What can we learn from the new California privacy law? To a privacy layperson, this is clearly a timely question given the intense legislative activity that has come out of the Golden State in the past couple of years.
How the new California Privacy Law came about
Since the California Consumer Privacy Act of 2018 (CCPA) was adopted, several sets of draft regulations have been passed by the California Attorney General, often to clarify some of the CCPA’s provisions, which clearly needed to be amended and restated.
This is not surprising, as the CCPA was, after all, passed with a bit of urgency under a hard deadline to enact the bill in time to withdraw the November 2018 ballot initiative. This rush resulted in a compromise, the AB 375 statute, which combines the initial ballot initiative and the original AB 375 bill’s text, and led to the drafting of sometimes contradictory and confusing terms.
The rush to legislate this new California privacy law was further fueled by continued pressure from various industry groups arguing that the new law hinders innovation by placing too many operational hurdles in front of companies seeking to comply.
As a result, what would normally sound like a rather simple question, “What is the new California privacy law?”, does not call for a simple answer. Indeed, the California legislature revisited the CCPA – which was passed on June 28, 2018 – just two months later to address drafting errors and make minor amendments and clarifications with Senate Bill 1121, which was passed into law on September 23, 2018.
Debate about the CCPA’s scope and requirements continued in the State’s 2019 legislative session. By the session’s end in October 2019, Governor Newsom signed six bills into law that amended or altered the CCPA’s scope. Several other CCPA-related amendments were considered in 2020, leading to the passing into law of three new bills in late September 2020 (AB 713, AB 1281, and SB 1371).
Focus on the latest CCPA modifications
In parallel, following the adoption of the CCPA in June 2018, the California Attorney General’s office released successive sets of modifications to the initial CCPA regulations of October 11, 2019. In the space of a few months, from February 10 to December 10, 2020, no fewer than four sets of modifications to the Act’s Regulations were released.
For more information on the key provisions of the CCPA and how to comply with them, please read my article. For an explanation of some of the key modifications to the draft CCPA regulations, please read my article on this topic.
While all these modifications were being introduced, and directly in response to legislative efforts to water down the CCPA, Alastair Mactaggart, the sponsor of the 2018 CCPA ballot initiative, and his Californians for Consumer Privacy advocacy group filed another ballot initiative in November 2020 for a voter-enacted statute to amend and expand the CCPA and bring it closer to the original scope of the first ballot initiative.
On November 3, 2020, California voters approved the California Consumer Privacy Rights Act of 2020 (CPRA), which amends the CCPA in a number of areas, bringing it even closer to the 2016 European General Data Protection Regulation (GDPR). For a comparative analysis of some of the key differences between the CCPA and the GDPR, please read my article on this topic.
Most of the CPRA’s substantive CCPA amendments do not take effect until January 1, 2023. However, except for access requests, the CPRA’s new obligations will apply to all personal information of California residents collected by businesses on or after January 1, 2022. For more information on the key provisions of the CPRA, I invite you to read my article on this topic.
In conclusion, to the simple question of “What is the new California privacy law?”, one can only provide a complicated answer. The new California privacy law is a combination of the CCPA, the CCPA Regulations, and the CPRA’s new requirements. Any business doing business in California should therefore craft its privacy compliance roadmap in adherence to a multi-faceted and multi-layered legislative and regulatory framework. Companies that have already brought their processing activities into compliance with the GDPR could certainly leverage their GDPR compliance efforts as part of the transatlantic privacy compliance roadmap. For more information on this, read my articles in French and English.