Is the CCPA proliferating? A midyear data privacy legislative round-up

Eversheds Sutherland (US) LLP

While the California Consumer Privacy Act (CCPA) and its potential amendments are still a top concern for businesses, other states are showing that they will not be left behind when it comes to enhanced privacy legislation. In this legal alert, we highlight potential significant changes to the CCPA, as well as other data privacy laws that are making their way through state legislatures. In this era of great uncertainty, fortune favors the prepared. Practically, this means taking a proactive approach to privacy, and erring on the side of compliance rather than hoping for last-minute legislative reprieves.

Significant Potential Amendments to the CCPA

The CCPA is still set to go into effect in 2020—a mere seven months from now. While enforcement may be delayed until July 2020, the obligations nonetheless kick in on January 1. There is a furious pace of legislative activity surrounding the CCPA, but it may end up being all sound and fury signifying nothing—or almost nothing. In other words, those that are relying on legislative activity to result in actual legislation that may completely relieve them of their compliance burdens are playing an increasingly risky game. Here are some major developments:

Senate Bill 561

  • SB 561 would have expanded the CCPA’s current private right of action to any violation of the Act, changing the law’s limited private right of action that now applies only to data breaches, and magnifying the potential financial impact of the Act on businesses operating in California.
  • SB 561 has been held up in the Senate Appropriations Committee, upsetting the bill’s author, Senator Hannah-Beth Johnson, who chairs the Senate Judiciary Committee.
  • The impact of this defeat on bills that have moved from the Assembly to the Senate and may come before Senator Johnson’s committee bears watching.

Assembly Bill 25

  • AB 25 would exclude employees, job applicants, and contractors (employees) from the definition of “consumer” under the CCPA, so long as their personal information was collected and used by the business only in that context. This means that employers would not have to provide their employees with any CCPA rights, such as the rights of disclosure, deletion and opt-out of selling their personal information.
  • AB 25 has passed the CA Assembly. If it were to pass the Senate, it could be especially helpful for those businesses that have no retail customer base or those that will benefit from other exemptions under the CCPA. For example, businesses regulated by the Gramm-Leach-Bliley Act (GLBA) would have not only their GLBA customer data but also their employee data excluded from the CCPA.
  • It remains to be seen whether the Senate will agree to remove employees from the CCPA.

Assembly Bill 981

  • AB 981 was significantly amended on April 30, 2019. The current version of the bill would eliminate a consumer’s right to request a business to delete or not sell the consumer’s personal information under the CCPA, if it is necessary for the business to retain or share the consumer’s personal information to complete an insurance transaction requested by the consumer.
  • The bill would also amend California’s Insurance Information and Privacy Protection Act (IIPPA) to incorporate certain disclosure and other requirements from the CCPA into the IIPPA. It would also require insurance institutions, agents or insurance-support organizations to implement a comprehensive written information security program.
  • The California Assembly passed AB 981, and it is now up for passage in the Senate, where passage is uncertain.

Other Potential Amendments

  • The California Assembly passed a number of other bills to amend the CCPA, including technical amendments to the definition of personal information regarding “households” and “deidentified consumer information” (AB 873 and AB 1355) and a more controversial bill that would create an exemption for those companies that are processing consumer information in furtherance of a government program (AB 1416).

May 31 was the last day for bills to pass their originating chamber in the California legislature for this legislative session. The California Senate will now have until September 13 to pass the potential CCPA amendments it has received from the Assembly, and Governor Gavin Newsom will have until October 13 to sign into law any amendments passed by both chambers. Meanwhile, we are still waiting on the California Attorney General to pass regulations clarifying major provisions of the CCPA. While there is quite a bit of uncertainty regarding the CCPA before its effective date of January 1, there is no doubt that the major contours of the CCPA will go into effect on that date, and businesses are advised to take steps now in bringing themselves into compliance.

Nevada Senate Bill 220

California is not the only state in the West to make waves in the privacy space. Nevada just joined its neighbor as the only other state to grant consumers the right to opt out of the sale of their personal information. Senate Bill 220, which Governor Steve Sisolak signed into law on May 29, goes into effect on October 1, 2019, giving certain businesses operating in Nevada a trial run of how to implement the right to opt-out of sale of personal information before the CCPA goes into effect a few months later.

