Welcome
The United States Law Week

INSIGHT: Pending Amendments May Shape Contours of California Privacy Act

July 9, 2019, 8:00 AM

To say that the enactment of the California Consumer Privacy Act is the most highly anticipated event of 2020 would be an understatement.

Industry and privacy professionals are sitting on pins and needles as the statute is set to take effect Jan.1, 2020. Introduced roughly a year after GDPR’s May 2018 effective date, the CCPA is the most sweeping state privacy law in U.S. history, and will establish new privacy rights for California residents regarding the collection, use, and disclosure of personal information.

Proposed amendments to the CCPA have been commonplace over the past year. There have been both “technical and clarifying changes” and substantive amendments significantly impacting the scope of the CCPA.

Indeed, the California Legislature has considered proposed amendments seeking to shape threshold issues under the statute—from the type of “personal information” subject to the CCPA to the parameters and triggers for a private right of action under the act. But with less than six months to go, many questions remain unanswered.

Proposed Exemptions Pending

Twelve CCPA amendments passed through the California State Assembly in April and May and are now headed to the California Senate for a vote, and if approved there, to the governor’s desk for signature. These latest amendments could provide significant exemptions to businesses preparing to comply with the CCPA, providing clarity on businesses’ obligations and the scope of CCPA protections.

  • Assembly Bill 25 proposes limiting the definition of “consumer” under the CCPA to exclude job applicants, employees, contractors, or agents of a business to the extent that their personal information is collected and used in their roles as applicants, employees, contractors, or agents. Under this bill, consumer rights outlined in the CCPA would be unavailable to employees, including the private right of action to seek relief for a data breach impacting employment data. This bill will eliminate a potential source of liability for businesses, creating a dividing line between consumer, or customer, information, and employment data. The caveat, however, is that when an employee’s data collected outside the context of employment, the employee is treated like any other “consumer” and retains all of her CCPA rights.
  • Assembly Bill 846 proposes a revision to clarify that the CCPA’s current prohibition against businesses discriminating against consumers with higher prices or lower quality does not impact a business’s right to implement voluntary rewards or loyalty programs for customers. As currently framed, the CCPA prohibits such differential treatment generally. The amendment will clear the gray area and allow businesses to create and continue programs that reward repeat customers, without violating the CCPA.
  • Assembly Bill 874 seeks to amend the definition of “personal information” by clarifying that “publicly available” information is “information that is lawfully made available from federal, state, or local records” and that de-identified or aggregate consumer information does not qualify as “personal information.” This clarification of “personal information,” providing some clear limits on what is covered, will give businesses more guidance on exactly what type of information is subject to CCPA protections.
  • Assembly Bill 981 provides a CCPA exemption “eliminat[ing] a consumer’s right to request a business to delete or not sell the consumer’s personal information under the [CCPA] if it is necessary to retain or share the consumer’s personal information to complete an insurance transaction requested by the consumer.” This bill will give a layer of coverage limiting the obligations of insurance institutions, agents, or insurance-support organizations handling consumers’ personal information.
  • Assembly Bill 1416 proposes an exemption from certain CCPA provisions for businesses complying with government requests for consumer information and for businesses selling consumer information “for the sole purpose of detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity.” These exemptions will provide some cover to businesses working with the government or with security firms to protect from or cure data breaches, without triggering more liability for those disclosures.
  • Assembly Bill 1564 seeks to amend the requirement that businesses maintain two or more ways for consumers to submit information requests to instead require that a business provide a toll-free telephone number, an email address, or a mailing address for such requests. The bill also proposes that online-only businesses need only provide an email address and that businesses maintaining websites must make the web address available for consumer requests. This amendment will ease some of the burden for business based on the web, eliminating the need for those businesses to provide extra methods for information requests beyond their usual course of business.

Expected Impact

These bills attempt to clarify businesses’ obligations under the CCPA, potentially redefining “personal information” and who the CCPA protects. To take effect by CCPA’s Jan. 1 effective date, these bills must be heard in Senate committees by July 12, passed through the Senate by Sept. 13, and signed into law by Oct. 13. Under this timeline, it will be important to watch the California Senate and their movement on these bills in the next few weeks.

As businesses ask whether they are still subject to the CCPA, whether their obligations include employee data, and whether their current systems comply with the CCPA, all eyes will be on the California Senate.

This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.

Author Information

Petrina A. McDaniel is a partner in Atlanta with Squire Patton Boggs’ Litigation and Data Privacy & Cybersecurity practices. McDaniel is a commercial litigator and Certified Information Privacy Professional (CIPP/US) whose practice uniquely blends complex litigation, regulatory compliance, and privacy counseling.

Keshia Lipscomb is a member of Squire Patton Boggs’ Litigation Practice. She focuses her practice on complex commercial litigation and nationwide class action matters, including cases involving insurance coverage, contract disputes, product liability, and consumer protection statutes.