United States: Where Are We Now? – Taking Stock Of CCPA Amendments After May 31 Legislative Deadline

Key Points

  • May 31, 2019, was the deadline for the California Legislature to pass bills out of the chamber in which they were introduced. Several measures proposing amendments to the California Consumer Privacy Act (CCPA) passed the state Assembly and now await action in the Senate.
  • September 13, 2019, is the last day for any bill, including those containing CCPA amendments, to be passed this year. Negotiations have already begun regarding changes to CCPA amendments passed by the Assembly to try and ensure passage by the Senate.
  • Below, we provide a practical summary of pending CCPA amendments and highlight those of particular importance. Pending CCPA amendments would, among other things, effectively remove employees from the definition of consumer, explicitly exempt deidentified and aggregate information from the definition of personal information, and exclude customer loyalty programs from certain CCPA provisions.

I. Introduction

The California Consumer Privacy Act (CCPA) was drafted and passed in a little over a week in the summer of 2018. Drafters were rushing to stave off the possibility of a ballot initiative. The rushed drafting and passage process led to a final law rife with internal inconsistencies and grammatical errors. It also limited the ability of both industry advocates and privacy activists to provide thoughtful input regarding the practical effects of certain passages and limited their ability to propose effective revisions. Initial amendments passed in September 2018 fixed a few substantive and technical issues, but left many issues unresolved.

In 2019, a number of bills were introduced in the California Assembly and Senate to amend the CCPA to help address some of these outstanding issues. These bills proposed amendments ranging from significant substantive changes like an expansion of the private right of action (SB-561, now dead), to more operational revisions like enabling businesses to use an email address in addition to other means to collect consumer requests for information under the CCPA (AB-1564, now before Senate). Which of these amendments the Senate passes, and any changes it makes to the same, could impact the scope and some requirements of the CCPA.

II. Overview and Chart of Key CCPA Amendments Still in Play

As noted above, a number of measures proposing amendments to the CCPA passed the Assembly and are now awaiting action in the Senate. These bills must now be heard in Senate policy committees by July 12 and must be passed by both houses by September 13 in order to be eligible for the governor to sign into law by October 13.

Of the amendments that passed, the following are arguably the most significant in terms of their potential effect on the business community.

  • Employee Information: AB-25 – This would revise the definition of "consumer" to exclude from that definition a job applicant, employee, contractor or agent of a business only to the extent their personal information is collected and used solely within that role. Should this bill pass in its current form, this would effectively remove direct employees (and others) from the scope of the CCPA. It is less clear if this measure would also exclude information collected or used as a result of business-to-business relationships.
  • Loyalty Programs: AB-846 – This would clarify that the CCPA's nondiscrimination provision does not apply to reward or loyalty programs to which a consumer voluntarily provides their personal information if the program meets certain requirements.
  • Deidentified and Aggregate Information: AB-874 & AB-1355 – These would, among other things, clarify that deidentified information and aggregate information are excluded from the definition of personal information.
  • Information Provided to Government Agencies: AB-1416 – This would exclude from certain provisions of the CCPA: (1) a business that provides a consumer's personal information to a government agency solely for the purpose of carrying out a government program; and (2) a business that sells the personal information of a consumer who has opted out of the sale of the consumer's personal information to another person solely for security purposes.
  • Methods of Receiving Consumer Requests: AB-1564– This would permit a business to utilize an email address in addition to a physical address to receive consumer requests under the CCPA. Online-only businesses need only provide an email address.

The following chart provides a brief description of the CCPA amendments that remain pending, along with their current status. Changes to these bills are ongoing and nothing in this chart should be taken as a final description of the contents or as an indication of the likelihood of final passage of these measures.

Bill (Author)

Status and Key Dates

Description

AB-25
(Chau)

5/29: Passed Assembly (77-0-3).

5/30: Read first time in Senate, referred to Rules for assignment.

Would exclude from definition of consumer in Section 1798.140(g) people whose information is collected while they are a job applicant, employee, contractor or agent of a business only to the extent their personal information is collected and used solely within that role. Adds a definition of "contractor."

Contains language indicating legislative intent to revise provisions on specific pieces of information.

AB-846
(Burke)

5/28: Passed Assembly (69-4-7).

5/29: Read first time in Senate, referred to Rules for assignment.

Would add a new section to the CCPA (§ 1798.126) that exempts differential treatment pursuant to a consumer's voluntary participation in a customer loyalty/rewards program from the CCPA's general nondiscrimination provision. (See § 1798.125).)

