On April 30, we detailed several proposed amendments to the California Consumer Privacy Act (the “CCPA”) that were advancing in the State Assembly (see our previous blog post here). Since then, a number of the proposed amendments passed the Assembly and moved to the California Senate, where they remain under consideration.
This past week the Judiciary Committee considered a number of the bills and proposed several key amendments. These amendments are discussed below.
• AB 25. The original version of this bill excluded employees, contractors and job applicants from the definition of “consumer” provided that personal information about those categories of persons was used only for limited purposes. The bill has now been amended to provide that employees, contractors and applicants are still consumers, but that certain personal information relating to them will not be subject to the statute as long as used only for purposes relating to their status as employees, contractors or applicants to the business in question. The bill has also been amended to require delivery of privacy notices to employees, contractors and job applicants which identify personal information collected concerning those individuals and the purposes of the collection. As with the version that passed the Assembly, the private right of action and statutory damages established by the CCPA for certain security incidents will continue to apply.
Most notably, the amendment is proposed to be operative only through 2020. The intent is to provide incentive to the legislature to draft and approve a law on employee privacy. But if a new employee privacy law is not approved, then personal information about employees will be subject to the full CCPA as of January 1, 2021.
• AB 846. The amendment seeks to clarify the treatment of consumers in retail loyalty programs under the CCPA. The bill previously stated that offering “a different price, rate, level, or quality of goods or services” under a retail loyalty program was permissible if (1) a consumer volunteered for the program or (2) the offering was for a specific good or service whose functionality was directly related to the collection, use or sale of the consumer’s data. The bill has been amended to only permit differential offerings under a retail loyalty program when a consumer volunteers for the program. However, a business is prohibited from offering a program that is “unjust, unreasonable, coercive, or usurious in nature.” A business is also prohibited from selling personal information collected as part of a retail loyalty program.
• AB 873. This bill has been amended to clarify the definition of “deidentified” information and the handling of such information. The bill was amended while in the California State Assembly to define “deidentified” information as that which “does not identify and is not reasonably linkable, directly or indirectly, to a particular consumer” as opposed to the previous definition of that which “does not reasonably identify or link, directly or indirectly, to a particular consumer….” The amendment failed to pass its first hearing on July 9 after advancing to the Senate, but it has been granted reconsideration.
• AB 981. This bill originally proposed to exempt from the CCPA insurance institutions, agents, and support organizations to the extent that those institutions were already subject to California’s Insurance Information and Privacy Protection Act (IIPPA). The bill has now been amended to remove this blanket exception from the CCPA, and it now provides that a consumer may not request a business to delete or not sell the consumer’s personal information if it is necessary for the business to retain or share the consumer’s personal information to complete an insurance transaction requested by the consumer.
• AB 1146. This amendment exempts a defined category of vehicle information from the CCPA’s right to deletion and do not sell requirements. The information includes name and contact information of a vehicle owner, VIN, make, model, year, and odometer reading shared between a “new motor vehicle dealer” and the manufacturer with respect to vehicle repairs relating to warranty work or recalls. The bill states that (1) the applicable vehicle information is exempt from the right to opt out of data sales provided that the business is not using such information for reasons other than “effectuating, or in anticipation of effectuating, a vehicle repair covered by a vehicle warranty or a recall” and (2) a business is not required to delete personal information that it is maintaining to “fulfill the terms of a warranty or a federally mandated recall covering a product purchased by the consumer.”
• AB 1564. The amendment previously reduced a business’s obligation to make available two or more designated methods for submitting requests for information concerning the business’s collection and disclosure practices to just one method. The bill has been amended to again require a business to make available two or more methods for submitting requests, including a toll-free telephone number at minimum. If a business maintains a website, the amendment requires a business to make that website available for a consumer to submit requests. If a business operates exclusively online and has a direct relationship with a consumer from whom it collects personal information, the business is also required to provide an email address for submitting requests for information.
We will continue to monitor these amendments and provide further updates as they occur.