A number of bills seeking to amend the California Consumer Privacy Act of 2018 (CCPA) have been introduced this year, none more closely watched than SB 561, which would have extended the private right of action under the CCPA from security breaches to any violation of the CCPA. Despite support from leading privacy groups and the California Attorney General, who has said his office lacks the resources to enforce the law on its own, the bill stalled in the Senate Appropriations Committee, likely signaling its demise. This will be welcome news to the many businesses concerned about the specter of private litigants enforcing the CCPA’s numerous and often vague privacy requirements. SB 561 also would have relieved the Attorney General of the burden of issuing advisory opinions on CCPA compliance to regulated businesses and eliminated the law’s 30 day cure period for violations.
In other welcome news for businesses subject to the CCPA, personal information of employees and other workers may be carved out of the law, thanks to AB 25, which would exclude from the definition of “consumer”:
a natural person whose personal information has been collected by a business in the course of a person acting as a job applicant to, an employee of, a contractor [i.e., natural person in a written service contract with the business] of, or an agent on behalf of, the business, to the extent the person’s personal information is collected and used solely within the context of the person’s role as a job applicant to, an employee of, a contractor of, or an agent on behalf of a business.
The California State Assembly’s Privacy and Consumer Protection Committee and Appropriations Committee have voted unanimously to advance the bill. Importantly, Californians for Consumer Privacy, the influential organization behind the ballot measure that led to the CCPA’s adoption, has acknowledged the need for clarity on CCPA’s application to employee data and has not opposed AB 25.
Other proposed CCPA amendments still pending in the legislature include:
- AB 846. Clarifies that it is not unlawfully discriminatory for a business to charge more or decrease service quality for a consumer who exercises CCPA rights in a manner that would impede a loyalty, rewards or similar program in which the consumer voluntarily participates, or impede the collection, use or sale of consumer data to which the service’s functionality is directly related.
- AB 873. Redefines “Deidentified” to refer to information that does not identify, and is not reasonably linkable, directly or indirectly, to a particular consumer, provided that the business makes no attempt to reidentify the information and takes reasonable technical and administrative measures designed to ensure that the data is deidentified, publicly commits to maintain and use the data in a deidentified form, and contractually prohibits recipients of the data from trying to reidentify it. The bill also clarifies that information capable of being associated with a particular consumer or household is “personal information” only if it is reasonably capable of such association.
- AB 874. Clarifies that “publicly available” means information that is lawfully made available from federal, state, or local records, regardless of the purpose for which it is used, and that “personal information” does not include deidentified or aggregate consumer information.
- AB 981. Creates an exemption for entities regulated by the California Insurance Information and Privacy Protection Act.
- AB 1146. Creates an exemption for vehicle information shared between a new auto dealer and a vehicle manufacturer if the information is retained or shared pursuant to, or in anticipation of, a vehicle repair relating to warranty work or a recall.
- AB 1355. Fixes various drafting errors, including a clarification that the CCPA’s nondiscrimination provisions allow differential treatment of a consumer who has exercised CCPA rights if the difference (e.g., higher price or lower service quality) is reasonably related to the value provided to the business by the consumer’s personal information.
- AB 1416. Exempts sales of personal information for the purpose of detecting security incidents, fraud prevention, and related prosecution.
- AB 1564. Clarifies that a business operating exclusively online need only provide an email address for submitting information requests under the CCPA, and need not also provide a toll-free phone number.
- Week of May 28. Bills that pass out of committee go the floor and must pass the full chamber by May 31.
- June 3. For bills that pass the Assembly, hearings start in the Senate committees (usually same as the Assembly committees that took up the bill).
- July 10. Deadline for completion of Senate policy committee hearings and passage of bills to fiscal committees.
- July 12-August 12. Recess.
- August 30. Last day for fiscal committees to report bills to the floor.
- September 6. Last day for floor amendments.
- September 13. Last day for each chamber to pass bills.
- October 13. Last day for Governor to sign or veto bills passed.
SB 561’s expansion of the private right of action under the CCPA would have been game changing, and its blockage is a major victory for businesses. However, the CCPA in its current form poses no small challenge – plaintiffs still have a private right of action for security breaches starting on January 1, and the CCPA remains enforceable by the Attorney General and potentially city and county attorneys.
If AB 25 passes, as now appears more likely, it will substantially lighten the compliance lift by taking HR data out of scope. But should businesses gamble on its passage? A reasonable hedge would be to assess the level of effort required to address HR data as part of CCPA compliance efforts, follow AB 25 closely, and hold off on the work as long as possible until either AB 25 passes or until it must begin to complete it by the January 1, 2020 deadline. Even if AB 25 passes and businesses get a reprieve on HR data, CCPA compliance by January 1, 2020 will still require significant effort (and completing the work in time to avoid the year-end rush and holiday intrusions will require more still).