Those interested in keeping up with the latest news impacting the California Consumer Privacy Act have been heavily focused on AB 25, and its potential to exclude employees from the scope of the CCPA. In a marathon late-night session, the California Senate Judiciary Committee weighed in July 11 on various bills – including AB 25. An while AB 25 was part of the Committee debate, that amendment may actually make the bill less useful than first intended. Additionally, another bill made it out of committee which has the potential of a far greater impact than anyone seems to be noticing.
AB 25 – The “Employee Carve-out”
In the context of ‘employment,’ AB 25 removes from the definition of “consumer”:
Personal information that is collected by a business about a natural person in the course of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business to the extent that the natural person’s personal information is collected and used by the business solely within the context of the natural person’s role or former role as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or a contractor of that business.
This would seem, at first blush to mean that employees aren’t covered by the CCPA. However, in Committee one 4 word amendment seems to have undone some of the advantage of the bill. The Judiciary Committee included in the “carve-out to the carve-out”, namely § 1798.145(g)(3), and additional section of the CCPA. Prior to the Committee amendment, the law is structured to permit private rights of action for security breaches by employees by stating that “[t]his subdivision shall not apply Section 1798.150.” With the Committee amendment, § 1798.100(b) was added to the “carve-out to the carve-out” in § 1798.145(g)(3).
The practical effect of this amendment is that employers of California residents will now be required to provide notice about data collection practices related to employees much like they do for customers or website visitors. This will require employers with California locations to develop privacy policies for employees which look much like the policies one finds on websites.
Additionally, this employee exception is only temporary. It expires on in one year. The original objective with the temporary exception is supposed to be to give the California Legislature time to enact new employee-data related privacy restrictions. Whether anything new can actually be passed in that time remains unknown, and as things now stand, companies still need to focus on customer, marketing and other externally obtained California consumer information in their CCPA compliance efforts.
AB 846 and Loyalty Programs
On July 11, the Judiciary Committee also passed an amendment to AB 846. The original version of the bill seemed to be designed to protect business loyalty, rewards, premium features, discounts, or club card programs from unintended consequences of the CCPA’s anti-discrimination language for “financial incentives”. This is a good idea because the way the original CCPA language treated loyalty programs was not clear in the context of the financial incentives and anti-discrimination provisions of §1798.125.
While the intent of AB 846 is laudable, the Committee amendment has given rise to a significant impact on business’ capability to use the data collected from such loyalty programs. A number of market verticals (e.g. retail) regularly use their loyalty programs to cross market between businesses. Under the expansive definition of “sale” in the CCPA, these kinds of transfers could easily be considered sales, because they are a transfer of personal information between corporate entities for “other valuable consideration.”
Most notably, AB 846’s amendment added one line which will have a significant chilling effect on these kinds of arrangements – “A business shall not sell the personal information of consumers collected as part of a loyalty, rewards, premium features, discounts, or club card program.” As currently written, there is no option to get consent. There is no exception. There is no “grandfathering” for existing programs. That one line in the new §1798.126(e) effectively removes the capability to cross market between businesses. This will have a significant material impact on the financial model of these kinds of programs.
Businesses will need to consider how to draft and deploy privacy policies for their employees which are compliant with the CCPA’s notice requirements. Figuring out how to revise loyalty programs to comply with the “no sale” prohibition is also something that is required.
We will continue to monitor these developments as they move through the state house, but it is important for businesses to recognize that the final form of the CCPA is still not set in stone. As such, businesses should consider what kinds of steps they might take to mitigate the impacts of not just AB 25’s amendments, but of the effects of AB 846’s amendments. Note that these amendments may still be further revised on the floor of the Senate. The last day of the legislative session (September 13) is going to be an interesting one if the amendments to the CCPA don’t get passed sooner.