CCPA Amendment Update June 2019 – Twelve Bills Survive Assembly and Move to the Senate

|

By Michelle Bae and Jeremy Greenberg

Privacy professionals seeking clarity on compliance with the California Consumer Privacy Act (CCPA) are monitoring numerous amendment bills introduced in the California State Assembly and the California State Senate. Twelve bills garnered the votes needed to pass the Assembly and moved to the Senate for further revision and voting. The Assembly’s calendar prohibits consideration of new bills this session, which means that any amendments enacted prior to the CCPA’s 2020 effective date will be based on these bills. California’s complex legislative process makes tracking amendments yeoman’s work.

This post provides clarity to an otherwise murky process by: 1) presenting an overview of the California state legislative process; 2) identifying a CCPA timeline and key deadlines; 3) analyzing the CCPA amendments that recently passed the Assembly along with noteworthy bills that failed in the Senate; and 4) outlining likely next steps for amendment efforts prior to the law’s effective date.

Legislative Process

Four moving parts of the California State Legislature impact the content and status of CCPA amendment bills: the California State Assembly, California State Senate, California Governor, and California Attorney General’s Office.

The Legislature consists of both the California State Assembly (lower house) and the California State Senate (upper house). While bills may be introduced in either house, amendments introduced in the Assembly must first pass the Assembly floor with a majority vote before moving to the Senate for further amendment and votes.

Bills that pass the Senate are sent to the Governor to be either signed into law or vetoed. In addition to any legislative amendments, the California Attorney General’s Office can clarify or modify CCPA requirements by promulgating regulations under its CCPA rulemaking authority. As part of the preliminary rulemaking process, the California AG has held seven public forums and concluded the comment period. As mentioned during the January 14th public forum, the Attorney General is likely to issue draft regulations this fall, followed by a formal notice and comment period.

Timeline and Key Deadlines

The bills that passed the Assembly have moved to the Senate for committee process, which will continue for the coming months.

CCPA Amendment Bills

Below is a summary of the key provisions of each CCPA amendment bill that passed the Assembly and moved to the Senate for further consideration:

Bill No. Subject Summary
AB 25 Exemption of “employee” from definition of “consumer” – Exempts employees and contractors from the definition of “consumer.”
AB 846 Loyalty programs – Permits loyalty programs with the consumer’s affirmative consent and voluntary participation;
– Prohibits loyalty programs that are unjust, coercive, or unreasonable.
AB 873 Definition of personal information – Revises definition of de-identification to include data that does not identify and is not “reasonably linkable” to a consumer;
– Revises definition of personal information as being “reasonably linkable” to a consumer.
AB 874 Carve-outs from personal information – Redefines and excludes “publicly available information” from the definition of personal information;
– Clarifies that personal information does not include de-identitied or aggregated data.
AB 981 Insurance transactions –  Removes consumer’s right to delete or not sell personal information if it is necessary to perform an insurance transaction.
AB 1138 Social Media: Parent’s Accountability and Child Protection Act – Requires parental/guardian consent for children under 13 to create an account with a social media website or app.
AB 1146 Exemption for vehicle information – Exempts vehicle information shared between a new auto dealer and a vehicle manufacturer when information is shared or retained pursuant to, or in anticipation of, a vehicle repair relating to warranty work or recall.
AB 1202 Data broker requirements – Defines a “data broker” and requires data brokers to register with and provide certain information to the Attorney General, and failure to register may lead to liability (civil penalties, fees and costs).
AB 1281 Facial recognition technology: disclosure – Requires businesses that use facial recognition technology to disclose that usage in a physical sign that is clear and conspicuous at the entrance of every location that uses facial recognition technology.
AB 1355 Addressing differential treatment and disclosures – Under the non-discrimination provision, allows differential treatment of a consumer who has exercised CCPA rights if the differential treatment is reasonably related to value provided to the business by the consumer’s information;
– Requires businesses to disclose in their privacy policy consumer’s right to request specific pieces of information and the categories of information collected by businesses.
AB 1416 Exceptions for businesses – Allows an exception for businesses to:
– Provide personal information to a government agency solely for the purposes of carrying out a government program;
– Sell personal information of consumers who have opted-out of sale solely for the purpose of detecting security incidents, fraud or illegal activity prevention.
AB 1564 Consumer requests – Requires businesses to make available a toll-free number or a physical address and email address for submitting requests;
– A business that exclusively operates online is only required to provide an email address for requests.

Below is an analysis of two noteworthy bills that failed in the Senate, which contain top-of-mind concerns for privacy professionals. Although these particular bills will not move forward this year, they are noteworthy because the senators who authored the bills will now vote on, and potentially revise, bills passed by the Assembly.

Bill No. Subject Summary
SB 561 Private right of action – Authored by Senator Hannah-Beth Jackson, the bill would have expanded the private right of action to privacy violations, including statutory damage class actions, and eliminated the 30-day right to cure.
SB 753 Exemption of targeted advertising, definition of sale – Authored by Senator Stern, the bill would have allowed a carve-out for certain targeted advertisements from selling requirements and narrowed the definition of “sale.”

Next Steps and What to Expect

Attention is shifting to the bills that have passed the Assembly and are under consideration by the Senate. While it is impossible to accurately predict which amendments will pass the Senate, it is important to note that the Senate has traditionally exhibited a different sensibility than the Assembly, and it is possible that Senators, such as Sen. Hanna Beth Jackson (author of SB-561) and Sen. Henry Stern (author of SB-753), might attempt to rewrite amendments or vote against amendments that do not align with ideals championed by the failed amendments.

Bills approved by the Senate will then cross the Governor’s desk to be either signed into law or vetoed in mid-October. We expect the California AG’s office will clarify ambiguities via its CCPA rulemaking authority in the fall. With all of these elements at play, it is safe to say that a dynamic amendment process will continue over the next several months.

Privacy professionals would be prudent to expect that the core provisions of the CCPA will likely remain intact. And although some of the amendments under consideration could result in significant ramifications if signed into law, it is crucial for companies to focus on the core obligations of CCPA to comply with the 2020 effective date.