On October 5th, California Governor Gavin Newsom signed Assembly Bill 694 (AB 694), an omnibus bill from the Committee on Privacy and Consumer Protection that amends significant portions of the California Consumer Privacy Act (CCPA).
AB 694 made several key changes to the CCPA, including redefining key terms, introducing new definitions, and changing timelines for the enforcement measures introduced in the California Privacy Rights Act (CPRA). In this article, we’ll break down how the law was amended, and what the changes mean for businesses and consumers in California.
How Does AB 694 Affect the timeline of the CPRA?
When the CPRA was passed in 2020, it created a new enforcement agency, the California Privacy Protection Agency (CPPA) to enforce the CCPA and CPRA. The CPPA was originally slated to take over enforcement responsibilities from the CA attorney general on July 1st 2021. AB 694 extended the timeline for this transfer, clarifying that the CPPA will take over enforcement efforts “On and after the later of July 1, 2021, or within six months of the agency providing the Attorney General with notice that it is prepared to assume rulemaking responsibilities under this title […]”
What CCPA Definitions Did AB 694 Amend?
AB 694 will also amend several definitions set forth by the CCPA and CPRA, clarifying issues such as what constitutes a covered business under California privacy law and what personal information falls under its jurisdiction.
According to the amendments introduced in AB 694, any business that, as of January 1st, has annual gross revenues in excess of $25M USD in the preceding calendar year and annually “buys, sells, or shares the personal information of 100,000 or more consumers or households” is covered by California’s privacy laws. Joint ventures and partnerships’ combined revenues and interactions with PII are held to the same standard.
The definition of personal information has also been amended with the following: “Personal information does not include publicly available information or lawfully obtained, truthful information that is a matter of public concern.”
‘Publicly available information is defined as “information that is lawfully made available from federal, state, or local government records, or information that a business has a reasonable basis to believe is lawfully made available to the general public by the consumer or from widely distributed media; or information made available by a person to whom the consumer has disclosed the information if the consumer has not restricted the information to a specific audience. “Publicly available” does not mean biometric information collected by a business about a consumer without the consumer’s knowledge.”
What New Definitions Did AB 694 Introduce?
In addition to amending preexisting definitions, AB 694 introduced several new definitions related to privacy, such as advertising and marketing, behavioral advertising, and consent.
Advertising and marketing is defined as “a communication by a business or a person acting on the business's behalf in any medium intended to induce a consumer to obtain goods, services, or employment.”
“Cross-context behavioral advertising” was defined as “targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s activity across businesses, distinctly-branded websites, applications, or services, other than the business, distinctly-branded website, application, or service with which the consumer intentionally interacts.”
“Non-personalized advertising” is any advertising or marketing “that is based solely on a consumer’s personal information derived from the consumer’s current interaction with the business, with the exception of the consumer’s precise geolocation.
What is the Definition of Consent Under the CCPA and CPRA?
Perhaps the most substantial change was the newly minted definition for consent, which is now defined under California law as “any freely given, specific, informed, and unambiguous indication of the consumer’s wishes by which the consumer, or the consumer’s legal guardian, a person who has power of attorney, or a person acting as a conservator for the consumer, including by a statement or by a clear affirmative action, signifies agreement to the processing of personal information relating to the consumer for a narrowly defined particular purpose.”
Crucially, this new definition specifies that consent must be “freely given, informed, and unambiguous. Currently, The California Consumer Privacy Act (CCPA) gives California consumers the right to know when their data is being collected, what information is being collected, and how that data is being used but does not require opt-in consent. With this expanded definition of consent, CA legislators could be setting the stage for a more stringent “opt-in” consent requirement, as seen in the GDPR.
Provisions of AB 694 will take effect on January 1, 2022.
Jeff Edwards is a tech writer and analyst with six years of experience covering compliance, information security, and IT. Jeff previously worked as a reporter covering Boston City Hall.