United States: California Consumer Privacy Act Update — California State Committees Vote On Amendments

Last Updated: May 14 2019
Article by Mark Lyon, Cassandra L. Gaedt-Sheckter and Maya Ziv

In the last two weeks, California legislative committees voted on several amendments to the California Consumer Privacy Act (CCPA), which is due to go into effect January 1, 2020. While each proposal requires additional approvals, including full Assembly and Senate votes, the committees' determinations provide an important development in the ongoing roll-out of the CCPA, what it will ultimately require, and how to address compliance.

The California Assembly's Privacy and Consumer Protection Committee approved amendments that included narrowing the scope of personal information, and effectively exempting employee-related information from coverage under the Act. In addition, the Senate Appropriations Committee unanimously approved S.B. 561 yesterday,1 which would expand the private right of action against entities that violate the CCPA, and is supported by Attorney General Xavier Becerra.2 These amendments, and any other legislative amendments or clarifications, will be further supplemented by the Attorney General Office's promulgation of regulations, still anticipated to be issued for public comment by Fall 2019.

The following is a summary of each of the amendments voted on in the past week, and a chart exhibiting the key changes to the existing language of the CCPA. As always, we will continue to monitor these important updates.

Senate

The Senate Judiciary Committee and the Senate Appropriations Committee both voted this month to augment the private right of action for violations of the CCPA with S.B. 561. Under the current version of the CCPA, consumers only have a private right of action for certain unauthorized disclosures of their data. S.B. 561 would permit a private right of action for any violation of the CCPA, broadly expanding the potential exposure businesses may face. The bill further removes the 30-day cure period for violations before claims can be brought by the Attorney General. Finally, the amendment removes the provision permitting businesses and third parties to seek guidance directly from the Attorney General, replacing it with a statement that the Attorney General may publish materials to provide general guidance on compliance.

Assembly

Several bills in the Assembly also continued to gain traction with a positive vote from the California Assembly's Privacy and Consumer Protection Committee:

  • A.B. 25 redefines "consumer" to exclude employees, contractors, agents, and job applicants, so long as their personal information is only collected and used by the business in that context;
  • A.B. 873 modifies the definition of "personal information" to narrow its scope—including by removing information relating to a household, and information "capable of being associated with" a consumer—and also redefines "deidentified" data;
  • A.B. 1564 would require businesses to make available to consumers a toll-free telephone number or an email address for submitting requests, and require businesses with websites to make those website addresses available to consumers to submit requests for information;
  • A.B. 846 would modify the way businesses can offer financial incentive plans to consumers in exchange for their data;
  • A.B. 1146 would exempt vehicle and ownership data collected by automotive dealers and shared with the manufacturers of the vehicle sold if the vehicle information is shared pursuant to, or in anticipation of, a vehicle repair relating to a warranty or recall; and
  • A.B. 981 would exempt certain insurance institutions subject to the Insurance Information and Privacy Protection Act (IIPPA) from the CCPA, and would incorporate certain disclosure and other privacy requirements into the IIPPA to be in line with the CCPA.

Notably, a proposal to revoke and revamp the CCPA, A.B. 1760—which would have required obtaining opt-in consent from consumers before sharing (not just selling) personal information, and would have generally broadened consumers' rights under the Act—was taken off hearing, and will not move forward, at least at this time.

Potential Impact of the Amendments on Businesses

Arguably the most important changes to the CCPA for businesses interacting with California consumers are the proposed amendments set out in S.B. 561; expanding the private right of action to any violations of the Act has the potential to significantly increase the number of suits brought by individuals, including data privacy class actions, and magnify the resulting financial impact of the Act businesses interacting with state residents. As before, in anticipation of this potential amendment, it is important for businesses to work now to analyze steps necessary to ensure compliance with the various provisions likely to go into effect, including as discussed in our previous client alerts ( California Consumer Privacy Act of 2018 (July 2018) and New California Security of Connected Devices Law and CCPA Amendments (October 2018)). In general, businesses should ensure that they understand the type, nature, and scope of consumer data they have collected, including where it is stored; create the processes to comply with the disclosure and other, technically difficult rights (including a Do Not Sell opt-out link on their website, and a request verification and disclosure process); revise service provider agreements for compliance; and review their privacy policies, both internal and public, to ensure that they are properly disclosing how personal data is collected, used, and potentially shared with third parties.

