In March we published an extensive analysis of proposed bills that would amend or supplement the California Consumer Privacy Act (CCPA). With a number of those bills having either passed the Assembly or been withdrawn, it is a good time to update our analysis.
In the below post, we identify and analyze these bills. In doing so, we first provide a summary of where the legislative process stands. We then analyze the most significant proposed changes and takeaways. Finally, we provide a table linking to each bill, identifying the issue to which it is directed, and providing an analysis of the bill’s proposed changes.
Where The Legislative Process Stands
We have been tracking nineteen bills that would amend or supplement the CCPA. Seventeen of those bills originated in the Assembly and two originated in the Senate. The two Senate bills have failed, including SB 561, which would have expanded the CCPA’s private right of action. Thirteen of the Assembly bills have now passed that chamber. The four remaining Assembly bills have been withdrawn or not seen any movement in months.
The bills that passed the Assembly are being assigned to the Senate Judiciary Committee. That is significant. The Senate Judiciary Committee is chaired by Senator Hannah-Beth Jackson, who was the sponsor of SB 561. After that bill failed, she was interviewed by the New York Times and stated that she would fight against any bill that she perceived as weakening the CCPA:
My only goal was to make the law enforceable — whatever that law is today. And I was told, “No, no, no. We made a deal last year; we have to stick to the deal.”
So if my bill to try to make it enforceable failed because we have to stick to the deal that was made last year, efforts to undermine it, to give exclusions and exemptions — all sorts of excuses for not enforcing it — then those have to fail as well. We’ll be playing a little defense here so that we don’t end up with a bill that’s so weak it’s essentially nothing.
And it’s important, too, that we protect what we’ve got because a lot of states have looked to California.
In other words, the fact that many of these bills passed the Assembly does not mean that they are certain to pass the Senate or, even if they do, that they will pass in their current form.
What we do know is that the deadline for the legislature to pass bills is September 13. Given that the legislature takes a one month recess from July 12 to August 12, we can expect a busy four weeks in late August/early September. Also, keep in mind that the California Attorney General’s office is working on proposed regulations and has stated that it anticipates publishing a Notice of Proposed Regulatory Action in the fall.
No Reason to Delay Compliance Efforts: As we pointed out in our March analysis, there is nothing contained in the proposed bills that should cause businesses to delay compliance efforts. The CCPA’s core requirements will remain intact.
The Employee Carve-Out is Still Alive: Any business with employees in California will be happy to hear that the employee carve-out bill – AB 25 – passed the Assembly and is pending in the Senate.
The Expanded Private Right of Action is Dead: Businesses can breathe a sigh of relief knowing that SB 561 – which would have expanded the private right of action – is dead.
Are Some Common Sense Fixes Coming?: A few of the bills discussed below are directed at fixing obvious typos in the CCPA. One such example is AB 874, which would fix a typo in the definition of “personal information” to clarify that deidentified and aggregate information is not personal information.
Beware of the Data Breach Notification Bills: Two of the bills discussed below seek to amend California’s breach notification statute. One bill would expand the types of information covered by the statute while the other would specify that notice must be provided within 45 days. Given that the CCPA allows for statutory damages for certain types of data breaches, businesses should be closely tracking these bills.
The bill would exclude certain employment-related information from the definition of consumer. The premise for this bill is that the CCPA was intended to cover consumer information, not employment information. For entities with California employees, the passage of this bill would significantly reduce their compliance burden.
The bill passed the Assembly on May 29.
This bill would have required social networking services to provide users that close their accounts the option of having their personally identifiable information permanently removed from the company’s database and records.
The April committee hearing for this bill was canceled at the request of the author.
The bill would amend § 1798.125, which currently prohibits a business from discriminating against a consumer if the consumer exercises any of their CCPA rights. The current version would exclude certain customer loyalty programs from that provision.
The bill passed the Assembly on May 28.
