June 19, 2019

CCPA Changes

If you’re wondering whether the CCPA is going to change drastically before its effective date on January 1, 2020, you are not alone. However, because of the way the California legislative process works, there is at least some good news—the time for submitting new amendments has passed, and 12 bills impacting the CCPA have made it through the California Assembly to the Senate.

Many potential amendments failed to make it this far. The most sweeping of those, the proposals to expand the CCPA’s private right of action by allowing consumers to resort to civil litigation for any violations of the CCPA (AB 1767 and SB 561), were blocked in the legislature. While we cannot predict the potential rules the California Attorney General will impose, we can guide you through these potential amendments that are awaiting Senate approval.

CCPA Amendments

Assembly Bill 25

(AB 25) exempts the collection of personal information from job applicants, employees, contractors, and agents from the CCPA. This is an amendment that the business community has argued for from the outset. Under the current language of the CCPA, personal information that businesses collect from job applicants or employees would be subject to the law. Business advocates argue that employee information is collected from people in their non-consumer capacity and should be not be subject to the same access and deletion requests.

Assembly Bill 846

(AB 846) addresses the issue of consumer loyalty programs. The CCPA prohibits price or service discrimination among consumers who opt out of the sale or request the deletion of their information. Under AB 846, voluntary loyalty, rewards, discount, club card, or premium feature programs would be exempted from the CCPA’s discrimination provisions. The same would apply to a good or service whose functionality is directly related to the collection, use, or sale of the consumer’s data.

Assembly Bill 873

(AB 873) seeks to insert the word ‘reasonably’ into the definition of personal information, so that it would read, “‘Personal information’ means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household” (emphasis added to indicate change). 1798.140(o)(1). The CCPA excludes aggregate and deidentified consumer information from that definition of personal information; AB 873 seeks to update the definition of deidentified. The amended version would define it as “information that does not identify, and is not reasonably linkable, directly or indirectly, to a particular consumer, provided that the business makes no attempt to reidentify the information and takes reasonable technical and administrative measures designed to ensure that the data is deidentified, publicly commits to maintain and use the data in a deidentified form, and contractually prohibits recipients of the data from trying to reidentify it” AB 873(1).

Assembly Bill 874

(AB 874) updates the CCPA’s definition of “publicly available” to include any information that is lawfully made available from federal, state, or local government records. The current definition does not include information from public government records if it is being used for a purpose not compatible with the reason the government maintains and makes them available. This amendment would also clarify the definition of personal information to make clear that it does not include deidentified or aggregated information.

Assembly Bill 981

(AB 981) was originally introduced with language that would exempt insurance institutions, agents, and insurance-supported organizations from the CCPA However, it was amended in committee and then passed with new language that would eliminate consumers’ rights to request that a business delete or not sell their data if their personal information is necessary to complete insurance transactions that were requested by the consumers. It also amends the insurance code to harmonize some of the insurance industry’s disclosure and notice practices with the CCPA.

Assembly Bill 1035

(AB 1035) is not a CCPA-specific bill, but it is related to the CCPA in that it modifies California’s data breach reporting requirements, imposing a strict notice period of no more than 45 days for companies to disclose their data breaches.

Assembly Bill 1138

(AB 1138) is also technically an amendment of the Parent’s Accountability and Child Protection Act, but it is relevant to companies creating CCPA policies regarding children. The bill would require parental consent for children under the age of 13 to open social media or website application accounts. The verification process required by this bill would therefore have bearing on the steps a company takes with regard to users under the age of 13.

Assembly Bill 1146

(AB 1146) is geared specifically toward the auto industry. It exempts certain vehicle information from the CCPA’s right to deletion and do not sell requirements. The sharing of vehicle owner name and contact information, VIN, make, model, year, and odometer readings between manufacturers and new motor vehicle dealers related to warranty work or recalls would not be subject to the CCPA.

Assembly Bill 1202

(AB 1202) specifically applies all of the CCPA’s obligations to data brokers, including requiring the data brokers to give consumers the option to opt out of the sale of their information. It would also require brokers to register with the California Attorney General ad impose penalties for failing to register. Advertisers in particular have raised objections to AB 1202, arguing that it would be both duplicative of CCPA obligations and potentially conflict with it, ultimately reducing transparency and being unhelpful to consumers.

Assembly Bill 1355

(AB 1355) would exclude deidentified or aggregated information from the definition of personal information (something that is also part of AB 874) and also clarifies that the CCPA’s definition of permissible discrimination in pricing or service has to be reasonably related to the value the consumer’s data provides to the business itself. The current language of the CCPA requires that the discrimination be reasonably related to the value of the information to the consumer.

Assembly Bill 1416

(AB 1416) has a dual purpose. One part of it is focused on security. Specifically, it allows businesses to ““[s]ell the personal information of a consumer who has opted-out of the sale . . . to another person for the sole purpose of detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity, provided that the business and the person shall not further sell that information for any other purpose.” The other purpose of AB 1416 is to enable businesses to share information with government agencies and comply with other rules and regulations. Some commentators have expressed concern that AB1416 is overly broad , making it possible for businesses to establish their own rules and regulations and therefore build their own exceptions.

Assembly Bill 1564

(AB 1564) was passed by the Assembly on May 13, 2019. It is intended to lighten the burden of consumer requests by allowing online-only businesses the option of only being required to provide an email address or a mailing address for receiving requests and also expanding the permissible ways to receive requests to include a mailing address. As written, the CCPA currently requires that business offer at least an online and a toll-free phone number option for submitting requests.

Stay tuned for more information as these bills continue their journey through the California Legislature.

DISCLAIMER: This publication has been prepared by SixFifty, LLC to provide information of interest to our readers regarding the California Consumer Privacy Act. It is not intended to provide legal advice for a specific situation or to create an attorney-client relationship. SixFifty, LLC does not provide legal advice.