CCPA Legislation Updates; Now’s the Time to Consider its Impact to Your Organization

The California Consumer Privacy Act (CCPA) continues to be a work in progress. For bills to advance, they must go through the full Assembly, the California Senate and the California governor to be enacted as law.

As the CCPA works its way through the legislative process, lawmakers in California continue to mull over the proposed amendments to clarify the legislation, limit its scope and determine how terms are defined. Summarized below are 11 bills that seek to refine the California Consumer Privacy Act and their statuses as of May 30:

AB 1760: Bill proposed to significantly change the CCPA’s provisions, including to require affirmative opt-in consent to share personal information. The bill was withdrawn from consideration by the Committee.

  • Status: Withdrawn from assembly consideration, hearing canceled at the request of the author; (legislature may reconsider January 2020, but will have until January 31 to vote into law)

SB 561: Was sidelined May 16 by the Senate Appropriations Committee. The added private right of action would have made all violations of the CCPA subject to litigation. However, when the CCPA goes into effect, the Attorney General’s office will still have the ability to seek an injunction and a civil penalty up to $2,500 for each unintentional violation and $7,500 for each intentional violation and disclosure of data collection or selling of data without permission.

  • Status: Placed on suspense file

AB 25: Seeks to clarify the definition of consumer exempting a person’s personal information only to the extent that their personal information is collected and used solely within their employee role, or similar roles within the employment context.

  • Status: Assembly passed, ordered to the Senate

AB 874: Redefines “publicly available” to mean “information that is lawfully made available from federal, state, or local government records…” with an exclusion for “’personal information” that is clear and full public record. This bill would also clarify that “publicly available” does not include consumer information that is “deidentified or aggregate consumer information.”

  • Status: In Committee process

AB 846: The non-discrimination statute of the CCPA would not apply if the business’s differential treatment of a consumer “is in connection with the consumer’s voluntary participation in a loyalty, rewards, premium features, discount, or club card program,” or related to “a specific good or service whose functionality is directly related to the collection, use, or sale of the consumer’s data.”

  • Status: Passed Appropriations Committee, pending referral

AB 873: This bill would revise the definition of “deidentified” to “information that does not identify, and is not reasonably linkable, directly or indirectly, to a particular consumer (see 2012 FTC staff report pg. 18).” Also, redefining that “personal information” does not cover “information, that which is capable of being associated,” but instead information that is “reasonably capable of being associated with” a particular consumer or household.

  • Status: Pending before the Appropriations Committee

AB 981: This bill would “eliminate a consumer’s right to request a business to delete or not sell the consumer’s personal information under the CCPA if it is necessary to retain or share the consumer’s personal information to complete an insurance transaction requested by the consumer.” The California Insurance Information and Privacy Protection Act (“IIPPA”) would harmonize similar consumer privacy protections to reflect the CCPA.

  • Status: In Committee process

AB 1355: Similar to AB 874, this bill would clarify that the “personal information” definition excludes information that is deidentified or aggregated. The bill also prohibits a business from discriminating against the consumer for exercising any of the consumer’s rights under the act, except if the differential treatment is “reasonably related to the value provided to the business by the consumer’s data.” The consumer has the “right to request the specific pieces of personal information and categories of information the business has collected about the consumer…” Disclosure can be in the business’s online privacy policy or policies, and opt-in consent is required to sell the personal information of children less than 16 years of age (not including children who are 16 years of age).

  • Status: In Committee process

AB 1416: Would amend and add that the CCPA shall not restrict a business’s ability to comply with any federal, state, or local laws. Establishes an exception for a business that provides and shares personal information with a government agency solely to carry out a government program. Also, establishes an exception for selling the personal information of consumers who have opted out of the sale “for the sole purpose of detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity…”

  • Status: Assembly passed, ordered to the Senate

AB 1564: Requires businesses to make available “a toll-free telephone number or an email address and a physical address for submitting requests” for information disclosure under the CCPA. Online-only businesses will need to provide an exclusive email address if no physical address exists. If a business maintains a website, the bill requires the business to make the website address available to consumers for submission requests.

  • Status: In Committee process

AB 1146: Exempts certain vehicle information from the CCPA shared between a new motor vehicle dealer and specified parties.

  • Status: Passed Appropriations Committee, pending referral

Is the CCPA still a work in progress? Yes, it appears that it is as additional amendments are contemplated, including the ones discussed here. The first draft of the regulation is expected by November 2019 with the final version by January 2020.

As with the data breach laws and its progressive stance, California seems to want to make the CCPA as forward-thinking as possible before its operative date. Gauging and anticipating changes to the law makes it more of a challenge for organizations to fully operationalize CCPA compliance. Many companies underestimate the time and resources required for CCPA compliance, therefore, it is imperative that companies begin to implement CCPA compliance programs well in advance of January 1, 2020.

Ron Naulls

Senior Manager
Technology Consulting – Security and Privacy