Business groups seeking changes to the California Consumer Privacy Act before it takes effect in January ended their winning streak in the state Senate Judiciary Committee.

The panel late July 9 approved three of the five business-backed bills to change the law that the state Assembly passed in May, but only after amending them to include consumer-friendly provisions sought by Sen. Hannah-Beth Jackson (D), the committee chairwoman.

The committee action makes it far less likely that business interests will get all the changes to the landmark privacy law they’re seeking before it takes effect Jan. 1, 2020.

A fourth bill failed when its author refused to adopt suggested amendments, and a fifth that would have let businesses share consumer data with governments was pulled because not enough lawmakers supported it.

Consumers have the right under the sweeping law to ask a company what data it holds on them and to have that data deleted, as well as to opt out of the sale of their personal information.

The Senate bills now head to the Appropriations Committee and then, if approved there, to the Senate floor for votes. They would also have to return to the Assembly for votes on the amendments before a final bill goes to Gov. Gavin Newsom (D) for his signature.

Employer Restrictions

One of the approved bills, A.B. 25 by Assemblyman Ed Chau (D), would exempt personal information employers have about their employees from the privacy law’s requirement that it be disclosed or deleted upon request.

The committee approved Chau’s bill after he agreed to two amendments that ended stiff opposition from consumer and labor groups concerned about surveillance of employees. The amendments would require employers to inform employees about the types of information they are collecting about them, and why.

Chau said the new employer provisions would expire in one year, giving business, labor, and consumer groups time to craft another bill that would more specifically tackle employer surveillance of employees. Consumer groups want lawmakers to address how employers collect data such as location and fitness information from apps on employee phones, and data in employee files that directly relates to their employment, next year.

Loyalty Programs

The committee also approved A.B. 846 by Assemblywoman Autumn Burke (D), which would explicitly allow businesses to offer perks such as grocery store discounts and airline frequent flier miles through customer loyalty programs that rely on consumer data. But Burke agreed to amendments prohibiting the sale of data from loyalty program members.

The panel also approved A.B. 1564 by Assemblyman Marc Berman (D), which would specify that online business must provide an email address, but not a toll-free telephone number, for consumers to request information. Berman agreed to amendments that require businesses to provide two methods for consumers to make requests, including a toll-free number, unless they operate exclusively online.

Deidentified Data

The committee defeated, 3-3, A.B. 873 by Assemblywoman Jacqui Irwin (D) over concerns that her proposed change to the definition of “deidentified” data in the law would put too much information outside its purview.

Jim Halpert, an attorney with DLA Piper in Washington, DC., said the current definition of deidentified data in the law is “almost entirely circular and extremely confusing.”

Sara Boot, a lobbyist with the California Chamber of Commerce, which backed the change, said the CCPA requires companies to gather data such as security footage that’s not linked to a consumer and relink it if a consumer asks for information about themselves. That would create a larger privacy threat than if the data were never gathered, she said.

But others, including the American Civil Liberties Union, said the proposal would have eroded protections by allowing internet protocol addresses, electronic device identification numbers, and other information tied to individuals to fall outside the CCPA.

“Deidentification is not a privacy protective technique if deidentified information can identify you,” said Ariel Fox Johnson, senior counsel for policy and privacy at Common Sense Media, a nonprofit that advocates for children’s privacy protections in media and technology.

Jackson agreed, saying the CCPA will serve as a template for other states’ privacy laws, and Irwin’s proposal would have weakened it by expanding what information falls outside the law’s protections.

“We will have taken what I think is a weak cup of tea and turned it into water,” Jackson said.