Tracy Shapiro, Partner, DLA Piper Data Protection, Privacy & Security Practice, also contributed to this article.
On Tuesday, July 9, the California Senate Standing Committee on Judiciary took up the slew of California Consumer Privacy Act amendment bills that the Assembly had passed more than a month earlier.
At the hearing, Democratic State Sen. Hannah-Beth Jackson supported two CCPA “clean-up” bills without requesting amendments. These were Democratic Assembly Privacy Committee Chairman Ed Chau’s AB 25 and Democratic Assemblymember Jacqui Irwin’s AB 874. Both sailed through her committee unanimously and are highly likely to become law.
Employee data moratorium and guidance on verifying CCPA rights requests
AB 25 provides a one-year moratorium on most CCPA requirements for employee, contractor, job applicant, beneficiary and emergency contact information, provided that the information is collected and used solely in the employment context. So, for example, if an employee or contractor is also a consumer of the business that they work for, then all data collected in the consumer context will remain covered by the CCPA. Likewise, if, for example, employee activity tracker data is collected as part of an employer-sponsored fitness program but is provided to a marketing or insurance company and used to offer the employee any sort of service outside of the work context, that too would be regulated by the CCPA.
However, under AB 25, two CCPA requirements will apply to this range of “employee data.” First, employers must provide employees with CCPA Section 1798.100(b) privacy notices. This means that employers should seriously consider including employee data in their CCPA data-mapping exercises in order to provide an accurate notice.
Second, the CCPA data breach class action will apply to employee data, making mapping this data even more important. The AB 25 employee data moratorium was agreed to by representatives of labor unions and the California Chamber of Commerce. Representatives of both groups testified at the July 9 hearing that they intend to work together to develop legislation to address intrusive employee monitoring for consideration next year. This monitoring legislation would likely replace the application of the CCPA to employee data, and California employers considering new employee-monitoring techniques for employees or contractors in the state may want to wait until Q4 of 2020 when California law in this area is settled.
In addition, AB 25 contains language clarifying that for all California resident requests other than “do not sell” requests, businesses may require authentication that is “reasonable in light of the nature of the personal information requested.” It further clarifies that although the CCPA prohibits businesses from requiring a resident to create an account with a business in order to submit a request, if the resident already has such an account, the business may require the consumer to submit the request through that account. The California Attorney General’s Office must issue regulations clarifying the procedure for verifying California resident requests. However, this authentication language in AB 25 provides a useful preview for businesses beginning to plan how to handle CCPA requests.
As Jackson noted at the hearing, the AB 25 provisions are the consensus product of negotiations between representatives of business, privacy and labor groups overseen by Chau. It is possible that other thorny CCPA issues related to CCPA requests (for example, requests by household members for other household members’ data or requests for account authentication data) may be addressed in AB 25 later in the legislative process, if consensus solutions can be developed.
Expanding the public record exception
Irwin’s AB 874 removes a limitation in the public records exception to “personal information” in Section 1798.140(o)(2). As passed, the CCPA denied this exception for any use of public record information “for a purpose that is not compatible with the purpose for which the data is maintained and made available in the government records or for which it is publicly maintained.” This language was criticized as unclear and potentially violative of the First Amendment, and CCPA sponsor Alastair MacTaggart expressed concern that it might be struck down as unconstitutional. AB 874 cleared the Senate Judiciary Committee on consent and is highly likely to become law. Note, however, that although the Section 1798.140(o)(2) exception uses the term “publicly available data,” it defines this term only as public record data. This means that information that is publicly available (e.g., is posted online) is very unlikely to be exempt unless it is public record data.
Bills that passed with amendments
Loyalty program and premium features clarification
AB 846, sponsored by Democratic Assemblymember Autumn Burke, Vice-Chair of the California Legislative Black Caucus, and passed by the Assembly in May, would clarify that reasonable loyalty programs are exempt from the CCPA “anti-discrimination” requirement of Section 1798.125. This bill was strenuously opposed at Tuesday’s hearing by privacy groups, who criticized it for authorizing “pay for privacy” discount programs. Burke forcefully rejected that characterization, explaining the importance of loyalty discount programs to low-income residents of her South San Francisco district.
Jackson criticized AB 846 for authorizing the “selling” of loyalty program data and extracted a commitment from the sponsor to agree to add an amendment (not yet released in writing) prohibiting the sale of loyalty program data.
As amended in committee, AB 846 has been scaled back significantly. Like the Assembly version, the Senate amendment clarifies that businesses can offer a different price, rate, level or quality of goods to a consumer who has exercised any of the consumer’s CCPA rights, so long as (1) the offering is in connection with a consumer’s voluntary participation in a loyalty, rewards, premium features, discounts or club card program; and (2) the terms of that program are not “unjust, unreasonable, coercive, or usurious in nature.”
However, the Senate amendment now states that the bill has no effect on “do not sell” rights under the CCPA so that businesses must offer the program even if a consumer opts out of “sale” of their data. The Senate version also eliminates coverage of “free” programs whose functions “are directly related to the collection, use or disclosure of personal data,” which had been included in the Senate bill. These changes, which the sponsor had agreed to before the July 9 hearing, had led MacTaggart’s Californians for Consumer Privacy to drop opposition to the bill.
