Proposed Amendments to the California Consumer Privacy Act May Limit Scope of the Act
Following the speedy enactment of the California Consumer Privacy Act (CCPA or Act) in June 2018, business and consumer advocates alike have been pressuring California lawmakers to clarify the many ambiguities raised by the Act’s sweeping requirements. California lawmakers recently responded to these calls for greater clarity by proposing a slate of amendments to address some of the more controversial provisions of the CCPA, including the definition of “personal information”, requirements regarding information sharing, and the scope of industry exemptions.
More specifically, on April 23rd, the California Assembly Privacy and Consumer Protection Committee (Committee) considered nine bills that seek to amend the CCPA to provide greater clarity for industry and consumers. The following is a summary of the proposed amendments.
Narrowing Key Definitions
AB-25 and AB-873, clarify the definitions of “personal information” and “consumer” under the CCPA. Committee Chairman Ed Chau (Chairman) proposed AB-25, which clarifies that personal information collected from job applicants, employees and contractors within the scope of that role is not covered by the CCPA. This carve-out does not apply, however, to an employee’s emergency contact and beneficiary information, which are still personal information under the CCPA. The Committee unanimously approved AB-25 for submission to the California Committee on Appropriations.
Another bill, AB-873, narrows the definition of “personal information” to information “reasonably” associated with a person. The current text defines personal information to include all information “capable of being associated” with a person. At the same time, AB-873 aligns the definition of “de-identified” data with the FTC standard – as opposed to the broader GDPR standard. Under the proposed bill, data qualifies as de-identified where the business removes all personal identifiers from the data, commits to maintain and use information in its de-identified form, and prohibits recipients of the data from re-identifying the data.
AB-873 also clarifies that a business need not re-identify personal information in order to respond to a subject access request where the data is not ordinarily maintained as personal information. This last change is particularly significant, addressing a frequently voiced concern that the CCPA would require businesses that maintain pseudonymized data to re-identify the data to respond to access or erasure requests, thereby defeating the purpose of pseudonymization.
Allowing Information Sharing
The Committee also approved a bill that would explicitly allow businesses to sell consumers’ personal information for customer loyalty programs. AB-846 clarifies that the opt-out provided to consumers for the sale of personal information does not apply to customer loyalty programs, such as grocery store discounts and airline frequent flier miles.
Exempting Information and Industries
Other bills approved by the Committee narrow the scope of the Act by exempting certain categories of information. For example, the Act currently does not apply to public information, which is defined in a very narrow way. AB-874 broadens the public record exemption by redefining “publicly available” to include all information that is made lawfully available from federal, state, and local records. This exemption would prohibit consumers from requesting the disclosure of public information contained in government records. AB-1146 allows motor vehicle warranty or recall information to be shared between automobile dealers and manufacturers by exempting such information from the scope of the right of deletion provided to consumers under the Act. AB-981 narrows the scope of the CCPA by exempting information that is already covered by the Insurance Information and Privacy Protection Act.
Notably, the Committee rejected other proposed amendments to the Act. One dismissed proposal, SB-753, would create an exemption from the definition of “sale” to allow unique identifiers that serve or audit specific consumer advertisements – which is relevant for targeted advertisements.
Another dismissed proposal, known commonly as the “Privacy for All Act” or AB-1760, would have added data minimization requirements to the CCPA, extended the opt-out requirement to cover any sharing of personal information (not just the sale of personal information), and expanded the right-to-know requirement to allow consumers to demand disclosure of the specific third parties receiving their information. AB-1760 would have also provided a private right of action for all privacy violations. A similar measure, however, is pending in the state Senate.
The bills that passed the Committee are now before the Assembly Appropriations Committee, where the bills must pass by May 17, 2019. If passed by the Assembly Appropriations Committee, the bills will be submitted to a vote by the full Assembly and must pass by May 31, 2019 to move to the state Senate. The bills must then pass before September 13, 2019 to be presented to the Governor who has until October 3, 2019 to sign or veto passed bills.
If enacted, the Committee-approved bills provide much-needed clarity for businesses worried about CCPA compliance. In particular, the narrowing of the definition of “personal information” to exclude employees and job applicants will likely remove many businesses from the scope of the Act. Similarly, the clarification that businesses need not re-identify personal information to respond to an access request if the business does not ordinarily maintain the data in a personally identifiable form should help incentivize companies to de-identify data.
The proposed amendments, however, do not address a number of other ambiguities under the Act – including, for example, the scope of the GLBA carve-out. Moreover, the topics addressed in the rejected amendments – including the CCPA’s application to ad tech – are likely to remain hot button issues for many businesses, who may turn to future rule-making to seek their desired changes. Even if enacted, the proposed changes to the CCPA won’t be the last word on these subjects.