
THE ESSENTIAL GUIDE TO CONSUMER PRIVACY ACT

TABLE OF CONTENTS

Introduction

How California’s Privacy Act will Protect Consumers

Who must Comply?

Personal Information Protected by CCPA

Who is Alastair Mactaggart?

Seven Things to Watch Before the End of Session

On June 28th, 2018, former Gov. Jerry Brown signed into law Assembly Bill 375, now referred to as the California Consumer Privacy Act, or CCPA for short.

The CCPA — the first-ever state data privacy law — is set to go into effect Jan. 1, 2020 and could set a de facto standard for other states’ consumer privacy legislation. The rule gives internet users more control over, and information about, how big companies collect and use their data, and allows the state to fine companies for violations and, under certain circumstances, lets individual Californians sue companies for failing to keep their data secure.

Keep reading this guide to get a full download on this unprecedented law, including who the CCPA will impact, how exactly it will protect consumers, and key factors to watch before the end of session.

HOW CALIFORNIA’S PRIVACY ACT WILL PROTECT CONSUMERS

California’s tough privacy law and the European Union’s sweeping General Data Protection Regulation have emerged as benchmarks in congressional efforts to craft federal privacy standards. California lawmakers, however, have expressed concerns that privacy protections outlined in the state’s legislation could be weakened or preempted by congressional passage of a national data privacy law. Senate Judiciary ranking member Dianne Feinstein (D-Calif.) said she would oppose efforts to water down California’s landmark privacy legislation through federal privacy rules. But Republicans and tech industry leaders are calling for federal preemption of state privacy laws in order to avoid a “patchwork” of regulations.

PRIVACY RIGHTS INITIATED BY THE CCPA

CCPA expands consumer privacy rights beyond those that typically exist in privacy-related laws, applying to the collection and use of personal information that could be directly or indirectly linked to not just a person but to a household or digital device via unique personal identifiers including customer numbers, IP addresses, pixel tags and mobile ad identifiers. Consumers have more control over how much personal information is collected directly from them or from observed digital behavior, and can hold businesses accountable for misuse of personal information.

PRIVATE RIGHT OF ACTION

CCPA allows consumers to bring civil actions against businesses if unauthorized access and copying, transferral, removal, theft or disclosure of consumers’ nonencrypted or nonredacted personal information occurs as a result of inadequate security procedures and practices.

Consumers may recover damages of between $100 and $750 per incident or actual damages, whichever is greater, and can also seek court orders to stop violators from continuing unauthorized activity.

NONCOMPLIANCE FINES IMPOSED

Businesses, service providers and persons who violate CCPA face civil penalties of up to $2,500 per violation or $7,500 per intentional violation.

Fines will be deposited into a newly-created Consumer Privacy Fund in the General Fund to offset court and Attorney General costs incurred to support enforcement of the law.

INFORMATION COLLECTION DISCLOSURE

CONSUMER HAS RIGHT TO REQUEST PERSONAL INFORMATION COLLECTED

Businesses who collect and sell California residents’ personal information must disclose to a consumer, upon request — free of charge and up to two times in a 12-month period — specific pieces of information collected about the consumer, collection sources, purpose for collection or selling of information and third parties with which it is being shared and sold.

CONSUMER HAS RIGHT TO OPT-OUT OF SALE OF PERSONAL INFORMATION

Businesses and third parties must notify consumers that personal information may be sold and provide easily accessible methods to opt-out of sale at any time, free of penalty or denial of services to the consumer for doing so.

The opt-out decision must be respected by businesses for at least 12 months before businesses can request that consumers authorize sale of personal information.

CONSUMER HAS THE RIGHT TO REQUEST THAT PERSONAL INFO BE DELETED

Businesses are required to disclose a consumer’s right to request that personal information be deleted from the records of businesses and third parties with whom the business shared the information.

Businesses and service providers must comply with a consumer’s deletion request upon receipt of the request.

Sources: California Legislature, California Consumer Privacy Act of 2018, POLITICO staff reports

By Cristina Rivero, POLITICO Pro DataPoint

WHO MUST COMPLY?