At Jackson’s insistence, the committee has also voted in principle to ban businesses offering these loyalty programs from “selling” the personal information gathered as part of the program. As amended, the bill will be more restrictive than the current Section 1798.125, which does allow for many types of loyalty programs already without a sale limitation, so long as any different (or free) price or rate provided to the consumer is reasonably related to the value of the consumer’s data. For this reason, it is unclear if the bill as amended will become law at all or become law in its current form.
Focusing the CCPA toll-free number requirement
AB 1564, which passed the Assembly unanimously, exempts businesses that operate exclusively online from the CCPA requirement to maintain a toll-free number for purposes of requests under Section .110 and .115. Instead, the bill allowed these online businesses to provide an email address in lieu of a toll-free number.
The bill passed the Senate Judiciary Committee with a narrowing committee amendment limiting the exception to businesses that have a direct relationship with the California residents from whom they collect personal information and requiring that if the online business maintains a website, the business must provide a method to submit requests through that website.
Auto warranty, repair and product recall exemption
AB 1146, as passed by the Assembly, exempts from the CCPA opt-out-of-sale requirement vehicle or ownership information retained or shared between a new motor vehicle dealer and the vehicle’s manufacturer, as defined in Section 672 of the Motor Vehicle Code, if the information is shared for the purpose of effectuating or in anticipation of effectuating a vehicle repair covered by a vehicle warranty or a recall.
Although the bill passed the Assembly without a single “no” vote, it cleared the Senate Judiciary Committee only after being amended to limit any selling or sharing of the information for any other purpose.
Bills that were defeated
Clarifying the CCPA’s “de-identified” definition
AB 873 would amend the CCPA definition of “de-identified” data to align it closely with the exception to “covered information” in the 2012 FTC Staff Privacy report. The bill included language proposed by MacTaggart to limit the very broad range of “personal information” that is subject to CCPA requests so that the requests do not cover data that are de-identified in a manner similar to the FTC standard.
Although the language was proposed by Californians for Consumer Privacy, it was criticized by the chair and privacy groups on the basis that it would exclude a broad range of information from the reach of the CCPA. The chair proposed committee amendments that would limit the exception for de-identified data only to data that was not disclosed or shared. Irwin rejected the amendment on the ground that it would create a major disincentive to socially beneficial uses of de-identified data for public health, urban planning and innovation. AB 873 then was blocked in committee at the urging of the chair by a 3-to-3 vote, with two abstentions.
Exception to do not sell for anti-fraud, cybersecurity and government services
AB 1416, sponsored by Democratic Assemblymember Ken Cooley, would have created an exemption from the CCPA do-not-sell right for sales of information to governments to further government services and sales of information to private sector customers for antifraud, cybersecurity and detection of illegal activity. The bill was attacked strongly by privacy groups alleging that it would prevent California residents from opting out of the sale of data to immigration authorities and that, generally, businesses could claim that they would be using data for exempt purposes and ignore do-not-sell requests. (The second argument would be equally true of the CCPA’s other exemptions.) The bill’s exemption from opt-out for sales of data for the purposes of detecting fraud, cybersecurity incidents or other illegal activity was criticized in the committee analysis on the ground that it did not prohibit reuse or retention by purchasers of exempt information for secondary purposes.
The bill was withdrawn before the hearing.
Following Tuesday's hearing, it appears that the crop of CCPA amendments enacted in 2019 is likely to be considerably narrower than the crop of amendment bills that passed the Assembly in June.
However, it is highly likely that AB 25, along with the other, narrower bills (with the exception of the loyalty and rewards bill) that did pass the Senate Judiciary Committee will become law.
AB 25’s employee data partial moratorium has by far the broadest application. Entities regulated by the CCPA can now very reasonably plan on employee data being exempt from most of the CCPA requirements.
However, businesses will need to prepare more detailed employee privacy notices similar to those required for consumers. They will also need to plan to alter or secure employee data subject to California breach notice obligations to avoid a potential data breach class action in the event of “unauthorized access and exfiltration, theft or disclosure” of this data. AB 25’s clarification of permissible authentication of CCPA requests also provides a useful preview of CCPA request verification requirements that will be defined in attorney general regulations later this year.
Businesses that use public record data, that operate solely online, and auto dealers, repair companies and original equipment manufacturers all can have some confidence now that the bills clarifying the application of the CCPA to these issues are likely to become law in their amended form.
Finally, the California legislative process has at least six weeks to go. It is possible that additional consensus amendments, as well as technical amendments clarifying more of the many drafting errors in the CCPA as passed, will be agreed to by the end of session. Then, the attorney general’s proposed rules will appear in the fall.
Stay tuned ...
Jim Halpert is a partner at DLA Piper, representing a coalition of Fortune 500 companies, and has helped draft more than 200 U.S. state privacy, data security breach notification laws and consumer protection laws.
Photo credit: johrling, California Republic, via Flickr