The Bottom Line
- The marketing industry has been pleading for amendments to the CCPA and some helpful amendments have now been advanced. Should these amendments become law, they could offer some relief to the industry.
- Regardless, the industry is still awaiting the California Attorney General to issue implementing regulations, and those regulations will be critical to developing a comprehensive CCPA compliance program.
The California Assembly’s Committee on Privacy and Consumer Protection has approved a host of bills to amend the California Consumer Privacy Act (CCPA) that, if ultimately enacted into law as currently written, would provide some measure of relief to businesses. The bills passed by the Privacy and Consumer Protection committee have moved to the California Assembly’s Committee on appropriations for consideration. Any bills that this committee supports then will be voted on by the Assembly, before moving to the California Senate. If they pass the Senate, they would take effect if signed into law by the governor.
The CCPA
As we have discussed in previous alerts (see, for example: CCPA Update: Preparing for the CCPA – 10 Things You Can Tackle Now and CCPA Update: California Public Forums and Other Proposed State/Federal Legislation), the CCPA, which takes effect on January 1, 2020, provides various rights to consumers, including in general the right to:
- Know what personal information a business collects about consumers;
- Know what personal information a business sells about consumers, including the categories of personal information that the business sells and the categories of third parties to whom it sells that information, by category or categories of personal information for each third party to whom the personal information is sold;
- Access the specific pieces of information a business has collected about the consumer;
- Delete information that a business has collected from the consumer;
- Opt-out of the sale of the consumer’s personal information (which is an opt-in if the user is under 16 years of age); and,
- Non-discriminatory treatment.
Proposed Changes
The bills passed by the Privacy and Consumer Protection committee would amend the CCPA in a variety of ways.
For example, Assembly Bill (AB) 25 would clarify that the definition of “consumer” does not include an employee acting within the scope of his or her employment. It also would exclude from the definition of “consumer” a natural person whose personal information has been collected by a business from a job applicant, contractor or agent to the extent that this personal information is used for purposes compatible with the context of that person’s activities for the business as a job applicant, contractor or agent of the business.
As another example, AB 846 would clarify that the nondiscrimination section of the CCPA does not require businesses to eliminate customer loyalty programs, such as rewards points and programs.
AB 873 would clarify the range of data subject to the CCPA’s requirements and the steps that businesses must take to de-identify data so that those requirements more closely follow the Federal Trade Commission’s understanding of “de-identified” in its 2012 Privacy Framework.
Another bill, AB 874, would cut back on the CCPA’s expansive definition of “personal information” as it relates to information available from federal, state, or local government records, to the benefit of businesses that rely on access to these public records.
Then, AB 1564 would allow businesses the option to provide either a toll-free number or an email address – rather than requiring two methods as currently provided in the CCPA – for consumers to use to exercise their rights related to their personal information, particularly the right to know what personal information a business collects, the right to opt-out of having personal information sold to a third party and the right to have personal information deleted.
Insurers, agents, brokers, and support entities all would benefit from another bill – AB 981 – which would make it clear that the California Department of Insurance remains the single enforcer and regulator for insurance privacy under the California Insurance Code.