As the California Judiciary Hearings on CCPA regulation wind down, the legislature begins amendments to update the law. Here’s a guide:
The California Department of Justice completed its hearings on CCPA at Stanford University on March 5, 2019. As with the Los Angeles and Sacramento hearings, attendance increased and testimony centered around a similar set of issues:
- Defining the sale of data within the context of digital advertising, loyalty programs, insurance, and service providers.
- Establishing data minimization documentation as an alternative to having to share all data collected that could possibly qualify as a piece of “personal information.”
- Narrowing of the right to share household data to protect individual privacy with respect to data subject requests.
- Establishment of safe harbors for certifications.
- GDPR harmonization.
- Definition of “records,” since for some small companies inquiries may contain IP addresses or other data that quickly pushes them across the 50,000 record threshold.
- Whether advertising profiles should be personal information and to what extent all IP addresses should be personal information.
- Creation of a universal symbol, seal or logo for data removal requests.
As the regulatory process moves into its next phase, the legislature has begun the work of re-examining the hastily constructed statute itself. Andrew Lachman attended all the hearings and our firm, Lachman Law, provided testimony to the Assembly Internet and Consumer Privacy Committee. Our suggestions were included in the legislation proposed, which included data minimization integration and GDPR harmonization.
To date, the following amendments are most notable for fixes to the CCPA:
- SB561 (Jackson) – Restores a private right of action (the Attorney General had exclusive enforcement rights) with $750 per incident (or actual damages), and sets forth a process to limit class actions. The Attorney General can also bring an action to recover $7,500 per incident. The California Attorney General is supporting this bill and it is likely to pass.
- AB25 (Chau) – Fixes a loophole in CCPA that allows employment data to be considered “consumer” data, fixing the most frequently cited problem with the CCPA.
- AB846 (Burke) – Offers to exclude gift card and loyalty programs from prohibitions as long as there is notice and an opt-in that can be revoked.
- AB873 & AB874 (Irwin) – Fixes CCPA to allow companies to de-identify data and apply data minimization to avoid having to share it. This is what GDPR permits as well. It also eliminates household from the definition of “Personal Information”.
- AB981 (Daly) – Exempts insurance data for insurance companies.
- AB1355 (Chau) – Clarifies that de-identified data is not Personal Data.
- AB1416 (Cooley) – Applies GDPR exemptions to allow businesses to use and retain data to prevent fraud and defend from legal claims, even when a right to delete is requested.
- AB1564 (Berman) – Requires both a toll-free number and website access to take data subject requests.
- SB753 (Stern) – Creates an exception for Internet advertisers to serve ads to customers and deletes notification requirements of CCPA. While the Internet Advertising Bureau has been making a strong case that CCPA’s definition of “sale of data” would disrupt digital advertising models that depend on an open marketplace, the deletion of notification and removal requirements may be viewed as gutting too much of the CCPA.
Two (2) additional bills have been proposed that would expand consumer rights under CCPA:
AB1760 (Wicks) – Creates a right to opt-in for the “sharing of personal data.” This is an aggressive bill backed by many of the founders of the ballot measure. There is a reason that opt-ins are not the standard procedure in privacy:
- First, for complex processes that require sharing amongst vendors to provide a service, it is unwieldy and impractical.
- It is also very hard to get, even in cases where the sharing is necessary to provide the service.
- Proposed prohibitions against discrimination against those who refuse to give permission do not make sense in cases where the sharing is central to providing the service.
AB1281 (Chau) – Requires public notice for use of facial recognition technology.
Most of these changes are common sense and respond to gaps in the bill, except AB1760, which would be a whole new direction beyond any other approach to privacy, and SB753, which takes away large segments of consumer notification obligations.
Several loopholes remain to be fixed:
- Applying the merger exemption to getting consent to the sale of a line of a business.
- Defining a “record.” CCPA applies to companies with records on more than 50,000 Californians. While this seems large, if you count inquiries and IP addresses to websites, that number can add up very quickly for small businesses.
Even with these fixes, CCPA will still go beyond GDPR, and you should begin your planning now to ensure that you are not unprepared for the beginning of 2020, when the law becomes enforceable.
Here is the February 20th CA State Assembly Committee on Privacy & Consumer Protection hearing. Fast forward to the 3:38 point to see Lachman Law founder Andrew Lachman’s comments to the Committee.
Contact us for a free consultation or if you are interested in attending a CCPA workshop hosted by Lachman Law.