On April 23, 2019, the California Assembly’s Committee on Privacy and Consumer Protection, which exercises jurisdiction over privacy and personal information protection matters, approved several amendment bills intended to clarify and narrow the scope of the California Consumer Privacy Act (CCPA or the Act). The CCPA, which is set to take effect in January 2020, will impose landmark burdens and obligations on businesses that in many respects go beyond those required by the EU’s General Data Protection Regulation (GDPR). Businesses nationwide will be challenged with reconciling the ambiguities in the Act, which is presently expected to look back on data collection and processing activities from as early as January 2019. Further complicating the matter is the fact that the law has been amended once and requires implementation of regulations by the California Attorney General that are not expected to be finalized until at least the end of this year.
The amendments approved by the Committee include three key clarifications of the CCPA:
(i) Employees are not “consumers” for the purposes of the CCPA;
(ii) “Personal information” will no longer include information that is merely “capable of being associated” with a particular individual and will exclude “household”-level information; and
(iii) The definition of “Deidentified” information will exclude information “capable of being associated with” a particular individual.
Six other amendment bills were also approved at the hearing, while two bills, including the expansive Privacy for All Act, were withdrawn. The approved amendment bills will now be reviewed by the Assembly’s Appropriations Committee before advancing to a full Assembly vote and, ultimately, to the California Senate. This timely movement suggests California legislators are beginning to appreciate the magnitude and business consequences of this sweeping new law.
Employee data exempted
The current text of the CCPA has been widely interpreted to cover the personal information of covered businesses’ California employees because “consumer” is broadly defined to mean any “natural person who is a California resident … however identified, including by unique identifier” and because “personal information” is defined to include both “professional and employment-related information.” Such an interpretation aligns with past consumer protection enforcement activity by other agencies, including the Federal Trade Commission, which has previously taken the position that “employees” are “consumers.” AB 25, proposed by Committee Chairman Ed Chau, excludes employees from “consumers”:
“Consumer” does not include a natural person whose personal information has been collected by a business in the course of a person acting as a job applicant to, or as an employee, an employee of,contractor, a contractor of, or agent, an agent on behalf of of, the business, to the extent their the person’s personal information is collected and used solely for purposes compatible with within the context of the person’s activities for the business as a job applicant, employee, contractor, role as a job applicant to, an employee of, a contractor of, or an agent on behalf of of, the business. For purposes of this subdivision, “contractor” means a natural person who provides services to a business pursuant to a written contract.
Notably, this would exempt personal information of California employees, job applicants, and some contractors collected in the normal business context, providing considerable relief for many covered entities. However, the inclusion of the limitation “solely” calls into immediate question whether the exception would apply to employee benefits and affinity programs. In any event, the change would be a dramatic narrowing of a costly area of compliance that critics have suggested would do little to improve privacy protections.
“Personal Information” definition narrowed
“Personal information” under the CCPA is broadly defined to include “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This definition is expansive. It goes far beyond the scope of “personal data” under the GDPR, whose scope many businesses have already complained makes full compliance effectively impossible. AB 873 narrows the scope of personal information by removing “capable of being associated with” and “household” from the definition:
“Personal information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. consumer. Personal information includes, may include, but is not limited to, the following if it identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household: consumer:
The removal of “household” data from the definition of “personal information” would bring the CCPA in line with other data protection statutes, including the GDPR, which generally links personal information to an individual natural person. The elimination of “capable of being associated with” would appear to narrow the scope of personal information by excluding information that can only be theoretically related to an individual. Even as amended, it is still unclear what the other qualifiers such as “describe” and “linked” would mean. The amended definition would still remain broader than that of the GDPR: any information relating to an identified or identifiable natural person would be personal information.
If adopted, the removal of “household” data would most significantly ease the compliance burdens of the CCPA. Guidance from the Attorney General’s planned rulemaking proceeding could further clarify the meaning of “linking” and “directly or indirectly,” which will be especially relevant for digital marketers and online advertisers.
