Monday, September 16, 2019

Sorting Through the CCPA Amendments

The legislative session of the California Legislature effectively ended on Friday in a flurry of activity. Privacy and data security lawyers have been closely monitoring the many amendments to the California Consumer Privacy Act. Several of those amendments are now dead, a couple failed to pass but are being held over until the next legislative session, and a handful of amendments passed. Here is my quick take (but stay tuned for more in-depth analysis as I have time to delve deeper):

The highlights of the amendments approved by the legislature are as follows:

  • The most important amendment for most organizations, and the one I have been watching most closely, is Assembly Bill 25.  Because the original language of the CCPA defined "consumer" as a "natural person," there was some uncertainty regarding the application of the law to employee data.  AB 25 was originally intended simply to make clear the original intent of the legislature that employees are not considered "consumers" per se (unless and to the extent they actually are consumers).  However, following some lobbying, AB 25 was altered, and now provides only a partial, time-limited exemption for employee (and applicant) data collected solely within the context of that role.  Businesses will need to create the notice described in the CCPA (Sec. 1798.100(b)) and provide it to employees by January 1.  The private right of action relating to data security breaches will apply to employee data, and the law will expire on January 1, 2021, when, one hopes, it will be replaced by a well-thought-out employee privacy law.  In addition, AB 25 made explicit a business's right to require reasonable verification before honoring a consumer request (DSR), and made clear that if a consumer has an online account, the business may require any requests (DSRs) to be submitted through that account.
  • AB 1202 requires annual registration by data brokers (defined, more or less, as a business that collects and sells personal information despite not having a direct relationship with the consumer).  The meaning of "direct relationship" remains in question, however. (Can merely clicking on an ad create a direct relationship?)
  • AB 1146 creates an exemption for vehicle ownership information, which is intended to address warranty and recall concerns.
  • AB 1564 modifies the required methods for consumer requests (DSRs).  It retains the two earlier methods: a toll-free telephone number and a website address, if the business has a website. It adds, however, a provision that says if a business is exclusively online and has a direct relationship with the consumer, the business only has to provide an email address.
  • AB 874 modifies the definition of “personal information” by adding the word “reasonably” in front of “capable of being associated with,” so that theoretical but extremely difficult re-identification methods can be disregarded.  It also corrects an error to make it more clear that "personal information" doesn’t include de-identified or aggregated consumer information.  It also simplifies what is meant by “publicly available.”
  • AB 1335 is a bit of a catch-all technical corrections bill that makes technical corrections regarding how "specific pieces" of information are furnished, the applicability to 16-year-olds, and--importantly--corrects the previously inscrutable phrase "reasonably related to value of the consumer data to the consumer," which appeared to mandate clairvoyance on a massive scale. It clarifies that the data breach liability safe harbor is available if data is encrypted or redacted (rather than both encrypted and redacted...which would have been plain weird), and addresses the sticky issue of business contact information.  Finally, there is a carve-out for activities authorized under the Fair Credit Reporting Act.  
  • Not to be overlooked is AB 1130, which adds biometric data to the state’s data breach notification law (it was already in the CCPA definition). In effect, this creates a private right of action if a data security breach includes biometric information.  
Before becoming law, the amendments must be signed by the Governor of California, who has 30 days to sign them (if he fails, it's called a "pocket veto" and they fade into non-existence).

Amendments That May Rise From The Grave

Two bills which did not pass but which may (apparently) be revived in the next session are AB 846 and AB 1138. The first would have clarified that consumer loyalty programs are permissible. The second would have required parental consent for minors (younger than 18 years old) to use social media.  A consumer loyalty program bill would have been immensely helpful for consumer-facing retailers! *cough*

Dead Amendments

The "dead" amendments include those that would have (i) created an express private right of action for any violation; (ii) required disclosure of the average value of personal information; (iii) removed the “Do Not Sell” link requirement; (iv) required removal of social media information; (v) created an exemption related to government agencies; and (vi) created a carve-out for certain insurance transaction data. (See AB 981, AB 1416, AB 288, AB 873, SB 561, SB 753, AB 950 and AB 1760.)

No Action from Attorney General

California's Attorney General Xavier Becerra is required to promulgate regulations implementing certain aspects of the CCPA, but has not yet issued any proposed rules.  Perhaps he anticipated the amendments and did not want to propose rules until the legislature had adjourned and the CCPA was more or less final (for now).  Although the CCPA becomes effective on January 1, the AG cannot bring any enforcement actions until the earlier of (a) the date on which he promulgates final rules or (b) July 1, 2020.  Once the AG proposes rules, there will be a delay before they become final and enforceable: there must be a 45-day public comment period, and, if comments result in changes, there will be another 15- to 45-day waiting period.  Accordingly, it seems unlikely that the AG will be enforcing the CCPA before July 1.  Note, however, that many commenters speculate there could be retroactive enforcement, and certainly there could be private litigation before the AG's enforcement deadline, so organizations should keep their focus on the January 1 deadline.

I hope this quick summary is helpful.  Much more will be said about each of these bills in the coming days.