The long-awaited enforcement date of July 1, 2020, for the California Consumer Privacy Act (“CCPA”) has finally arrived. However, the uncertainty that existed at the beginning of the year with respect to CCPA and its enforcement still exists. While the California Office of the Attorney General (“OAG”) has issued the final version of the implementing regulations (the “Regulations”), it is still unclear when the Regulations will actually become effective. And even when the dust settles on the CCPA and the Regulations, waiting in the wings is the California Privacy Rights Act (“CPRA”), which, if passed, will add a number of requirements that were not included in the CCPA. This Legal Update examines the status of the CCPA and the journey of the CPRA and notes what to expect next.

California Consumer Privacy Act

The CCPA is a state statute that creates new privacy rights for California residents and regulates the use of such residents' personal information by businesses through corresponding business obligations. The CCPA became effective on January 1, 2020, and became enforceable on July 1. However, even though the statute itself is now enforceable, the implementing Regulations still are not. While the OAG issued on June 2 the final text of the implementing Regulations (which have no changes from the prior version of the Regulations, which were issued on March 11), the Regulations do not become effective until they are approved by the California Office of Administrative Law (“OAL”).

When the OAL will actually approve the Regulations, though, is a mystery. The OAL, which reviews all proposed regulations in California, has until approximately September 13 to review the Regulations and determine whether they comply with the California Administrative Procedure Act (“APA”). Once the OAL has approved the Regulations, they will be filed with the Secretary of State and, upon such filing, become final. The APA generally provides that regulations filed by August 31, 2020, will become effective (and, thus, enforceable) on October 1, 2020, and regulations filed after August 31, 2020, will become effective on January 1, 2021. In connection with its submission of the Regulations, the OAG requested that the OAL (1) expedite and complete its review of the Regulations by June 30, and (2) agree to allow the Regulations to have immediate effect upon filing. The OAL declined to expedite its review of the Regulations by June 30, and retains discretion to complete its review any time between now and mid-September. When it completes its review, it will also announce whether it is ordering the Regulations to become effective and enforceable immediately or, instead, on October 1, 2020, or January 1, 2021, as appropriate. However, it is unlikely the OAL will inform the public of its decision until it actually files the Regulations.

Although the Regulations are not finalized, the CCPA itself remains enforceable as of July 1, 2020 (and indeed, the OAG has already started issuing violation notices to companies). Numerous industry groups had asked the OAG to postpone enforcement of the Regulations until March 20, 2021, in order to allow companies to comply with any new or additional requirements. The OAG denied the request, explaining in the final Statement of Reasons for the Regulations that “[t]o the extent that the regulations require incremental compliance, the OAG may exercise prosecutorial discretion if warranted, depending on the particular facts at issue … to choose which entities to prosecute, whether to prosecute, and when to prosecute.”

Although the CCPA only became enforceable recently, there have already been a number of class action lawsuits filed claiming violations of the CCPA. The CCPA provides a limited private right of action only after a consumer's “nonencrypted or nonredacted personal information … is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business's violation of the duty to implement and maintain reasonable security procedures and practices” imposed by California's Information Security Law (Cal. Civ. Code § 1798.81.5). The CCPA is equally clear that private actions “shall not be based on violations of any other section” of the CCPA and that the CCPA shall not be interpreted “to serve as the basis for a private right of action under any other law,” such as the California Unfair Competition Law (UCL). Cal. Civ. Code § 1798.150(c). The legislative history of the CCPA, like the statute itself, is clear that the private right of action is limited to what the Assembly Privacy Committee called “specified data breaches.”

Despite these clear limitations, enterprising class action lawyers have filed lawsuits alleging both traditional data breach claims and other garden variety violations of the CCPA, enforcement of which is reserved for the OAG. For example, in Sweeney v. Life on Air, which is a putative class action against the owner of the group video chat app “Houseparty,” the plaintiffs' CCPA claims reach beyond the CCPA's private right of action by alleging that the defendants violated the CCPA's notice and opt-out requirements. Sweeney v. Life on Air, No. 3:20-cv-0742 (S.D. Cal. Apr. 17, 2020). The plaintiffs rely on the CCPA's broader definition of “personal information” (found in § 1798.140(o)) instead of the definition applicable to the private right of action (found in § 1798.81.5(d)(1)). The plaintiffs' non-CCPA claims, moreover, appear derivative of the CCPA's requirements—e.g., the plaintiffs allege that the defendants' business practices are “unfair” because the defendants' allegedly “false[] represent[ations]” violate “established public policy.” See id.

Consolidated lawsuits targeting Zoom have also asserted a broad set of theories that would expand the CCPA private right of action. Theories asserted include violations of the CCPA notice and data breach provisions by sharing personal information with third parties,[1] violation of CCPA opt-out provisions,[2] failure to implement reasonable security,[3] and permitting leaks and unauthorized access.[4] These complaints, which seek to enforce CCPA rights for which the CCPA expressly disclaims a private right of action, clearly represent an early attempt by the plaintiffs' bar to expand the meaning of “unauthorized access . . . or disclosure” under the CCPA.

California Privacy Rights Act

More change may be ahead of this current flurry of activity by businesses attempting to come into compliance with the CCPA and its implementing Regulations and by plaintiffs' attorneys trying to litigate “violations” of the CCPA. As background, once the CCPA became law, the same consumer privacy advocates whose efforts led to enactment of the CCPA (i.e., Alastair Mactaggart and his group, Californians for Consumer Privacy (“CCP”)), concerned that consumers' privacy rights would be weakened by future amendments, drafted the California Privacy Rights Act of 2020 (“CPRA”) as a voter initiative and submitted it to the OAG in October 2019 to begin the process of qualifying the proposal for inclusion on the November 2020 ballot. If approved by voters, the new law would strengthen consumer privacy rights and prevent any weakening of the law by future legislation. Specifically, the law:

  • establishes a new category of “sensitive personal information” and provides consumers with additional rights around the use of such information,
  • establishes the California Privacy Protection Agency to enforce the law,
  • adds a consumer right of correction,
  • expands the private right of action to apply to individuals whose email addresses (in combination with a password or security question that would permit access to the account) are compromised, and
  • expands the right to know and the right to opt-out.

It has not been a smooth road to get the CPRA on the ballot, though. In order to qualify for the ballot, an initiative must obtain enough verified signatures. Although Mactaggart and the CCP began collecting voters' signatures as early as December 2019, their efforts were slowed down by the COVID-19 pandemic and California's shelter-in-place orders, so they were not able to submit their signatures to the California Secretary of State until May 1, 2020. Due to this delay in submitting the signatures and the Secretary of State's subsequent delay in notifying the county registrars, it appeared the signature verification process might not be completed until June 26, 2020, which would be a day after the deadline to qualify for the November ballot. To ensure that the signatures were verified in time, Mactaggart then sued the Secretary of State for not “immediately” notifying the county registrars and requested the court to order the county registrars to complete their verification process by June 25, 2020. The court ultimately agreed with Mactaggart, and the CPRA qualified for the November ballot on June 24, 2020.

If the CPRA passes in November, it will supersede the CCPA starting on January 1, 2023. The CCPA and its implementing Regulations would remain in effect in the interim. The CPRA will also immediately extend to January 1, 2023 the CCPA's current B2B and employee exemptions, which are currently scheduled to sunset at the end of this year. The latest polling data shows that 9 out of 10 California voters would support the ballot measure, so the CPRA is likely to pass. In addition, because Mactaggart had spoken to and incorporated the feedback of numerous industry groups into the final version of the CPRA, it is unlikely there will be significant pushback from industry.

If, by chance, the CPRA does not pass in November, the CCPA and its Regulations will remain in force. This also means that, unless a bill is passed extending the exemptions, the B2B and employee exemptions would sunset at the end of the year. A bill has been proposed to extend these exemptions until January 1, 2022; however, nothing has been passed yet. If no bill is passed, a special session would likely be required to address the proposed extensions of these exemptions, as the legislature would not be in session in November or December. If no special session is held, the B2B and employee exemptions will sunset at the end of the year, creating a new array of concerns for businesses.

Stay tuned. We'll keep you up-to-date on the latest developments in this drama and what might unfold over the remaining episodes this season.

Footnotes

1 Cullen v. Zoom (N.D. Cal.)

2 Taylor v. Zoom (N.D. Cal.)

3 See Henry v. Zoom (N.D. Cal.); see also Johnston v. Zoom (N.D. Cal.)

4 Kendrat v. Zoom (N.D. Cal.)

Originally published 03 July, 2020


© Copyright 2020. The Mayer Brown Practices. All rights reserved.