California privacy laws mark key milestones after one month

As the infant California Consumer Privacy Act marks the completion of its first month, another California privacy law is opening a new window into the shadowy data-broker industry, with about 60 companies that trade in consumer data rushing to register with the state by today's deadline.

In some ways, the first full month of regulation under CCPA, which took effect Jan. 1, has been relatively uneventful. The wave of data-breach litigation forecast by some privacy lawyers over the comprehensive privacy and data breach law, easily the most comprehensive such law passed in US history, has yet to materialize so far.

Daily searches by MLex of the California state court system have failed to uncover a single lawsuit that alleged a CCPA violation against a company that failed to install "reasonable" security measures and that later suffered a data breach. Law firms watching litigation over the new law have also yet to detect any surge of new litigation.

It may well be too soon for that surge to appear. David Zetoony, a lawyer with the firm Bryan Cave who has been tracking the new law, believes plaintiffs are waiting for 2020 data breaches to be registered on the California attorney general's database to identify targets they may want to sue.

"We expected that there would be a 45- to 90-day delay between the time the CCPA went into effect and when litigation began to be filed," Zetoony said. "Sophisticated plaintiff's attorneys are likely going to wait until they identify data breaches that both occurred and were reported in 2020 in order to avoid the inevitable fight about whether the CCPA does, or does not, apply to a breach."

Regulatory enforcement by the California attorney general for violations of the privacy elements of the CCPA won't begin until July 1. Lawyers within the California Department of Justice, the agency under the attorney general, are still working to finalize the enabling regulations for the new law and are expected to complete that process around the same time enforcement begins.

Meanwhile, political efforts to place before California voters a ballot initiative later this year to establish an even tougher set of privacy rules than the CCPA are making progress, advocates say.

Whether or not CCPA remains unchanged after 2020, the law is already having a global impact, with companies far beyond California rushing to comply. "We're getting calls from our people in Singapore, our people in Israel, saying, 'What's going on in California?' It's very much like GDPR," said Dominque Shelton Leipzig, a lawyer with Perkins Coie who has been closely watching development of the new law. 

California's new data-broker law also reached a key milestone as January melted into February. Signed into law by Governor Gavin Newsom in October, the new statute follows Vermont's data-broker registry in creating a public list for consumers of companies that trade in consumer information with other companies, but that lack any direct relationship with consumers.

Companies like Xome Leads of Lewisville, Texas; Blackbaud, of Charleston, South Carolina; Versium of Redmond, Washington; and Skip Smasher of Temecula, California, are companies that are unknown to the vast majority of consumers, but that identified themselves as data brokers in the new registry.

The new California public registry also includes better-known names, including Spokeo, the people-search engine that was at the heart of an influential privacy case that went up to the US Supreme Court; Acxiom and ComScore. While only about 60 companies have been listed on the registry, that number is likely to grow — a spokeswoman for the California Department of Justice said other companies' applications are still being processed before they are listed on the registry.

Many of the data brokers are pushing the deadline; more than half of the companies on the registry as of late afternoon today had registered on the last two days before the 11:59 pm Jan. 31 deadline.

The new law requires the registration of data brokers defined as "a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship." Consumer credit agencies reporting under the federal Fair Credit Reporting Act, and financial institutions covered by the Gramm-Leach-Bliley Act are exempt.

Even as the privacy world closely watches the impact from CCPA, California privacy advocates are moving forward on their political campaign to place an even more sweeping law, the California Privacy Rights Act, on the November ballot.

"We are required to submit 623,212 valid signatures" to state and county election officials to qualify the measure for the ballot, said Nicolette Velazquez, press secretary for Californians for Consumer Privacy, the group pushing for the new ballot initiative. "I can tell you we are meeting or exceeding all of our current targets to qualify for the November ballot."

The proposed CPRA would triple the maximum penalty for privacy violations affecting children and teenagers under age 16, and it would establish a standalone enforcer — the California Privacy Protection Agency — to enforce and implement privacy laws and impose fines.

The proposed ballot initiative would also create a new category of sensitive personal information for consumer finances, race, biometric information, or data revealing health status or precise location. The CPRA would allow consumers to restrict the use of that information, and even block its use for all advertising or marketing.

-- With reporting by Amy Miller in San Francisco and Robert Thomason in Washington, D.C.