Big tech, big telecom and big business made a big push in the legislature to water down California’s landmark data privacy law, AKA the California consumer privacy act. They won some minor victories as the 2019 session ended, but did not succeed in making major changes.
A blog post by Christina Hyun Jin Kroll in the National Law Review has a good run down of the bills that did and didn’t make it out of the legislature and onto governor Gavin Newsom’s desk. Companies won a year’s delay in implementation of some of the protections that apply to employment-related information and data collected as a result of some business-to-business transactions, and expanded the scope of what can be considered “public information” that’s not subject to privacy restrictions. “Deidentified” and/or “aggregate” consumer information was also excluded – it’s no longer defined as “personal information”.
The battleground now moves out of the California legislature and into the governor’s and attorney general’s offices, and to federal lawmakers in Washington, D.C. Newsom has to decide whether to sign the bills into law (it’s expected he will). California attorney general Xavier Becerra has to issue detailed rules for complying with and enforcing CCPA. The law technically takes effect in January, but Becerra’s rules won’t kick in until July. His first draft is expected in the next few weeks.
There seems to be widespread agreement in D.C. that something should be done, but, naturally, no one can agree on what that something is. For now, California’s data privacy law is on track to become the de facto national standard.