The 2019 California Consumer Privacy Act amendment process is finally coming to a close this week, less than four months before the law will take effect. The Legislature is scheduled to adjourn Friday the 13th, and sometime thereafter, the attorney general is expected to issue draft rules that will clarify notice and request verification obligations under the landmark law.
Overall, the CCPA amendment bills that passed the Senate Committee on the Judiciary appear on track to be enacted. However, there are several notable changes to the versions of Assembly Bill 1355 (a technical corrections bill) and AB 846 (a loyalty programs bill) that emerged from the Senate Judiciary Committee hearing in mid-July, which we discuss here.
[Update: 2:01 pm Eastern, 9/12/2019: Shortly after we published this report, news emerged that AB 846 has been shelved for the year. Assemblywoman Autumn Burke, D-Marina Del Rey, said she plans to reintroduce the bill next year.]
AB 1355
Last weekend, Assembly Judiciary Committee Chair Ed Chau released a set of heavily negotiated amendments to his technical corrections bill, AB 1355, that contain some important new clarifications and introduce a business-to-business moratorium amendment. Meanwhile, AB 846, the loyalty program bill, was amended further to clarify its restrictions on selling personal information.
The AB 1355 amendments, which we understand are very likely to pass, include: 1) modifying the definition of “personal information” to cover information that is “reasonably capable of being associated with” a particular consumer or household, instead of simply “capable of being [so] associated”; 2) adding a one-year moratorium for B2B communications, except for the rights to opt out of the sale of one’s personal information and to non-discrimination; 3) clarifying that CCPA Section 1798.150 class-action lawsuits may not be brought for data breaches when “data breach personal information” is either encrypted or redacted (not both); 4) clarifying that deidentified and aggregate information are exempt from the statute; and 5) clarifying that the reasonableness of charging a different price or rate or providing a different level or quality of goods or services is measured in relation to the value of the personal information to the business, not to the consumer.
Definition of 'personal information'
One of the most operationally complex features of the CCPA is the law’s definition of “personal information.” As enacted, the term arguably encompasses almost every piece of information a business maintains because nearly all information can in theory be associated with an individual, even if as a practical matter it is nearly impossible to associate that piece of information with a consumer and the data is of minimal or no relevance to privacy. AB 1355 would narrow this definition by adding the word “reasonably” before the word “capable” so that the outer boundary of the definition is any information that is “reasonably capable” of being associated with a consumer.
The amended definition is still much broader than the definition of “covered information” in the U.S. Federal Trade Commission 2012 Privacy Staff Report but now has a clearer meaning. This amendment was originally part of AB 873, which was defeated in a tie vote in the Senate Judiciary Committee, but was endorsed in Chairwoman Hannah-Beth Jackson’s committee analysis and was not controversial.
It now appears very likely to become law.
B2B exemption
Another area of confusion in the CCPA is that although the statute refers throughout to California “consumers,” the term “consumer” is defined as all California residents, even when they are not acting as consumers. As we discussed in our August 2019 CCPA update, AB 25 contains a one-year partial moratorium on CCPA application to employee, beneficiary and emergency contact information.
AB 1355 now adds a heavily negotiated one-year moratorium for personal information that a business obtains in certain B2B contexts. This moratorium, based upon a proposal by CCPA co-architect Alastair Mactaggart, applies to:
“Personal information reflecting a written or verbal communication or a transaction between the business and the consumer, where the consumer is a natural person who is acting as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency and whose communications or transaction with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from such company, partnership, sole proprietorship, nonprofit or government agency.”
Interestingly, unlike the employee data moratorium, this provision does not delay application of the opt-out (Do Not Sell) or non-discrimination rights of Sections 1798.120 and .125. But it does delay the obligation to provide notice under Section 1798.100(b), to grant access rights under Section 1798.100(a) and (d) or deletion rights under Section 1798.105, and to provide transparency under Sections 1798.110 and .115.
The B2B moratorium also extends to data security breach class action risk (Section 1798.150). The practical effect is that a “do-not-sell” request would apply to B2B data that a business obtains from a B2B interaction, but that there would be no requirement to provide notice in the B2B context. This result may better fit with B2B transactions, where providing notice of personal information use practices at or before the time of collection is often impractical.
It is important to understand the limited scope of this B2B moratorium.
The moratorium applies only to information obtained by a business through a communication or transaction with a California resident acting for another entity. It therefore does not appear to apply to information obtained from a third party, such as a list provider. The moratorium also applies only to communications or transactions occurring “solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from” the other entity.
For this reason, the amendment does not appear to reach B2B cold-calling or other marketing communications not initiated by the other entity. Like the employee moratorium, this provision expires Jan. 1, 2021, promising a renewed discussion of employee privacy legislation — this time in a transactional context — during the 2020 legislative session.
Nonetheless, if AB 1355 is enacted, this amendment should significantly reduce the burden of CCPA compliance for businesses that engage in transactions with or furnish goods or services to businesses, nonprofits or government agencies with employees or agents residing in California.
