
New California Law Amends the CCPA & CPRA

Andrew Clark October 15, 2021

On Wednesday, October 6, 2021, California Governor Gavin Newsom signed a series of privacy bills into law, including Assembly Bill 694 (Privacy and Consumer Protection: Omnibus Bill). Assembly Bill 694 advances several technical amendments to the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). 

How Assembly Bill 694 Changes The CCPA

While the changes to the CCPA & CPRA contained in AB 694 are considered relatively non-controversial, clarifications on a few specific issues have delivered another significant step forward in the evolution of privacy legislation in the United States. Among the critical developments in the new law is an amendment to California Civil Code § 1798.140, which introduces key definitions related to the recognition and enforcement of privacy rules, the most notable of which removes uncertainty and provides practical guidance around the concept of consent.

Per the amendment provided by AB 694, “consent” in the context of the CPRA/CCPA means:

“…any freely given, specific, informed, and unambiguous indication of the consumer’s wishes by which the consumer, or the consumer’s legal guardian, a person who has power of attorney, or a person acting as a conservator for the consumer, including by a statement or by clear affirmative action, signifies agreement to the processing of personal information relating to the consumer for a narrowly defined particular purpose. Acceptance of a general or broad terms of use, or similar document, that contains descriptions of personal information processing along with other, unrelated information, does not constitute consent. Likewise, agreement obtained through the use of dark patterns does not constitute consent.”

The definition provided in AB 694 is the most concrete guidance surrounding matters of consent since the CCPA was signed into law in 2018. It gives businesses a more explicit standard and method(s) to collect personal information from consumers. Importantly, as defined in AB 694, the consent language strikingly mirrors the definition provided in the GDPR.

With this emerging standard in mind, businesses should now be considering the potential legal implications of their existing mechanisms for consent, with a particularly keen eye toward whether they achieve “freely given, specific, informed, and unambiguous” indications, as advised by the new definition.

Equally important is the clarified guidance in the CPRA that describes what does not constitute consent. Most notably, “acceptance of a general or broad terms of use,” a mechanism widely deployed by businesses across industries, will need to be replaced before the new standard goes into effect on January 1, 2022. In addition to consent, AB 694 also puts forth an exhaustive list of novel definitions for relevant terms such as “consumer,” “advertising and marketing,” and “contractor,” to name a few.

 

California Privacy Protection Agency Timeline Clarified 

Another amendment in AB 694 worth highlighting clarifies the timing of the California Privacy Protection Agency’s (CPPA) ability to devise new rules. Initially, the CPRA stated that rule-making authority would become effective either July 1, 2021 or six months after the Agency provides notice to the Attorney General that it is prepared to begin rule-making, whichever is earlier. Confusingly, however, another section in the same draft stated it would be effective at the later date of the two. AB 694 removes this discrepancy by clarifying that rule-making authority will become effective six months after the California Privacy Protection Agency provides notice to the Attorney General.

Genetic Information Privacy Act Updates Definition of PII

AB 694 was signed alongside a series of bills related to privacy, including AB 825, which encompasses the Genetic Information Privacy Act (GIPA). This significant development integrates “genetic data” into the broader realm of “personal information.” The GIPA is a welcome addition to privacy legislation in the U.S., as it is the first attempt to protect the millions who have voluntarily shared their genetic data. The protection includes DNA samples sent to Ancestry services, which have become increasingly prevalent and have recently been the subject of high-profile data breaches.

So far, 2021 has been a notable year for the advancement of more comprehensive laws surrounding privacy in the United States. As lawmakers continue to introduce rules and amendments to existing legislation, businesses should be on the lookout for new developments and thoroughly evaluate their policies & practices to ensure ongoing compliance.

 
