On August 6th, over 40 businesses and trade associations representing the technology, financial services, health, and retail sectors (the “Coalition”), wrote a letter to California lawmakers requesting that the CA Legislature scale back the ramifications of the recently enacted California Consumer Privacy Act (“CCPA”). This letter is one of the most visible efforts to amend the CCPA since it was enacted on June 28, 2018.
The CCPA was passed after one week of CA Senate and Assembly floor consideration in an effort to strike a more restrictive privacy law referendum from the November 2018 election ballot. Due to the limited ability of businesses to weigh in prior to the CCPA’s passage, the Coalition identified sections of the CCPA that it asserts are overly burdensome or impractical to implement, including the compliance deadline. These businesses are lobbying lawmakers to seek a series of legislative amendments, commonly known as technical corrections, to the CCPA to be enacted before the law takes effect in January 2020. Such technical corrections range from remedying small drafting errors to changing more significant aspects of the law that the Coalition believes would result in consequences that were unintended by the CCPA’s authors.
Given the pace of its prior consideration, California legislators began to propose legislative amendments without delay to the CCPA once the bill was passed. Shortly after passage, legislators introduced Senate Bill 1121 (“SB 1121”), which provides for comprehensive technical corrections to the underlying law.
The Coalition includes groups such as the California Chamber of Commerce, Securities Industry and Financial Markets Association, California Mortgage Bankers Association, Motion Picture Association of America, the Internet Association, TechNet, the California Cable and Telecommunications Association, the California Hospital Association, and the Alliance of Automobile Manufacturers. In its letter, the Coalition suggests changes to the CCPA, and further asks to be included in the technical corrections process, given its members’ field and technical expertise.
Under the CCPA, the California Attorney General is responsible for undertaking the rulemaking process. The Coalition identified the short deadline for the rulemaking process as its most urgent concern. Given the CCPA’s all-encompassing requirements, companies remain concerned that they will be unable to comply if the rules are not finalized in advance of the CCPA’s effective date. In the event that the intervening period is too brief, the Coalition asserts that it would result in companies hastily endeavoring to be compliant by January 2020, only to have to expend more resources once the rules are final.
SB 1121 is unlikely to advance before the CA Legislature adjourns at the end of August, and the Coalition will likely continue to lobby for similar amendments well into 2019. In order to address the issue with respect to the timing of rulemaking, the Coalition suggests in its letter that CA legislators delay the Attorney General’s rulemaking process slated to begin on January 1, 2020, and permit companies one year following the completion of the rulemaking to come into compliance with the CCPA. Doing so, according to the letter’s authors, would permit companies to comply meaningfully with the new law.
Additionally, believing that lawmakers intended for the CCPA’s private right of action to apply only to data breaches, the Coalition has proposed language in its letter to limit the private right of action accordingly, and, specifically, not to allow such actions for other potential privacy violations.
Further, the letter requests that the forthcoming technical changes narrow the CCPA’s definition of “personal information” so that it is consistent with the definition of an “identifiable person.” Specifically, the Coalition proposes that the Legislature clarify that personal information is limited to that which can be linked or reasonably linkable to a particular individual, as opposed to information which can be de-identified, or aggregate consumer information, which the CCPA presently shields. The letter’s authors believe that the CCPA’s current definition is so broad that it is meaningless and state that, “[e]very piece of data could in theory be randomly ‘associated with an individual.’” The Coalition favors the more limited definition not only because it has been the standard in prior privacy laws and regulatory guidance, but also because it is more practical for companies to comply with a definition that does not include information that has only a hypothetical connection with a consumer.
The Coalition’s letter also requests clarity on whether the employees of a company are covered by the CCPA. In order to address the confusion on this issue, the Coalition recommends modifying the definition of the term “consumer” to only include persons whose personal information has been obtained resulting from the consumer’s purchase or use of a product or service, and to affirmatively exclude from this definition employees or those who otherwise have a commercial relationship with a company. The stated intent of this amendment, according to the Coalition, is to “continue to cover information originally obtained in a consumer transaction even if it is held by a credit bureau, data broker, or other businesses. However, it would avoid the problems of including information obtained in employment and business to business situations while aligning the law with the common understanding of who is a consumer.”
In addition to these recommendations, the Coalition states that additional unintended consequences of the CCPA may emerge, and they are seeking to continue to work with lawmakers to ensure a workable solution to protect private consumer information as intended and to ensure meaningful compliance.