Since its inception, the California Consumer Privacy Act (CCPA) has been in a state of flux as dozens of proposed amendments have sought to modify the hastily passed law. While numerous amendments have been proposed, even anticipated, time is running out for the California Legislature to amend the CCPA before the law’s effective date of January 1, 2020. The California Legislature’s term expires on September 13, 2019, so any amendments must be passed by that date to be effective before January 1, 2020. On July 9th, the CCPA’s amendments picture got a little clearer as the California Senate Judiciary Committee advanced several amendments while also eroding and eliminating others. Below is a brief description of the status of some of the key amendments following the July 9th meeting.
Employee Exemption Advanced, But Narrowed
AB 25, as originally drafted, excluded employees and job applicants from the definition of “consumer,” which would have essentially removed employee data from the CCPA compliance requirements. In response to pushback from employee rights advocates, the Judiciary Committee narrowed the amendment to exempt employers from only certain obligations under the CCPA. Under the current draft, employers will still be subject to private actions by employees in the event of a data breach and will still need to provide a privacy notice to employees, but will not have to honor employee opt-out and deletion requests. However, the employee exemption is set to expire on January 1, 2021, and at that time businesses will again have to fully comply with the CCPA’s requirements with respect to employee data.
Disclosure Methods Amendment Eases Burden for Online-Only Businesses
AB 1564 seeks to modify the CCPA’s current requirement that all businesses provide, at minimum, two methods for consumers to submit access and deletion requests (toll-free number and website address). Past versions of AB 1564 completely removed the requirement of implementing a toll-free number, but the Judiciary Committee advanced a version of the bill which only exempts online-only businesses from the toll-free number requirement.
Loyalty Program Amendment Modified to Exclude the Sale of Personal Information
AB 846 clarifies that the CCPA’s anti-discrimination provision does not prohibit a business from running a loyalty or rewards program. The original substance of the amendment remains largely intact, and the bill advanced by the Judiciary Committee now includes a prohibition against the “selling” of information collected in connection with a loyalty or rewards program. If passed in its current form, AB 846 could have a significant impact on loyalty and rewards programs given the CCPA’s sweeping definition of “sale.”
Judiciary Committee Tables Amendment Easing Definitions of “Deidentified” and “Personal Information”
AB 873 would: (1) expand the definition of “deidentified” to include any information that “does not identify and is not reasonably linkable” to a consumer; and (2) narrow the definition of “personal information” to include only information “reasonably” capable of being associated with a consumer or household. AB 873 failed in the Judiciary Committee, but is being held for reconsideration, meaning that passage is still possible (albeit unlikely) before the legislature’s term ends on September 13.
The bills advanced by the Judiciary Committee will now move to the Appropriations Committee and, if passed there, will go to the full Senate for a vote. While some businesses have taken a “wait and see” approach to CCPA compliance, the likelihood of any drastic legislative changes (e.g., a narrowing of the law’s broad definition of “sale”) is becoming smaller and smaller. Moreover, setting up the necessary CCPA compliance framework is a time-consuming and often challenging task. Therefore, businesses subject to the CCPA should begin compliance efforts as quickly as possible.