Key Takeaways:
- Don’t expect any revolutionary changes. None of the surviving amendments would radically change the CCPA’s requirements. Companies should be taking steps toward compliance in order to meet the January 2020 enforcement date.
- That said, it’s not over, yet. Debates on the surviving amendments will resume after the legislature returns from recess on Aug. 12. Bills that failed (including the private right of action) may come up again in 2020. The amendment process is far from over, and we may see some last-minute efforts to push additional changes through before 2020.
- There is significant resistance to any efforts to narrow the definition of “sale” and “personal information.” Efforts to narrow the definition of personal information (PI) and to broaden the definition of “de-identified” failed (for now), but employee information will likely be exempt for the first year of the CCPA, and loyalty programs will be allowed as long as the data is not sold.
- Keep up to date with Loeb & Loeb’s CCPA Amendments Tracker. We will be updating this after key deadlines so you have a go-to resource for the status of all the proposed bills.
Which Amendments Survived?
On Tuesday, July 9, the California Senate Standing Committee on Judiciary passed a number of bills that would update the CCPA. However, many business-friendly provisions were limited or struck as the legislature remained steadfast in its resolve not to water down consumer protections. Below are a few notes on the key bills we have been watching:
- A.B. 25 (Employee Exemption) – A.B. 25 would exempt personal information pertaining to employees, job applicants, contractors or agents of a business from the scope of the CCPA (provided that such information is collected and used “solely within the context of the person’s role” as an employee, etc.). The Senate passed this bill with three significant limitations: 1) there is a one-year sunset provision, which means the bill would expire on Jan. 1, 2021 (the hope is that during that year, the legislature will pass a separate bill to address employer surveillance); 2) employers must provide employees with privacy notices; and 3) the exemption does not apply to the consumer’s private right of action for security incidents.
- A.B. 846 (Loyalty Programs) – A.B. 846 clarifies that the CCPA does not prohibit a business from offering a different price, rate, level, or quality of goods or services to a consumer if the offering is 1) in connection with the consumer’s voluntary participation in a loyalty or rewards program or 2) “for a specific good or service with a functionality that is directly related to the collection, use or sale of the consumer’s data.” Notably, businesses cannot “sell” the personal information they collect in connection with these programs.
- A.B. 1564 (Methods for Submitting Consumer Requests) – A.B. 1564 amends the CCPA’s requirements for a business to make certain mechanisms available for consumers to submit requests under the act. In the version that passed, businesses are still required to maintain at least two designated methods for consumers to submit requests, which must include a toll-free telephone number. However, businesses that operate exclusively online AND maintain a direct relationship with California consumers are only required to provide an email address for CCPA requests.
- A.B. 1355 (Clean-Up Bill) – A.B. 1355 is a cleanup bill that addresses some drafting errors in the CCPA. Under A.B. 1355, de-identified or aggregate consumer information is clearly excluded from the definition of PI. It also clarifies that opt-in consent is only required from consumers who are under 16 years of age (i.e., opt-in consent is not required from a 16-year-old). Finally, it clarifies that the CCPA’s exemption from the prohibition on discrimination applies when the differential treatment is reasonably related to value provided to the business by the consumer’s data (rather than the value provided to the consumer, as currently drafted).
What Happens Next?
Most of the bills amending the CCPA were introduced in the California State Assembly and had to first pass the Assembly floor by a majority vote before they reached the Senate. The Senate’s point of view tends to differ from that of the Assembly, particularly on privacy and technology issues, and that has been reflected in a number of the additional restrictions and limitations the Senate has added to the assembly bills in front of it.
The bills that passed in the Senate Judiciary Committee will now proceed to the Senate Appropriations Committee and, if passed, to the full Senate for a vote. The legislature reconvenes from summer recess on Aug. 12, and some bills have already been scheduled for debate that week. If a bill is amended in the Senate and subsequently passes, it must go back to the Assembly for concurrence. If the two houses cannot agree, the bill will be referred to a two-house conference committee to resolve any remaining differences.
A bill must pass both houses of the legislature by Sept. 13, 2019, to become law, and Gov. Gavin Newsom must sign or veto the bills by Oct. 13 in order for them to go into effect on Jan. 1. We also expect that the California AG’s office will issue its notice of proposed rulemaking, identifying its draft rules, this fall.
How Can You Stay Up to Date?
If you or other members of your organization have questions about the CCPA, any of the proposed amendments or the legislative process, please contact our Privacy, Security and Data Innovations team. We will also be posting updates in our CCPA Amendments Tracker and will continue to provide you with updates throughout this process.
-
Chief Privacy & Security Partner; Chair, Privacy, Security & Data Innovations