The Scoop On Employee Data, Deidentified Data and Loyalty Programs

On July 9, over a 12-hour committee hearing, the California Senate Standing Committee on Judiciary voted on amendments for the California Consumer Privacy Act (CCPA). Tech companies, business groups, lobbyists and privacy advocates were all particularly focused on amendments AB 25, AB 846 and AB 873.

AB 25

AB 25 exempts employers from some data-collecting provisions. AB 846 clarifies that reasonable loyalty programs are exempt from the CCPA’s anti-discrimination requirement in Section 1798.125. However, an unpublished caveat was introduced at the end of the hearing for AB 846 that would ban the sale of loyalty program data by third parties upon valid opt-outs. AB 873 would have broadened the definition of deidentified information, which would not fall under the restrictions of the CCPA.

Described as a CCPA clean-up bill by some Committee members, AB 25’s passage will require employers to tell employees what type of information employers are collecting about them and why (i.e., a privacy notice). On the other hand, employers will not have to share specific details about what they have gathered on employees.

However, AB 25 has a sunset provision, or a one-year moratorium, that will expire on or before January 1, 2021. The provision was a compromise from the original employment-based exemptions, which opponents argued would open the door to allowing organizations to intrusively monitor employees beyond the scope of employment and outside of the business. For example, testimony during the hearing highlighted employee-monitoring techniques that were used by an employer to track employee pregnancies (see Ovia pregnancy tracking app). These types of employer intrusions are why the exemptions seemed overly broad.

Second, under AB 25, the CCPA’s data breach provisions will apply to employees, making complete data mapping an even higher priority. This also means that employees, applicants, contractors and agents are not excluded from exercising the Private Right of Action under the CCPA for security-related incidents. AB 25’s employee exemption is still under negotiation around what an employer can and cannot collect when it comes to the employer/employee relationship.

If personal information is collected beyond the employee relationship, at what point does the employee exemption under the CCPA cease, and coverage under the CCPA for the employee/consumer apply?

In sum, companies should provide accurate privacy notices to employees. They should also consider data mapping employee data, since the CCPA will require employers to inform employees of what type of information employers are collecting and sharing.

Finally, AB 25 further clarifies the authentication process, even though the California Attorney General’s Office must issue regulations clarifying the verification procedure. On authentication, AB 25 states, in part, that if the consumer already has an account with the business, they must submit the request through that account. Thus, if an organization leverages this process, it should ensure that the consumer’s account has mechanisms in place to submit a valid request to the organization under the CCPA.

AB 846

Under AB 846, businesses may collect consumer information through a loyalty program. Of note, the bill’s author agreed to an amendment banning the sale of that data to third parties, which has not been published by the Committee or released in writing.

Notwithstanding, AB 846 was debated on the issue of whether, when a consumer opts out of a loyalty program, the retailers’ subsequent interactions with the consumer’s personal information should constitute a sale under the CCPA. Opponents contended that opting out of a loyalty program should be a de facto opt-out of further sales to third parties under the CCPA. Over the course of the discussion, it was eventually agreed to amend AB 846 to ban the sale of loyalty data to third parties upon valid authentication and opt-out as defined under the CCPA. As of this writing, it is unclear whether AB 846 will become law or will be amended yet again.

AB 873

Disagreements ensued as the hearing progressed on AB 873. Several bills were introduced to exempt businesses from complying with the deletion request from consumers under the CCPA. The exemptions in the amendments pertained to, but were not limited to:

  • Personal information that is not reasonably capable of being linked to a consumer
  • Personal information that the business does not sell
  • Personal information that does not identify a consumer.

The amendments were rejected because it was argued that they weakened the CCPA.

Moreover, there were further debates concerning AB 873’s deidentified standard. One committee member indicated that if the deidentified definition was not corrected, the federal government would preempt. In particular, the 2013 FTC Staff Privacy report contains language treating deidentified data as data that is not covered, and it speaks to covered information in terms congruent with the CCPA’s personal information definition.

What does this mean?

Businesses would be advised to look at technical controls and determine how personal information is identified (first name, email address, Social Security number, IP address). The personal information that identifies the consumer must be technically separated from the remaining data, which is defined as deidentified data.

The federal government’s (2013 FTC Staff Privacy report) deidentified definition differs from the CCPA in practical application. AB 873 has been blocked for now in committee but can come up again after the legislature returns from its summer recess.

Where does this leave organizations that are standing up CCPA compliance programs and handling deidentified data, along with pseudonymizing and aggregating data?

Parsing Sections 1798.140 and 1798.145 of the CCPA as encompassing recommendations on deidentified data, organizations should:

  • Implement technical safeguards that prohibit reidentification of the consumer
  • Implement business processes that specifically prohibit reidentification of the information
  • Implement business processes to prevent inadvertent release of de-identified information
  • Make no attempts to reidentify the “de-identified” information.

CONCLUSION

Passage of the CCPA bills in the California Assembly in June does not guarantee approval and passage in the California Senate Judiciary Committee. Nor does passage in the Senate Judiciary Committee guarantee that the amendments will become law (e.g., AB 25, AB 846).

The bills that passed the California Senate Judiciary Committee will now be heard in the Senate Appropriations Committee. The California Attorney General is poised to propose rules in the fall. With about six weeks left in the California legislative process, additional amendments, clarifications, expansions and exceptions are sure to abound before the final enactment of the CCPA on January 1, 2020.

Ron Naulls

Senior Manager
Technology Consulting – Security and Privacy