Collection of tech companies support changes to CA privacy act that bring it closer to GDPR
Proposed changes include moving from an opt-out to an opt-in consent framework for personal data use.
The California Consumer Privacy Act (CCPA) is set to take effect next year and is likely to become the de facto national privacy standard for online publishers and marketers. Ahead of this deadline, however, competing groups are lobbying for changes in its terms.
AB 1760 looks more like GDPR. A recently proposed amendment in the California legislature (AB 1760) would make major changes to CCPA, effectively repealing and replacing it with something that imposes stricter obligations on companies and has more teeth — much more consistent with Europe’s GDPR. It would allow an additional year for implementation and not go into effect until January 2021.
A group of 23 technology companies, led by DuckDuckGo, has submitted a letter in support of the changes. The bulk of the signatories are not household names. Major internet companies, many of which oppose CCPA in its existing form, did not sign the letter.
Proposed changes make the law tougher. Below are some of the major proposed changes to CCPA at a high level:
- The name would change from CCPA to “Privacy for All Act of 2019” (PAA), and the effective date of the law would be delayed until January 1, 2021, to allow more time for preparation and compliance.
- CCPA has an opt-out consent framework; that would change to opt-in for personal data sharing. The new rules would prevent companies from sharing or selling a consumer’s personal data without prior authorization.
- It carries tougher disclosure obligations for companies. For example, businesses would need to disclose specific pieces of personal data (as opposed to categories) as well as the specific third parties that are receiving the data.
- Consumers who exercise their rights cannot be refused access to services or charged different prices. Conversely, this raises a question about whether companies could offer incentives for data sharing (e.g., discounts).
- Companies could not refuse a consumer request to delete personal information from their databases. There could only be delays for permissible reasons under the statute. Significantly, businesses would be required to delete all data related to that consumer in their possession regardless of how it was acquired (first party vs. third party).
- Data retention rules would look much more like GDPR: only what’s reasonably necessary for the stated use case.
- There are a range of stronger enforcement provisions and consumer legal remedies, increasing potential liability for violations.
Why you should care. It’s not yet clear whether the amendment will pass. However, if it does, a tough law will get even tougher and effectively create a GDPR-like framework for personal data in the U.S. Congressional action that could pre-empt the California law is unlikely before the 2020 election. (As more people find out about AB 1760, pressure will mount for Congress to act.)
GDPR is a year old this May. It has not proven to be the data cataclysm that many feared. Accordingly, companies shouldn’t panic about CCPA or AB 1760 but educate themselves about the existing California privacy rules and the proposed amendment. If the latter comes to pass, there will be an additional year to get ready, which almost nobody is doing right now anyway.
Companies that went through the GDPR compliance process will be in a much stronger position than those that did not. And unless Congress enacts new privacy legislation (unlikely), the California law(s) will be unavoidable.