Keeping Up With the Latest on the California Consumer Privacy Act
By Procopio Senior Counsel Elaine F. Harwell, CIPP/US
The California Consumer Privacy Act (CCPA) is a bit of a moving target. Since its passage and as we have previously addressed here and here, lawmakers anticipate making changes to the law before it takes effect January 1, 2020. Indeed, by one count, the state legislature has seen as many as 18 amendments, ranging from minor grammatical changes to significant modifications to its scope. This sweeping new privacy legislation is riding the wave of heightened attention on high-profile data breaches and privacy miscues. It imposes a number of new obligations on covered businesses while granting new rights to California residents.
What’s happening on the legislative front? Here’s the latest, starting with significant legislation that has passed.
Amendments Passed Out of Committee
AB 25 – Employment data exemption
Possibly the bill with the most wide-reaching implications, amendment AB 25 (relating to the exemption of employment data) has passed out of committee, but with important amendments to the language since its introduction. This bill initially proposed to redefine “consumer” to exclude job applicants, employees, contractors and agents whose personal information was collected and used in the context of the employment relationship.
In short, the bill proposed to exclude from the CCPA any information an employer business collects from an employee consumer in the employment context. Labor unions, privacy groups and others came out in opposition to AB 25, arguing the exemptions go too far in eroding the rights of employee consumers, specifically with regard to employee monitoring.
To address some of the issues raised in opposition, the exception has been limited and it now also includes a sunset provision after one year. The amended bill clarifies that while employee data is excluded from many CCPA requirements, employers would still be required to inform employees what types of information they are collecting and the reasons for collecting it.
Additionally, the bill’s exemption for employee data does not apply to the private right of action. Thus, employees impacted by a data breach may still bring civil actions pursuant to the rights set forth in section 1798.150 of the law.
As part of the compromise to get the bill passed, the stakeholders agreed to more comprehensive discussions over employee privacy legislation in 2020. Hence, watch out for additional legislation in the next year to further address concerns surrounding the use of employee personal information.
AB 1564 – Methods for consumers to submit requests
As originally passed, the CCPA required that businesses make available to consumers two or more methods to submit access requests, including, at a minimum, a toll-free number and a web address. The proposed bill removed the requirement that businesses make a toll-free number available to consumers and instead required either the toll-free number or an email address and a mailing address. Ultimately, AB 1564 passed with an amendment that allows online-only businesses to provide just an email address for consumers to exercise their rights. To take advantage of this exception, the business must also directly interact with its customers online.
AB 846 – Customer loyalty programs
Another bill that passed with amendments, AB 846, added a section to the CCPA that explicitly allows businesses to operate customer loyalty programs even if a consumer opts out of their personal information being sold. The bill still provides that a business cannot sell the personal information of consumers collected pursuant to a customer loyalty program.
Additionally, AB 874, which clarifies the “publicly available information” exception to the definition of personal information, and AB 1355, which clarified some drafting errors, passed out of committee without change.
Amendments Failing in Committee
A number of closely watched bills proposed in the state legislature failed to pass muster and, at least for now, have been tabled.
AB 873 would have narrowed the definition of “personal information” by removing information that is “capable of being associated with” a particular consumer and information that could be linked to a particular “household.” It also proposed to slightly modify the definition of de-identified data. While the bill failed to pass the Senate, there will be a rehearing on this bill after the legislature reconvenes on August 12. The legislature will then have until September 13 to pass this amendment. Thus, it remains to be seen what will happen with this particular amendment.
AB 981 initially proposed to exempt insurance institutions, agents and other related organizations from the CCPA. This amendment failed to secure approval from the Judiciary Committee and likely will not be renewed before the end of this year’s legislative session.
California, however, has a two-year legislative calendar, with each year having its own timeline for bills to move through the process. Any bills that do not pass both houses by the end of 2019 can be picked up and continued through the legislative process in 2020 without needing to be reintroduced. Thus, while AB 981 is unlikely to become part of the CCPA before it goes into effect in 2020, this bill could be revived next year.
The same is true for other amendments that have been effectively killed, including SB 561, which would have dramatically expanded the private right of action to allow private suits for any violation of the CCPA. The bill, which had the support of Attorney General Xavier Becerra, was blocked earlier this year, but because of the two-year legislative session, it can be raised again next year.
September 13, 2019 is the last day for each house to pass bills this year. At that point, Governor Gavin Newsom will have until October 13, 2019, to sign or veto the approved bills. Bills signed by Governor Newsom will go into effect with the CCPA on January 1, 2020.
Additionally, draft regulations from the Attorney General are expected in fall 2019. A public comment period and additional public hearings will follow the publishing of the proposed text of the regulations.
We at Procopio will continue to closely monitor developments. In the meantime, given the short window until the effective date of the CCPA, covered businesses should review their current procedures and be prepared with a plan moving forward.
Elaine F. Harwell is a Senior Counsel with Procopio and a member of its Privacy and Cybersecurity Practice Group. She is an experienced business litigation attorney and a trained privacy professional. Her practice is focused on representing clients in cybersecurity and data privacy matters, including litigating claims involving privacy issues, helping clients manage emerging risks and conduct privacy risk assessments, and advising on regulatory issues. Elaine has also been involved in numerous trials as well as arbitration proceedings related to contract and general business disputes, complex unfair competition and business practice claims, and professional liability. She has earned the ANSI-accredited Certified Information Privacy Professional/United States (CIPP/US) credential through the International Association of Privacy Professionals (IAPP).