Class-action risk
AB 1355 also fixes a consequential drafting error in the CCPA’s data breach class-action section. Current law states that the class action applies to California residents' personal information, as defined in subdivision (d)(1)(A) of the state’s data security law, that is “nonencrypted or nonredacted.”
This confusing double negative would mean that unless the personal information were both encrypted and redacted, it could trigger a data breach class action. The amendment clarifies that either step is sufficient to protect the information and avoid potential class-action liability.
The California Consumer Attorneys have signed off on this change. It is significant because either encryption or redaction would be a simple defense to liability, and they are much clearer and less costly to establish than whether the defendant business had “reasonable” security.
FCRA exception
This clarification extends the Fair Credit Reporting Act exception, which currently applies only to “sale of personal information” to be used in a consumer report. The amendment clarifies that the exception applies more broadly to “any activity involving the collection, maintenance, disclosure, sale, communication, or use of any personal information” by a consumer reporting agency, by a furnisher of data and by a user of a consumer report, if the activity is “authorized by” the FCRA.
This means that the other CCPA provisions, except for the reasonable security obligation under Section 1798.150 and attendant class-action risk, will not apply to FCRA-authorized data activities. The scope of the FCRA exception is now on track to become very similar to the scope of the Gramm-Leach-Bliley Act and California Financial Information Privacy Act exceptions.
Clarifying that the CCPA does not require collecting additional personal information or lengthening retention periods
AB 1355 also adds a clarification that the CCPA does not require businesses to collect any personal information that they would otherwise not collect or to retain information longer than they otherwise would in the ordinary course of business. The CCPA does not require either step, but this clarification likely relieves businesses from keeping personal information to prove compliance with a consumer request longer than they keep other similar information, and it should help resolve concerns in internal compliance discussions that businesses may be required to keep additional data in order to respond more readily to CCPA consumer requests.
Other CCPA clarifications already in AB 1355
Amendments added to AB 1355 in April fix several drafting errors in the CCPA that are worth understanding.
For one, AB 1355 fixes another material drafting error in the CCPA by adding for the first time language stating that data that are aggregate or deidentified are not personal information, which accords with the original intent of the statute. As currently in law, deidentified or aggregate information is excluded only from the definition of “publicly available,” not “personal information.”
Additionally, AB 1355 fixes a number of significant drafting errors in Section .110(c).
First, it clarifies that the privacy policy notice obligation under Section .130 applies to categories of personal information that a business has collected about “consumers” in general, not about a specific consumer. It likewise eliminates the requirement that the privacy policy include the “specific pieces” of information about the consumer; instead, the consumer has the right to request disclosure of those “specific pieces of information.”
Similarly, the amendments would clarify that the "Right to Know" obligation in Section .115(a)(2) requires notifying a consumer of the categories of personal information sold for each category of third party, instead of each individual third party.
The current statute is inconsistent as to whether opt-in consent for CCPA “sales” is required through age 15 or age 16. AB 1355 proposes clarifying that opt-in consent is required for consumers who are 15 years old or younger.
One of the murkier provisions in the current CCPA requires that the difference in any prices or rates or different levels or quality of goods or services provided to the consumer be either reasonably or directly "related to the value provided to the consumer by the consumer’s data."
AB 1355 would also clarify that in the context of loyalty programs and other consumer incentive programs, the relevant measure is the value of the data provided to the business, which, unlike the current language, is not a subjective standard.
Finally, AB 1355 fixes a significant number of cross-referencing errors within the CCPA that resulted from hasty drafting in the summer of 2018.
AB 846
As we described in our August update, AB 846 was amended in the Senate Judiciary Committee to bar any “sale” of any personal information obtained through a loyalty or discount program.
AB 846 has now been amended to create a narrow exception allowing sale in order for a third party to provide the consumer with a financial incentive, sale or other discount, provided that two conditions are met.
First, the consumer must expressly consent to the sale to the specific third party after disclosure of “the terms of sale.” It is unclear how detailed this disclosure would need to be, but it appears to relate to the terms between the business and the third party.
Second, the third party must use the personal information “only for the purposes of identifying the consumer as an eligible member of the business’ loyalty, rewards, premium features, discounts, or club card program” and may not retain, use or disclose the personal information for any other purpose.
It is unclear how these provisions would be interpreted, but if enacted, they are likely to make “sales” of personal information as part of loyalty programs operationally complicated. On the other hand, AB 846 would not amend the current exception to “sale” when a consumer uses or directs a business to intentionally disclose personal information, or uses the business to intentionally interact with a third party.
Conclusion
When the first CCPA amendments passed just over a year ago, there was near-universal agreement that many errors — both substantive and technical — still needed to be cleaned up. AB 1355, as amended, would take several steps to reduce confusion and simplify compliance with several operationally complex obligations in the CCPA.
There are just two days left in California’s legislative session to approve the amendments before lawmakers adjourn for the year and the CCPA goes into effect Jan. 1, 2020.