As we reported in April, May and June, a number of potentially significant amendments to the California Consumer Privacy Act (CCPA) continue to make their way through the state legislative process. Below we provide a summary of recent developments from earlier this month, including changes that may materially affect how businesses approach their CCPA compliance efforts.
Bills That Passed With Amendments
AB 25: Changes to the Employee Exception
This bill has been closely watched since its introduction, as the inclusion of employees in the definition of "consumers" covered by the CCPA could represent a serious compliance burden for certain companies. Initially, the bill would have amended the definition of "consumer" to exclude job applicants, employees, contractors and agents whose personal information was collected and used in the context of the employment relationship, essentially removing HR data from the scope of the CCPA. That exception has now been limited, and it will expire entirely following a one-year grace period. Specifically:
- The exception does not apply to the private right of action set forth in Section 1798.150. Employees may bring civil actions for data security breaches affecting personal information maintained by their employers.
- The notice requirement in Section 1798.100(b) will apply to these individuals as of January 1, 2020.
- The entire exception will become inoperative as of January 1, 2021.
Accordingly, businesses must prepare to provide their employees with CCPA-compliant notice regarding the collection and use of personal information as they would for any other consumer. It appears the delay with respect to other CCPA requirements was inserted in the latest amendments to allow stakeholders time to address concerns regarding employee surveillance.
AB 846: Exception for Loyalty Programs
This bill allows a business to offer discounts and other benefits to consumers in the context of a voluntary loyalty/rewards program, so long as the business does not sell consumer personal information collected through the program. Without this exception, a business arguably could be considered to be violating Section 1798.125, which prohibits discriminating against consumers who exercise their rights (e.g., deletion) by not "rewarding" those who choose not to allow the business to retain their personal information.
AB 1564: Methods for Exercising Consumer Rights
This bill would allow online-only businesses to provide an email address for consumers to exercise their CCPA rights; such businesses would not also be required to provide a toll-free telephone number.
Bills That Passed Without Amendments
AB 874: Edits Concerning "Publicly Available" Personal Information
This bill alters the definition of "publicly available" information that is excluded from the definition of personal information. Personal information is considered "publicly available" if it is "lawfully made available from federal, state, or local government records." Originally, the CCPA further specified that personal information would not be considered "publicly available" if it were used for a purpose that was not compatible with the purpose for which it was maintained and made publicly available; that element of the definition has been stricken.
AB 1355: Fixes Drafting Errors
This bill includes a number of revisions to correct drafting errors, including a substantive change of the word "consumer" to "business" in Sections 1798.125(a)(2) and (b)(1). This clarifies that differential pricing or other incentives that might otherwise be considered discriminatory may be permissible if the differential treatment is reasonably related to the value of the consumer's personal information to the business. As originally drafted, the clause stated that differential treatment would have to be reasonably related to the value of a consumer's personal information to the consumer; this would have required businesses to make determinations regarding subjective value judgments of individual consumers.
Revisions in this bill also clarify that a business must obtain opt in consent to sell personal information from consumers who are 13, 14 or 15 years old, but that opt-in consent is not required from a 16-year-old.
Bills That Did Not Pass
AB 873: Definition of Deidentified
This bill failed to pass out of committee, but reconsideration has been granted. It would have clarified the definition of "deidentified information" to align with the Federal Trade Commission's standard, which requires that deidentified information be "reasonably" incapable of being associated with an individual. Critics of the bill argued that it would create a loophole for using information such as IP addresses, which generally are unique enough to be associated with specific individuals; proponents stressed that the FTC standard is broadly recognized and understood and thus would promote consistent application.
AB 1416: Fraud and Government Exception to Sales Following Consumer Opt-Out
This bill was pulled before the hearing. It would have permitted businesses to sell the personal information of consumers who had exercised their "Do Not Sell" right "for the sole purpose of detecting security incidents, protecting against malicious, deceptive, fraudulent or illegal activity, and prosecuting those responsible for that activity, provided that the business and the person shall not further sell that information for any other purpose." Critics of this bill claimed that the exception would allow businesses to ignore "Do Not Sell" requests, and possibly prevent individuals from opting out of the sale of their personal information to government authorities.
What Happens Next?
The bills that passed the Senate Judiciary Committee without amendment on July 9 will proceed to the Senate Appropriations Committee and, if they pass, will go to the full Senate for a vote. Bills that were amended in the Senate and pass the full Senate vote will be returned to the Assembly for concurrence.
A bill must pass both legislative houses by September 13, 2019 to become law. Although the legislature is in recess from July 12 to August 12, time remains for further compromises and amendments before the September 13 deadline. At that point we will know which amendments have survived, and Governor Gavin Newsom will have until October 13 to sign or veto those bills. Also, it is expected that Attorney General Xavier Becerra will publish proposed CCPA regulations in September. We will continue to monitor these bills and the AG's rule-making process, as well as legislative developments in other states and at the federal level.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.