It is important to note that Nevada’s law is narrower than the CCPA in certain ways. It provides consumers only with the right to opt out of data sales for monetary consideration, and does not provide consumers with broad rights to access, portability and deletion of their data that are provided by the CCPA and by the European Union’s General Data Protection Regulation (GDPR). The Nevada law’s definition of personal information, for example, is limited to personally identifiable information, which is significantly narrower than the CCPA’s definition of personal information, and does not apply to employees or to business-to-business contacts. Consumers will have the right to direct website operators not to sell their information, but the definition of “sale” excludes data disclosures to affiliates and data processors and disclosures that are “consistent with reasonable expectations of a consumer,” given the context. Website operator is defined as a person that: (1) owns or operates an Internet website or online service for commercial purposes; (2) collects and maintains covered information from Nevada residents that use or visit the internet website or online service; and (3) purposefully directs its activities toward Nevada (based on the Constitutional test of having a sufficient nexus to the state). Notably, the definition of an operator excludes third parties that operate, host, or manage a website on an owner’s behalf and entities and their affiliates that are subject to the GLBA or the Health Insurance Portability and Accountability Act (HIPAA). This is an entity-wide exemption that is similar to that available under Illinois’ Biometrics Information Privacy Act and is broader than the GLBA exemption under the CCPA.

New York’s Proposed Privacy Act

Not to be outdone by the West Coast, the State of New York is considering its own comprehensive data privacy bill—The New York Privacy Act (S. 5642). The bill was introduced by state Senator Kevin Thomas on May 9 and was the subject of a recent hearing of the New York State Consumer Protection Committee. The bill mirrors the CCPA in many ways: it has an expansive definition of personal information and requires businesses that process personal information of New York residents to provide those individuals with data privacy rights similar to the CCPA.

New York’s proposed privacy law would also be more expansive and different from the CCPA in multiple ways. For one, New York does not have California’s threshold requirements on the definition of a “business,” but, as currently drafted, presumably would apply to all businesses regardless of their size or revenue. New York’s law also would create a comprehensive private right of action and would not explicitly include a GLBA exemption.

It remains to be seen whether the New York Privacy Act can pass into law. As drafted, businesses would have six months from when it is signed into law to comply. The current legislative session is scheduled to end on June 19, though both chambers can be recalled if needed, until the official adjournment date of January 8, 2020.

Maine Legislative Document 946

Maine also recently took a step to protect consumer privacy online by passing Legislative Document 946 on May 31. The law prevents broadband internet service providers from using, disclosing, selling, or permitting access to consumer personal information without consumer consent, and it requires providers to provide a clear and conspicuous notice of the provider’s obligations and the consumer’s rights under the law. The law also requires broadband providers to take reasonable steps to protect customer personal information, taking into account the nature and scope of the provider’s activities, among other factors.

Massachusetts Bill S.120

Finally, the Massachusetts State Senate has recently referred a new consumer data privacy bill, S.120, to the Joint Committee on Consumer Protection and Professional Licensure. The Massachusetts law would protect any information relating to an identified or identifiable customer, and would explicitly include biometric information of all kinds in the definition of that protected information. Like the GDPR and CCPA, the Massachusetts law, if enacted, would impose notice requirements relating to the collection and disclosure of personally identifying information, including biometrics. In addition, S.120 includes a proposed private right of action that allows for up to $750 per violation, plus attorneys’ fees, for failure to abide by the law’s notice and collection requirements.

Conclusion

The flurry of state legislative activity during the first half of 2019 shows that cybersecurity and data privacy legislative efforts are not going away. Along with preparing for the CCPA, businesses will need to stay abreast of legislative activity at the federal and state levels to anticipate future requirements and adjust their legal, compliance and operational frameworks to accommodate significant paradigm shifts, as consumers increasingly raise questions about how businesses are using their digitalized personal information.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Eversheds Sutherland (US) LLP | Attorney Advertising
