2018: the year of privacy. May 25, 2018, the EU’s General Data Protection Regulation (GDPR) goes into effect and on June 28, 2018 California, to avoid a voter ballet initiative, passes a hastily drafted bill aimed directly at companies who sell the personal information of California consumers. The passage of the California Consumer Privacy Act (CCPA) sets off a chain reaction and other states adopt similar legislation. And just like that, in a matter of months, US companies have to face consumer privacy from an entirely new direction. The race for federal preemption is launched. But a federal law on consumer privacy which would un-seed state momentum has not yet seen the light of day, so California, responding to criticism in drafting and intent, works quickly to amend the CCPA and clean it up in time for its January 1, 2020 effective date.
The CCPA applies to all consumer (any resident of California) personal information a business stores in either physical or electronic form. Businesses must comply with the bill if they: (i) earn $25,000,000 or more per year in revenue; (ii) annually buy, receive, sell, or share the personal information of 50,000 or more California consumers for commercial purposes; or (iii) derive 50% or more of their annual revenue from selling the personal information of California consumers. The CCPA gives California consumers the right to opt- out of the sale of their personal information, where “sale” means selling, releasing, disclosing, making available, etc. a consumer’s personal information to another business or third party for monetary or other valuable consideration.
California lawmakers proposed several amendments to the CCPA during the 2019 legislative session. These bills had until May 31, 2019 to pass their legislative House of origin, and those that succeeded are now under consideration by the other House. A final, identical version must pass both Houses by September 13, 2019. Governor Newsom will then sign or veto each bill by October 13, 2019.
The proposed amendments fall into two general categories - those that clarify existing terms and obligations in the CCPA along with those that alter the scope of the CCPA’s protections.
AB-25 clarifies the definition of a “consumer” under the CCPA. The amendment articulates that the CCPA does not cover the personal information of job applicants, employees, agents, and contractors to the extent a business gathers and uses such information within the scope of the person’s role as an applicant, employee, agent, or contractor. The CCPA would, however, continue to protect an employee’s emergency contact and beneficiary information.
AB-873 narrows the definition of protected personal information from the prior standard of information “capable of being associated with” a person to information “reasonably associated” with a person. This bill would similarly narrow the definition of “de-identified data” to only include data “reasonably linkable” to a person rather than data “capable” of being linked to a person. Finally, AB-873 clarifies that businesses do not have to re-identify personal information to respond to a subject access request when the business does not ordinarily maintain the data as personal information.
AB-874 expands the definition of “publicly available” information to include any information lawfully made available from government records. The CCPA currently excludes publicly available information from its definition of personal information. Businesses would therefore no longer need to limit their use of such data to a manner compatible with the government’s purpose in making the data available.
AB–846 explains that the CCPA does not prohibit businesses from offering reward programs exclusively to consumers who allow data collection. The CCPA prohibits companies from discriminating against consumers who exercise their CCPA rights. This amendment, however, clarifies that selective loyalty reward programs are not prohibitively discriminatory unless they include an unjust or coercive aspect.
AB 1355 excludes de-identified and aggregate consumer information from the CCPA’s definition of protected personal information. This amendment would further allow businesses to discriminate against consumers who exercise their rights under the CCPA, so long as the differential treatment stems from a loss of value otherwise provided by personal data. Finally, this bill would require businesses to specifically disclose to consumers that consumers have the right to see and request deletion of their personal information.
AB–1146 exempts certain vehicle and ownership information from the CCPA’s right of deletion and right to opt-out. This would allow auto dealers and manufacturers to share car warranty and recall information related to vehicle repairs.
AB–981 narrows the scope of the CCPA by exempting information already covered by the Insurance Information and Privacy Protection Act. This exemption eliminates a consumer’s opt-out rights under the CCPA if a business needs to retain or share their personal information to complete an insurance transaction that the consumer requested.
