California Privacy Legislation: A Timeline of Key Events

Authors: Katelyn Ringrose (Christopher Wolf Diversity Law Fellow) and Jeremy Greenberg (Policy Counsel) 

——-

Today, the California Attorney General will begin enforcing the California Consumer Privacy Act (CCPA). The California AG’s office may bring enforcement actions and seek penalties for violations of core provisions of the CCPA. The AG’s request for expedited review of regulations that supplement the CCPA is pending before the California Office of Administrative Law (OAL); the AG regulations provide additional detail regarding particular CCPA provisions.

The CCPA, which came into effect January 2020, is the first non-sectoral privacy law passed in the United States that contains broad consumer rights to access, delete, and opt out of the sale of their data. The CCPA has sparked major compliance efforts in the United States and globally, and the legislation was a long time in the making—beginning as a 2016 ballot initiative. 

In commemoration of today’s landmark enforcement date, we look back at the events that brought us to this point, and potential future ramifications. Below is a timeline of events regarding California privacy legislation from 2016 – 2020. This timeline examines the inception of the CCPA, the various amendments and lawsuits that have shaped its scope and enforcement provisions, and the current status of the California Privacy Rights Act (CPRA), or “CCPA 2.0,” recently certified for the 2020 ballot. If passed, CPRA would become effective in 2023. 

