Jul 152019

Crunch Time in California – CCPA Amendments Hotly Debated and (Some) Defeated – Employee Data Is Back, Reasonable Definition of Personal Information Is Gone (For Now), and More!

Alan Charles Raul and Sheri Porath Rockwell
, , , , ,

With less than three months to go before amendments to California’s far reaching data privacy law need to be signed into law, the CCPA landscape may be changing yet again, as several amendments debated in the state Senate Judiciary Committee on July 9th underwent significant modifications.  Eight proposed CCPA amendments were on the committee’s agenda, and several were hotly debated in an hours-long session that extended late into the night.  In the end, two of the bills had substantive modifications, another was stalled, one was defeated, and the rest made it out of the committee, with limited changes. Here we summarize the highlights.

  • AB 25 – Employee Information.  AB 25 was originally a consensus bill to exclude employee personal information from the scope of the law, consistent with the law’s focus on “consumers.”  Pressure from organized labor forced a change: employee information will now remain subject to the law, and businesses will need to disclose the type of employee data they collect, with whom it is shared, and why.  However, businesses won’t be required to provide employees with CCPA access and deletion rights.  The bill has a January 1, 2021 sunset clause, paving the way for further debate about how employee data should be treated under the CCPA.
  • AB 846 – Customer Loyalty Programs.  Legislators kept provisions that allow businesses to offer differential pricing through customer loyalty programs without violating the CCPA’s non-discrimination provision.  However, under the current formulation of the bill, businesses that collect personal information through their loyalty programs would not be able to sell that information.
  • AB 873 – Definitions of Deidentified Data and Personal Information.  The bill that would have changed the definitions of “deidentified” data and “personal information” did not pass on a tie-vote, but will be reconsidered by the committee. The proposed amendment would have narrowed the definition to information that “does not reasonably identify, or link, directly or indirectly, to a particular consumer,” removing references to information that cannot “relate to, describe, [or] be capable of being associated with” a particular consumer.  The bill also sought to replace the law’s multi-pronged safeguards with a more general requirements consistent with the FTC’s 2012 Staff Report describing characteristics of deidentified data and add a “reasonableness” requirement to the definition of personal information (information that is “reasonably capable of being associated with . . . a consumer”).
  • AB 1416 – Sharing Personal Information with Governmental Agencies.  The one CCPA bill that went down in defeat would have allowed businesses to share consumers’ personal information with governmental agencies in connection with governmental programs and also sell the personal information to companies engaged in providing data security.

The CCPA amendments were not the only privacy bills that were on the Judiciary Committee’s hot seat.  A bill (AB 1395) that would have regulated the collection of voice recordings through smart speaker devices was defeated.

The bills that survived will now progress to the appropriations committee (where necessary), and those that were amended in the Senate will need to be voted on again by the Assembly.  Bills that survive those rounds will be considered by the full Senate, where further amendments are also possible.

Just months before the country’s most far-reaching data privacy law goes into effect, only one thing is certain: the halls of the state capital will be quiet for the next few weeks.  On July 11th, legislators’ summer recess begins and they won’t return to Sacramento until August 12th.

Alan Charles Raul

Washington, D.C., New York

araul@sidley.com

Sheri Porath Rockwell

Century City

sheri.rockwell@sidley.com

You might also like
U.S. Employers Need to Reconsider Use of Confidentiality and Nondisparagement Provisions in Light of New NLRB Decision

Employers frequently seek to include confidentiality and nondisparagement provisions in severance agreements provided to departing employees. Last week, the U.S. National Labor Relations Board (NLRB or Board) significantly altered the legal landscape governing such provisions, making it much more difficult for unionized and nonunionized employers alike to use them for nonsupervisory employees without running afoul of the National Labor Relations Act (NLRA). The decision is likely to be appealed, and we will issue updates as they become appropriate. In the interim, however, it is critically important for employers to understand the implications of the decision (see below) and to adjust their use of these provisions to limit their risk.

Substantial changes to Hong Kong’s privacy laws coming

In a briefing to the Legislative Council (Hong Kong’s legislative body) on February 20, 2023, the Privacy Commissioner (“the Commissioner”) announced that substantive amendments to the Personal Data (Privacy) Ordinance (“PDPO”) will take place.

Illinois Supreme Court Clarifies Accrual for Illinois Biometric Privacy Act Claims

For the second time in two weeks, the Illinois Supreme Court clarified the scope of the Illinois Biometric Privacy Act (BIPA) — this time in Cothron v. White Castle. The court, in a 4–3 decision, held that BIPA claims accrue each time biometric data is collected or transmitted, and not just the first time.1