May 28, 2020

May 27, 2020

Subscribe to Latest Legal News and Analysis

May 26, 2020

Subscribe to Latest Legal News and Analysis

Like a Butterfly, Will the CCPA Continue to Evolve?

California legislators have passed many bills to amend the California Consumer Protection Act since the law was passed. Last week there was significant developments in the status of those bills, as we reported. In addition to dropping the concept of a private right of action for non-breach matters, there are other key things to keep in mind. Some are good news for corporations, but some pending bills that would have helped clarify the law are not moving forward. On the pro-business side, employers and businesses that focus on handling employee data will be happy to learn of the revised definition to consumers. On the pro-consumer side, however, a bill was withdrawn that would have allowed the sharing of unique consumer identifiers for marketing purposes without being considered a “sale,” drawing a chorus of “shucks” from businesses alike. Keep reading for the details.

First, a bill that would specifically exclude employees from the definition of “consumers”  (AB 25) has been approved by the committee and is now before the full Assembly. Second, a bill that would narrow the definition of personal information (AB 873) is also moving forward. That bill changes narrows the definition to anything “reasonably capable of being associated with…a particular consumer or household” instead of just “capable of being associated with” a consumer or household.  Third, a bill expanding the definition of “deidentified” (as opposed to personal information which does identify a person) is moving forward (AB 873). As proposed, “deidentified” would mean information “that does not identify and is not reasonably linkable, directly or indirectly, to a particular consumer” provided related technical and administrative controls are in place. And Fourth, a bill that would eliminate times when the public records exception would apply (AB 874);  In short, this would increase the number of situations where a business would not have to comply with CCPA because the data at issue is exempt from the Act.

Five additional bills, which are aimed at correcting more minor issues, are also progressing through the legislative process: (1) addressing drafting errors (AB 1355); (2) giving more methods to receive consumer requests (AB 1564);  (3) allowing motor vehicle information to be shared for warranty or repair purposes without being subject to consumer requests (AB 1146); (4) removing certain consumer rights where necessary to complete a transaction initiated by the insurer (AB 981); and (5)  explaining that customer loyalty programs are exempt from the Act’s anti-discrimination provisions (AB 846).

As reported, the bill to allow for a private right of action was stalled (SB 561). A bill that would have prevented businesses from sharing personal information without the consumer’s consent was also withdrawn (AB 1760). It also would have expanded enforcement powers beyond the AG and limited the use of personal information to only what is necessary. Finally, a bill that would have further narrowed the definition of sale was withdrawn (SB 753).

Putting it into Practice: We will continue to monitor the development of these bills. In the meantime, companies should keep in mind that CCPA will become effective January 1, 2020.

Copyright © 2020, Sheppard Mullin Richter & Hampton LLP.


About this Author


Rebecca Mackin is an attorney in the Intellectual Property Practice Group in the firm's Chicago office.


Craig Cardon serves as Co-chair of Sheppard Mullin’s Privacy & Data Security Group and as the International Liaison for the firm’s China offices. Craig is a partner in the Entertainment, Technology and Advertising and the Intellectual Property Groups in Sheppard Mullin's San Francisco and Century City offices.

Areas of Practice

Craig enjoys a broad advertising, privacy and ecommerce focused practice. He primarily represents brands, retailers, ad agencies, ad networks and other business involved in advertising, marketing and the data associated with it.  

Rachel Hudson, Lawyer, Sheppard Mullin, Intellectual Property Practice Group

Rachel Tarko Hudson is an associate in the Intellectual Property Practice Group in the firm's San Francisco office.

Areas of Practice

Rachel advises clients in the retail, technology, media, and other industries in online and mobile e-commerce transactions and vendor agreements, intellectual property licensing, commercial and development agreements, and other transactional matters. She assists clients in complying with domestic and international privacy laws, clearing advertising campaigns, conducting contests and sweepstakes promotional initiatives, and...

Liisa Thomas, Sheppard Mullin Law Firm, Chicago, Cybersecurity Law Attorney

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and...

Brian D. Anderson, Intellectual Property, Attorney, Sheppard Mullin, Law firm

Brian D. Anderson is an associate in the Intellectual Property Practice Group in Sheppard Mullin's San Francisco and Palo Alto offices. He is a member of the Entertainment, Media, and Technology Industry Team.

Areas of Practice

Brian enjoys a broad intellectual property and commercial transactions, corporate, advertising and privacy and data security practice.

He focuses his practice on structuring and negotiating intellectual property and technology deals, such as...