In the last two weeks, California legislative committees voted on several amendments to the California Consumer Privacy Act (CCPA), which is due to go into effect January 1, 2020. While each proposal requires additional approvals, including full Assembly and Senate votes, the committees' determinations provide an important development in the ongoing roll-out of the CCPA, what it will ultimately require, and how to address compliance.
The California Assembly's Privacy and Consumer Protection Committee approved amendments that included narrowing the scope of personal information, and effectively exempting employee-related information from coverage under the Act. In addition, the Senate Appropriations Committee unanimously approved S.B. 561 yesterday,1 which would expand the private right of action against entities that violate the CCPA, and is supported by Attorney General Xavier Becerra.2 These amendments, and any other legislative amendments or clarifications, will be further supplemented by the Attorney General Office's promulgation of regulations, still anticipated to be issued for public comment by Fall 2019.
The following is a summary of each of the amendments voted on in the past week, and a chart exhibiting the key changes to the existing language of the CCPA. As always, we will continue to monitor these important updates.
Senate
The Senate Judiciary Committee and the Senate Appropriations Committee both voted this month to augment the private right of action for violations of the CCPA with S.B. 561. Under the current version of the CCPA, consumers only have a private right of action for certain unauthorized disclosures of their data. S.B. 561 would permit a private right of action for any violation of the CCPA, broadly expanding the potential exposure businesses may face. The bill further removes the 30-day cure period for violations before claims can be brought by the Attorney General. Finally, the amendment removes the provision permitting businesses and third parties to seek guidance directly from the Attorney General, replacing it with a statement that the Attorney General may publish materials to provide general guidance on compliance.
Assembly
Several bills in the Assembly also continued to gain traction with a positive vote from the California Assembly's Privacy and Consumer Protection Committee:
- A.B. 25 redefines "consumer" to exclude employees, contractors, agents, and job applicants, so long as their personal information is only collected and used by the business in that context;
- A.B. 873 modifies the definition of "personal information" to narrow its scope—including by removing information relating to a household, and information "capable of being associated with" a consumer—and also redefines "deidentified" data;
- A.B. 1564 would require businesses to make available to consumers a toll-free telephone number or an email address for submitting requests, and require businesses with websites to make those website addresses available to consumers to submit requests for information;
- A.B. 846 would modify the way businesses can offer financial incentive plans to consumers in exchange for their data;
- A.B. 1146 would exempt vehicle and ownership data collected by automotive dealers and shared with the manufacturers of the vehicle sold if the vehicle information is shared pursuant to, or in anticipation of, a vehicle repair relating to a warranty or recall; and
- A.B. 981 would exempt certain insurance institutions subject to the Insurance Information and Privacy Protection Act (IIPPA) from the CCPA, and would incorporate certain disclosure and other privacy requirements into the IIPPA to be in line with the CCPA.
Notably, a proposal to revoke and revamp the CCPA, A.B. 1760—which would have required obtaining opt-in consent from consumers before sharing (not just selling) personal information, and would have generally broadened consumers' rights under the Act—was taken off hearing, and will not move forward, at least at this time.
Potential Impact of the Amendments on Businesses
Arguably the most important changes to the CCPA for businesses interacting with California consumers are the proposed amendments set out in S.B. 561; expanding the private right of action to any violations of the Act has the potential to significantly increase the number of suits brought by individuals, including data privacy class actions, and magnify the resulting financial impact of the Act businesses interacting with state residents. As before, in anticipation of this potential amendment, it is important for businesses to work now to analyze steps necessary to ensure compliance with the various provisions likely to go into effect, including as discussed in our previous client alerts ( California Consumer Privacy Act of 2018 (July 2018) and New California Security of Connected Devices Law and CCPA Amendments (October 2018)). In general, businesses should ensure that they understand the type, nature, and scope of consumer data they have collected, including where it is stored; create the processes to comply with the disclosure and other, technically difficult rights (including a Do Not Sell opt-out link on their website, and a request verification and disclosure process); revise service provider agreements for compliance; and review their privacy policies, both internal and public, to ensure that they are properly disclosing how personal data is collected, used, and potentially shared with third parties.
Certain of the proposed Assembly bill amendments, on the other hand, may serve to narrow the impact on businesses, particularly related to the scope of personal information at issue. The modifications in A.B. 25, clarifying that the CCPA is not intended to cover employees' data, could minimize the impact on companies that generally do not collect California residents' personal information other than as a result of being an employer of Californians, and also minimize logistical issues that would otherwise arise if businesses have to allow employees to exercise the rights afforded by the Act. Rather, it would shift the impact of the CCPA primarily to those businesses that rely on collecting data as a part of their business model.
The scope of personal information would be further narrowed if A.B. 873 passes, as it may eliminate some of the broader reaching—and more confusing—applications of CCPA, to household data and data that is "capable of being associated with" a consumer. The remaining language focuses on information that is linked directly, or indirectly to a particular consumer. This will also clarify some concern expressed at multiple public forums on the CCPA, regarding how verifications for data requests should work when the individual is requesting household data.
A.B. 873 also redefines "deidentified," and while several of the same guardrails would exist, the new definition would specifically require (1) contractual prohibitions on recipients of data to not reidentify such deidentified personal information, and (2) a public commitment to not reidentify the data, which may require certain internal and third party contract provision revisions, and suggested modifications to the language in consumer-facing privacy policies. As a result, it may be important for businesses to re-evaluate their contracts with suppliers, distributors, and contractors to ensure compliance for any use of deidentified data.
