California Legislature Adopts Five Amendments to CCPA, But Largely Rejects Industry Efforts
On September 13, 2019—the last day of the legislative session—California lawmakers approved five amendments intended to clarify the scope of the California Consumer Privacy Act (the “CCPA”), but rejected several industry-backed proposals that would have exempted personal information used for targeted advertising and loyalty programs.
Five amendments passed: AB 25, 874, 1146, 1355, and 1564. As we have noted in prior posts, the version of AB 25 that ultimately made it through the legislature had changed from a more business-friendly exclusion for certain employment-related information to a compromise bill, whereby employers must still inform employees of the types of information they are collecting and the reason for doing so. AB 25 also subjects employers to the private right of action with statutory damages in the event of a data breach, albeit only as to “personal information” as defined in California’s data breach notification law. AB 25 has a one-year sunset provision, after which employee personal information will be treated the same as consumer personal information without further legislative action or regulatory guidance.
AB 1355 is also particularly important as it excludes from consumer personal information: (1) consumer information that is deidentified or aggregated; and (2) personal information gathered in the context of a business-to-business transaction. While the latter exclusion has a one-year sunset provision, it provides a significant boon to businesses that engage primarily in B2B transactions but were nonetheless previously concerned that they might hold significant amounts of personal information under the CCPA’s broad definition.
Notably, the legislature did not pass AB 846, which would have allowed companies to collect personal information to offer loyalty programs without worrying that the practice was discriminatory under the law. The legislature also rejected proposals backed by the California Chamber of Commerce and the Internet Association, whose members include Google, Facebook, and Amazon, that would have increased exclusions relating to targeted advertising and fraud detection, as well as expanded the definition of “deidentified.”
Although this year’s legislative session is complete, there is still a chance that the Attorney General’s forthcoming regulations could alter the CCPA’s scope and application. The proposed regulations are expected to be issued later this month or in October, followed by a comment period prior to finalization.
However, assuming the Governor signs the passed amendments, companies now know the version of the CCPA that will go into effect on January 1, 2020, and should prepare accordingly.