The California Attorney General’s power to enforce the California Consumer Privacy Act (CCPA) took effect today, July 1, 2020, after a busy week of CCPA-related developments that included:
- The California Privacy Rights Act of 2020 (aka “CCPA 2.0”) qualifying for California’s November 3, 2020 General Election ballot; and
- Facebook’s announcement of “Limited Data Use” designed to allow businesses to use Facebook’s advertising platform without triggering CCPA “sales.”
Attorney General Enforcement
July 1, 2020 marks the date on which the CCPA gives the Attorney General the power to enforce the CCPA. But the final proposed regulations submitted by the Attorney General to implement the CCPA have not yet been adopted. (As we discussed previously, the CCPA regulations may not become effective until as late as January 2021, depending on when they are approved by the California Office of Administrative Law.) This means that businesses are caught in the vexing position of being subject to potential enforcement action by the Attorney General without understanding when the regulations will become binding or what they will say.
Nevertheless, the Attorney General is “committed to enforcing [the CCPA] starting July 1”, as noted in his office’s press release last month. Yesterday the Attorney General reiterated his commitment to enforce the CCPA on July 1, issuing an announcement reminding consumers to exercise their CCPA rights and providing guidelines on how to exercise them. And in his announcement today, Attorney General Becerra doubled down, stating that “[t]oday we begin enforcement of the [CCPA]”.
In short, businesses should be prepared for the Attorney General to begin enforcing the requirements of the CCPA, which took effect on January 1, 2020, despite the lack of final CCPA regulations.
The California Privacy Rights Act of 2020 (CPRA)
The CPRA (aka CCPA 2.0), a ballot initiative spearheaded by the original proponent of the CCPA, was formally certified on June 25, 2020 by the California Secretary of State as having received enough signatures to appear on the November 3 ballot for California voters. Early polling indicated strong support. The final version of the measure would:
- allow consumers to correct personal information;
- limit businesses’ use of “sensitive” personal information (such as a consumer’s precise geolocation, race, ethnicity, religion, genetic data, union membership, private communications and certain sexual orientation, health and biometric information);
- apply the CCPA’s provisions on “sales” of personal information to certain “sharing” of personal information as well. These provisions would likely apply to most sharing to facilitate interest-based advertising but would exclude sharing to facilitate contextual advertising that does not leverage consumer profiles (which would settle the debate as to whether the CCPA’s sale rules extend to interest-based advertising);
- establish stricter data retention periods;
- carry increased penalties for violations; and
- establish a California Privacy Protection Agency to enforce and implement consumer privacy laws at a cost of approximately $10 million annually.
Notably, many of the CPRA’s provisions emulate Europe’s General Data Protection Regulation, such as the particular concept of “sensitive” personal information and establishment of a government regulator focused on privacy.
If passed, some provisions of the CPRA would be effective on January 1, 2021, most compliance obligations would be required by January 1, 2023, and the CRPA would be enforceable by July 1, 2023.
Facebook Builds “Limited Data Use” Controls
Whether sharing personal information for interest-based advertising constitutes a CCPA “sale” has been hotly debated since the CCPA’s passage. The CCPA defines “sale” to be any transfer of personal information for “monetary or other valuable consideration”, but the definition excludes transfers to a “service provider” that is subject to certain data use restrictions.
Last year, Google announced that some of its advertising products would be subject to “restricted data processing” designed to implement such data use restrictions and allow businesses that use these products to do so without triggering CCPA “sales.”
Facebook took a similar step last week when it released its “Limited Data Use” feature for businesses advertising on its platform. According to Facebook, a business implementing this feature—whether in the normal course or in response to a consumer requesting a “sales” opt-out—will cause Facebook to act as a service provider by prohibiting Facebook from retaining, using, or disclosing the personal information for any purpose outside of performing the service for the business. The Limited Data use feature is available for six Facebook products and will apply by default during a transition period beginning on July 1, 2020. The transition period will end for Facebook Pixel and three API-based products after July 31, 2020. For two SDK-based products, the transition period will end when the business performs certain product upgrades or upon 60 days’ notice from Facebook, whichever occurs sooner. Businesses that want Limited Data Use to apply after the transition period must take steps to implement the feature and those that wish to disable it during the transition period may do so. Notably, Facebook cautions businesses that implementing Limited Data Use may decrease the effectiveness of advertising campaigns, retargeting and measurement capabilities.