Privacy professionals seeking clarity on compliance with the California Consumer Privacy Act (CCPA) are monitoring numerous amendment bills introduced in the California State Assembly and the California State Senate. Twelve bills garnered the votes needed to pass the Assembly and moved to the Senate for further revision and voting. The Assembly’s calendar prohibits consideration of new bills this session, which means that any amendments enacted prior to the CCPA’s 2020 effective date will be based on these bills. California’s complex legislative process makes tracking amendments yeoman’s work.
This post provides clarity to an otherwise murky process by: 1) presenting an overview of the California state legislative process; 2) identifying a CCPA timeline and key deadlines; 3) analyzing the CCPA amendments that recently passed the Assembly along with noteworthy bills that failed in the Senate; and 4) outlining likely next steps for amendment efforts prior to the law’s effective date.
Four moving parts of the California State Legislature impact the content and status of CCPA amendment bills: the California State Assembly, California State Senate, California Governor, and California Attorney General’s Office.
The Legislature consists of both the California State Assembly (lower house) and the California State Senate (upper house). While bills may be introduced in either house, amendments introduced in the Assembly must first pass the Assembly floor with a majority vote before moving to the Senate for further amendment and votes.
Bills that pass the Senate are sent to the Governor to be either signed into law or vetoed. In addition to any legislative amendments, the California Attorney General’s Office can clarify or modify CCPA requirements by promulgating regulations under its CCPA rulemaking authority. As part of the preliminary rulemaking process, the California AG has held seven public forums and concluded the comment period. As mentioned during the January 14th public forum, the Attorney General is likely to issue draft regulations this fall, followed by a formal notice and comment period.
Timeline and Key Deadlines
The bills that passed the Assembly have moved to the Senate for committee process, which will continue for the coming months.
CCPA Amendment Bills
Below is a summary of the key provisions of each CCPA amendment bill that passed the Assembly and moved to the Senate for further consideration:
|AB 25||Exemption of “employee” from definition of “consumer”||– Exempts employees and contractors from the definition of “consumer.”|
|AB 846||Loyalty programs||– Permits loyalty programs with the consumer’s affirmative consent and voluntary participation;
– Prohibits loyalty programs that are unjust, coercive, or unreasonable.
|AB 873||Definition of personal information||– Revises definition of de-identification to include data that does not identify and is not “reasonably linkable” to a consumer;
– Revises definition of personal information as being “reasonably linkable” to a consumer.
|AB 874||Carve-outs from personal information||– Redefines and excludes “publicly available information” from the definition of personal information;
– Clarifies that personal information does not include de-identitied or aggregated data.
|AB 981||Insurance transactions||– Removes consumer’s right to delete or not sell personal information if it is necessary to perform an insurance transaction.|
|AB 1138||Social Media: Parent’s Accountability and Child Protection Act||– Requires parental/guardian consent for children under 13 to create an account with a social media website or app.|
|AB 1146||Exemption for vehicle information||– Exempts vehicle information shared between a new auto dealer and a vehicle manufacturer when information is shared or retained pursuant to, or in anticipation of, a vehicle repair relating to warranty work or recall.|
|AB 1202||Data broker requirements||– Defines a “data broker” and requires data brokers to register with and provide certain information to the Attorney General, and failure to register may lead to liability (civil penalties, fees and costs).|
|AB 1281||Facial recognition technology: disclosure||– Requires businesses that use facial recognition technology to disclose that usage in a physical sign that is clear and conspicuous at the entrance of every location that uses facial recognition technology.|
|AB 1355||Addressing differential treatment and disclosures||– Under the non-discrimination provision, allows differential treatment of a consumer who has exercised CCPA rights if the differential treatment is reasonably related to value provided to the business by the consumer’s information;
|AB 1416||Exceptions for businesses||– Allows an exception for businesses to:
– Provide personal information to a government agency solely for the purposes of carrying out a government program;
– Sell personal information of consumers who have opted-out of sale solely for the purpose of detecting security incidents, fraud or illegal activity prevention.
|AB 1564||Consumer requests||– Requires businesses to make available a toll-free number, physical address, and an email address for submitting requests;
– A business that exclusively operates online is only required to provide an email address for requests.
Below is an analysis of two noteworthy bills that failed in the Senate, which contain top-of-mind concerns for privacy professionals. Although these particular bills will not move forward this year, they are noteworthy because the senators who authored the bills will now vote on, and potentially revise, bills passed by the Assembly.
|SB 561||Private right of action||– Authored by Senator Hannah-Beth Jackson, the bill would have expanded the private right of action to privacy violations, including statutory damage class actions, and eliminated the 30-day right to cure.|
|SB 753||Exemption of targeted advertising, definition of sale||– Authored by Senator Stern, the bill would have allowed a carve-out for certain targeted advertisements from selling requirements and narrowed the definition of “sale.”|
Next Steps and What to Expect
Attention is shifting to the bills that have passed the Assembly and are under consideration by the Senate. While it is impossible to accurately predict which amendments will pass the Senate, it is important to note that the Senate has traditionally exhibited a different sensibility than the Assembly, and it is possible that Senators, such as Sen. Hanna Beth Jackson (author of SB-561) and Sen. Henry Stern (author of SB-753), might attempt to rewrite amendments or vote against amendments that do not align with ideals championed by the failed amendments.
Bills approved by the Senate will then cross the Governor’s desk to be either signed into law or vetoed in mid-October. We expect the California AG’s office will clarify ambiguities via its CCPA rulemaking authority in the fall. With all of these elements at play, it is safe to say that a dynamic amendment process will continue over the next several months.
Privacy professionals would be prudent to expect that the core provisions of the CCPA will likely remain intact. And although some of the amendments under consideration could result in significant ramifications if signed into law, it is crucial for companies to focus on the core obligations of CCPA to comply with the 2020 effective date.