“Deidentified” information expanded
The CCPA already exempts deidentified information. However, the current definition of “Deidentified” information is substantially similar to the definition of “personal information,” rendering the exception difficult to apply and operationalize. AB 873 would amend the definition of “Deidentified” information:
“Deidentified” means information that cannot does not reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer, provided that a business that uses deidentified information: or link, directly or indirectly, to a particular consumer, provided that the business makes no attempt to reidentify the information, and takes reasonable technical and administrative measures designed to: (1) Has implemented technical safeguards that prohibit reidentification of the consumer to whom the information may pertain. (2) Has implemented business processes that specifically prohibit reidentification of the information. (3) Has implemented business processes to prevent inadvertent release of deidentified information. (4) Makes no attempt to reidentify the information. (1) Ensure that the data is deidentified. (2) Publicly commit to maintain and use the data in a deidentified form. (3) Contractually prohibit recipients of the data from trying to reidentify the data.
This amendment would hopefully provide a strong incentive and operative path for covered entities to deidentify personal information that would otherwise be subject to the CCPA. For example, most of the information automatically collected by a web server (such as IP address and browser information) used for advertising or data analytics may be separately maintained from personal data to qualify for this exception, subject to additional limitations. However, as with the proposed narrowing of the definition of “personal information,” whether the changes address or provide meaningful comfort for advertisers and digital marketers remains uncertain because of the retention of the ambiguous “linking” and “directly or indirectly” language.
In any event, these proposed amendments represent a second significant effort to address major concerns of the business community while preserving the significant privacy protections the CCPA extends to Californians.
Six other approved amendments
Other CCPA amendment bills approved during the Tuesday hearing include:
- AB 874. This amendment would broaden the public records exemption from “personal information” by removing conditions limiting the application of the exemption.
- AB 846. This amendment would clarify that loyalty programs are exempt from the CCPA’s “anti-discrimination” requirement.
- AB 1564. This amendment would provide an alternative method (an email address) to the current CCPA requirement that businesses must establish a toll-free number to receive verifiable consumer requests.
- AB 981. This amendment would impose additional privacy requirements on insurance companies in the Insurance Code.
- AB 1146. This amendment would clarify that motor vehicle information may be shared between dealers and manufacturers for purposes of warranty- or recall-related vehicle repairs without being subject to the CCPA’s data deletion or “do not sell” requirements.
- AB 1355. This amendment would correct drafting errors in the CCPA.
Two withdrawn amendments
Two bills were withdrawn and did not clear the Committee in time for consideration. Due to lack of support, AB 1760, the so-called “Privacy for All Act,” was withdrawn. This bill would have dramatically expanded the CCPA’s scope. AB 1760 proposed, among other things, extending consumers’ private right of action to all privacy violations, extending the opt-out right from sales of personal information to all sharing of personal information, and adding data minimization requirements. The constitutionality of AB 1760 would have been in serious doubt if enacted, because of its burdens on interstate commerce, protected free speech activities, and due process concerns. Additionally, the CCPA passed unanimously in part because of compromises struck with the business community, which included a willingness to revisit problems with the draft—including those problems addressed by prior amendments in late 2018, and the current slate of proposed amendments. Also withdrawn was SB 753, a bill to exempt from the definition of “sale” the sharing of “any unique identifier only to the extent necessary to deliver, show, measure, or otherwise serve or audit a specific advertisement to the consumer.” Privacy advocacy groups had been focusing on stopping this bill, which would exclude certain digital advertising and marketing activity from the reach of the CCPA. The withdrawal of this bill suggests the CCPA may still present continued uncertainty and potential peril to many forms of online advertising and marketing activity.
These amendments are not yet law, but their consideration and progress point to the continuing uncertainty that pervades global regulation of privacy and data protection.
As a next step, the proposed amendments will be reviewed by the Assembly’s Appropriations Committee before advancing to a full Assembly vote. If passed by the Assembly, the amendment bills will be presented to the California Senate for consideration. The prospect of further amendments to the CCPA, the approaching CCPA rulemaking proceeding, and the anticipated enactment of copycat provisions by other states create ongoing uncertainty, as does the possibility of federal privacy legislation. The pending rulemaking is a particular cause of uncertainty, as the California Attorney General’s proposed regulations have yet to be published. As a practical matter, many of the CCPA’s thematic requirements align with what many consider to be better practices, but the increasing likelihood of prescriptive approaches to data collection and usage makes clear that change abounds. For businesses that collect and use information, it remains certain that privacy and data protection represent one of the top emerging existential risks. Closely monitoring legal developments, while working to ensure that enterprises have a solid understanding of how they collect, use and share information and can manage this information in ways that are repeatable, sustainable and demonstrable, is an important tool for managing data-related risk.