The committees of the California legislature overseeing privacy met in late April to review amendments to the California Consumer Privacy Act. While the more controversial bills were withdrawn, what is left will still be a subject of lively discussion:
AB1760 (Wicks), which would have created a right to opt in to the “sharing of personal data,” and Senator Stern’s SB753, which would have created an exception for Internet advertisers to serve ads to customers and deleted notification requirements of CCPA, were both withdrawn.
Key players on privacy legislation are Assemblymember Chau, who chairs the Assembly Privacy and Consumer Protection Committee; Assemblymember Lorena Gonzalez, chair of the Assembly Appropriations Committee; Senator Hannah-Beth Jackson, who chairs the Senate Judiciary Committee; and Senator Anthony Portantino, who chairs the Senate Appropriations Committee. All privacy bills will have to get through these four committees. Senator Robert Hertzberg, who was a key player in the passage of CCPA, will also be very important in this process.
All bills must clear their own chamber by May 31 to move forward to the other chamber.
• SB561 (Jackson) passed out of the Senate Judiciary Committee, chaired by the author, and was also passed by the Senate Appropriations Committee. The bill restores a private right of action (the Attorney General had exclusive enforcement rights) with damages of $750 per incident (or actual damages). The Attorney General can bring an action as well to recover $7,500 without a 30-day period to cure. The California Attorney General is supporting this bill and, even though this violates the original agreement that led to CCPA’s creation, it is likely to pass.
• AB25 (Chau) passed out of the Assembly Privacy and Consumer Protection Committee (chaired by Assemblyman Chau) and the Appropriations Committee. The bill fixes a loophole in CCPA that allows employment data to be considered “consumer” data, fixing the most frequently cited problem with the CCPA.
• AB1202 (Chau) was passed out of the Privacy and Consumer Protection Committee and referred to Appropriations on suspense, which is a hold status. The bill would create a data broker registry.
• AB846 (Burke) was passed out of the Privacy and Consumer Protection Committee and referred to Appropriations. The bill offers a fix to exclude gift card and loyalty programs from prohibitions as long as there is notice and an opt-in that can be revoked. Some have argued that this bill may not be necessary, since loyalty programs can just charge a small fee to get around CCPA’s current data sharing and discrimination prohibitions, but the traditional players in this space have had a historical issue with charging fees to consumers, believing it will scare consumers away.
• AB873 (Irwin) passed out of the Privacy and Consumer Protection Committee and was referred to Appropriations. AB874 (Irwin) passed out of the Privacy and Consumer Protection Committee and Appropriations. These bills fix CCPA to allow companies to de-identify data and apply data minimization to avoid having to share it. This is what GDPR permits as well. The changes also eliminate “household” from the definition of “Personal Information.”
• AB981 (Daly) passed out of the Insurance and Privacy and Consumer Protection Committees and was referred to Appropriations. The bill exempts insurance data for insurance companies from CCPA.
• AB1355 (Chau) was passed out of the Privacy and Consumer Protection Committee and the Appropriations Committee and is awaiting the final vote of the Assembly. The bill clarifies that de-identified data is not Personal Data and changes the parameters prohibiting companies from discriminating against consumers who don’t want to share data, so that companies can charge or reduce charges based on the value of the data they collect.
• AB1416 (Cooley) passed out of the Privacy and Consumer Affairs Committee and was referred to Appropriations. The bill applies GDPR-style exemptions to exempt the use and sharing of data to prevent fraud, identify security incidents and defend against legal claims. GDPR recital 47 expressly notes that fraud prevention is a legitimate business purpose. CCPA already allows businesses to share and collect data to detect fraud, as long as it is only disclosed for that purpose and no one “sells” that information. Due to the extremely broad definition of sale of data, which includes exchange for any value or consideration, some may feel the language is not sufficiently clear, especially for companies that provide fraud detection services by pooling data of their customers. The Electronic Frontier Foundation has opposed the bill, claiming that it expands the authorization of the sale of personal data to “data brokers.”
• AB1564 (Berman) passed out of the Privacy and Consumer Affairs Committee. The bill would require both a toll-free number and website access to take data subject requests.
• AB1146 (Berman) passed out of the Privacy and Consumer Affairs Committee. It would exempt sharing automobile information for warranty purposes from CCPA.
Contact Lachman Law for all your CCPA, GDPR, data and legal compliance needs to assist you in the evolving data privacy field.