When California lawmakers hastily enacted the California Consumer Privacy Act (CCPA) in June 2018, few expected the law — voted on after only a few days' deliberation — to remain unamended. And, indeed, the law was first amended just a few months later. But that was not the end of the story. In late April, California legislative committees voted on several amendments to CCPA, which takes effect January 1, 2020. Some of these amendments would make the CCPA a bit more business-friendly, while others would make it far more burdensome — and potentially costly — for companies.
This update summarizes these proposed amendments, which, if passed, will be further supplemented by the Attorney General Office's promulgation of regulations, which are still expected to be issued for public comment by fall 2019. The Office of the Attorney General has been holding town hall meetings throughout California in order to gather input from companies and consumer advocates to help shape these regulations.
Industry-Backed Bills Advance in the State Assembly
Several industry-backed bills in the California Assembly continue to progress, with positive votes by the Privacy and Consumer Protection Committee:
AB 25, Chau: Would expressly exclude contractors, agents, and job applicants from the definition of employees, to the extent their personal information is used for purposes compatible with that context. This change addresses criticism that information collected in the employment context should not fall within the CCPA’s broad scope and onerous requirements.
AB 846, Burke: Seeks to modify the way businesses can offer financial incentive plans to consumers in exchange for their data, by stating that the law does not prohibit businesses from offering goods or services to consumers through the consumers’ voluntary participation in loyalty, rewards, premium features, discount, or club card programs.
AB 873, Irwin: Would potentially broaden the scope of "deidentified" information by removing from the definition of "deidentified" information that is not reasonably "capable of being associated with" a consumer. For information to qualify as deidentified, under the amendment, it must not be "reasonably linkable" to a consumer, and the business must not attempt to reidentify the information. For information to be "deidentified," businesses would also need to take "reasonable technical and administrative measures designed to: (1) ensure that the data is deidentified; (2) publicly commit to maintain and use the data in a deidentified form; and (3) contractually prohibit recipients of the data from trying to reidentify the data." AB 873 would also redefine "personal information" to mean information that "identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."
AB 874, Irwin: Would remove the following language from the definition of "publicly available": "Information is not 'publicly available' if that data is used for a purpose that is not compatible with the purpose for which the data is maintained and made available in the government records or for which it is publicly maintained."
AB 1355, Chau: Would correct various cross-references and drafting errors in the CCPA.
AB 1564, Berman: Seeks to amend the methods businesses must make available to consumers for submitting verified requests for information regarding the use of their personal information. If passed, AB 1564 would require businesses to make available to consumers a toll-free telephone number or an email address and a physical address for submitting requests. Companies that operate exclusively online would only be required to provide an email address (as opposed to the "two or more designated methods" required by the law in its current form).
All of the bills above were endorsed by industry groups and generally opposed by privacy groups.
AB 1760 — which would have effectively repealed the CCPA and replaced it with the Privacy for All Act of 2019 (PAA) — was taken off the calendar and will not move forward at this time. The PAA would have, among other things, required affirmative opt-in consent by consumers for the sharing of their personal information.
In the Senate, Becerra's SB 561 Leaves Retailers Full of Suspense
On February 25, 2019, California Attorney General Xavier Becerra and California State Senator Hannah-Beth Jackson introduced Senate Bill 561, which would expand the CCPA's private right of action to allow for suits concerning any violation of the law, as opposed to the more limited private right of action that currently only applies to certain data breaches.
The proposed amendment would also remove a provision of the CCPA that allows businesses and third parties to seek individualized guidance from the Attorney General on how to comply with the Act. Instead, under SB 561, the Attorney General may publish materials that provide general guidance on CCPA compliance.
SB 561 also would remove the "right to cure" provision that currently allows businesses 30 days to cure violations in actions brought by the Attorney General. Thus, not only would individual guidance from the AG not be available, but businesses that do not correctly apply the ambiguous law would not have the opportunity to cure potential violations before facing steep penalties.
On April 29, 2019, SB 561 was heard in the California Senate Appropriations Committee, the Senate Committee responsible for overseeing the state's budget. The hearing involved no testimony; instead, SB 561 was placed in the Committee's Suspense File by a unanimous vote of 6-0. The Suspense File allows the Committee to hold bills with a significant fiscal impact so they can be evaluated once Committee members have a better sense of available revenue closer to the end of the term. All bills in the Suspense File are considered at the same time, and the Committee then chooses which ones to prioritize.
The fact that SB 561 was placed in the Suspense File is not surprising, and says little about its ultimate fate. Any bill with an annual cost of more than $150,000 will, with a majority of votes, move to the Suspense File; most of the 49 bills heard at the April 29th hearing were moved to the Suspense File.
We will know whether SB 561 survived Committee by May 17, which is the deadline for the Committee to report bills to the Senate Floor. If the bill survives the suspense procedure, it will be reported to the Senate floor for a vote. If it passes the Senate, then the bill will move on to the Assembly.
Governor Newsom Explores "Data Dividend"
In his first State of the State address, Governor Gavin Newsom in February expressed his intent to tax businesses for using and selling consumers' personal data: "California's consumers should also be able to share in the wealth that is created from their data. And so I've asked my team to develop a proposal for a new Data Dividend for Californians, because we recognize that your data has value, and it belongs to you."
Newsom has assigned a team to work with national data scientists and legislators to create a "data dividend" – that is, a payment that businesses that sell consumers' personal data would need to pay to the state or to the consumers themselves.
Any proposals developed by the governor would require legislative approval.
Each of the proposals above still has a long way to go—including full Assembly and Senate votes. However, these bills, if passed, could drastically impact businesses' compliance obligations, and their potential liabilities.
Given that the CCPA takes effect in less than eight months, businesses should not wait for a final version of the law before taking steps toward compliance. They should, however, closely follow developments in order to meet any new or changing requirements.