduced several bills designed to clarify aspects of the CCPA’s scope before the statute’s 1 January 2020 effective date. For example, in February 2019, Senate Bill 561 was introduced, which, among other things, would expand a consumer’s ability to bring a civil action for any violation of rights granted by the CCPA. This provision has not been brought to a vote. Another example is Assembly Bill 25, which, among other things, would exempt from nearly all CCPA requirements any information collected from an individual by a business in the course of that person’s acting as a job applicant, employee, owner, director, officer, medical staff member or contractor of that business. The state Assembly passed AB 25 unanimously, and it remains under consideration in California’s Senate chamber.
As noted in a prior update, Attorneys General and privacy regulators in other states are monitoring California’s rule-making process, as some form of the CCPA and its regulations may be adopted by other states frustrated by the slow pace of federal privacy regulation. For example, in May 2019, Nevada modified its data privacy statute by adding the right of Nevada residents to direct (via email, phone, or online) internet website operators not to sell any covered information the operator previously collected or will collect about the consumer. Most if not all businesses view the risk of continuing patchwork state privacy regulation as militating in favour of a uniform federal privacy standard.