AB-1416 adds various exemptions to the CCPA, subject to a four-year sunset. The amendment specifies that any obligations that the CCPA imposes on businesses shall not restrict a business’s ability to…
- Comply with rules and regulations adopted in furtherance of state or federal laws
- Provide a consumer’s personal information to a government agency solely for the purposes of carrying out a government program
- Sell the personal information of a consumer to another person solely to protect against or prosecute illegal and fraudulent activity or for detecting security incidents, if both the sender and recipient do not further sell that information for any other purpose
AB 1202 compels data brokers to register with the state Attorney General. The bill defines a data broker as a business that “knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” The Attorney General would then make these registration details publicly available. Doing so will provide consumers with more information about parties indirectly collecting their data and allow consumers to exercise their CCPA rights such as opting out of data collection.
AB 1281 commands businesses using facial recognition technology to disclose that usage. The bill specifically requires such businesses to post clear and conspicuous physical signs at every entrance covered by the facial recognition technology.
AB 1564 modifies the CCPA requirement that businesses provide consumers with at least two methods for submitting information disclosure requests including a phone number and website address (if applicable). This amendment would instead require business to only make available a phone number or email address and a physical address, with businesses that operate exclusively online only needing to provide an email address.
SB 561 would expand a consumer’s right to institute a civil action for CCPA violations. The current CCPA only allows consumers to sue when a business’s negligence leads to the theft or disclosure of a consumer’s data. This bill would extend that right to other breaches of the CCPA. The amendment would further remove the 30-day cure period for businesses notified of an alleged violation. Finally, the bill allows the attorney general to prepare materials advising businesses on how to comply with the CCPA. (*Note: This bill was placed on the Suspense File since it had a projected fiscal impact over $150,000. The Senate will hear this bill once the state budget is prepared.)
Some proposed amendments to the CCPA have already failed to pass during this legislative session. While lawmakers can propose similar amendments in future sessions, the provisions in the following bills will not impact the CCPA before it goes into effect. These failed amendments nevertheless provide valuable insight into potential changes to the CCPA that might arise in the future.
AB 1760, otherwise known as the Privacy For All Act, would have significantly revised the CCPA. The bill would have provided a private right of action for consumers whose data was stolen or disclosed due to a business failing to implement or maintain reasonable security measures. The amendment would also have prohibited businesses from sharing personal information unless a consumer specifically opted-in to the sharing, and would have prevented discriminating against consumers who chose not to opt-in. The bill would furthermore have limited businesses to using and retaining consumers’ personal information only to the extent reasonably necessary to provide a service or conduct an activity.
SB 753 created an exemption from the CCPA’s definition of a “sale.” Under this bill, sharing or disclosing data with a third party to generate specific advertisements to a consumer would not meet the definition of a sale. This bill would have allowed much greater data sharing for generating targeted advertisements.
AB 288 required social network services to allow consumers who closed their accounts to request the company permanently remove the consumer’s personal information from the company’s database. The bill defines a social networking service as an internet platform that
- offers users an account that requires unique identifier and password
- allows users to connect with other accounts
- allows users to transmit electronic content like pictures and messages between connected accounts
- complete a transaction for which it collected personal information
- detect security incidents or prevent against fraudulent activity
- identify and repair errors that impair existing intended functionality
The continually-increasing importance of consumer data ensures that data privacy will remain a contentious and important issues for years to come. Furthermore, with no federal regulation on the issue, state laws such as the CCPA will define the extent of the protection consumers can expect to have over their personal information. And although the CCPA granted significant rights to consumers, these amendments make clear that businesses and consumers will continue grappling over the substance of the CCPA even after it goes into effect on January 1, 2020.
ABOUT BAKER BOTTS L.L.P.
Baker Botts is an international law firm of approximately 725 lawyers practicing throughout a network of 14 offices around the globe. Based on our experience and knowledge of our clients' industries, we are recognized as a leading firm in the energy and technology sectors. Throughout our 179-year history, we have provided creative and effective legal solutions for our clients while demonstrating an unrelenting commitment to excellence. For more information, please visit bakerbotts.com.