May 22, 2019

May 22, 2019

Subscribe to Latest Legal News and Analysis

May 21, 2019

Subscribe to Latest Legal News and Analysis

May 20, 2019

Subscribe to Latest Legal News and Analysis

Proposed Amendments to the California Consumer Privacy Act May Limit Scope of the Act

Following the speedy enactment of the California Consumer Privacy Act (CCPA or Act) in June 2018, business and consumer advocates alike have been pressuring California lawmakers to clarify the many ambiguities raised by the Act’s sweeping requirements. California lawmakers recently responded to these calls for greater clarity by proposing a slate of amendments to address some of the more controversial provisions of the CCPA, including the definition of “personal information”, requirements regarding information sharing, and the scope of industry exemptions.

More specifically, on April 23rd, the California Assembly Privacy and Consumer Protection Committee (Committee) considered nine bills that seek to amend the CCPA to provide greater clarity for industry and consumers. The following is a summary of the proposed amendments.

Narrowing Key Definitions

AB-25 and AB-873, clarify the definitions of “personal information” and “consumer” under the CCPA. Committee Chairman Ed Chau (Chairman) proposed AB-25, which clarifies that personal information collected from job applicants, employees and contractors within the scope of that role is not covered by the CCPA. This carve-out does not apply, however, to an employee’s emergency contact and beneficiary information, which are still personal information under the CCPA. The Committee unanimously approved AB-25 for submission to the California Committee on Appropriations.

claifornia legislature

Another bill, AB-873, narrows the definition of “personal information” to information “reasonably” associated with a person. The current text defines personal information to include all information “capable of being associated” with a person. At the same time, AB-873 aligns the definition of “de-identified” data with the FTC standard – as opposed to the broader GDPR standard. Under the proposed bill, data qualifies as de-identified where the business removes all personal identifiers from the data, commits to maintain and use information in its de-identified form, and prohibits recipients of the data from re-identifying the data.

AB-873 also clarifies that a business need not re-identify personal information in order to respond to a subject access request where the data is not ordinarily maintained as personal information. This last change is particularly significant, addressing a frequently voiced concern that the CCPA would require businesses that maintain pseudonymized data to re-identify the data to respond to access or erasure requests, thereby defeating the purpose of pseudonymization.

Allowing Information Sharing

The Committee also approved a bill that would explicitly allow businesses to sell consumers’ personal information for customer loyalty programs. AB-846 clarifies that the opt-out provided to consumers for the sale of personal information does not apply to customer loyalty programs, such as grocery store discounts and airline frequent flier miles.

Exempting Information and Industries

Other bills approved by the Committee narrow the scope of the Act by exempting certain categories of information. For example, the Act currently does not apply to public information, which is defined in a very narrow way. AB-874 broadens the public record exemption by redefining “publicly available” to include all information that is made lawfully available from federal, state, and local records. This exemption would prohibit consumers from requesting the disclosure of public information contained in government records. AB-1146 allows motor vehicle warranty or recall information to be shared between automobile dealers and manufacturers by exempting such information from the scope of the right of deletion provided to consumers under the Act. AB-981 narrows the scope of the CCPA by exempting information that is already covered by the Insurance Information and Privacy Protection Act.

Rejected Proposals

Notably, the Committee rejected other proposed amendments to the Act. One dismissed proposal, SB-753, would create an exemption from the definition of “sale” to allow unique identifiers that serve or audit specific consumer advertisements – which is relevant for targeted advertisements.

Another dismissed proposal, known commonly as the “Privacy for All Act” or AB-1760, would have added data minimization requirements to the CCPA, extended the opt-out requirement to cover any sharing of personal information (not just the sale of personal information), and expanded the right-to-know requirement to allow consumers to demand disclosure of the specific third parties receiving their information. AB-1760 would have also provided a private right of action for all privacy violations. A similar measure, however, is pending in the state Senate.

Next Steps

The bills that passed the Committee are now before the Assembly Appropriations Committee, where the bills must pass by May 17, 2019. If passed by the Assembly Appropriations Committee, the bills will be submitted to a vote by the full Assembly and must pass by May 31, 2019 to move to the state Senate. The bills must then pass before September 13, 2019 to be presented to the Governor who has until October 32019 to sign or veto passed bills.

Conclusion

If enacted, the Committee-approved bills provide much-needed clarity for businesses worried about CCPA compliance. In particular, the narrowing of the definition of “personal information” to exclude employees and job applicants will likely remove many businesses from the scope of the Act. Similarly, the clarification that businesses need not re-identify personal information to respond to an access request if the business does not ordinarily maintain the data in a personally identifiable form should help incentivize companies to de-identify data.

The proposed amendments, however, do not address a number of other ambiguities under the Act – including, for example, the scope of the GLBA carve-out. Moreover, the topics addressed in the rejected amendments – including the CCPA’s application to ad tech – are likely to remain hot button issues for many businesses, who may turn to future rule-making to seek their desired changes. Even if enacted, the proposed changes to the CCPA won’t be the last word on these subjects.

Copyright © by Ballard Spahr LLP

TRENDING LEGAL ANALYSIS


About this Author

Philip Yannella, Ballard Spahr Law Firm, Philadelphia, Data Security Attorney
Partner

As Co-Practice Leader of Ballard’s Privacy and Data Security Group, and Practice Leader of the firm’s E-Discovery and Data Management Group, Philip N. Yannella provides clients with 360-degree advice on the transfer, storage, and use of digital information.

Mr. Yannella regularly advises clients on the Stored Communications Act (SCA), Computer Fraud and Abuse Act (CFAA), EU-US Privacy Shield, General Data Protection Regulation (GDPR), Defense of Trade Secrets Act, PCI-DSS, Telephone Consumer Protection Act (TCPA), New York Department of...

215-864-8180
Kim Phan, Ballard Spahr Law Firm, Washington DC, Business and Finance Law Attorney
Of Counsel

Kim Phan writes and speaks frequently about privacy and data security issues for a variety of industries, including consumer financial services, retail, hospitality, higher education, and utilities. Ms. Phan counsels clients on privacy and data security law in areas including the Gramm-Leach-Bliley Act (GLBA), the Fair Credit Reporting Act (FCRA), the Telephone Consumer Protection Act (TCPA), and other federal and state privacy and data security statutes and regulations. Her work in this area encompasses strategic planning and guidance for companies to incorporate privacy and data security considerations throughout product development, marketing, and implementation. Ms. Phan also assists companies with data breach prevention and response, including establishing effective data security programs prior to a breach and the assessment of breach response obligations following a breach.

Ms. Phan has also done extensive e-commerce and mobile counseling with clients, including adapting an augmented reality mobile game for a retail client, conducting online behavioral advertising assessments of websites in order to update and enhance website privacy policies, and establishing employee training on social media interactions with consumers.

202-661-2286
Gina M. Pickerrell Lawyer Ballard Spahr Real Estate Law Washington DC
Associate

Gina M. Pickerrell is an associate in the Real Estate Department, and is a member of the firm's Privacy and Data Security Group. As a law student, Gina participated in the full-year Harrison Institute Public Policy Clinic researching and drafting strategies for a cross-sector approach to school and hospital food procurement. Gina also interned at an educational technology company researching student data privacy on the federal and state levels. She analyzed data ownership rights, conducted privacy agreement reviews, and drafted notification letters relating to corporate compliance and...

202.661.2220