Logistically, A.B. 1564 would offer businesses some relief from providing a toll-free telephone number for requests related to the Act, offering instead an option of an email address or a telephone number, and a website address for consumers to access. While many businesses may have already included an email address for compliance with related laws, instituting a telephone number for such requests may impose additional logistical issues for businesses under the current text of the law.
Finally, for entities offering customer loyalty programs, the new provisions of A.B. 846—replacing the financial incentive provisions—will require particular attention, if passed. Primarily, businesses will need to ensure the offerings and their value must be "reasonably" related to the value of the data collected, though there may be latitude on what incentives are possible.
Comparison of Proposed Language to Original
The following chart provides a comparison of what would be key changes to the language of the CCPA as a result of the more broadly applicable amendments currently moving through the California legislature. The language crossed out in the Original Language column indicates what has been deleted from the current language of the Act, while the bolded language in the Proposed Amendment column shows what language has been added. That column contains what would be the final text if these amendments are adopted. We will continue to monitor the progress of these amendments, and will provide updates, accordingly.3
| Concept | Original Language | Proposed Amendment |
| Introducing Private Right of Action for Any
Violation of the Act (S.B. 561) |
(a) (1) Any consumer whose nonencrypted or nonredacted personal information, . . . is subject to an unauthorized access . . . may institute a civil action for any of the following . . . | (a) (1) Any consumer whose rights under this title are violated, or whose nonencrypted or nonredacted personal information . . . is subject to an unauthorized access . . . may institute a civil action for any of the following |
| Excluding Employees from the Definition of
Consumer (A.B. 25) |
(g) "Consumer" means a natural person who is a California resident . . . | (g) (1) "Consumer" means a natural
person who is a California resident . . . (g) (2) "Consumer" does not include a natural person whose personal information has been collected by a business in the course of a person acting as a job applicant to, an employee of, a contractor of, an agent on behalf of the business, to the extent the person's personal information is collected and used solely within the context of the person's role as a job applicant to, an employee of, a contractor of, or an agent on behalf of the business. |
| Redefining Deidentified (A.B. 873) | "Deidentified" means information that |
"Deidentified" means information that does
not reasonably identify or link, directly or indirectly,
to a particular consumer, provided that the business makes
no attempt to reidentify the information, and takes reasonable
technical and administrative measures designed to: (1) Ensure that the data is deidentified. (2) Publicly commit to maintain and use the data in a deidentified form. (3) Contractually prohibit recipients of the data from trying to reidentify the data. |
| Excluding Household and Information "capable of
being associated with" from the Definition of "Personal
Information" (A.B. 873) |
"Personal information" means information that
identifies, relates to, describes, |
"Personal information" means information that identifies, relates to, describes, or could reasonably be linked, directly or indirectly, with a particular consumer. Personal information may include, but is not limited to, the following if it identifies, relates to, describes, or could be reasonably linked, directly or indirectly, with a particular consumer. |
| Prescribing Methods of Contacting Businesses
(A.B. 1564) |
(1) Make available to |
(1) (A) Make available to consumers a
toll-free telephone number or an email address for
submitting requests for information required to be disclosed
pursuant to Sections 1798.110 and 1798.115. (B) If the business maintains an internet website, make the internet website available to consumers to submit requests for information required to be disclosed pursuant to Sections 1798.110 and 1798.115. |
| Clarifying Non-discrimination Provision re Financial
Incentives: Removing in Favor of Customer Loyalty Programs
(A.B. 846) |
(a) (1) A business shall not discriminate against a consumer
because the consumer exercised any of the consumer's rights
under this title, including, but not limited to, by: ... (B) Charging (C) Providing a |
(a) (1) A business shall not discriminate against a consumer
because the consumer exercised any of the consumer's rights
under this title, including, but not limited to, by: ... (B) Charging higher prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties. (C) Providing a lower level or quality of goods or services to the consumer. (2) Nothing in this subdivision prohibits a business from offering a different price, rate, level, or quality of goods or services to a consumer, including offering its goods or services for no fee, if any of the following are true: (A) The offering is in connection with a consumer's voluntary participation in a loyalty, rewards, premium features, discount, or club card program. (B) That difference is reasonably related to the value provided by the consumer's data. (C) The offering is for a specific good or service whose functionality is reasonably related to the collection, use, or sale of the consumer's data. (b) As used in this section, "loyalty, rewards, premium features, discount, or club card program" includes an offering to one or more consumers of lower prices or rates for goods or services or a higher level or quality of goods or services, including through the use of discounts or other benefits, or a program through which consumers earn points, rewards, credits, incentives, gift cards, or certificates, coupons, or access to sales or discounts on a priority or exclusive basis. |
Footnotes
1 Although approved unanimously, S.B. 561 was placed on Suspense File, where the committee sends bills with an annual cost of more than $150,000, to be considered following budget discussions. The bill will not move forward until the Appropriations Committee releases it for a vote.
2 The Senate Judiciary Committee had previously approved the bill 6-2 on April 9, 2019.
3 Please note that the following chart does not include language modifications to the IIPPA (A.B. 981) or proposed amendments exempting information shared between automotive dealers and vehicle manufacturers (A.B. 1146), as they are of more limited application than the more general provisions that were included. If you have questions about those particular provisions, please reach out to discuss with us and we would be happy to provide further guidance.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
