Last Tuesday, the California Assembly’s Committee on Privacy and Consumer Protection (Assembly Privacy Committee), which has jurisdiction over matters related to privacy, the protection of personal information and information technology, held a committee hearing in which it voted in favor of advancing eight industry-backed bills that would amend the California Consumer Privacy Act (CCPA), set to take effect on Jan 1, 2020. To the benefit of businesses, the bills, which now move on to the Assembly’s Appropriations Committee, would clarify the text and limit the scope of the unprecedented, sweeping privacy law that grants consumers a great degree of transparency and choice with respect to their personal information, defined broadly under the act. If the bills survive the Assembly’s Appropriations Committee, they will come before the full Assembly before advancing to the California Senate, and would ultimately become law if signed by the governor. Also of note, two CCPA amendment bills, discussed further below, have been withdrawn from advancement to committee consideration.
CCPA Bills Moving Forward
The Assembly Privacy Committee voted to move the following bills that would amend the CCPA forward:
AB 25 – Carving Out Employee Data
As we previously reported, AB 25 carves job applicants, employees, contractors and agents acting on behalf of a business out of the definition of “consumer” as defined under the CCPA. Consequently, this amendment, which was approved unanimously by the Assembly Privacy Committee, serves to limit the broad scope of the law by excluding employment-related personal information that is used for purposes compatible with the context of the employee’s activities for the business.
AB 846 – Exception for Customer Loyalty Programs
As we previously reported here, AB 846 clarifies that loyalty programs, rewards and coupons are exempt from the CCPA’s restriction prohibiting a business from discriminating against a consumer for exercising any of the consumer’s rights under the act. The bill clarifies that a business cannot discriminate against a consumer because the consumer exercised any of its CCPA rights by charging that consumer higher prices for goods or services, including through the use of discounts or other benefits, or by providing a lower-level quality of goods or services. However, it also sets forth the following three exceptions in which a business can offer a different price, rate, level or quality of goods or services to a consumer, including offering its goods or services for no fee: (1) the offering is in connection with a consumer’s voluntary participation in a loyalty, rewards, premium features, discount or club card program; (2) that difference is reasonably related to the value provided by the consumer’s data; or (3) the offering is for a specific good or service whose functionality is reasonably related to the collection, use or sale of the consumer’s data. The bill defines a “loyalty, rewards, premium features, discount or club card program” as “an offering to one or more consumers of lower prices or rates for goods or services or a higher level or quality of goods or services, including through the use of discounts or other benefits, or a program through which consumers earn points, rewards, credits, incentives, gift cards, or certificates, coupons, or access to sales or discounts on a priority or exclusive basis.”
AB 873 – Clarifying the Definitions of “Personal Information” and “Deidentified”
This bill, which was also unanimously approved, proposes to narrow the definition of personal information under the CCPA by removing the term “household” and the phrase “capable of being associated with.”
This bill would also amend the definition of “deidentified” to mean “information that does not reasonably identify, or link, directly, or indirectly, to a particular consumer, provided that the business makes no attempt to reidentify the information, and takes reasonable technical and administrative measures designed to:
(1) Ensure that the data is deidentified.
(2) Publicly commit to maintain and use the data in a deidentified form.
(3) Contractually prohibit recipients of the data from trying to reidentify the data.”
AB 874 – Refining the Meaning of “Personal Information” and “Publicly Available”
This bill proposes to specifically carve out of the definition of “personal information” consumer information that is deidentified or aggregate consumer information. It also changes the meaning of “publicly available” by removing the following sentence from the CCPA: “Information is not ‘publicly available’ if that data is used for a purpose that is not compatible with the purpose for which the data is maintained and made available in the government records or for which it is publicly maintained.”
AB 1564 – Consumer Rights Requests
This bill proposes to amend the requirement under the CCPA that a business must make available two or more designated methods for the consumers to submit information requests required under the act. If this bill is signed into law, the CCPA would instead only require that a business make available to consumers a toll-free telephone number or an email address for submitting their requests to the business. It also requires that businesses that maintain a website make the website available to consumers so they can submit requests for information.
AB 981 – Insurance Information
This bill proposes to exempt insurance institutions, agents and support organizations to which the Insurance Information and Privacy Protection Act (IIPPA) applies from the CCPA, implementing the Legislature’s intent to harmonize the consumer privacy protections contained in the CCPA with the requirements of conducting the business of insurance and long-established protections set forth in the IIPPA.
AB 1146 – Exception for Vehicle Repair Information
This bill proposes to exempt vehicle information shared between a new motor vehicle dealer and the vehicle’s manufacturer, if the information is shared pursuant to, or in anticipation of, a vehicle repair relating to warranty work or a recall, from the scope of the CCPA. The bill defines “vehicle information” as “the vehicle information number, make, model, year, and odometer reading.” It also defines “ownership information” as “the name or names of the registered owner or owners and the contact information for the owner or owners.”
AB 1355 – Revising Drafting Errors
This bill proposes to revise mainly nonsubstantive drafting errors in the CCPA, cleaning up the text of the act.
Withdrawn CCPA Bills
The following bills aimed at amending the CCPA have been withdrawn from committee consideration:
AB 1760 – Privacy for All Act
This bill, withdrawn from the Assembly Privacy Committee’s consideration, was coined the “Privacy for All Act” and would have significantly strengthened privacy protections under the CCPA. Sponsored by a large, diverse coalition of civil rights groups and privacy advocates, it would have, among other changes, provided a right for consumers of any age to opt in before a business may share their personal information; removed any ability for businesses to provide certain financial incentives that are nondiscriminatory; limited the use and retention of personal information by a business to what is reasonably necessary to provide a service or conduct an activity, subject to certain exceptions; repealed any right to cure for businesses; and broadened the duties of businesses in connection with CCPA sections governing the disclosure, access to and deletion of consumer information, while also narrowing certain CCPA exemptions. It would have also replaced references throughout the CCPA to the “sale” of personal information with the “sharing” of personal information, as defined, and would have created expanded liability of a business for the acts of a service provider, specifically that a business must also make reasonable efforts to ensure compliance with the CCPA by the service provider.
SB 753, which was withdrawn from the Senate Judiciary Committee’s consideration, was a bill aimed at creating a carve-out to the definition of sale under the CCPA. In particular, it proposed to amend the CCPA such that a business does not sell personal information if the business, pursuant to a written contract, shares, discloses or otherwise communicates to another business or third party a unique identifier only to the extent necessary to serve or audit a specific advertisement to the consumer. The bill would have required the contract to prohibit the other business or third party from sharing, selling or otherwise communicating the information except as necessary to serve or audit advertisements from the business.
A summary of the CCPA is available here, and a comparison to the General Data Protection Regulation is available here. Responses to frequently asked questions about the business impacts of the CCPA are available here. You can find information on BakerHostetler’s CCPA compliance services here, or feel free to contact the authors.