CCPA Changes Sent to Governor’s Desk as January Effective Date Draws Closer and Compliance Costs Loom Large
Several amendments to the California Consumer Privacy Act of 2018 are headed to Gov. Gavin Newsom’s desk. Issues range from the timing of employer disclosure requirements to data gathered and used in consumer identity verification, vehicle recalls and warranties, consumer credit checks, and business due diligence work. One bill, which attempted to address the non-discriminatory provisions of the CCPA and its potential impact on sellers’ popular customer rewards programs, didn’t make it out of the Senate.
Going into effect in January and still being amended in October, the CCPA continues to present a significant challenge for companies doing business in California. It is crucial for privacy officers to keep abreast of these amendments as they impact compliance efforts regarding employee data, due diligence performed on other companies, and the collection of personal information by representatives of other companies.
The compliance costs are nothing to sneeze at either. The amendments head to the governor’s desk in the wake of the state Attorney General’s regulatory impact assessment report which put the initial costs for businesses to comply with the CCPA at $55 billion. Berkeley Economic Advising and Research LLC prepared the report and arrived at the figure based on a “back-of-the-envelope” extrapolation of data gathered by technology compliance company TrustArc. While only privacy professionals at companies with more than 500 employees were surveyed by TrustArc, only 1% of California companies fit that category. In arriving at the $55 billion figure, Berkeley said it is “very possible that we are overestimating the compliance costs for smaller firms.”
What’s more, the compliance battle may not be over in January. Alastair Mactaggart of Californians for Consumer Privacy, who spearheaded the ballot initiative that led the legislature to pass the CCPA, announced a new ballot initiative for November 2020 regarding the collection of health and financial data and the imposition of penalties for sharing and selling data about children.
Here is the rundown of the CCPA amendments:
AB 25: Consumer Authentication and Employer Requirements
The CCPA prohibits businesses from requiring consumers to create accounts in order to make verifiable consumer requests. If signed, AB 25 will provide an exception to that prohibition by authorizing a business to require authentication that is “reasonable in light of the nature of the personal information requested.” However, the bill would authorize a business to require a consumer – one who has an account with the business – to submit their request through their account.
The CCPA authorizes consumers to bring private actions and requires businesses to inform consumers about the categories and purposes of the information they collect. Until Jan. 1, 2021, AB 25 would exempt from all provisions of the act (except the civil action and information disclosure provisions) information collected from a person by a business in the course the person’s relationship with that business as a job applicant, employee, owner, director or officer, medical staff, or contractor.
AB 874: Personal and Publicly Available Information
The act defines “personal information” to mean “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” AB 874 would change the definition so “capable” is modified as “reasonably capable.”
The act excludes “publicly available information” from its requirements, which it defines as “information that is lawfully made available from federal, state, or local government records if any conditions associated with that information.” It goes on to say information is not publicly available if that data is used for a purpose “not compatible with the purpose for which the data is maintained and made available in the government records or for which it is publicly maintained.” Publicly available does not include aggregate consumer information or deidentified data.
AB 874 would define “publicly available” to mean “information that is lawfully made available from federal, state, or local records” (eliminating “government” from the phrase “local government records”) and would delete text listing the conditions in which data is not publicly available. The bill would, instead, provide that personal information does not include deidentified or aggregate consumer information.
AB 1146: Vehicles
Consumers have opt-out rights under the CCPA; that is, the right to direct a business not to sell their personal information to third parties. Consumers have the right to ask that data collected by a business be deleted, subject to conditions. Certain categories of personal information are excepted. AB 1146 would except from the right to opt out “vehicle information or ownership information retained or shared between a new motor vehicle dealer and the vehicle’s manufacturer, if the information is shared for the purpose of effectuating or in anticipation of effectuating a vehicle repair covered by a vehicle warranty or a recall, as specified.” The bill would also except personal information that is necessary for the business fulfill the terms of a written warranty or product recall conducted in accordance with federal law.
AB 1355: Deidentified and Aggregate Data, and Differential Treatment
This bill would exclude from the definition of personal information consumer data that is deidentified or shared in aggregate.
The CCPA prohibits a business from discriminating against a consumer for exercising any of the consumer’s rights under the act. However, it allows businesses to offer different prices or types of services if the different treatment is reasonably related to the value provided to the consumer by the consumer’s data. This bill would, instead, prohibit a business from discriminating against the consumer for exercising any of the consumer’s rights under the act, except if the differential treatment is reasonably related to value provided to the business – as opposed to the consumer – by the consumer’s data.
The act requires a business to make certain disclosures to consumers regarding their rights. This bill would require a business to disclose to consumers that they have the right to request “specific pieces of information” and the “categories of information” collected on them and that they may request that the information be deleted.
The CCPA authorizes a consumer, whose nonencrypted or nonredacted personal information is hacked or disclosed because a business didn’t maintain reasonable security, to file suit under the act.
The bill would exempt reasonably secured activity involving the collection, maintenance, disclosure, sale, communication, or use of personal information bearing on a consumer’s “credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by specified parties, including a consumer reporting agency.” The bill would, until Jan. 1, 2021, also exempt personal information within the context of the business conducting due diligence or providing or receiving a product or service.
AB 1564: Web Companies
The act provides that a business is required to make available to consumers two or more reasonable and designated methods for requesting business information, such as a toll-free number or a web address. This bill would require online businesses to only provide an email address for requested information from the company and a web address if the company maintains a website.
AB 846: Loyalty Programs – Bill Now Inactive
This bill would have prohibited the CCPA from being used, as some fear it will be, to prohibit businesses from offering different prices and service levels through loyalty rewards programs. It would have specifically barred companies from offering special deals through these programs that are “unjust, unreasonable, coercive, or usurious in nature.” Also, the bill would have prohibited businesses from selling personal information collected through these rewards programs.
Concerns were raised that the non-discrimination provisions of the CCPA would be seen as interfering with loyalty rewards programs. The bill’s drafters attempted to make it clear that companies were free to charge different rates and offer different service levels to valued customers in these programs. This bill was designed, they said, to ensure the “legal survival of loyalty programs,” because the non-discrimination section of the CCPA “could lead to the end of these programs as well as unnecessary litigation.” The ban on selling to third parties was criticized by some as hindering cross-marketing which is one of the reasons companies run these programs.
After some effort and several attempts to address concerns, the bill didn’t make it out of the Senate and was placed in the legislature’s inactive file. We will keep an eye on the legislature to see if it is re-introduced in 2020.
Edited by Tom Hagy