AB-873
(Irwin)

5/22: Passed Assembly (73-0-7).

5/29: Referred to Senate Judiciary.

Would revise the definition of personal information to be information that "identifies, relates to, describes, is reasonably capable of being associated with . . . ." (See § 1798.140(o)(1).)

Would revise the definition of "deidentified" to mean information that is not "reasonably linkable . . . ." (§ 1798.140(h).) Would change the limitations placed on a business that uses deidentified information to the following: (1) ensure data deidentified; (2) publicly commit to maintain and use data in deidentified form; (3) contractually prohibit recipients of data from trying to reidentify data.

AB-874
(Irwin)

5/9: Passed Assembly 5/9 (76-0-4).

5/22: Referred to Senate Judiciary.

Would revise the definition of "publicly available" to eliminate the requirement that information be used for same purpose as it was originally created for in order to fall within the definition. (See § 1798.140(o)(2).)

Would add a new subsection to clarify that deidentified information and aggregate information are not "personal information." (See new § 1798.140(o)(3).)

AB-981
(Daly)

5/22: Passed Assembly (on consent calendar).

5/29: Referred to Senate Judiciary and Senate Insurance.

Would add a new exemption to eliminate a consumer's right to request a business delete or refrain from selling the consumer's personal information under the CCPA if it is necessary to retain or share the consumer's personal information to complete an insurance transaction requested by a consumer. (See new § 1798.145(f).)

AB-1146
(Berman)

5/23: Passed Assembly.

5/24: Read first time in Senate, referred to Rules for assignment.

Would add a new exemption to permit information sharing between a new motor vehicle dealer and the vehicle's manufacturer if the information is retained or shared pursuant to, or in anticipation of, a vehicle repair relating to warranty work or a recall. (See new § 1798.145(g).)

AB-1202
(Chau)

5/28: Passed Assembly (56-13-11).

5/29: Read first time in Senate, referred to Rules for assignment.

This is a standalone bill concerning data brokers that cross-references and incorporates some CCPA requirements.

Would require data brokers to meet certain requirements, including registering with the California Attorney General's Office; enabling consumers to exercise their rights under the CCPA, including to opt-out of the sale of their personal information; disclose certain information to consumers; etc.

"Data broker" means a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship, with certain defined exceptions.

AB-1355
(Chau)

5/9: Passed Assembly (76-0-4).

5/22: Referred to Senate Judiciary.

Would carry out various technical fixes to clarify or fix language in multiple CCPA provisions.

In particular, would fix the CCPA's nondiscrimination provision to clarify that it is the value of the information to the business, not the consumer, that matters. (See § 1798.125(a)(2).)

Would clarify that a consumer's right to request specific pieces of information must be disclosed in a business's online privacy policy, and opt-in consent is required to sell the personal information of children less than 16 years old.

Would clarify that deidentified information and aggregate information are not personal information. (See § 1798.140(o)(2).)

AB-1416
(Cooley)

5/29: Passed Assembly (47-17-16).

5/30: Read first time in Senate, referred to Rules for assignment.

Would exclude from certain provisions of the CCPA: (1) a business that provides a consumer's personal information to a government agency solely for the purpose of carrying out a government program; and (2) a business that sells the personal information of a consumer who has opted out of the sale of the consumer's personal information to another person solely for security purposes (i.e., detecting security incidents, protecting against malicious, deceptive, fraudulent or illegal activity).

AB-1564
(Berman)

5/13: Passed Assembly (73-0-7).

5/30: Read first time in Senate, referred to Rules for assignment.

Would revise the provisions dictating the means by which businesses may permit consumers to submit requests under the CCPA to permit businesses to make available an email address together with a physical mailing address, as well as a toll-free telephone number. Businesses that operate exclusively online need only provide an email address. (See § 1798.130(1)(A).)

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Authors
Similar Articles
Relevancy Powered by MondaqAI
 
In association with
Related Topics
 
Similar Articles
Relevancy Powered by MondaqAI
Related Articles
 
Related Video
Up-coming Events Search
Tools
Print
Font Size:
Translation
Channels
Mondaq on Twitter
 
Mondaq Free Registration
Gain access to Mondaq global archive of over 375,000 articles covering 200 countries with a personalised News Alert and automatic login on this device.
Mondaq News Alert (some suggested topics and region)
Select Topics
Registration (please scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions

Mondaq.com (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of www.mondaq.com

To Use Mondaq.com you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.

Disclaimer

The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.

General

Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions