The California Consumer Privacy Act of 2018 (the CCPA) becomes operative on January 1, 2020, but a crop of proposed amendments signal that it may not have yet taken its final form. Late last week, two CCPA amendment bills passed the Assembly, and several others were approved in committee. Numerous other CCPA amendment bills are currently being heard in committee, and two were recently withdrawn.
Amidst this flurry of legislative activity, it can be difficult for businesses to keep track of the various proposed CCPA amendments, their viability, and the practical impact of their passage. Below is our team’s initial summary of the current bills, organized by their progress in the Legislature.
Bills Passed by State Assembly
On May 9, 2019, the following bills passed the California Assembly and were read for the first time in the Senate:
- AB 874 would expand the exclusions from the statutory definition of “Personal Information” (PI) by defining “publicly available” information (which is excluded from the definition of PI) as information that is lawfully made available from federal, state, or local government records, and specifying that PI does not include de-identified or aggregate consumer information.
- AB 1355 is intended to correct a number of the CCPA’s drafting errors. Notably, the bill would exclude de-identified or aggregate consumer information from the definition of PI (similar to AB 874), and clarify that opt-in consent is required before a business can sell the PI of consumers who are at least 13 years of age but less than 16 years of age (i.e., clarifying that opt-in consent is not required from a 16-year-old). The bill also would provide that the CCPA prohibits discriminating against the consumer for exercising any of the consumer’s rights under the CCPA, except if the differential treatment is reasonably related to value provided to the business by the consumer’s data (rather than reasonably related to the value provided to the consumer, as currently provided in the CCPA).
Bills Approved by Committee
- SB 561 was approved by the Senate Judiciary Committee in April and endorsed by California Attorney General Xavier Beccera. The bill would expand the CCPA’s private right of action to permit a consumer to sue a business for any violation of the Act, rather than only in the case of certain data security events. The bill would also permit the attorney general to publish materials providing general guidance on how to comply with the CCPA, as well as eliminate a business’ ability to cure violations of the Act within 30 days of receiving notice to avoid civil penalties. The bill was subsequently placed on the Appropriations Committee’s suspense file (a holding place for bills with a significant fiscal impact).
Passed Assembly’s Consumer Protection & Privacy and Appropriations Committees
- AB 25 would exclude from the CCPA’s scope PI that is collected and used solely for purposes related to an individual’s role as a job applicant, employee, contractor, or agent of a business.
- AB 846 would provide that a consumer’s voluntary participation in a customer loyalty program is exempt from the CCPA provisions that prohibit a business from discriminating against a consumer for exercising his or her rights under the Act.
- AB 1146 would exempt from the CCPA motor vehicle warranty or recall information retained or shared between auto dealers and manufacturers.
- AB 1564 would amend the mechanisms that a business must make available for consumer access requests. It would require a business to make available, in a reasonably accessible form, either a toll-free telephone number or an email address and physical address to receive such requests. The bill would also specify that a business operating exclusively online need only provide an email address for access requests.
Passed Assembly’s Consumer Protection & Privacy Committee; Referred to Appropriations Committee
- AB 873 would place limits around the definitions of PI and “de-identified.” PI would include specified information that is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household. “De-identified” would align with the FTC’s de-identification standard and include information that does not identify, and is not reasonably linkable, directly or indirectly, to a particular consumer.
- AB 1416 would establish exceptions to the CCPA for a business that:
- Provides a consumer’s PI to a government agency solely for the purposes of carrying out a government program, provided specified requirements are met.
- Sells the PI of a consumer who has opted-out of the sale of his or her PI for the sole purpose of detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity, provided that there are no further sales of the PI for any other purpose.
Bill Introduced, Referred to Assembly’s Privacy & Consumer Protection Committee
- AB 950 would require that a business post on its website the average monetary value of a consumer’s PI to the business. In cases in which it sells consumer data, the business would be required to disclose the average price it is paid for a consumer’s data and, upon receiving a verifiable request, the actual price that it was paid for a consumer’s data. The bill would also establish a Consumer Data Privacy Commission.
Bills Withdrawn
- SB 753, which would have exempted from the definition of “sale” the sharing of “any unique identifier only to the extent necessary to deliver, show, measure, or otherwise serve or audit a specific advertisement to the consumer.”
- AB 1760, which would have: extended the private right of action and eliminated the opportunity for a business to cure a CCPA violation within 30 days (similar to SB-561, discussed above); established a right to opt-in consent by which a business would be prohibited from sharing (i.e., not only selling) a consumer’s PI without consent; required a business to limit its use and retention of PI to that which is reasonably necessary to provide a service or conduct an activity; and expanded the CCPA’s enforcement provisions to apply to county district attorneys and city attorneys, among others.
In summary, these bills seek to make incremental changes to the CCPA—and, in some cases, to expand the private right of action for consumers—but they would not fundamentally change the fact that the CCPA will impose substantial new compliance obligations on companies. Thus, while it may be tempting to delay preparing for the CCPA until the statutory language seems more settled, companies may be better served by starting to prepare for their new obligations under the CCPA, particularly obligations that may require more significant lead time, such as preparing to handle California residents’ requests for access and deletion of their personal information.
Please refer to our CCPA Resource Center for additional information and resources on the CCPA, as well as our legal updates.