Earlier in May, we attended the IAPP Global Privacy Summit in Washington, D.C. While GDPR continued to be discussed, the California Consumer Privacy Act (CCPA) was the subject of numerous dedicated sessions. The CCPA continues to be reviewed by the state legislature. At the beginning of May, we updated you on the recent amendments on the Lachman Law blog, Insights. Here are the bill amendments that survived as the May 31 origination deadline approaches (bills must clear their house of origination by May 31):
SB561 (Jackson) passed out of the Senate Judiciary Committee chaired by the author but was unanimously placed on suspense in the Appropriations Committee, putting the bill on hold indefinitely. Andrew Oxford (@andrewboxford) from the Associated Press tweeted on 5/16/2019, “the Senate Appropriations Committee is holding over a bill that would let consumers take companies to court over violations of California’s new data privacy law.”
The legislation would have restored a private right of action for non-data breach events (the Attorney General has exclusive enforcement rights, except for data breaches) and allowed statutory recoveries with a right to cure only to avoid class action suits. The bill was backed by the Attorney General and many consumer groups, concerned that the Attorney General’s office did not have the resources to enforce the law and provide guidance. However, SB561 also would have violated the agreement that led to the creation of CCPA last year, which took out the private right of action. Consumer and consumer attorney groups normally have a great deal of sway in the California legislature, and Judiciary Chair Senator Hannah-Beth Jackson was a strong ally, but we witnessed a strong push at the end by industry groups to respect the deal put together by Senator Hertzberg, and ultimately the entire committee voted to observe the original intent of the parties when CCPA was drafted. It is possible that a deal could pull the legislation back out of the suspense file, but that would be difficult given the deep divide between advocates and opponents.
AB25 (Chau) passed out of the Assembly Privacy and Consumer Protection Committee (chaired by Assemblyman Chau) and the Appropriations Committee and is awaiting a final floor vote in the Assembly before going to the Senate. The bill fixes a loophole in CCPA that allows employment data to be considered “consumer” data, fixing the most frequently cited problem with the CCPA.
AB1202 (Chau) was passed out of the Privacy and Consumer Protection Committee and Appropriations with minor amendments. It is awaiting a final vote in the Assembly.
AB846 (Burke) was passed out of the Privacy and Consumer Protection Committee and Appropriations. It is awaiting a final Assembly vote. The bill offers to fix CCPA to exclude gift card and loyalty programs from legislative “discrimination” prohibitions as long as there is notice and an opt-in that can be revoked. It was amended to allow companies to charge or offer discounts for participating in loyalty programs without such benefits or costs being considered discriminatory. Some have argued that this bill may not be necessary, since loyalty programs can just charge a small fee to get around CCPA’s current data sharing and discrimination prohibitions, but the traditional players in this space have had a historical issue with charging fees to consumers, believing it will scare consumers away.
AB873 (Irwin) passed out of the Privacy and Consumer Protection Committee and Appropriations, awaiting a final Assembly vote.
AB874 (Irwin) passed the Assembly and will end up in the Senate Judiciary Committee. These bills fix CCPA to allow companies to de-identify data and apply data minimization to avoid having to share it. This is what GDPR permits as well. The bills also eliminate “household” from the definition of “Personal Information.”
AB981 (Daly) passed out of the Insurance and Privacy and Consumer Protection Committees and Appropriations. The bill exempts insurance data for insurance companies from CCPA and is awaiting a consent calendar vote in the Assembly.
AB1355 (Chau) was passed out of the Assembly and is on its way to the Senate. The bill clarifies that de-identified data is not Personal Data and changes the parameters prohibiting companies from discriminating against consumers who don’t want to share data so that companies can charge or reduce charges based on the value of the data they collect.
AB1416 (Cooley) passed out of the Privacy and Consumer Affairs Committee and Appropriations. It is awaiting a final vote in the Assembly as amended. The bill applies GDPR-style exemptions to allow the use and sharing of data to prevent fraud, identify security incidents and defend from legal claims or as required by government entities. GDPR recital 47 expressly notes that fraud prevention is a legitimate business purpose. CCPA already allows businesses to share and collect data to detect fraud, as long as it is only disclosed for that purpose and no one “sells” that information. Due to the extremely broad definition of sale of data, which includes exchange for any value or consideration, some may feel the language is not sufficiently clear, especially for companies that provide fraud detection services by pooling data of their customers. The Electronic Frontier Foundation has opposed the bill, claiming that it expands the authorization of the sale of personal data to “data brokers.”
AB1564 (Berman) passed out of the Assembly. The bill would allow companies that exclusively operate online to offer only an email address for opt-out requests and for submitting data subject requests, while requiring all other companies to provide both a physical address and a toll-free number to process requests.
AB1146 (Berman) is awaiting a final Assembly vote. It would exempt sharing automobile information for warranty purposes from CCPA.