Download this Timeline

• April 14, 2016 – After four years of drafting and negotiations, the General Data Protection Regulation (GDPR) is adopted by the European Union.
• October 12, 2017 – Alastair Mactaggart, Rick Arney, and Mary Stone Ross file a ballot initiative containing the preliminary language of the California Consumer Privacy Act (CCPA). Reportedly, Mactaggart’s interest in privacy was inspired by a conversation with an ex-Google engineer at a cocktail party. In California, once the requisite number of signatures are qualified by the Secretary of State, the initiative is approved to appear on an upcoming ballot, where pursuant to a majority vote, the initiative will become state law.
• December 18, 2017 – California Secretary of State Alex Padilla announces that the ballot initiative proponents, now called Californians for Consumer Privacy, are cleared to begin collecting petition signatures—the group has 180 days to collect the signatures of 365,880 registered California voters.
• January 3, 2018 – The 2018 California Legislative Session begins.
• February 13, 2018 – Assemblymember Ed Chau introduces S.B. 1121 to the California Senate Committee on Rules, a bill containing much of the same language as the ballot initiative.
• May 25, 2018 – The GDPR goes into effect. On the same day, the California Senate Committee on Appropriations passes S.B. 1121, as amended, with a vote of 5-2.
• May 30, 2018 – The California Senate approves S.B. 1121 with a floor vote of 22-13, and the bill is referred to the California Assembly.
• June 21, 2018 – Californians for Consumer Privacy reportedly reach a deal to withdraw the proposed ballot initiative if S.B. 1121 is passed and signed by the Governor. If the ballot initiative is not withdrawn by June 28, 2018, it will be placed on the 2018 ballot. If voted into law directly by voters through a ballot initiative, the law will be much harder to amend than if those same provisions are passed by the California Legislature.
• June 25, 2018 – Secretary of State Alex Padilla confirms that his office received more than the required signatures, and will certify the initiative as qualified for the November 6, 2018 General Election ballot, unless the proponents withdraw the initiative prior to that date.
• June 28, 2018 – Californians for Consumer Privacy withdraw the ballot initiative. Governor Jerry Brown signs the CCPA into law, and Assemblymember Ed Chau, who leads the California Assembly’s Privacy and Consumer Protection Committee, calls the event a “historic step” for California consumers.
• August 24, 2018 – On the last day to amend legislation on the floor, amendments to S.B. 1121 are proposed. These amendments revise drafting errors, clarify the definition of personal information, and modify certain exemptions.
• August 31, 2018 – On the last day for each house to pass bills, amendments to the CCPA pass the Senate floor. An urgency clause is adopted to bring the amendments to the Governor’s attention, and the legislature’s final recess begins.
• September 23, 2018 – Governor Jerry Brown approves the first round of CCPA amendments.
• January 7, 2019 – Governor Jerry Brown leaves office, and Governor Gavin Newsom is sworn in.
• September 13, 2019 – The California legislature approves five bills during the second round of CCPA amendments, including: AB 25, AB 874, AB 1146, AB 1355, and AB 1564—codifying exemptions for employee data, data broker registration requirements, and further clarifying the definition of personal information. Other amendments fail, including: AB 846, AB 1416, and AB 873—which would have provided anti-discrimination exemptions, exempted sharing personal information with government agencies, and amend the definition of deidentified data.
• September 25, 2019 – On the keynote stage of International Association of Privacy Professionals’ Privacy. Security. Risk. conference, Alastair Mactaggart announces a forthcoming ballot initiative, the California Privacy Rights and Enforcement Act of 2020 (CPREA). An annotated version of the CPREA is released for public comment, and the initiative would create a sensitive data classification, add obligations on processors, and require the establishment of a California Privacy Protection Agency.
• October 2, 2019 – Mactaggart submits the second draft of the CPREA ballot initiative, which contains few substantive changes from the first draft.
• October 10, 2019 – The California Attorney General’s Office releases the first draft of a set of proposed regulations, as required by the CCPA, which will operationalize and provide additional guidance for complying with the CCPA—triggering a 45-day public comment period.
• October 11, 2019 – Governor Newsom signs the second round of CCPA amendments—including AB 25, AB 874, AB 1146, AB 1355, and AB 1564—into law.
• October 16, 2019 – Californians for Consumer Privacy release findings from a poll of 777 registered California voters, finding that nearly nine out of ten voters would support a ballot measure expanding privacy protections for consumers’ personal information. 88% of all respondents said they would vote in favor of the initiative if an election were held immediately, and 4% would vote no, opposing the measure.
• November 13, 2019 – Californians for Consumer Privacy submit the final draft of the new ballot initiative, now called California Privacy Rights Act (CPRA), which includes substantive changes to previous drafts. If enough signatures are collected to place it on the ballot, the CPRA will be voted on in the 2020 election.
• December 6, 2019 – The California Attorney General’s Office releases the 250 pages of public comments from industry groups and civil society that it received regarding the CCPA and the Office’s proposed regulations.
• January 1, 2020 – CCPA goes into effect. Covered entities have six months before enforcement begins, although actions taken (or not taken) after this date could be subject to enforcement after July  1, 2020.
• February 3, 2020 – The first legal complaint citing the CCPA, Barnes v. Hannah Andersson, is filed in the Northern District of California. Plaintiffs sue retailer Hanna Andersson and Salesforce.com over a data breach suffered by Hanna Andersson, citing the CCPA.
• February 10, 2020 – The California Attorney General’s Office issues its first set of modifications to the proposed enforcement regulations.
• March 11, 2020 – The California Attorney General issues its second set of proposed modifications—modifying various definitions and removing previous requirements like the controversial opt-out icon.
• March 17, 2020 – A coalition of advertising companies sends the Attorney General a letter calling for a delay in enforcement, citing concerns related to the ongoing COVID-19 global pandemic.
• March 24, 2020 – In response to requests for delays, an advisor to Attorney General Becerra is quoted saying: “We’re committed to enforcing the law starting July 1. We encourage businesses to be particularly mindful of data security in this time of emergency.”
• May 4, 2020 – Californians for Consumer Privacy announce that despite the effects of the COVID-19 pandemic, they are able to submit over 900,000 signatures to qualify the California Privacy Rights Act (CPRA) for the November 2020 ballot.
• June 8, 2020 – Alastair Mactaggart and other members of Californians for Consumer Privacy file a petition in state court alleging that the California Secretary of State failed to verify the signatures necessary to place the CPRA on the November 2020 ballot in a timely manner. That petition claims the “one-day delay . . . may prove fatal to the people’s right to vote on this initiative,” and requests that the court order the Secretary of State to direct local election officials to report the results of signature sampling, so that the ballot initiative may be certified in time.
• June 11, 2020 – California Assemblymember Kevin Mullin proposes an amendment to the CCPA, AB 713, which would institute new contractual obligations for de-identified data and modify the research or public health exemptions.
• June 19, 2020 – A California Judge grants Californians for Consumer Privacy’s petition, ordering counties to quickly finish verifying signatures to qualify the CPRA for the general ballot by June 25.
• June 24, 2020 – The Elections Division of the office of the California Secretary of State reports that it received 623,212 signatures for certification of the CPRA ballot initiative, and that the Secretary of State will certify the initiative.
• June 25, 2020 – The CPRA ballot initiative is officially certified to appear on the November 2020 general ballot, exactly two years after the CCPA ballot initiative was certified to appear on the November 2018 ballot. If CPRA is passed, its prospective effective date will be January 1, 2023.
• June 30, 2020 – The Attorney General issues a reminder to California consumers regarding their rights under the CCPA, after tweeting that he will begin enforcement of the CCPA on July 1, 2020.
• July 1, 2020 – Enforcement of the CCPA begins. Although “mindful of the challenges imposed by COVID-19,” the Attorney General remains dedicated to this enforcement date, and requests expedited review of the final proposed regulations, requesting that the Office of Administrative Law complete its review within 30 business days.

What’s next? If voters in California vote for the CPRA ballot initiative in the general election on November 3, 2020, the CPRA would become effective on January 1, 2023. The proposed law contains broader substantive protections than the CCPA, including data minimization and purpose limitation obligations, a stronger opt-out of behavioral advertising, and restrictions regarding the use of sensitive data. It would also establish a new Privacy Protection Agency in California to create additional regulations and to enforce the law. 

FPF Resources on CCPA //

• FPF Comments on the California Consumer Privacy Act (CCPA), FPF Staff, commending  the Attorney General for a sincere and multi-faceted solicitation of feedback from diverse stakeholders and the public, as well as suggesting a number of key recommendations for later iterations of the bill.
• CCPA Amendment Update June 2019—Twelve Bills Survive Assembly and Move to the Senate, co-written by Michelle Bae & Jeremy Greenberg, summary of the twelve bills that passed the Assembly and moved to the Senate for further consideration, as well as key Senate bills that failed. The blog also includes a timeline of next steps and a description of the California State Legislature’s administrative process.
• CCPA 2.0? A New California Ballot Initiative is Introduced, by Jeremy Greenberg, analyzes notable provisions of the first draft of CCPA 2.0, and the next steps in the administrative procedure.
• Comparison Privacy Laws: GDPR v. CCPA, co-written by OneTrust DataGuidance and FPF, identifies the key differences between the General Data Protection Regulation (GDPR) and the legislative version of the California Consumer Privacy Act of 2018 (CCPA). That analysis noted that while the two laws share some similarities—the CCPA differs from the GDPR in some significant ways, particularly with regard to the scope of application; the nature and extent of collection limitations; and rules concerning accountability.
• Examining Industry Approaches to CCPA “Do Not Sell” Compliance, by Charlotte Kress, summarizes and compares industry tools and approaches to advertising within the CCPA’s requirements; including: the Digital Advertising Alliance’s guidelines and new icon; Interactive Advertising Bureau’s CCPA Compliance Framework for Publishers and Technology Companies; Google’s “Restricted Data Processing” mechanism; and the Network Advertising Initiative’s analysis to aid companies in determining whether a business activity may, or may not, constitute a “sale” under the CCPA.
• Child Privacy Protections Compared: California Consumer Privacy Act v. Proposed Washington Privacy Act, by Amelia Vance, compares the California Consumer Privacy Act (CCPA) with the child privacy provisions proposed within the Washington Privacy Act (SB 6281). In that post, FPF notes that the CCPA contains specific requirements regarding the sale of children’s data, while SB 6281 would place children’s data in a larger category of “sensitive data” that would enjoy heightened protection.
• A New U.S. Model for Privacy? COmparing the Washington Privacy Act to GDPR, CCPA, and More, co-written by Stacey Gray, Pollyanna Sanderson, and Katelyn Ringrose, comparing noteworthy provisions in the GDPR, CCPA, CPRA, WPA 2019, and WPA 2020, including: jurisdictional scope, definitions and structure, pseudonymous data, individual rights, obligations on companies, facial recognition provisions, and preemption and enforcement.

Additional Reading //

• An Introduction to the California Consumer Privacy Act (CCPA), by Prof. Eric Goldman and published by IAPP, covers the scope of the CCPA as well as breaks down various definitions within the law. 
• Catalyzing Privacy Law, co-authored by Anupam Chander, Margot E. Kaminski & William McGeveran, provides a close comparison of GDPR and CCPA, and argues that CCPA, rather than GDPR, is catalyzing privacy law in the U.S.
• CCPA Amendment Tracker, drafted and compiled by IAPP, includes summaries of bills that passed and failed along with key dates.

Acknowledgements to Stacey Gray, Senior Counsel (US Legislation and Policymaker Education), Polly Sanderson, Policy Counsel. 

Did we miss any key events? Let us know at [email protected].