Certain of the proposed Assembly bill amendments, on the other hand, may serve to narrow the impact on businesses, particularly related to the scope of personal information at issue. The modifications in A.B. 25, clarifying that the CCPA is not intended to cover employees' data, could minimize the impact on companies that generally do not collect California residents' personal information other than as a result of being an employer of Californians, and also minimize logistical issues that would otherwise arise if businesses have to allow employees to exercise the rights afforded by the Act. Rather, it would shift the impact of the CCPA primarily to those businesses that rely on collecting data as a part of their business model.

The scope of personal information would be further narrowed if A.B. 873 passes, as it may eliminate some of the broader reaching—and more confusing—applications of CCPA, to household data and data that is "capable of being associated with" a consumer. The remaining language focuses on information that is linked directly, or indirectly to a particular consumer. This will also clarify some concern expressed at multiple public forums on the CCPA, regarding how verifications for data requests should work when the individual is requesting household data.

A.B. 873 also redefines "deidentified," and while several of the same guardrails would exist, the new definition would specifically require (1) contractual prohibitions on recipients of data to not reidentify such deidentified personal information, and (2) a public commitment to not reidentify the data, which may require certain internal and third party contract provision revisions, and suggested modifications to the language in consumer-facing privacy policies. As a result, it may be important for businesses to re-evaluate their contracts with suppliers, distributors, and contractors to ensure compliance for any use of deidentified data.

Logistically, A.B. 1564 would offer businesses some relief from providing a toll-free telephone number for requests related to the Act, offering instead an option of an email address or a telephone number, and a website address for consumers to access. While many businesses may have already included an email address for compliance with related laws, instituting a telephone number for such requests may impose additional logistical issues for businesses under the current text of the law.

Finally, for entities offering customer loyalty programs, the new provisions of A.B. 846—replacing the financial incentive provisions—will require particular attention, if passed. Primarily, businesses will need to ensure the offerings and their value must be "reasonably" related to the value of the data collected, though there may be latitude on what incentives are possible.

Comparison of Proposed Language to Original

The following chart provides a comparison of what would be key changes to the language of the CCPA as a result of the more broadly applicable amendments currently moving through the California legislature. The language crossed out in the Original Language column indicates what has been deleted from the current language of the Act, while the bolded language in the Proposed Amendment column shows what language has been added. That column contains what would be the final text if these amendments are adopted. We will continue to monitor the progress of these amendments, and will provide updates, accordingly.3

Concept Original Language Proposed Amendment
Introducing Private Right of Action for Any Violation of the Act

(S.B. 561)
(a) (1) Any consumer whose nonencrypted or nonredacted personal information, . . . is subject to an unauthorized access . . . may institute a civil action for any of the following . . . (a) (1) Any consumer whose rights under this title are violated, or whose nonencrypted or nonredacted personal information . . . is subject to an unauthorized access . . . may institute a civil action for any of the following
Excluding Employees from the Definition of Consumer

(A.B. 25)
(g) "Consumer" means a natural person who is a California resident . . . (g) (1) "Consumer" means a natural person who is a California resident . . .

(g) (2) "Consumer" does not include a natural person whose personal information has been collected by a business in the course of a person acting as a job applicant to, an employee of, a contractor of, an agent on behalf of the business, to the extent the person's personal information is collected and used solely within the context of the person's role as a job applicant to, an employee of, a contractor of, or an agent on behalf of the business.
Redefining Deidentified (A.B. 873) "Deidentified" means information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer, provided that a business that uses deidentified information:

(1) Has implemented technical safeguards that prohibit reidentification of the consumer to whom the information may pertain.

(2) Has implemented business processes that specifically prohibit reidentification of the information.

(3) Has implemented business processes to prevent inadvertent release of deidentified information.

(4) Makes no attempt to reidentify the information.
"Deidentified" means information that does not reasonably identify or link, directly or indirectly, to a particular consumer, provided that the business makes no attempt to reidentify the information, and takes reasonable technical and administrative measures designed to:

(1) Ensure that the data is deidentified.

(2) Publicly commit to maintain and use the data in a deidentified form.

