Amendments Bring New Clarity to CCPA Scope in Advance of 2020 Deadline

In the rush to pass AB-375 (the California Consumer Privacy Act (CCPA)) before the 2018 deadline to withdraw the looming ballot initiative, it was clear that amendments would be necessary.  Mere months after its passage, SB-1121 was passed to clean up technical and grammatical errors, but the more substantial revisions were anticipated this year.  In tracking those amendments, businesses have gained clarity on their 2020 compliance obligations.

One of the most substantial concessions made by the proponents of the CCPA ballot initiative was the removal of the private right of action for privacy violations, leaving enforcement to the California Attorney General.  While the CCPA created new statutory damages for private causes of actions resulting from a data breach (Cal. Civil Code §1798.150(a)(1)), enforcement of the CCPA’s privacy obligations were left to the discretion of the California Attorney General. However, California Senate Bill 561, introduced by Senator Hannah-Beth Jackson in February 2019, sought to reinstate the private cause of action for CCPA privacy violations, causing heartburn for the tech industry, which feared that a flood of class action litigation could result.

These fears were assuaged somewhat when the California Senate Appropriations Committee, which had previously placed SB 561 in the Committee’s Suspense File on April 29, 2019, declined to release the bill from the Suspense File on May 16, effectively killing it for this legislative session.  The Suspense File allows the Committee to hold legislation so that they can evaluate the potential resulting financial impact. In the case of SB 561, the Senate Appropriations analysis from April 29 stated that SB 561 would have “[u]nknown, potentially-significant workload cost pressures to the court to adjudicate lawsuits filed by consumers for alleged violation of rights granted by the act,” and further noted that “if alleged violations of the [CCPA] that would not have been litigated by the Attorney General led to the filing of four or more new large cases, eighteen or more smaller cases, or a few complex cases that took longer than six days to adjudicate, the cost pressures to the court would surpass the Suspense File threshold.”

While there is still the possibility that creative plaintiffs could attempt to pursue private causes of action against businesses for alleged CCPA violations (for example: arguing that CCPA violations constitute “unfair business practices” in violation of California’s Unfair Competition Law (Cal. Bus. & Prof. Code § 17200 et seq.), these attempts are unlikely to gain traction, based on the California Supreme Court’s prior rulings that legislative statements intending to preclude a private right of action are determinative, as well as the CCPA’s own explicit recitation that the privacy compliance obligations are not intended to “serve as the basis for a private right of action under any other law” (Cal. Civil Code Sec. 1798.150(c)).

On the other side of the aisle, several proposed amendments have been approved by the Assembly or proceeded out of committee:

AB-873 – Amends the definition of “deidentified” data, modifying the meaning from information that “cannot reasonably identify, relate to , describe, be capable of being associated with, or be linked” to a particular consumer, to instead mean information that “does not identify and is not reasonably linkable” to a particular consumer, moving deidentification measures from an absolute to a more reasonable and achievable standard. The bill also requires businesses sharing deidentified data with third parties to take “reasonable technical and administrative measures designed to … [c]ontractually prohibit recipients of the data from trying to reidentify the data.” (Approved by the Assembly on May 22, 2019)

AB-981 – Adds an additional exception to the CCPA’s scope, preventing consumers from exercising their rights of deletion or prohibition on sale of personal information with respect to information “to the extent it is necessary to retain or share a consumer’s personal information to complete an insurance transaction for a product or service … that has been requested by the consumer.”  AB-981 also substantially revises the Insurance Code sections addressing consumer privacy under California Insurance Information and Privacy Protection Act (CIIPPA) (Ca. Ins. Code Sec. 791 et seq.).  Among other revisions are the inclusion of definitions for “biometric information” and substantial expansion of the existing definition of “personal information” to mirror the CCPA. (Approved by the Assembly on May 22, 2019)

AB-1564 – Modifies the channels through which consumers may submit CCPA requests.  Under existing law, all businesses must provide a toll-free telephone number for consumers to make a request, as well as a website if the business maintains a website.  The amendment would allow a business to offer either a toll-free telephone number or an email address and physical address.  In addition, if the business operates only online, they would only be required to provide an email address for CCPA requests.  However, if they operate a website, they must “make the internet website available to consumers to submit” CCPA requests. (Approved by the Assembly on May 13, 2019)

AB-874 – Clarifies that “personal information” does not include deidentified or aggregate consumer information.  Also simplifies the definition of “publicly available” information as relating to information lawfully made available from federal, state, or local records. (Approved by the Assembly on May 9, 2019)

AB-25 – Seeks to exclude from the definition of “consumer” the personal information of any applicant, employee, contractor, or agent of a business, so long as the consumer’s personal information is only collected and used within the scope of the person’s job application or employment.  (Scheduled for full Assembly vote)

AB-846 – Attempts to clarify that the CCPA’s prohibitions on discrimination resulting from invocation of CCPA rights would not apply to loyalty or rewards programs where the consumer either voluntarily participates in the program or where the preferential offering of a good or service is “directly related to the collection, use, or sale of the consumer’s data.” (Scheduled for full Assembly vote)

AB-1146 – Excludes vehicle information from deletion obligations and other provisions of the CCPA where the vehicle information is retained or shared between a new motor vehicle dealer and the vehicle’s manufacturer if the information is “shared pursuant to, or in anticipation of, a vehicle repair relating to warranty work or a recall.” (Scheduled for full Assembly vote)

AB-1202 – Following Vermont’s lead, this legislation would require data brokers to register with the California Attorney General and honor consumer requests to opt out of the sale of their personal information. (Scheduled for full Assembly vote)

It remains to be seen how the Assembly’s amendments are received by the Senate, but the proposed revisions appear to provide some of the clarity sought by businesses prior to the 2020 compliance deadline.  In addition, the California Attorney General is expected to release its proposed rulemaking later this year, some of the most important aspects of which will be the guidance on approved procedures for verification of consumer requests and submission of consumer requests from authorized third parties.  Of course, if you have any questions about how the CCPA affects your business, please contact Scott Lyon at 714-557-7990 or [email protected].

This blog post is not offered as, and should not be relied on as, legal advice. You should consult an attorney for guidance in specific situations.