Updates: California Privacy Rights Act (“CPRA”)

Last month, we reported on the California Privacy Protection Agency’s (“CPPA”) engagement of an Executive Director and its proposal for a rulemaking framework. The CPPA’s efforts are assisted by provisions of Assembly Bill 694 (“AB 694”), which California Governor Gavin Newsom signed last month. AB694 includes changes to California’s consumer privacy law and clarifies the CPPA’s rulemaking process. You can find the changes here.

AB 694 clarifies the timing of the CPPA’s rulemaking authority under the California Consumer Privacy Act of 2018 (“CCPA”) and the CPRA. The CPPA’s functions are outlined in California Civil Code §1798.199.40. AB 694 clarifies that the CPPA is required to exercise its rulemaking authority after the later of: (a) July 1, 2021, and (b) six months after the CPPA provides notice to the California Attorney General that the CPPA is prepared to begin rulemaking under the CCPA and CPRA.  This differs from the CPRA text, which states that the CPPA would exercise its rulemaking authority on the earlier of the two dates. The CPPA’s rulemaking proposal is here. AB 694 also makes non-substantive changes to the definitions in CPRA §1798.140, such as cleaning up punctuation.

AB 694 also incorporates changes to §1798.145 (Exemptions), proposed under AB 335. AB 694 is operative only if both AB 694 and AB 335, discussed more below, are enacted and become effective on or before January 1, 2022. Governor Newsom signed AB 694 on October 5, 2021 and AB 335 on October 8, 2021. AB 335 amends the CCPA to include an exemption to Consumers’ Right to Opt Out of Sale or Sharing of Personal Information under §1798.120, so that §1798.120 would not apply to vessel or ownership information retained or shared between a vessel dealer and the vessel’s manufacturer for the purpose of vessel repairs under warranty or pursuant to a recall.

Section 25 of the CPRA limits the legislature’s ability make changes to the CCPA/CPRA unless the changes are “consistent with and further the purposes and intent” of the CCPA as amended by the CPRA. So, while we may see further revisions of the CCPA/CPRA by legislation, do not expect any watering down of the law or delay in business obligations, such as a further extension of the exceptions for human resources or business-to-business personal information beyond January 1, 2023.

Next CPPA Public Meeting. The CPPA will be holding its next public meeting on November 15, 2021 at 9:00 A.M. PST.

Updates: Virginia Consumer Data Protection Act (“CDPA”)

The Joint Commission on Technology and Science (“JCOTS”) CDPA Work Group (“Work Group”) published its final report on points of emphasis that arose during its discussions of the CDPA. Note: the Work Group itself does not actually recommend anything in this report—only members of the group do. Furthermore, the final report does not amend the CDPA. The final report indicates that the Work Group will present its official recommendations during the upcoming legislative session. JCOTS is a permanent legislative body for the Commonwealth of Virginia that oversees development of sound technology and science policy in Virginia. You can find the full text of the CDPA here.

The points of emphasis that arose during the Work Group’s meetings included, among others:

1. Funding CDPA enforcement activities from the general fund, rather than from the Consumer Privacy Fund. The CDPA provides that all enforcement monies collected pursuant to the CDPA shall be credited to a Consumer Privacy Fund that will support the CDPA enforcement activities of the Office of the Attorney General of Virginia (“OAG”). The Virginia Attorney General’s Office recommended replacing the Consumer Privacy Fund provision so that funding for CDPA enforcement activities would originate from existing general funds instead.

2. Permitting the OAG to seek actual damages to consumers. The CDPA empowers the OAG to pursue, among other things, civil penalties of up to $7,500 for each violation of the CDPA. In recognition of the enforcement issues identified by the OAG, the OAG recommended empowering it to “pursue actual damages to consumers, to the extent they exist,” too.

3. Providing an “ability to cure” option for businesses responding to a notice of violation. The CDPA grants a 30-day cure period, during which recipients of a notice of violation from the OAG must cure any alleged CDPA violations. In its response to the OAG’s notice, the notice recipient must include an express written statement (a) that it has cured the alleged violations; and (b) represent that no further violations shall occur. The OAG recommended limiting this requirement to those situations where a potential cure exists. Relatedly, a consumer advocacy group presenting to the Work Group requested the Work Group also consider sunsetting the “right to cure” provision to “prevent companies from exploiting this provision.”

4. Recommending the use Global Privacy Controls. Several members of the Work Group and other consumer advocacy groups recommended including global privacy control in the CDPA to “allow consumers to opt-out on a wide scale and assert their rights under the [CDPA].”

5. Directing an agency to promulgate CDPA regulations. The OAG currently has exclusive authority to enforce the CDPA, but does not have the power to promulgate regulations. The Work Group identified as a point of emphasis that an agency should be directed to promulgate CDPA regulations. The Work Group’s point of emphasis did not expressly indicate that the agency should be the OAG.

Gicel Tomimbang contributed to this update.