With less than three months to go before amendments to California’s far reaching data privacy law need to be signed into law, the CCPA landscape may be changing yet again, as several amendments debated in the state Senate Judiciary Committee on July 9th underwent significant modifications. Eight proposed CCPA amendments were on the committee’s agenda, and several were hotly debated in an hours-long session that extended late into the night. In the end, two of the bills had substantive modifications, another was stalled, one was defeated, and the rest made it out of the committee, with limited changes. Here we summarize the highlights.
- AB 25 – Employee Information. AB 25 was originally a consensus bill to exclude employee personal information from the scope of the law, consistent with the law’s focus on “consumers.” Pressure from organized labor forced a change: employee information will now remain subject to the law, and businesses will need to disclose the type of employee data they collect, with whom it is shared, and why. However, businesses won’t be required to provide employees with CCPA access and deletion rights. The bill has a January 1, 2021 sunset clause, paving the way for further debate about how employee data should be treated under the CCPA.
- AB 846 – Customer Loyalty Programs. Legislators kept provisions that allow businesses to offer differential pricing through customer loyalty programs without violating the CCPA’s non-discrimination provision. However, under the current formulation of the bill, businesses that collect personal information through their loyalty programs would not be able to sell that information.
- AB 873 – Definitions of Deidentified Data and Personal Information. The bill that would have changed the definitions of “deidentified” data and “personal information” did not pass on a tie-vote, but will be reconsidered by the committee. The proposed amendment would have narrowed the definition to information that “does not reasonably identify, or link, directly or indirectly, to a particular consumer,” removing references to information that cannot “relate to, describe, [or] be capable of being associated with” a particular consumer. The bill also sought to replace the law’s multi-pronged safeguards with a more general requirements consistent with the FTC’s 2012 Staff Report describing characteristics of deidentified data and add a “reasonableness” requirement to the definition of personal information (information that is “reasonably capable of being associated with . . . a consumer”).
- AB 1416 – Sharing Personal Information with Governmental Agencies. The one CCPA bill that went down in defeat would have allowed businesses to share consumers’ personal information with governmental agencies in connection with governmental programs and also sell the personal information to companies engaged in providing data security.
The CCPA amendments were not the only privacy bills that were on the Judiciary Committee’s hot seat. A bill (AB 1395) that would have regulated the collection of voice recordings through smart speaker devices was defeated.
The bills that survived will now progress to the appropriations committee (where necessary), and those that were amended in the Senate will need to be voted on again by the Assembly. Bills that survive those rounds will be considered by the full Senate, where further amendments are also possible.
Just months before the country’s most far-reaching data privacy law goes into effect, only one thing is certain: the halls of the state capital will be quiet for the next few weeks. On July 11th, legislators’ summer recess begins and they won’t return to Sacramento until August 12th.