California’s Consumer Privacy Act Amendment Process Nears the Finish Line
The enactment of the California Consumer Privacy Act (CCPA) has been a marathon process, with numerous groups trying to amend the law in various ways before it goes into effect January 1, 2020. We reported in June that the process had been whittled down to just twelve amendments. Last week, the deadline for amendments passed. The reported last-minute lobbying efforts to weaken the bill appear to have been unsuccessful. Now, the legislature has until September 13 to pass the final bills. While we wait on that final deadline, let’s look at which amendments are still in play to make it into the final bill and how they have changed since shifting to the Senate.
Amendments Ready for a Vote
The following amendments all passed out of committee and are now ready for a floor vote.
- A.B. 25 was initially drafted to exclude employees, job applicants and contractors entirely from the definition of “consumer.” But the bill has now been amended so that these individuals are excluded from the CCPA for one year (until January 1, 2021), with two exceptions: employees, job applicants, and contractors are still entitled to a private right of action for data breaches, and employers are still required to provide a CCPA-compliant notice.
- A.B. 846 carves out customer loyalty programs from the CCPA’s non-discrimination provisions. The bill was amended in multiple ways to, for instance:
- Expand the exemption to all loyalty, rewards, premium features, discounts, or club card programs.
- Eliminate the requirement that the data collected had to be related to the offering of a specific good or service whose functionality is directly related to the collection, use or sale of consumer data.
- Create an exception to the prohibition on selling personal information of consumers collected as part of a loyalty, rewards, premium features, discounts or club card program. This exception is limited to situations where consumers give “express consent” to the sale, consumers have the option to participate in the program on equal terms without consenting to the sale, and the purchaser of the information only uses it to identify the consumer as a member of the particular loyalty or rewards program. The purchaser of the data cannot retain or otherwise use or disclose the information.
- A.B. 874 clarifies that deidentified and aggregated consumer information is not “personal information” under the CCPA. The Senate amended this bill by changing the definition of personal information to add the word “reasonably” to the phrase “capable of being associated with.”
- A.B. 1146 exempts certain vehicle information (such as VIN numbers) from the CCPA’s opt-out and deletion rights provisions for the purpose of facilitating vehicle recalls and warranty work. The bill was amended to more clearly describe vehicle recalls.
- A.B. 1202 requires data brokers to register with and pay a registration fee to the Attorney General on an annual basis. The bill was amended by the Senate in two significant ways:
- To add language allowing data brokers to satisfy their notice requirements by posting on their websites.
- To remove language that would have required data brokers to allow consumers to opt-out of the sale of their personal information.
- A.B. 1281 requires businesses that use facial recognition technology to post a sign disclosing that fact. This bill passed out of committee without any substantial modification and is ready for a vote. While it survived the committee process, it is worth noting that this amendment was strongly opposed by the ACLU, EFF, and Privacy Rights Clearinghouse. These organizations argued that facial recognition was a significant threat to privacy and that a notice requirement alone was insufficient to deal with this threat.
- A.B. 1355, which fixes several drafting errors but does not substantively change the CCPA, made it through committee without any significant changes and is ready for a floor vote.
- A.B. 1564 requires businesses to provide consumers two methods for submitting requests for information. This bill originally required all businesses to provide a toll-free phone number to submit requests. It was amended in the Senate to allow certain online-only businesses to satisfy their requirements with just an e-mail address.
Amendments That Died in the Senate
- A.B. 873 tried to tweak the definition of “disidentified” to add a “reasonableness” standard to whether information can be linked to a consumer. While this bill died in committee, the proposed changes were adopted as a floor amendment to A.B. 874.
- A.B. 981 tried to carve out CCPA protections involving the retention and sharing of consumer information necessary to complete an insurance transaction requested by the consumer.
- A.B. 1035 tried to modify data breach reporting requirements, including placing a strict 45-day limit for companies to disclose data breaches.
- A.B. 1416 tried to exempt information shared with governmental agencies and sold for security purposes from the coverage of the CCPA.
Pending Non-CCPA Privacy Related Legislation
In our last update we also highlighted four other privacy-related bills in play during this legislative session. Two of those bills made it through the Senate without any substantive amendments: A.B. 1130, which amends the definition of personal information in California’s data breach notification law to include biometric data and government-issued identification numbers; and A.B. 1665, which requires parental consent before a website or application can sell a minor’s personal information in a manner that is separate from that website or application’s general terms and conditions.
A.B. 1138, which prohibits social media companies from allowing persons under 13 years of age to create an account without a parent’s consent, was amended in the Senate to prohibit retention of any data provided for the purpose of parental consent. The amendment also prohibited the use of that data for any purposes outside of parental consent. The bill was further amended on the floor to include an “actual knowledge” requirement in order to impose liability. Actual knowledge is imputed if a business “willfully disregards” the consumer’s age. The bill is out of committee and ready for a floor vote.
But A.B. 1395, which attempted to expand California’s smart TV privacy bill to apply to any connected device with a voice recognition feature, appears to be dead in the water.