Techwire Takeaways
• The CCPA should be effective for consumers but key areas are only broadly defined.
• Governments could have to spend more money if the law impacts data sources.
• The law has sparked international interest, as it will impact entities doing business in the state.
With nearly nine months remaining until the CCPA takes effect on Jan. 1, Washington, D.C.-based attorneys Mark Brennan, whose areas of focus include communications and privacy, and Bret Cohen, whose focus includes the Internet, cybersecurity and global data protection law, said the law will likely have considerable effect on state, county and local government — and the entities that do business with them. Among the takeaways:
• The law should be “very effective” for consumers, Cohen said, pointing out it will enable residents to specifically order that their personal information (PI) not be sold. But this could hobble government, he said: “It could cut off sources of data that are shared with third parties regardless of whether they’re in government or not. And so the government may see that leads to less important information than they were previously receiving from businesses.”
• In turn, Cohen said, this could increase the cost to government, if customers opt out of having their PI sold or shared and data sources dry up. “To the extent that consumers start exercising their right to opt out, they may need to go and purchase it elsewhere,” Cohen added.
• Pacts may be revisited, if business is potentially less able to provide data to government, Brennan said, indicating that “there may be legacy expectations by the government entities that vendors may no longer be able to meet.” “And so, you may see a wave of new procurement contract revisions or re-ups, amendments that may be needed over the next 12 to 24 months,” he said.
• The state attorney general’s interpretation of requirements, any CCPA amendments, and the ultimate definition of PI — which Brennan said “is potentially very broad” could also impact data collection. Several bills before the Legislature would further refine the CCPA; and its regulations, which will be written by the AG's Office, aren’t yet final. But if the statute ultimately treats de-identified data the same way as personally identifiable information, that could force companies to collect more information than they do now.
A representative of the AG’s press office said via email that the agency has been wrapping up the preliminary rulemaking process, keeping the Legislature updated and sponsoring new legislation to strengthen and clarify the CCPA. “We plan to publish the initial draft rules in a timeframe within the confines of the law,” the AG’s press office said.
• The definitions of “personal information,” “consumer,” and “sale,” as in, the sale of information, are currently so broad that unintended consequences could result. One, Cohen said, is that currently, the definition of “consumer” could actually encompass the information of employees of California businesses. As a result, he said, businesses in the state must consider whether to provide privacy notices and deletion rights to their employees.
• The CCPA has definitely inspired other states to “mimic” the state’s effort, Brennan said, indicating it’s possible another state could pass similar legislation and make it effective ahead of California. The act has also attracted interest from foreign sovereign entities trying to understand its implications “for some of their U.S. investments or growth activities,” he added.
• Brennan recommended that agencies prepare for the CCPA by monitoring developments from the Legislature and AG’s Office; considering a data mapping exercise to understand their data and identify third parties with whom they work; and consulting counsel to understand how local privacy, security or other requirements could be impacted by the state-level law.
