California – Update on the latest amendments to the CCPA

Legislators on the California Senate Judiciary Committee voted on a number of bills in a much-anticipated July 9, 2019 hearing in Sacramento, California relating to the State’s groundbreaking privacy law, the California Consumer Privacy Act (“CCPA”). The amendments that passed relate to key issues, including the data rights of employees, the definition of excludable “publicly available” information, and changes to the Act’s non-discrimination provision. The CCPA—often compared to the comprehensive General Data Protection Regulation (“GDPR”)—currently imposes significant requirements on businesses collecting personal data of California consumers and affords California residents a host of new rights with respect to their personal data, including the right to know what data is collected and for what purpose and the right to request the deletion of their personal data.

While the CCPA is set to take full effect on January 1, 2020, the Act remains subject to amendment by the State senate. The July 9th hearing led to the passage of several significant amendments and resulted in a temporary win for CCPA proponents as a number of proposed bills facing political scrutiny either failed or were not brought to the Senate Judiciary Committee for a vote. For example, a proposed bill that would have expanded a business’ ability to share information with government entities was pulled by the author before it could be introduced in the hearing.¹

While many provisions of the CCPA were left largely intact following the hearing, there were a handful of notable bills that either passed out of the Senate Judiciary Committee or were tabled for a future vote after heated discussions. All of the proposed amendments still need to be voted on by the California State Senate and signed by Governor Gavin Newsom before they become law. A few noteworthy bills debated during the hearing are summarized below:

Amendment to Exempted Employee Information (Assembly Bill 25).²

The bill, which passed without objection, allows employers to collect personal data about their employees but requires employers to tell their employees what type of information they are collecting and the reason for doing so. Employee information collected within the regular scope of a person’s employment (and used for a business purpose like HR, payroll, insurance, etc.) will be exempt from the CCPA, at least temporarily. The bill includes a one-year sunset provision, so the exemption for employee information will only remain effective until January 1, 2021. As such, this exemption is temporary, and discussions about the CCPA’s application to employee information and employee privacy legislation are expected to continue, especially since influential California labor unions are opposed to this exemption. The bill has been re-referred to the Committee on Appropriations. 

Amendments to the Definitions of Personal Information and De-Identified Information (Assembly Bill 873).³

The proposed bill sought to revise the definitions of “de-identified”⁴ and “personal information”⁵, but  ultimately failed to pass at this time. The California legislature, however, will be in session this fall from August 12 through September 13, 2019 and it will be reconsidered at that time. The bill sought to treat information like I.P. addresses and browser fingerprints, which can potentially be used to identify specific individuals and track their online activity, as de-identified information, rather than personal information—which under the Act’s current definition is any data reasonably capable of being identified, linked or associated with a specific consumer or household. Notably, “household” data (another controversial provision of the Act) remains in the definition of personal information, but it too could be on the chopping block in the future. The bill failed to pass the Senate Judiciary Committee in a tied 3-3 vote as it was one of the most contentious bills of the hearing.

Amendments to the Definitions of Personal Information and Publicly Available (Assembly Bill 874).⁶

The bill, which was passed by the Senate Judiciary Committee, modifies the definition of “publicly available” and explicitly excludes de-identified or aggregate consumer information from the definition of “personal information”. 

Amendment to the Non-Discrimination Provision (Assembly Bill 846).⁷

This proposed bill would amend the CCPA to allow an array of consumer loyalty programs and effectively remove the non-discrimination clause previously in the Act.  In addition, the amendment permits businesses to offer different prices, rates, levels and qualities of goods if the offering is for a specific good or service which directly relates to the collection, use or sale of consumer data. Chairwoman of the California Senate Judiciary Committee, Hannah Beth Jackson, expressed concern during the hearing that should the amendment be passed, privacy could become a commodity that only the wealthy can afford. The bill passed with amendments to limit businesses’ ability to deny access to loyalty programs if a consumer has opted out and has been re-referred to the Committee on Appropriations.

The bills that passed during the hearing will next head to the Senate Appropriations Committee, and should they pass, to the full Senate floor for a final vote. The next major hearing is scheduled for August 12, 2019. As the CCPA remains a moving target considering various industry, consumer privacy and labor union lobbying efforts, our firm will continue to monitor notable developments in the legislation.

For more information, reach out to one of our firm key contacts and check out this podcast with Mary Stone Ross, one of the co-authors of the CCPA and Principal at MSR Strategies. Mary recently collaborated with Linklaters in a webinar on the global reach of the CCPA, available here.

1. AB 1416, 2019–20 Leg. Assemb. Reg. Sess. (Cal. 2019).
2. AB 25, 2019–20 Leg. Assemb. Reg. Sess. (Cal. 2019). Assemblyman Ed Chau proposed the bill, which advanced out of the committee for a vote. The original version of the bill did not require employers to tell employees about what type of information was being collected or the reason for doing so, however this provision was added the day before the hearing to appease opponents of the original bill.
3. AB 873, 2019–20 Leg. Assemb. Reg. Sess. (Cal. 2019).
4. The CCPA originally defined “deidentified” to mean “information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer, provided that a business that uses deidentified information:
(1) Has implemented technical safeguards that prohibit reidentification of the consumer to whom the information may pertain.
(2) Has implemented business processes that specifically prohibit reidentification of the information. (3) Has implemented business processes to prevent inadvertent release of deidentified information. (4) Makes no attempt to reidentify the information.” Cal. Civ. Code § 1798.140(h).
5. The CCPA originally defined “personal information” to mean “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household” and thus includes: names and aliases; postal addresses; online identifiers, such as Internet Protocol (IP) addresses; Internet and electronic network activity information; email addresses; account names; social security numbers; driver’s license numbers; passport numbers; and biometric information, among other categories. Cal. Civ. Code § 1798.140(o).
6. AB 874, 2019–20 Leg. Assemb. Reg. Sess. (Cal. 2019).
7. AB 846, 2019–20 Leg. Assemb. Reg. Sess. (Cal. 2019).