California lawmakers hoping to scale back, expand, or at least clarify the scope of the state’s groundbreaking privacy law have seen their first real victories as Assembly and Senate committees approved eight of at least eighteen bills proposing amendments to the California Consumer Privacy Act (CCPA). Significant developments following the recent committee hearings include the following:
CCPA Overhauler Bows Out, For Now. Easily the most significant bill under consideration has been AB 1760, which proposes modifications to the CCPA that mirror those of Europe’s infamously restrictive GDPR. The bill was withdrawn from assembly consideration at the last moment and converted into a “two-year bill.” As a result, the legislature will reconsider the bill at the beginning of the 2020 legislative session but will only have until January 31st to vote it into law.
De-identification Exemption Correction. The language of the CCPA as passed in 2018 contains a small but significant typo. The statute incorrectly states that “publicly available” information does not include de-identified or aggregate consumer information when it should state that “personal information” does not include such information. AB 874 proposes to correct this typo. The bill would also narrow the definition of personal information by excluding all information contained in publicly available government records. Currently, personal information excludes data from government records only if the recipient uses it for a purpose that is compatible with the government’s purpose for maintaining the records.
Expanded Private Right of Action. Despite having the full support of the California Attorney General behind it, SB 561 was only approved by a very narrow margin, signaling that it will likely require amending to gain additional support if it is to succeed moving forward. As it stands now, the bill will create a private right of action for violations of the CCPA and eliminate the 30-day opportunity to cure that would have given businesses a chance to correct their mistakes before a lawsuit could be filed. Additionally, it removes the provision allowing businesses or third parties to seek the opinion of the AG’s office on ambiguities in the CCPA’s requirements.
Employment Information Exemption. AB 25 has been one of the most popular proposed amendments and was unanimously approved by the committee. It will modify the CCPA’s definition of “consumer” by excluding employment information that is collected and used solely within the context of the employee-employer relationship. The bill has gained enough traction that many lawmakers expect to see it in the final version of the CCPA.
Personal and De-identified Information Clarification. Also gaining unanimous approval, AB 873 proposes subtle but highly impactful modifications to the current definitions of “personal information” and “de-identified information.” The bill will qualify that personal information does not cover all information “capable of being associated with” a particular household or individual, but rather information “reasonably capable of being [so] associated.” Additionally, the bill substitutes the 2012 FTC staff report’s “reasonably-linkable” de-identification standard for the CCPA’s current definition which is circular with the CCPA’s definition of “personal information.” As a result, businesses will have a clear incentive to de-identify as much information as possible to place it outside the bounds of the CCPA.
While somewhat less significant, the following bills were also approved by the Assembly:
- AB 846 – Clarifies that loyalty programs are exempt from the CCPA’s “non-discrimination” restrictions and clarifies confusing language in that section.
- AB 1564 – Provides alternatives such as email addresses and websites to the current CCPA requirement that businesses must establish a toll-free number to receive CCPA requests.
- AB 981 – Originally intended to exempt regulated insurance companies from the CCPA but now adds new privacy requirements to the California Insurance Code.
- AB 1146 – Clarifies that auto dealers and manufacturers may share motor vehicle warranty or recall information regardless of consumer deletion or “do not sell” requests.
There are many more hearings, proposed changes and legislative obstacles ahead before any of these bills successfully amend the CCPA. However, the recent committee approvals and overall level of support for certain bills are signals that the legislature may amend the CCPA one or more additional times before it takes effect.
About Mac Murray & Shuster LLP
Mac Murray & Shuster (M&S) provides consumer protection regulatory compliance and defense counsel to businesses nationwide in highly regulated industries including teleservices, financial services, debt collection, healthcare, and charitable contributions. Led by former state regulators, including a former Ohio Attorney General, M&S helps clients thrive against a complex regulatory landscape through proactive compliance management and representation in litigation and other matters before state attorneys general and federal agencies including the FCC, FTC, and CFPB. Visit mslawgroup.com to learn more.
This article was originally published on Mac Murray & Shuster’s Compliance Now blog and was written by Adam Steele.