DBR Kicks Off Its Year-Long CCPA Webinar Series … While the CA AG Seeks Public Input on the CCPA and Lawmakers Propose Changes to It.
DBR’s CCPA Webinar Series Kicks Off
The end of February marked the beginning of Drinker Biddle’s nine-part webinar series on the new California Consumer Privacy Act of 2018 (CCPA) — one of the most significant data privacy laws in the United States.
Compliance with the new law will require considerable knowledge and effort. Our webinar series delves into the complex details and strategies that companies doing business in the state need to know. The series will feature a panel of CCPA professionals from Drinker Biddle’s Information Privacy, Security and Governance team, including Peter Blenkinsop, Jeremiah Posedel, Reed Abrahamson, and others.
The first webinar held on February 27 provided a comprehensive overview of the CCPA, including the obligations and limitations imposed on businesses that collect and process personal data of California residents, the rights of such residents, and the enforcement mechanisms and potential penalties available under the act. The DBR team also highlighted some key open issues that will hopefully be addressed or clarified by California regulators before the law becomes operative on January 1, 2020. For those who were unable to attend, a recording of the webinar and a copy of the presentation materials are available here.
Future CCPA webinars are set for:
- April 3, 2019
- May 8, 2019
- June 12, 2019
- July 17, 2019
- August 21, 2019
- September 25, 2019
- October 30, 2019
- December 4, 2019
Sign up here to receive updates and learn more about our CCPA webinar series.
California AG Seeks Input on CCPA
Under the CCPA, the California Attorney General is required to solicit broad public participation and adopt regulations to further the purposes of the CCPA on or before July 1, 2020. In furtherance of this mission, the AG’s office decided to host a series of public forums throughout California in order to collect stakeholder input, including with respect to the seven statutorily mandated subjects of rulemaking.
Participants at the forums, which began in January and will end with the seventh and final forum on March 5 at Stanford Law School, commented on a wide array of topics. However, the AG’s office did not respond to comments at the forum and no guidance was provided regarding potential CCPA regulations or compliance generally. Instead, the AG’s Office limited its comments to a prepared presentation (available here) regarding the rulemaking process and an overview of the seven rulemaking areas:
- Categories of Personal Information
- Definition of Unique Identifiers
- Establishing Exceptions Necessary to Comply with State or Federal Law
- Rules for Opt-Out of Personal Data Sale
- Adjustment of Monetary CCPA Coverage Threshold
- Rules for Privacy Notices and Information
- Rules for Verifying Customer Requests
Information regarding the rulemaking process will be posted on the AG’s website here. If you would like to receive notifications regarding future rulemaking activities from the AG’s Office, please subscribe to the AG’s email list here. Interested persons can submit written comments via email to the California Department of Justice at firstname.lastname@example.org.
Amendments Introduced to “Strengthen and Clarify” the CCPA
On February 22, California’s Attorney General and State Senator Hannah-Beth Jackson introduced legislation (SB 561) that would purportedly “strengthen and clarify” the CCPA by (1) expanding the CCPA’s private right of action to any violation of a consumer’s CCPA rights, (2) eliminating the right of businesses and other organizations to seek the opinion of the AG’s office regarding CCPA compliance, and (3) removing the existing 30-day cure period available to businesses that receive notice from the Attorney General that they are in violation of the act.
Specifically, SB 561 amends the CCPA as follows:
- Under Section 1798.150 of the CCPA grants consumers a private right of action when such consumer’s non-encrypted or non-redacted personal information is breached as a result of the business’s failure to implement and maintain reasonable security procedures. SB 561 expands the private right of action to include any other violation of the consumer’s rights under the CCPA.
- Section 1798.155(a) of the CCPA provides that a business or third party may seek the opinion of the AG for guidance on how to comply with the requirements of the CCPA. If amended, businesses would no longer have the right to seek such guidance from the AG and the AG would have the option (but not the obligation) to provide general guidance on how to comply with the provisions of the CCPA.
- Section 1798.155(a) of the CCPA states that a business is in violation of the act if it fails to cure any alleged violation within 30 days after being notified of alleged noncompliance by the AG . SB 561 eliminates this cure period, allowing the AG’s Office to immediately file suit for any alleged violation of the CCPA. However, the bill does not alter the 30-day notice and cure period that applies to private actions.
If passed as drafted, these amendments would certainly strengthen the ability of consumers (and plaintiffs’ lawyers) to seek redress for any potential violation of their rights under the CCPA. However, passage of SB 561 would result in less clarity for businesses seeking guidance on the often-ambiguous requirements of the CCPA, while simultaneously stripping the limited protection from AG enforcement actions afforded to businesses that may unintentionally violate the CCPA due to such ambiguities and lack of guidance, despite their efforts to promptly cure any su ch violations.
We will continue to monitor and update you on the status of SB 561 and any other CCPA developments as they unfold.