The California Senate Judiciary Committee held a nearly 12-hour hearing on July 9th just before the impending deadline for California Consumer Privacy Act amendments to pass in advance of its Jan. 1, 2020, effective date.
The hearing provided actionable insights on targeted areas that businesses should address in their compliance plans.
The biggest impacts from the hearing come from those bills reshaping the scope of data covered by the CCPA, which took the form of Assembly Bills AB 25 and AB 873. The Judiciary Committee compromised by, on the one hand, rejecting AB 873, which generally narrowed the definitions of “personal information” and “deidentified information,” but, on the other hand, passing AB 25, with revisions, to exclude employee data from CCPA coverage in most but not all circumstances.
Here is how the most anticipated amendments shook out: three amendments advanced with revisions, one passed without amendment, one was defeated in a deadlock vote, and one was pulled from consideration prior to the hearing. The notable amendments that advanced were further revised before the vote, eroding the strength of the proposed exemptions under the Act.
In particular, the Judiciary Committee advanced Assembly Bills AB 25 (generally excluding employee data from the statute), AB 846 (exempting customer reward and loyalty programs from the prohibition on price discrimination), AB 874 (narrowing the definition of “personal information”), and AB 1564 (limiting the contact methods businesses must make available for consumer information requests), with AB 874 as the only bill of these four passed without amendment and recommended for placement on the Senate Appropriations Committee’s consent calendar.
Assembly Bills AB 873 (amending the definitions of “deidentified information” and “personal information”) and AB 1416 (exempting businesses complying with government information requests or disclosing data to protect from or cure data breaches) were both stopped in their tracks in committee, with AB 873 failing in a deadlock vote and with Assemblyman Ken Cooley, author of AB 1416, removing the bill from consideration before the hearing.
The amendments voted through the Judiciary Committee indicate that the California legislature is willing to extend some compromises to clarify obligations imposed by the CCPA, but is not willing to rubber-stamp blanket exemptions that limit the scope of the Act.
The advanced bills will proceed to the Senate Appropriations Committee after the legislature’s summer recess, which began July 12 and ends August 12. In the interim, businesses must continue to prepare for CCPA compliance, keeping in mind the final version of the statute remains a moving target.
Under Assembly Bill 25, employers now know that employee data may be exempt from some CCPA provisions if the bill ultimately passes, but there will likely be exceptions to the general rule. AB 25 initially sought to exclude employee data from the CCPA completely, allowing companies to draw a clear line between consumer data and employee data. Revisions applied during the July 9 hearing watered down the bill but preserved certain exemptions for data collected solely for employment purposes.
The revised AB 25 still maintains the private right of action for data breaches and requires that employers provide notice to employees of the type of employee data collected and the reason for the collection. This is significant because in the event the state legislature passes the current bill, employers must provide notice about employee data collection and establish the basis for collecting employee data, and improper disclosure of employee data can still be the subject of a private lawsuit.
However, employee data will not trigger other consumer rights under the CCPA, including the right to access, deletion, and opt-out, for at least one year until January 1, 2021. The Committee added the one-year sunset provision as an incentive for proponents of the exemption to encourage legislation to more specifically address employee personal information in the next year.
Data related to applicants, employees, contractors, or agents will still create a risk of exposure, though employees will have narrower rights with respect to that data. Therefore, companies preparing for compliance now should keep in mind the type of employee data in their records and prepare data security measures that apply equally to their employee data.
Loyalty and Reward Programs
Under AB 846, companies can plan to maintain their loyalty and reward programs, but cannot sell the personal information collected as a result of those programs.
Companies need not scrap their current programs but should assess them carefully through data mapping to determine what data is collected, how that data is used, and whether the data is sold or otherwise disclosed to any third party.
One looming question concerning AB 846 is whether a “sale” contemplates the disclosure of reward program data between multiple commonly-owned entities that may use the data for cross-marketing. Companies should take a careful look at their disclosure agreements and revise loyalty and reward programs as necessary to remove any financial consideration for exchanging reward program data and selling such data.
Contact for Online Businesses
As passed through the Judiciary Committee, AB 1564 requires that businesses with direct in-person customer contact still provide at least two methods for consumer requests, one of which must be a toll-free phone number. The second method may be either an email address or a mailing address. The bill also creates a different standard for exclusive online businesses, which need only provide an email address for consumer requests.
Online businesses preparing for compliance can now forgo implementing a second method of contact to accept CCPA information requests. This should make life easier for companies that operate solely online without physical locations.
The July 9 hearing did not result in any wide-sweeping changes to the general protections under the statute.
The take-away is that businesses should continue to prepare CCPA compliance plans and data security measures based on a conservative definition of “personal information,” including consumer data and employee data. While employee data will not trigger some consumer rights under the CCPA, employers must notify employees of the data collected and can still face litigation for data breaches disclosing employee data.
At any rate, businesses subject to the statute should continue to watch the legislature closely for any specific exemptions prior to January 1, 2020. It appears more unlikely, though, that the California legislature will significantly overhaul the statutory definitions or general protections for categories of data before the CCPA goes into effect.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Petrina A. McDaniel is a partner in Atlanta with Squire Patton Boggs’ Litigation and Data Privacy & Cybersecurity practices. McDaniel is a commercial litigator and Certified Information Privacy Professional (CIPP/US) whose practice uniquely blends complex litigation, regulatory compliance, and privacy counseling.
Keshia Lipscomb is a member of Squire Patton Boggs’ Litigation Practice. She focuses her practice on complex commercial litigation and nationwide class action matters, including cases involving insurance coverage, contract disputes, product liability, and consumer protection statutes.