By: Michelle Hon Donovan, Brandi Taylor and Angelica Zabanal
Last Friday, September 13, 2019, marked the final day for the California Legislature to vote to pass amendments intended to clarify the terms and scope of the California Consumer Privacy Act (CCPA), which takes effect on January 1, 2020. The bills are now on Governor Gavin Newsom’s desk for approval, and the Governor will have until October 13, 2019, to sign or veto them.
Of the CCPA amendment bills that were in consideration, the following were passed:
- AB 25, regarding employee exemption
- AB 874, regarding the definition of PI (personal information)
- AB 1146, regarding warranty and vehicle repairs
- AB 1355, regarding the B2B exemption and other clarifying amendments
- AB 1564, regarding toll-free telephone number exception
Of note, AB 1130 – a bill that does not specifically amend the CCPA – also passed. This bill expands the categories of PI covered by California’s data breach notification laws, which will now include tax identification numbers, passport numbers, military identification numbers and unique identification numbers issued on a government document, as well as certain types of specified unique biometric data. This expansion is anticipated to impact liability under the CCPA’s private right of action.
While not an exhaustive list of the bills that stalled during the legislative process, the following bills of note failed to be passed by the legislature:
- AB 873, regarding the definition of de-identified
- AB 846, regarding customer loyalty programs
- AB 981, regarding exemption for certain insurance transactions
While the approved amendments did not significantly overhaul the CCPA, several notable changes were made. Please see our Alert for a detailed discussion of these changes.
By Angelica A. Zabanal
When the California Consumer Privacy Act (“CCPA”) was passed last year, it was generally acknowledged that the CCPA would need to be clarified prior to its January 1, 2020, implementation. A variety of CCPA amendments are now one step closer to full passage.
Last month, the California Senate Judiciary Committee passed seven amendment bills to the CCPA. The bills are now headed to the Committee on Appropriations for a vote. Any bills amended by the Senate will need to return to the Assembly for a vote and a possible reconciliation. Lawmakers have until September 13, 2019, to vote on these CCPA amendments, which are summarized in their current form below:
- A.B. 25 (regarding Employee Exception): Amends the CCPA so that it excludes the collection of personal information (“PI”) from job applicants, employees, business owners, directors, officers, medical staff, or contractors, who would not be considered as “consumers” under the CCPA. Now amended to weaken the employee exception with a sunset exemption on January 1, 2021 and negating the exemption as it pertains to the CCPA’s notice and data breach liability provisions;
- A.B. 846 (regarding Customer Loyalty Programs): Excludes application of certain prohibitions in the CCPA to loyalty or rewards programs. Now amended to prohibit a business from selling consumer PI that was collected as part of a loyalty, reward, discount, premium features, or club card program;
- A.B. 1202 (regarding Data Brokers): Requires data brokers to register with the California Attorney General. Now amended to exclude language that would have provided consumers the right to opt-out of the sale of their personal information by data brokers;
- A.B. 1564 (regarding Disclosure Methods): Requires businesses to provide consumers with two methods for the submission of privacy requests, including a toll-free telephone number at a minimum. Excludes smaller online companies from the toll-free number and allows these companies to provide an email address for submitting privacy requests;
- A.B. 1146 (regarding Warranty and Vehicle Repairs): Exempts vehicle information retained or shared for purposes of a warranty or recall-related vehicle repair. Now amended to provide a clearer description of vehicle recalls;
- A.B. 874 (regarding “Publicly Available” Information): Expands definition of “publicly available” to include information that is lawfully made available from federal, state, or local government records. Amends definition of “personal information” to exclude de-identified or aggregate consumer information. (Approved by the Judiciary Committee without amendments);
- A.B. 1355 (regarding Opt-In Clarification): Exempts de-identified or aggregate consumer information from the definition of PI. Also clarifies that consumers over 13 years of age but younger than 16 years of age are required to opt in. Furthermore, parents need to authorize consent only for consumers under 13 years of age. (Approved by the Judiciary Committee without amendments.)
Stay tuned for more updates from Duane Morris LLP regarding the advancement of these CCPA amendments and join us for our CCPA webinar series.
Duane Morris will present The California Consumer Privacy Act of 2018 Webinar Series: Strategies for the New Era of Strict Consumer Privacy Protections. The first program, “Understanding the New California Consumer Privacy Act: Why The CCPA Applies to You and Practical Steps You Can Take Now to Comply,” will be held on Thursday, May 23, 2019, from 1:00 p.m. to 2:00 p.m. (Pacific).
For more information or to register, please visit the event website.
Privacy is like oxygen. It generally is not noticed by a consumer until it is gone. California lawmakers, however, are quite aware of privacy and have recently passed perhaps the most strict privacy law in the United States.
Only days ago, the California Consumer Privacy Act of 2018 (“the Act”) was signed into law by Governor Jerry Brown after it had been approved on a unanimous basis by the California State Assembly and the California Senate. The Act does not become operative until 2020, but when it goes into effect, it will pack a punch. Indeed, the Act will provide great control to consumers with respect to their own personal data.