The end of the year is quickly approaching, and with it so too is the effective date for the California Consumer Privacy Act (CCPA) – January 1, 2020. Over the summer the California Legislature debated various proposed amendments to the CCPA and last month it finalized six bills that were sent to the governor’s desk for signature. The bills do not change the fundamentals of the CCPA, but they do provide some clarification to and provide temporary relief for businesses from some of the law’s provisions.
Below is a summary of each amendment bill:
- AB 25 allows a business to require reasonable authentication of a consumer in light of the nature of the personal information requested. It also allows a business to require that a consumer submit requests through the consumer’s account, if the consumer maintains an account with the business. The amendment also exempts employee information—personal information collected in the course of the natural person acting as a job applicant, employee, owner, director, officer, medical staff member or contractor—from the definition of personal information for one year, until January 1, 2021. The exemption also covers employee emergency contact information and information used to administer benefits, but it does not apply to a business’s obligation to provide notice to employees about its collection practices or employees’ eligibility for the data breach provision’s private right of action.
- AB 874 adds “reasonably” to the definition for personal information, so it includes the phrase “reasonably capable of being associated with . . . a particular consumer or household.” The bill also clarifies that any information made available by federal, state or local government is “publicly available” and is not personal information. The amendment also eliminates the provision of the CCPA stating that publicly available information that a company uses in a manner incompatible with the purpose for which it was originally collected by the government is considered covered personal information. Finally, AB 874 clarifies that personal information does not include de-identified or aggregate information (as each term is defined by the CCPA).
- AB 1146 adds a new exception to a consumer deletion request that allows a business to deny the request if the information is needed to “fulfill the terms of a written warranty or product recall conducted in accordance with federal law.” It also creates an industry-specific exemption from the right to opt out of the sale of personal information for vehicle or ownership information maintained or shared between an automobile dealer and a manufacturer if it is maintained or shared for certain purposes.
- AB 1202 requires “data brokers” – defined as a “business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship” – to register with the California attorney general.
- AB 1355 is a “clean-up” amendment that addresses various elements of the CCPA. Most notably, it adds a one-year exemption for personal information exchanged in certain business-to-business communications. It also makes clear that a covered business does not have to collect or retain consumer information for CCPA purposes that it would not otherwise collect or retain in its ordinary course of business. Finally, it clarifies that businesses must disclose to consumers their right to request specific pieces of information a business has collected about them, and includes some changes to the CCPA’s exception for consumer-credit information covered by the Fair Credit Reporting Act (FCRA).
- AB 1564 states that an exclusively online business with a direct relationship with a consumer need not provide a toll-free phone number to which consumers can submit a request for disclosure of information. It need only provide consumers with an email address.
Additional clarification in the form of draft regulations is expected from the California attorney general in late October or early November and he has stated his intent to finalize the regulations before the new year.
That is not the end of changes for the CCPA, however. The Legislature will debate the two sunset provisions and determine whether to let them expire, extend them for a period of time or make them permanent during next year’s legislative session. Proposed bills that failed to move forward during this session may be reintroduced, along with new amendments.
California May Be First in Wave of State Privacy Legislation
The 2018–19 legislative season saw 16 state legislatures introduce comprehensive privacy bills, and Maine and Nevada passed laws that mimicked at least some portion of the CCPA. A number of states have a chance at passing CCPA-like legislation and new frameworks may appear now that state legislators have the example of California and another year of input from stakeholders on which to build legislation. Momentum for state-level privacy efforts is likely to continue in 2020. Here are a few states to watch in the new year:
- Washington nearly passed the Washington Privacy Act in the spring, but the legislation stalled in the House after easily passing the Senate with a 46-1 margin. The bill took inspiration from both the CCPA and the GDPR, and included elements of both. In addition to the consumers’ rights found in the CCPA, the Washington Senate bill included GDPR-like rights to rectification and to not face solely automated processing decisions. Ultimately the gap between the technology industry, which supported the bill, and critics from consumer privacy advocates, who objected to the bill, could not be closed. Major industry players, including Microsoft, were involved in drafting the bill, but privacy advocates took issue with its permissive facial-recognition technology provisions and its allegedly weak protections for consumers. The bill failed to receive a vote on the House floor. Sen. Reuven Carlyle, the author of the Senate bill, said that the Legislature is “committed to 2020” after failing to pass a comprehensive privacy law in 2019.
- New York introduced a comprehensive bill towards the end of its legislative cycle. The bill, named the New York Privacy Act, would supplant the CCPA as the strictest state privacy law in the country. Similar to Washington’s effort, the New York Privacy Act draws inspiration from both the CCPA and the GDPR, but it includes a broad private right of action and places a fiduciary duty on businesses to act in the best interest of a consumer with regard to privacy. It is not clear if the bill has a chance to pass in its current form, but the Legislature hosted expert panels and sought commentary from various invested parties before the legislative session concluded. It is likely that momentum for privacy-protective legislation will continue into the new session.
- Illinois introduced a bill that proposed the Data Transparency and Privacy Act. The proposed statute is not as expansive as the CCPA, but Illinois has a history of leading the country on legislating technology issues with the Biometric Information Privacy Act from 2008.
Other states, including Massachusetts, Minnesota, New Jersey and Texas, among others, introduced bills last legislative session and may be poised to iterate on those proposals in the coming year.
The CCPA may be coming into focus, but other states might introduce additional uncertainty for businesses as they navigate evolving legislative requirements and consumer expectations for privacy and data security.