On Tuesday, the California Assembly Privacy and Consumer Protection Committee began clarifying important ambiguities in the California Consumer Privacy Act. As readers of the Daily Dashboard know well, the CCPA sets out landmark privacy rights for Californians, but often in language that is either confusing or difficult to operationalize. Several bills approved at the hearing offer encouragement that the legislature may resolve several key compliance ambiguities before the attorney general’s rulemaking begins this fall. At the same time, two other bills that would have introduced new concepts to the CCPA were withdrawn and did not clear the committee in time for consideration this session.
The most significant bills approved in committee concern the CCPA’s very broad and confusing definitions of “consumer,” “personal information,” and “de-identified” information, and were approved with the acquiescence or support of Alastair Mactaggart, chair of Californians for Consumer Privacy and the funder of the proposed initiative that led to the CCPA.
Exempting employee data. Chairman Ed Chau’s AB 25, which was approved unanimously, contains an important clarification that employees are not “consumers” for purposes of the CCPA, provided that the personal data is collected and used solely within the context of the employer-employee relationship, and in the case of a contractor, only if a written contract is in place. Significantly, this exception would apply to emergency contact and beneficiary data, not just data regarding the employee/contractor/agent. In addition, Chau indicated intent also to exempt data collected and used solely in the context of a business-to-business relationship.
Safeguards to the right to obtain “specific pieces of personal information.” The AB 25 committee report contains language that the committee intends to work with stakeholders to clarify application of the CCPA access right to household data in order to ensure that access occurs in a privacy-protective manner that does not harm the privacy of other household members. Chau also mentioned concern that pre-texters could obtain sensitive information using access requests.
Clarifying personal and de-identified information. Assemblywoman Jacqui Irwin’s AB 873 was likewise approved unanimously. The bill now contains two compromise proposals that Mactaggart had put forward in the course of stakeholder negotiations on the bill. The first qualifies that personal information does not cover all “information that is ... capable of being associated” with a particular individual or household, but instead information that is “reasonably capable of being [so] associated.” This provision would have the effect of placing some boundary on the CCPA’s virtually limitless, CNIL-like definition of personal data, excluding information that is only theoretically capable of being associated.
The second compromise would substitute the 2012 FTC staff report “reasonably linkable” de-identification standard for the CCPA’s current definition, which is circular with the CCPA definition of “personal information” — so is effectively no exception at all. De-identified data would mean data that “does not identify and is not reasonably linkable, directly or indirectly, to a particular consumer provided that the business makes no attempt to re-identify the information and takes reasonable technical and administrative measures designed to:
1.) Ensure that the data is de-identified.
2.) Publicly commit to maintain and use the data in a de-identified form.
3.) Contractually prohibit recipients of the data from trying to re-identify the data.”
This standard would provide a path and a clear incentive to de-identify data in order to limit the range of data held by companies that would be subject to CCPA requirements. For example, it would very likely have the effect of exempting IP addresses and device IDs that are maintained separately from personal data and cannot be queried or accessed by employees or third parties who could link the data. Similarly, personal information that is one-way hashed or encrypted would be exempt, as would data that is kept separately, never combined and that the business has publicly committed to maintaining in de-identified form.
Other amending bills approved at the hearing.
Other CCPA amendment bills approved during the hearing included:
1.) AB 874, a bill to create a clear and full public record exemption from the definition of “personal information.”
2.) AB 846, a bill to clarify that loyalty programs are exempt from the CCPA’s “non-discrimination” restrictions on consumers who exercise CCPA opt-out rights and to clarify confusing language in that section. The bill was narrowed somewhat during the mark-up and Chau expressed a strong view that incentives need to be directly, instead of “reasonably,” related to the value of the consumer’s data — which would be a quite different test.
3.) AB 1564, a bill to provide alternatives to the current CCPA requirement that businesses must establish a toll-free number to receive CCPA requests.
4.) AB 981, a bill that as introduced would have exempted regulated insurance companies from the CCPA but that has been amended to add numerous new privacy requirements in the Insurance Code.
5.) AB 1146, a bill to clarify that motor vehicle warranty or recall information may be shared between auto dealers and manufacturers without being subject to data deletion or “do not sell” requests.
6.) AB 1355, a Chau bill to make technical changes to the many drafting errors in the CCPA.
The two CCPA amendment bills that were withdrawn. Assemblywoman Buffy Wicks withdrew from Assembly Privacy Committee consideration AB 1760, the so-called “Privacy for All Act,” which would have dramatically expanded CCPA requirements. Its features included, among others, extending the private right of action to all privacy violations, extending the opt-out to all sharing of personal information (not just “sales”), adding data minimization requirements, and expanding the CCPA right-to-know requirement to require an accounting to consumers of the specific third parties with whom personal information was shared. The bill, which likely would have imposed well over a billion dollars in compliance expense, appears to have been withdrawn due to lack of support. It is now a two-year bill, although a somewhat similar bill, SB 561, was approved narrowly by the Senate Judiciary Committee, and may become a vehicle for expanding enforcement of CCPA requirements, possibly through city attorney enforcement.
In a Senate Judiciary Committee hearing held the same day, Sen. Henry Stern, D-Calif., withdrew SB 753, a bill to create a CCPA exemption from the definition of “sale” for the sharing of “any unique identifier only to the extent necessary to deliver, show, measure, or otherwise serve or audit a specific advertisement to the consumer.” Privacy groups had focused on stopping this bill and appear to have been successful.
Will these bills become law? It is noteworthy that CCPA amendment bills will be considered by the Senate Judiciary Committee, which is chaired by Sen. Hannah Beth Jackson, D-Calif., the sponsor of SB 561. She is likely either to try to stop some of these bills or to attempt to add elements of SB 561 to them.
Ultimately, the Senate leadership will likely need to engage actively for passage of Assembly CCPA amendment bills in order for them to succeed in the Senate. However, these initial steps suggest that some legislative clarifications of CCPA requirements may pass this year.