Several bills that would amend the California Consumer Privacy Act of 2018 (CCPA) cleared a major hurdle when they passed in the Senate Judiciary Committee during a late-night session on July 9, 2019. However, a number of business-friendly provisions were limited, or struck, in order to allay consumer and labor groups’ concerns and clear the way for passage. If enacted, these amendments will have a significant impact on businesses’ obligations under the CCPA.
Additionally, two highly contested CCPA amendment bills appear to have died in committee: one was voted down (though a motion for reconsideration was granted) and another was withdrawn before coming up for a vote.
An overview of the bills, including the Senate amendments and what they mean for companies doing business in California, is outlined below:
Passed Senate Judiciary Committee with Amendments
- Employee Exemption: Perhaps most notably, A.B. 25, the closely watched bill that, as passed by the California Assembly, would exempt personal information (PI) pertaining to employees, job applicants, contractors, or agents of a business from the scope of the CCPA (provided that such information is collected and used “solely within the context of the person’s role” as an employee, applicant, etc.) passed in the Senate Judiciary Committee. The Senate version contains three significant caveats that, if enacted, will have important consequences for businesses:
- The bill now contains a one-year sunset provision—if passed, the exemption would expire on January 1, 2021. As the bill’s sponsor, Senator Ed Chau, noted, this will give business, labor, and consumer groups adequate time to draft a bill regarding employer surveillance that will likely supplant the CCPA’s application in the employee context.
- The bill now requires employers to provide employees with privacy notices pursuant to §1798.100(b) of the CCPA. Such notices must notify individuals of the PI that the business collects about them and the purposes of collection.
- The exemption does not apply to the CCPA’s provision establishing a private right of action for consumers whose non-encrypted or non-redacted PI is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable safeguards. This means that employees, job applicants, contractors, and agents are not precluded from bringing a private right of action for such security-related incidents.
Takeaway: These carve-outs require businesses to factor employee, applicant, contractor, and agent data into their CCPA preparation efforts, although the bill would still relieve businesses from some of the more burdensome obligations for such personnel, such as CCPA access and deletion requests—that is, at least for the one-year moratorium period.
- Loyalty Programs: A.B. 846 passed unanimously in the Senate Judiciary Committee. In its original form, the Assembly bill sought to clarify that the CCPA does not prohibit a business from offering a different price, rate, level, or quality of goods or services to a consumer if the offering is: (1) in connection with the consumer’s voluntary participation in a “loyalty, rewards, premium features, discounts or club card program;” or (2) “for a specific good or service with a functionality that is directly related to the collection, use or sale of the consumer’s data.” However, as amended, the Senate version includes three key caveats that significantly limit the scope of the bill:
- Unlike the Assembly bill, the Senate bill excludes the offering goods or services whose functions “are directly related to the collection, use or disclosure of” PI.
- Businesses operating such programs may not sell the PI they gather in connection with the programs.
- Businesses must offer the program even if a consumer opts out of sale of his or her PI.
- Methods for Submitting Consumer Requests: A.B. 1564 would amend the CCPA’s provision dictating the mechanisms that businesses must make available for consumers to submit requests under the Act. As amended and passed in the Senate Judiciary Committee, the bill would restore the requirement that businesses maintain at least two designated methods for consumers to submit such requests, including at a minimum a toll-free telephone number (a prior amendment would have permitted businesses to provide either a toll-free telephone number or an email address, as well as a physical address, for consumer CCPA requests). The Senate amendments also narrowed an exception for businesses that operate exclusively online, which, under the original Assembly bill, would only be required to provide consumers with an e-mail address for submitting CCPA requests (and not, for example, a toll-free telephone number as well). The Senate bill includes a caveat that this exception only applies to online businesses that maintain a direct relationship with the California residents whose PI they collect.
Takeaway: Businesses that operate exclusively online but do not maintain direct consumer relationships should continue to monitor this bill and be prepared to establish and provide a toll-free telephone number for receipt of consumer requests under the CCPA. Other businesses should continue to be prepared to establish at least two mechanisms for consumers to submit requests under the Act, including a toll-free telephone number.
Passed Senate Judiciary Committee with Minor or No Amendments
- Clarifying/Expanding Exclusions from the Statutory Definition of Personal Information: A.B. 874, which passed in the Senate Judiciary Committee without amendment, would expand the exclusions from the statutory definition of PI by defining “publicly available” information as that which is lawfully made available from federal, state, or local government records, and specifying that PI does not include de‑identified or aggregate consumer information.
- Cleaning Up Drafting Errors: A.B. 1355 would, like A.B. 874, exclude de-identified or aggregate consumer information from the definition of PI. It would also clarify that opt‑in consent is required before a business can sell the PI of consumers who are at least 13 years of age but less than 16 years of age (i.e., clarifying that opt-in consent is not required from a 16-year-old). Finally, it would provide that the CCPA prohibits discriminating against the consumer for exercising any of the consumer’s rights under the CCPA, except if the differential treatment is reasonably related to value provided to the business by the consumer’s data (rather than reasonably related to the value provided to the consumer, as currently provided in the CCPA). It passed in the Senate Judiciary Committee without amendment.
- Motor Vehicle Recall/Repair Exception: A.B. 1146 would exempt from the CCPA’s notice, disclosure, and access obligations, as well as its private right of action, certain information retained or shared between motor vehicle dealer, and the vehicle’s manufacturer if the information is shared in connection with a vehicle repair covered by a vehicle warranty or a recall. It passed in the Senate Judiciary Committee with only a minor clarifying amendment.
Voted Down in Senate Judiciary Committee
- One of the more controversial CCPA amendment bills, A.B. 873, sought to limit the definition of PI to information that is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household. It would also align the definition of “de-identified” data with the FTC’s de‑identification standard, including information that does not identify, and is not reasonably linkable, directly or indirectly, to a particular consumer. The bill was criticized by the Committee Chair and privacy advocacy groups alike because it would exclude a broad swath of information from the CCPA’s scope.
Withdrawn Before Senate Judiciary Committee Vote
- Another controversial bill, A.B. 1416, was withdrawn before the July 9 Senate Judiciary Committee hearing. It would permit businesses to sell the PI of consumers who opted‑out of the sale of their PI “for the sole purpose of detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity, provided that the business and the person shall not further sell that information for any other purpose.” The bill drew the ire of consumer privacy groups, which claimed that the exception would allow businesses to ignore do-not-sell requests and, more specifically, prevent individuals from opting out of the sale of data to immigration authorities.
The bills that passed in the Senate Judiciary Committee will now proceed to the Senate Appropriations Committee and, if passed, to the full Senate for a vote. If a bill was amended in the Senate and subsequently passes the full Senate vote, it must go back to the Assembly for concurrence. If agreement cannot be reached, the bill is referred to a two-house conference committee to resolve differences.
A bill must pass both houses of the legislature by September 13, 2019 to become law, and Governor Gavin Newsom has 12 days from the date of transmittal to sign or veto the bill (unless the 12th day is a Sunday). If a bill is transmitted to the Governor after September 13, he must sign or veto the bill by October 13, 2019.