(3) Contractually prohibit recipients of the data from trying to reidentify the data.
Excluding Household and Information "capable of being associated with" from the Definition of "Personal Information"

(A.B. 873)
"Personal information" means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following if it identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household. "Personal information" means information that identifies, relates to, describes, or could reasonably be linked, directly or indirectly, with a particular consumer. Personal information may include, but is not limited to, the following if it identifies, relates to, describes, or could be reasonably linked, directly or indirectly, with a particular consumer.
Prescribing Methods of Contacting Businesses

(A.B. 1564)
(1) Make available to consumers two or more designated methods for submitting requests for information required to be disclosed pursuant to Sections 1798.110 and 1798.115, including, at a minimum, a toll-free telephone number, and if the business maintains an Internet Web site, a Web site address. (1) (A) Make available to consumers a toll-free telephone number or an email address for submitting requests for information required to be disclosed pursuant to Sections 1798.110 and 1798.115.

(B) If the business maintains an internet website, make the internet website available to consumers to submit requests for information required to be disclosed pursuant to Sections 1798.110 and 1798.115.
Clarifying Non-discrimination Provision re Financial Incentives: Removing in Favor of Customer Loyalty Programs

(A.B. 846)

(a) (1) A business shall not discriminate against a consumer because the consumer exercised any of the consumer's rights under this title, including, but not limited to, by:

...

(B) Charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties.

(C) Providing a different level or quality of goods or services to the consumer.

(2) Nothing in this subdivision prohibits a business from charging a consumer a different price or rate, or from providing a different level or quality of goods or services to the consumer, if that difference is reasonably related to the value provided to the consumer by the consumer's data.

(b) (1) A business may offer financial incentives, including payments to consumers as compensation, for the collection of personal information, the sale of personal information, or the deletion of personal information. A business may also offer a different price, rate, level, or quality of goods or services to the consumer if that price or difference is directly related to the value provided to the consumer by the consumer's data.

(2) A business that offers any financial incentives pursuant to subdivision (a), shall notify consumers of the financial incentives pursuant to Section 1798.135.

(3) A business may enter a consumer into a financial incentive program only if the consumer gives the business prior opt-in consent pursuant to Section 1798.135 which clearly describes the material terms of the financial incentive program, and which may be revoked by the consumer at any time.

(4) A business shall not use financial incentive practices that are unjust, unreasonable, coercive, or usurious in nature.
(a) (1) A business shall not discriminate against a consumer because the consumer exercised any of the consumer's rights under this title, including, but not limited to, by:

...

(B) Charging higher prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties.

(C) Providing a lower level or quality of goods or services to the consumer.

(2) Nothing in this subdivision prohibits a business from offering a different price, rate, level, or quality of goods or services to a consumer, including offering its goods or services for no fee, if any of the following are true:

(A) The offering is in connection with a consumer's voluntary participation in a loyalty, rewards, premium features, discount, or club card program.

(B) That difference is reasonably related to the value provided by the consumer's data.

(C) The offering is for a specific good or service whose functionality is reasonably related to the collection, use, or sale of the consumer's data.

(b) As used in this section, "loyalty, rewards, premium features, discount, or club card program" includes an offering to one or more consumers of lower prices or rates for goods or services or a higher level or quality of goods or services, including through the use of discounts or other benefits, or a program through which consumers earn points, rewards, credits, incentives, gift cards, or certificates, coupons, or access to sales or discounts on a priority or exclusive basis.

Footnotes

1 Although approved unanimously, S.B. 561 was placed on Suspense File, where the committee sends bills with an annual cost of more than $150,000, to be considered following budget discussions. The bill will not move forward until the Appropriations Committee releases it for a vote.

2 The Senate Judiciary Committee had previously approved the bill 6-2 on April 9, 2019.

3 Please note that the following chart does not include language modifications to the IIPPA (A.B. 981) or proposed amendments exempting information shared between automotive dealers and vehicle manufacturers (A.B. 1146), as they are of more limited application than the more general provisions that were included. If you have questions about those particular provisions, please reach out to discuss with us and we would be happy to provide further guidance.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Authors
Similar Articles
Relevancy Powered by MondaqAI
 
In association with
Related Topics
 
Similar Articles
Relevancy Powered by MondaqAI
Related Articles
 
Related Video
Up-coming Events Search
Tools
Print
Font Size:
Translation
Channels
Mondaq on Twitter
 
Mondaq Free Registration
Gain access to Mondaq global archive of over 375,000 articles covering 200 countries with a personalised News Alert and automatic login on this device.
Mondaq News Alert (some suggested topics and region)
Select Topics
Registration (please scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions

Mondaq.com (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of www.mondaq.com

To Use Mondaq.com you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.

Disclaimer

The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.

General

Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions