California’s Consumer Privacy Act Completes its 2019 Legislative Journey

Bills that have made it out of the legislative process await the governor’s signature

September 16, 2019

Friday, September 13 was the last day for bills amending the California Consumer Privacy Act (CCPA) to pass in this year’s legislative session. Assuming that Governor Gavin Newsom signs the amendments that have been sent to him into law, we now know what the CCPA will look like on its January 1, 2020 effective date. While his signature is not guaranteed, there have not been any public signs that Governor Newsom will veto any of these amendments. Governor Newsome has until October 13 to sign or veto the amendments.

The latest batch of amendments correct some of the drafting errors that made it into the CCPA as a result of its rapid enactment—the original act was resurrected from the inactive file and signed within a week during July of 2018. In addition, many of the amendments contain substantive revisions that, if signed into law, will change how the CCPA works in practice.

CCPA as Amended

There were many proposed amendments throughout the past year and, as of last Friday, six amendments survived the legislative process:   

 CCPA-Adjacent Bills

While not part of the CCPA, this interesting and potentially important amendment changed the wording in the legislative intent section of the bill and provided illustrative examples about who is and is not a data broker (and thus who is and is not subject to this bill’s requirements). These legislative findings state that businesses with “direct consumer relationships” are not data brokers. Establishing direct consumer relationships can be done very simply in this context, only requiring that a consumer to “visits a business’ premises or internet website,” or “affirmatively and intentionally interacts with a business’ online advertisements.”

If courts deem these legislative findings persuasive, social media companies and certain ad-tech players that directly interact with consumers could be excluded from the definition of data broker and thus not required to comply with the requirements of this bill, should it become law.

Bills That Failed to Pass

A few California privacy bills (CCPA and non-CCPA) that looked like they were on the verge of passing, stumbled at the finish line. The following bills, while dead for now, are likely to be resurrected in some form in the future: 

For more information regarding how the CCPA may impact your business, contact Zach Hoyt, Melissa Kern, or any other member of Frost Brown Todd's Data Privacy & Security team.