October 23, 2019

October 22, 2019

Subscribe to Latest Legal News and Analysis

October 21, 2019

Subscribe to Latest Legal News and Analysis

California Legislature Adopts Five Amendments to CCPA, But Largely Rejects Industry Efforts

On September 13, 2019—the last day of the legislative session—California lawmakers approved five amendments intended to clarify the scope of the California Consumer Privacy Act (the “CCPA”), but rejected several industry-backed proposals that would have exempted personal information used for targeted advertising and loyalty programs.

Five amendments passed:  AB 25, 874, 1146, 1355, and 1564.  As we have noted in prior posts, the version of AB 25 that ultimately made it through the legislature had changed from a more business-friendly exclusion for certain employment-related information to a compromise bill, whereby employers must still inform employees of the types of information they are collecting and the reason for doing so.  AB 25 also subjects employers to the private right of action with statutory damages in the event of a data breach, albeit only as to “personal information” as defined in California’s data breach notification law.  AB 25 has a one-year sunset provision, after which employee personal information will be treated the same as consumer personal information without further legislative action or regulatory guidance.

AB 1355 is also particularly important as it excludes from consumer personal information: (1) consumer information that is deidentified or aggregated; and (2) personal information gathered in the context of a business-to-business transaction.  While the latter exclusion has a one-year sunset provision, this exclusion provides a significant boon to businesses that engage primarily in B2B transactions, but were nonetheless previously concerned that they may hold significant amounts of personal information under the CCPA’s broad definition.

Notably, the legislature did not pass AB 846, which would have allowed companies to collect personal information to offer loyalty programs without worrying that the practice was discriminatory under the law.  The legislature also rejected proposals backed by the California Chamber of Commerce and the Internet Association—which includes Google, Facebook, and Amazon in its members—which would have increased exclusions relating to targeted advertising and fraud detection, as well as expanded the definition of “deidentified.”

Although this year’s legislative session is complete, there is still a chance that the Attorney General’s forthcoming regulations could alter the CCPA’s scope and application.  The proposed regulations are expected to be issued later this month or in October, followed by a comment period prior to finalization.

However, assuming the Governor signs passed amendments, companies now know the version of the CCPA which will go into effect on January 1, 2020, and should prepare accordingly.

Copyright © by Ballard Spahr LLP

TRENDING LEGAL ANALYSIS


About this Author

Gregory Szewczyk, Ballard Spahr Law Firm, Denver, Privacy and Litigation Attorney
Associate

Greg Szewczyk is a litigator with experience serving as a member of several trial and arbitration teams. His responsibilities include examining witnesses at trial; drafting opening and closing presentations; drafting dispositive, discovery and pretrial motions, as well as appellate briefs; taking and defending depositions; arguing evidentiary and procedural issues; preparing witnesses for testimony; and drafting scripts for direct and cross-examinations. He is also a member of the Denver office’s cybersecurity practice group.

303-299-7382
Philip Yannella, Ballard Spahr Law Firm, Philadelphia, Data Security Attorney
Partner

As Co-Practice Leader of Ballard’s Privacy and Data Security Group, and Practice Leader of the firm’s E-Discovery and Data Management Group, Philip N. Yannella provides clients with 360-degree advice on the transfer, storage, and use of digital information.

Mr. Yannella regularly advises clients on the Stored Communications Act (SCA), Computer Fraud and Abuse Act (CFAA), EU-US Privacy Shield, General Data Protection Regulation (GDPR), Defense of Trade Secrets Act, PCI-DSS, Telephone Consumer Protection Act (TCPA), New York Department of Financial Services Cybersecurity Regulations, ISO 27001 compliance, HIPAA Security Rules, and FTC enforcement activity, as well as eDiscovery issues—leveraging his experience serving as National Discovery Counsel for more than two dozen companies in nationwide litigation. He harnesses his deep knowledge of privacy, data security, and information governance laws to help multinational companies develop global information governance programs to comply with overlapping, and sometimes conflicting, laws. Mr. Yannella serves on the advisory board for the ACC Foundation’s Cybersecurity Survey, the largest survey of in-house counsel on cybersecurity issues.

215-864-8180