California: Lawmakers set about refining the CCPA

Photo by Clarisse Meyer on Unsplash

“Vague”, “confusing”, “needs clarifying”, and “difficult to implement”. These are just a few examples of feedback received so far, concerning the California Consumer Privacy Act (CCPA).

Back in August 2018, a coalition of business groups, made up of the California Chamber of Commerce, plus a wide range of industry associations, wrote to California lawmakers to request a series of amendments to the CCPA (“AB 375”) which was enacted on June 28, 2018.

The coalition’s letter requested the correction of several drafting errors, and remedial measures for certain aspects of the bill, which are deemed “unworkable” by affected businesses, in order to avoid “negative consequences unintended by the authors.”

The requested changes included modifications to definitions of terms such as “consumer” and “personal information”, and greater flexibility to create and clarify the non-discrimination in services provision.

But there are other groups that also have a vested interest in state-level privacy laws like the CCPA. And, increasingly, state lawmakers who possess insufficient knowledge of the technical aspects of data privacy have to rely on the services of outside experts, in order to codify the required protections for effective legislation. But, could this also open the gates to industry-funded lobbyists, whose aims could potentially be more in favor of the hands that feed them, than safeguarding the privacy rights of consumers?

Last Tuesday, April 23, 2019, the California Assembly Privacy and Consumer Protection Committee began the task of clarifying the reported ambiguities contained within the CCPA. As with any complex legislation, some of the language can be confusing, making the law difficult for affected parties to put into practice. The objective of the legislature is to resolve several key compliance ambiguities before the California Attorney General’s rulemaking begins later this year.

The three most important bills approved addressed the CCPA’s very broad and confusing definitions of the terms “personal information”, “consumer”, and “de-identified” information, and had the support of Alastair Mactaggart, chair of Californians for Consumer Privacy.

Employees are not “consumers”

Chairman Ed Chau’s AB 25, which was unanimously approved, contains an important clarification that, for the purposes of the CCPA, employees are not “consumers”, as long as the individual’s personal information is collected and used exclusively in regard to the employer-employee relationship. In the case of a contractor, a written contract must be in place. This exception would apply to emergency contact and beneficiary data, not simply data regarding the employee/contractor/agent. Chau also indicated an intention to exempt data that is collected and used exclusively in regard to a business-to-business relationship.

Household data collected in privacy-protective manner

In respect of safeguards to the right to obtain “specific pieces of personal information”, AB 25 contains language stating that the committee intends to work with stakeholders to clarify the application of the CCPA access right to household data. This is in order to ensure that access occurs in a privacy-protective manner that does not harm the privacy of other household members.

Chairman Ed Chau also voiced his concern that pre-texters could obtain sensitive information using access requests. Pre-texters use a broad range of tactics to gain access to personal information. They often claim to represent many different types of organizations, such as banks, government agencies, local law enforcement agencies, and survey firms.

Clarification of de-identified information

Assemblywoman Jacqui Irwin’s AB 873: Clarifying personal and de-identified information, was also unanimously approved. There are now two compromise proposals contained within the bill, which Mactaggart had put forward during negotiations with stakeholders. The first certifies that “personal information” does not cover all “information that is ... capable of being associated” with a specific individual or household, but instead, information that is “reasonably capable of being [so] associated.” This provision would have the effect of placing some boundary on the CCPA’s almost limitless definition of personal data, excluding information that is only theoretically capable of being associated. 

The second proposed compromise would substitute the 2012 Federal Trade Commission staff report “reasonably linkable” de-identification standard for the CCPA’s current definition, which is circular with the CCPA definition of “personal information”. In effect, this is no exception at all.

De-identified data would mean data which:

“does not reasonably identify, or link directly or indirectly to a particular consumer, provided that the business makes no attempt to re-identify the information and takes reasonable technical and administrative measures designed to:

  1. Ensure that the data is de-identified,

  2. Publicly commit to maintain and use the data in a de-identified form, and

  3. Contractually prohibit recipients of the data from trying to re-identify the data.”

This principle would effectively provide a path and clear incentive to de-identify data, therefore limiting the range of data being held by businesses, which would be subject to the CCPA.

By way of example, this would probably have the effect of exempting IP addresses and device identifiers, which are controlled separately from personal data and cannot be queried or accessed by employees or third parties, who could potentially link the data.

Another example is personal information that is encrypted or one-way hashed. Such data would be exempt, as would data which is separately stored, never combined, and which the business has made a public commitment to maintaining in a de-identified form.

Approval of other CCPA amendment bills:

  1. AB 846, a bill to clarify that loyalty programs are exempt from the CCPA’s “non-discrimination” restrictions concerning consumers who exercise CCPA opt-out rights, and to clarify confusing language in that section. The bill was narrowed somewhat during the mark-up, and Chau expressed a strong view that incentives need to be directly, instead of “reasonably,” related to the value of the consumer’s data, which would be a quite different test.

  2. AB 981, a bill that, as introduced, would have exempted regulated insurance companies from the CCPA, but that has been amended to add numerous new privacy requirements in the Insurance Code.

  3. AB 1146, a bill to clarify that motor vehicle warranty or recall information may be shared between auto dealers and manufacturers without being subject to data deletion or “do not sell” requests.

  4. AB 1564, a bill to provide alternatives to the current CCPA requirement that businesses must establish a toll-free number to receive CCPA requests.

  5. AB 874, a bill to create a clear and full public record exemption from the definition of “personal information.”

  6. AB 1355, a Chau bill to make technical changes to the many drafting errors in the CCPA.

Withdrawal of CCPA amendment bills

Two CCPA amendment bills were withdrawn during the hearing:

  • AB 1760, (AKA “Privacy for All Act”)
    This bill would have substantially expanded CCPA requirements. Its features included:

    1. Extending the private right of action to all privacy violations,

    2. Extending the opt-out from not only the “sale” of personal data but to all sharing of personal information, adding data minimization requirements, and expanding the CCPA’s “right-to-know” rule by requiring businesses to specifically identify to consumers the names of the third parties with whom personal information was shared.

The bill, which could have imposed more than $1 billion in compliance costs, was withdrawn due to an apparent lack of support. It is now a two-year bill, although a comparatively similar bill, SB 561, was narrowly approved by the Senate Judiciary Committee. The bill could possibly become a mechanism for expanding enforcement of CCPA requirements via city attorney enforcement.

  • SB 753
    Senator Henry Stern, D-Calif., withdrew SB 753 during a Senate Judiciary Committee hearing held on the same day. This was a bill to exempt from the CCPA definition of “sale” the sharing of “any unique identifier only to the extent necessary to deliver, show, measure, or otherwise serve or audit a specific advertisement to the consumer.” Evidently, this was a triumph for certain privacy groups intent on stopping this bill.

Are these bills likely to become law?

CCPA amendment bills are to be considered by the Senate Judiciary Committee. The committee is chaired by Senator Hannah Beth Jackson, D-Calif. Apparently, Jackson is likely to attempt to block some of these bills, or to try adding elements of SB 561 to them.

At the end of the day, Senate leaders will need to engage actively for CCPA amendment bills to succeed in the Senate. However, these initial moves are a positive indicator that some legislative clarifications of CCPA requirements could potentially pass this year.
