The California Consumer Privacy Act (“CCPA”) goes into effect on January 1, 2020, but the contours of the law are still being ironed out. Following a marathon debate at a California Senate Judiciary Committee Hearing, the scope of these potential legislative changes is coming into focus. While certain bills amending the CCPA advanced without modification, others died or underwent significant revisions altering their practical impact and setting up the potential for further debate.
Passed Out of Committee With Meaningful Changes:
While some of these bills may now be in their final form, others may continue to spark debate and evolve over the coming months.
- AB 25 – would create an exemption to CCPA compliance for information collected from employees, contractors, and job applicants, but now with significant caveats.
  - One-year sunset: The exception removing employment and applicant data from the scope of the CCPA would now expire on January 1, 2021. This limit, which was pushed by labor advocacy groups, is meant to force the stakeholders to continue negotiating a broader employee data privacy bill.
  - Disclosure of categories and purpose of data collection: While the bill would ensure that employers do not have to respond to data access or deletion requests by individual employees or applicants, it would require employers to provide notice of the categories of data they collect and the purposes for which the data will be used. Businesses will need to consider the most efficient and effective way to notify employees, contractors, and applicants, to the extent that they do not do so already. For employees and contractors, this disclosure could be made internally (e.g., in an email or employee handbook). Businesses, however, may need to provide a separate disclosure or policy to applicants. The bill would also explicitly permit employees, contractors, and applicants to bring a private right of action under the CCPA’s data breach provision.
- AB 1564 – would revise the requirement dictating the mechanisms businesses must provide to consumers for submitting access and deletion requests. While businesses that have either a brick-and-mortar presence or no direct relationship with consumers would need to provide two designated methods including, at minimum, a toll-free number, any business that “operates exclusively online and has a direct relationship with a consumer from whom it collects personal information” need only provide an email address. For some, the bill represents a major step forward from the CCPA’s current obligation that all businesses provide two methods including a toll-free number. But for any businesses with a real-world presence or data about persons with whom they do not have a relationship (e.g., data brokers), the recent changes are a critical backslide from earlier versions of the bill, which would have relieved all businesses of the toll-free number requirement.
- AB 846 – the bill would clarify that the CCPA’s anti-discrimination provision does not prohibit loyalty or rewards programs, but recent modifications would explicitly prohibit businesses from selling personal information collected as part of such a program. Given the arguably expansive definition of “sale,” this change could present a significant obstacle to operating loyalty and rewards programs and could trigger further negotiation to ensure it offers a practical path forward. Moreover, unlike the prior version of the bill, the amended bill does not explicitly permit businesses to offer goods or services whose functionality is directly related to the collection, use, or sale of consumer data. Additionally, as amended, the bill requires businesses to continue offering the loyalty program to consumers even if they exercise their right to opt out of the sale of personal information.
Passed Out of Committee Without Modification:
It is expected that these bills will be approved by the California Appropriations Committee and Senate in their current form.
- AB 874 – would modify the definition of “publicly available” information to include information lawfully received from government records and clarify that personal information does not include de-identified and aggregate information.
- AB 1146 – exempts car dealers from the CCPA’s obligation to honor consumer requests to opt out and delete vehicle and ownership information shared between a new car dealer and manufacturer for warranty and recall repairs.
- AB 1355 – fixes various minor drafting errors.
Failed in Committee or Pulled Before the Hearing:
These bills will not be up for a vote in this legislative session. They join a slate of others that stalled earlier in the legislative process, including bills that would have expanded the CCPA’s private right of action, incorporated an opt-in requirement, and amended the definition of “sale” to clarify that sharing of online identifiers used in online advertising was not covered.
- AB 873 – would have (i) amended the definition of “personal information” to add “reasonably” to “capable of being associated with,” (ii) expanded the definition of “deidentified,” and (iii) ensured that businesses are not required to reidentify or otherwise link information that is not maintained as personal information. Without these changes, the CCPA’s definitions remain misaligned with prior FTC guidance and, depending on the California Attorney General’s interpretation and enforcement of the CCPA, could present challenges to businesses as they try to comply. Some chance remains that the bill could be voted on again in the coming weeks, but this is unlikely with the legislators on recess until August 12.
- AB 1416 – the “antifraud bill” would have: (i) allowed the “sale” of personal information even if a consumer opted out if the sole purpose of the “sale” was to prevent or detect security incidents or fraud and (ii) permitted certain disclosures to governmental agencies.
- AB 981 – would have exempted insurers from the CCPA.
Bills passed out of the Senate Judiciary Committee will now proceed to the Senate Appropriations Committee, which will analyze and approve bills no later than August 30, 2019. By September 13, 2019, all remaining bills must be approved by a majority of the California Senate, and any bills that have been amended by the Senate must also be approved by the House. If the two chambers cannot reach an agreement on a bill, it will be referred to a two-house conference committee to resolve the differences. Governor Newsom will then have until October 13, 2019 to sign or veto the approved bills. Draft regulations from the Attorney General’s office are expected in the late fall.
It is likely that the bills passed out of the Senate Judiciary Committee represent the full universe of bills amending the CCPA. That said, given the apparent obstacles to the internet advertising ecosystem and other perceived flaws in the CCPA, larger scale changes could be in the works. Senate leadership could potentially arrange for a broader compromise in which industry achieves some of their remaining priorities while privacy advocates get a win on another issue, such as enforcement.