For-profit entities who conduct business in California and who collect and process state residents’ personal information must comply with CCPA rules if they meet at least one of three compliance criteria. Businesses do not have to be physically present in the state in order to be subject to the new law.

ANNUAL REVENUE

For-profit entities in California that acquire $25 million or more in annual gross revenue.

PERSONAL INFORMATION

Businesses that buy, receive, sell or share the personal information of at least 50,000 consumers, households or devices.

REVENUE SOURCE

Businesses that derive at least 50% of annual revenue from selling consumers’ personal information.

PERSONAL INFORMATION PROTECTED BY CCPA

The law defines personal information as information that may be linked directly or indirectly to a particular consumer, household or to a device that can connect to the internet or to another device. CCPA does not apply to personal information that is publicly available from federal, state or local government records.

INFORMATION THAT CAN BE ASSOCIATED WITH A PARTICULAR INDIVIDUAL, HOUSEHOLD OR DEVICE INCLUDING BUT NOT LIMITED TO:

• CONSUMER NAME
• POSTAL ADDRESS
• EMAIL ADDRESS
• TELEPHONE NUMBER
• SOCIAL SECURITY NUMBER
• DRIVER’S LICENSE OR CALIFORNIA IDENTIFICATION CARD NUMBER
• PASSPORT NUMBER
• INSURANCE POLICY NUMBER
• BANK ACCOUNT NUMBER
• CREDIT OR DEBIT CARD NUMBER, IN COMBINATION WITH SECURITY CODE, ACCESS CODE OR PASSWORD
• PERMITTING ACCESS TO FINANCIAL ACCOUNTS
• PROFESSIONAL OR EMPLOYMENT-RELATED INFORMATION
• EDUCATION INFORMATION NOT PUBLICLY AVAILABLE
• HEALTH INSURANCE POLICY NUMBER OR SUBSCRIBER IDENTIFICATION NUMBER
• BIOMETRIC INFORMATION (PHYSIOLOGICAL, BIOLOGICAL OR BEHAVIORAL CHARACTERISTICS)
• RECORDS OF PERSONAL PROPERTY, PRODUCTS AND SERVICES PURCHASED
• GEOLOCATION DATA
• AUDIO, ELECTRONIC, VISUAL, THERMAL, OLFACTORY OR SIMILAR INFORMATION
• DEVICE IDENTIFIER
• IP ADDRESS
• PIXEL TAGS
• MOBILE AD IDENTIFIERS
• INTERNET BROWSING, SEARCH AND PURCHASING HISTORY DATA
• USER ALIAS
• CUSTOMER NUMBER

WHO IS ALASTAIR MACTAGGART?

A real estate developer and investor based in San Francisco, Alastair Mactaggart is considered by many to be the architect and driving force behind California’s new privacy law.

HOW HE MADE HIS MILLIONS

For the past twenty years, Mactaggart has been a partner at the Emerald Fund, one of the Bay Area’s leading developers. He built his wealth by running a family real estate business with an uncle, developing condos, apartments and shopping centers in California.

HOW HE GOT INVOLVED IN PRIVACY

According to The New York Times, Mactaggart never worried about the need for consumer privacy laws until having dinner with a friend, a software engineer at Google. Mactaggart asked his friend if he should be worried about how much data big tech companies were collecting about him and expected his friend’s answer to be no. However, his friend’s response was the opposite, saying people would “flip out” if they knew just how much information the companies had on people. From there, Mactaggart began researching and discovered that the , unlike some countries, does not have a single and comprehensive law regulating the use of personal data.

HOW HE FORCED LEGISLATURE’S HAND

Instead of working through the typical Sacramento channels, Mactaggart decided to create a statewide ballot initiative putting the question of data privacy directly in front of the citizens of California. Setting up an office in Oakland, Mactaggart spent nearly $3.5 million gathering signatures to qualify his measure. One week before the deadline to pull his measure, Mactaggart struck a deal with two Democrats, Sen. Bob Hertzberg and Asm. Ed Chau. The two Democrats, nervous to leave the decision to voters, worked with Mactaggart on a scaled-back version of the privacy initiative that led to AB 375, or the California Consumer Privacy Act.

