Businesses across the country expect Governor Gavin Newsom to sign off on new amendments to the California Consumer Privacy Act (CCPA) in the next few weeks. After last month’s state legislature session, many experts felt that the amendments were just modest updates and, in many cases, existing rules will remain largely unchanged. But even slight updates to CCPA could send shockwaves across the state.
The new law will apply to any business that generates over $25 million in gross revenue; derives at least half of its annual revenue from selling customers’ personal information; or buys, sells or shares personal information from at least 50,000 consumers, households or devices. CNBC’s Lauren Feiner reports that even small emendations to the CCPA could cost those companies upwards of $55 billion to become or remain compliant. Such compliance costs could, however, be reduced for those California companies that made efforts to comply with Europe’s General Data Protection Regulation (GDPR) when it came into effect last year. (You can download our Introductory Guide to GDPR Compliance for more information.)
The International Association of Privacy Professionals has maintained an ongoing tracker of CCPA amendments, which you can see here. But for a quicker read, we’ve selected just a handful of the new rules that could affect a wide variety of companies. Here are three amendments you should follow closely over the coming months.
Data Brokers Must Register with the Attorney General
One of the most striking amendments is AB-1202, which would require data brokers to register with the Attorney General. A data broker is defined as a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship. Ultimately, this new public data broker registry will give consumers access to information about how their personal information is being used.
But ensuring compliance might be an uphill battle for companies that do business in the state of California. Although most of the requirements for data brokers seem fairly straightforward, many other rules in the bill are quite vague. One such rule states that companies should provide “any additional information or explanation the data broker chooses to provide concerning its data collection practices.” If AB-1202 is signed into law, it will be interesting to track how the state enforces many of the abstract rules associated with it.
Additional Protections for Consumers Under the Age of 13
The California Consumer Privacy Act of 2018 prohibited businesses from collecting the personal information of anyone under the age of 16 without the consent of their parent or legal guardian. However, it became clear during last month’s legislative session that many lawmakers feel these restrictions aren’t strong enough.
Amendment AB-1138 would prohibit social media platforms from allowing any user under the age of 13 to create an account without the consent of that child’s parent or legal guardian. These new laws would not go into effect until July 2021, which would provide ample time for many businesses to become compliant. Still, violations of the existing legislation have been costly. Earlier this year, Google paid $170 million to settle charges that it violated children’s privacy on YouTube. Even with over a year to ensure compliance, the intricacies of AB-1138 could present challenges for social media companies around the world.
Redefining “Publicly Available” Consumer Information
Amendment AB-874 would represent the most immediate obstacle for any company that does business in California. According to the bill text, AB-874 would redefine “publicly available” to include any consumer information that is lawfully made available from federal, state, or local records. This stands in stark contrast to the new definition of “personal information,” which the bill text states includes “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
For companies required to ensure CCPA compliance, this amendment would require time-consuming and complex audits of their customer databases. However, these new definitions enable business leaders to get a head start before AB-874 becomes law. Companies can do an initial analysis to determine how much of their databases might be affected. Additionally, executives have the opportunity to ask and resolve any questions they might have regarding AB-874 before the end of the year.
If you have any questions or need advice on the implications for your business, please feel free to contact us here.