The bill would amend the CCPA’s much-criticized definition of “deidentified” to be consistent with the FTC’s three-part standard. It also would insert the word “reasonably” into the definition of personal information (i.e., “reasonably capable of being associated with”).
The bill passed the Assembly on May 22.
The bill would correct the definition of “personal information” to clarify that it does not include deidentified or aggregate consumer information. The bill would also amend the definition of “publicly available” by removing the following sentence: “Information is not ‘publicly available’ if that data is used for a purpose that is not compatible with the purpose for which the data is maintained and made available in the government records or for which it is publicly maintained.”
The bill passed the Assembly on May 9.
The original bill would have exempted insurance institutions, agents, and support organizations to which the Insurance Information and Privacy Protection Act (IIPPA) applies from the CCPA. However, the version that passed the Assembly only would eliminate a consumer’s right to request a business to delete or not sell the consumer’s personal information if it is necessary to retain or share the consumer’s personal information to complete an insurance transaction requested by the consumer. The bill also would make a number of changes to the IIPPA.
The bill would require that notice of a data breach be provided within 45 days. A prior version of the bill also would have linked the “reasonable security” standard in the CCPA to NIST standards. (See further discussion here.)
The bill would expand the definition of “personal information” in California’s breach notification statute to include biometric information, tax identification number, passport number, military identification number or other unique identification number issued on a government document commonly used to verify an identity. Because the CCPA allows for statutory damages for breaches of personal information (as defined in the breach notification statute), this bill would expand the types of information subject to the CCPA’s statutory damages.
The bill would exempt from the CCPA vehicle information, including ownership information, retained or shared between a new motor vehicle dealer and the vehicle’s manufacturer if the vehicle information is shared pursuant to, or in anticipation of, a vehicle repair relating to warranty work or a recall.
The bill passed the Assembly on May 23.
The bill would require “data brokers” to register with, and disclose certain information to, the California Attorney General. Subject to certain exemptions, data broker is defined as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.”
This bill would add § 1798.300 to the Civil Code and require a business in California that uses facial recognition technology to disclose that usage in a physical sign that is clear and conspicuous at the entrance of every location that uses facial recognition technology.
The bill passed the Assembly on April 25.
The bill would correct the definition of personal information to clarify that deidentified and aggregate data is not personal information. The bill also would make a number of grammatical and internal cross-reference changes.
The bill would amend section 1798.145 to state that the CCPA does not restrict a business’s ability to (1) comply with rules or regulations adopted pursuant to and in furtherance of state or federal law, (2) provide a consumer’s personal information to a government agency solely for the purposes of carrying out a government program, including providing government services in furtherance of a government program, or (3) sell the personal information of a consumer who has opted-out of the sale of the consumer’s personal information to another person for the sole purpose of detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity, provided that the business and the person shall not further sell that information for any other purpose.
This bill would modify § 1798.130 to provide that a business can make a toll-free number or email address and physical address available for submitting verifiable consumer requests.
The bill passed the Assembly on May 13.
The bill would have significantly revised and expanded the CCPA.
The bill was withdrawn in April.
The bill would have created a private right of action for violations of the CCPA, and eliminated the 30-day cure period. It also would have replaced the provision allowing businesses or third parties to seek the opinion of the AG’s office with a provision providing that the AG’s office “may publish materials that provide businesses and others with general guidance on how to comply” with the CCPA.
The bill was withdrawn on May 16.
The bill would have amended the definition of “sale” to exclude instances in which, “pursuant to a written contract, the business shares, discloses, or otherwise communicates to another business or third party an online identifier, an Internet Protocol address, a cookie identifier, a device identifier, or any unique identifier only to the extent necessary to deliver, show, measure, or otherwise serve or audit a specific advertisement to the consumer” provided that the contract prohibits the other business or third party from sharing, selling, or otherwise communicating the information except as necessary to deliver, show, measure, or otherwise serve or audit an advertisement from the business.
The bill was withdrawn on April 23.