Sources: Capital Public Radio “Take it or Leave it” and The New York Times “The Unlikely Activist Who Took On Silicon Valley - and Won.”

7 THINGS TO WATCH BEFORE END OF SESSION

A coordinated campaign to chip away at California’s landmark Privacy Act came to a head this week as numerous industry-backed bills ran into a roadblock: the pro-privacy chairwoman of a key policy committee. But the push is far from over, business groups say.

“There are two months to go till the end of session and we’re going to continue to raise these issues,” said Sarah Boot, a top aide on privacy policy for the California Chamber of Commerce and a former aide to Senate President Pro Tem Toni Atkins. “It’s crucial that we make these changes before the law takes effect Jan. 1 because businesses are expected to comply with the law on that date.”

01 THE GATEKEEPER

Privacy advocates watched in admiration Tuesday as Senate Judiciary Chairwoman Hannah-Beth Jackson (D-Santa Barbara) fended off one industry-backed bill after another. Jackson had already built a reputation on privacy rights, but with some recent changes to her committee’s ranks, she emerged as a fearsome adversary of anyone attempting to weaken the Privacy Act, which she said she already considers “a weak cup of tea.” Jackson has been at the center of negotiations for months and will almost certainly be involved if business groups try to revive major bills that died Tuesday. Gut-and-amend bills would likely get referred back to her committee, where she’d be able to decide what amendments are necessary to advance to the Senate floor.

02 A ONE-SIDED OFFENSIVE

Tuesday’s hearings brought relief to consumer advocates and frustration to business groups, but it’s also true that privacy hawks are almost entirely on the defensive at this point. Their big bills to expand consumer rights under the new law died early in the session, including a bid backed by Attorney General Xavier Becerra — and trial lawyers — that would have enabled consumers to sue businesses over violations. Look for consumer advocates to play defense for the rest of the session.

03 KEEPING WATCH

If business carveouts resurface, they could come in gut-and-amend bills in the final week of session in September. Privacy advocates are on the lookout for bill language. “Everything’s Frankenstein over there,” said Lee Tien, a staff attorney for the San Francisco-based Electronic Frontier Foundation. “No matter what kind of part it is, it could be revived. It could be grafted onto some other vehicle.”

04 FOR EXAMPLE

CA AB1416 (19R) by Assemblyman (D-Rancho Cordova), one of the most closely watched privacy bills in the Capitol, stalled this week. It had been pushed by an alliance of county governments and business interests. It would have allowed companies to sell a consumer’s personal information to firms that detect fraud or illegal activity, even if that customer had opted out of having their data sold. It also would have allowed businesses to provide a customer’s personal information to government agencies, which counties have argued is important for public services, such as foster care placements.

05 AND THEN THERE IS CA AB873 (19R)

The bill is an effort to narrow the Privacy Act’s scope by broadening the definition of what is considered “deidentified information,” which is explicitly exempted from the new law, and narrowing what is deemed “personal information.” Its author, Assemblywoman (D-Thousand Oaks), rejected Jackson’s proposed changes to her bill, and then watched it fail, 3-3. But a who’s who list of business lobbyists showed up to testify on the bill, and it’s hard to believe their last stand came late on a Tuesday night in July.

06 A SHORT-TERM DEAL

Labor and CalChamber hashed out a temporary compromise on legislation that carves out employee data from the Privacy Act’s protections, a proposal that didn’t sit well with employee unions. The employee provisions in the new version of CA AB25 (19R) by Assemblyman Ed Chau (D-Monterey Park) will expire after just one year. That buys the two sides time to craft another bill addressing concerns about surveillance of workers, a deal that potentially could be cut outside the bounds of the Privacy Act.

07 ON THE FLY

Those who stayed up late Tuesday to watch the fate of two privacy bills were treated to a live bargaining session between Jackson and the author of a loyalty-program bill, Assemblywoman (D-Marina del Rey). Burke may have surprised some of the legislation’s supporters when she agreed to restrict the sale of personal information collected on rewards members. With that change, it’s quite possible that some of the AB 846 supporters will drop off. The CalChamber might be one of them. It is waiting to see the new text, Boot said.

Content produced outside of the POLITICO Pro Newsroom.