It seems like the California Consumer Privacy Act (CCPA) is in a state of perpetual mutation. The latest round of amendments are now meandering through the California State Assembly, and if passed, will either provide some welcome clarification, or make the law even more baffling.
Several bills are now awaiting a Senate vote, having already made it through the California Assembly Appropriations Committee, while others are still pending committee approval.
So, let’s take a quick look at the 8 primary CCPA amendments currently on the docket:
Definition of terms
Under the CCPA in its current iteration, personal information is broadly defined as any information that “identifies, relates to, describes, is capable of being associated with or could reasonably be linked, directly or indirectly to a particular consumer or household”. Evidently this includes some forms of publicly available information.
De-identified information cannot be linked to an individual without the addition of other data points – or it is data that has been so modified, that there is only a minimal possibility of reidentification. Unfortunately, the CCPA currently lacks clarity in terms of the threshold for when data can be considered reasonably
de-identified under the new law.
Omer Tene, VP and chief knowledge officer at the International Association of Privacy Professionals said:
“I don’t think any of these bills vitiate the CCPA, rather, they address open policy, practical challenges and ambiguous issues, and tighten the law’s language.”
Top of the pile
There are 3 amendments that have already been approved by the appropriations committee.
AB 25 would create a carve out for employee data so that the CCPA does not apply to job applications, employees or contractors.
According to Brian Kane, COO and co-founder of Sourcepoint:
“[This] is a substantive change that may put business-to-business CRM data and employment records beyond the reach of the CCPA,”
AB 874 seeks to soften the definition of personal information by exempting information collected from public records. This is an irritation to the privacy community, because it represents a carve out for data brokers that rely on public databases.
AB 1355 also aims to clarify the meaning of personal information by excluding de-identified and aggregated consumer information.
It’s still too early to tell which of these bills will get signed off by the state governor. However, proposals that offer clarification of ambiguous aspects of the law, such as AB 25, are more likely to pass, according to Brandon Reilly, an attorney focused on privacy and data security at law firm Manatt, Phelps & Phillips.
Next in the queue
AB 846 would basically torpedo the CCPA’s “non-discrimination requirements,” which some see as the end of the line for loyalty programs.
AB 873 proposes to slightly redefine the term “personal information” from data that is “capable of being associated” with an individual or household, to data that is “reasonably capable” of being associated.
Gary Kibel, a partner at Davis & Gilbert said:
“The existing language is a concern, because it means nothing – as anyone in the ad tech industry knows, you can match anything with anything, …The definition of ‘household’ is also freaking everyone out because, how do you define a household? Do roommates count?”
AB 981 would exempt insurance providers from the requirement to comply with data deletion requests, if such data is necessary in order to complete a transaction. This is similar to the GDPR’s concept of legitimate interest.
AB 1146 would basically do the same thing, but for vehicle repair information.
AB 1564 would require affected companies to give consumers a single communication method for submitting information requests. The CCPA currently requires two methods for getting in touch. These being an email address and a toll free number.
But wait. There’s more…There is another very significant bill doing the rounds which, if passed, would empower consumers. California’s Senate Judiciary Committee has approved SB 561, which would give consumers a private right of action, in response to any violation of the CCPA. Currently this is limited to data breaches.
This would enable consumers to sue businesses that violate their privacy rights under the CCPA. California’s attorney general supports this bill, which gives the AG greater powers of enforcement of CCPA law.
What is most noticeable about the majority of proposed amendments is that they do not introduce “radical restructuring of the CCPA’s core obligations or major changes to the applicability thresholds,” said Reilly.
The science of compliance?
Given that we are already almost half-way through the year, it is likely that the Assembly amendments will move up the chain pretty quickly. Those that get the “thumbs up” should be in place by January 2020, which is when the CCPA comes into effect.
Meanwhile, businesses are in a compliance holding pattern, Kibel said, noting a “compressed timeline.”
He continued, “If the amendments are passed in September or October, that may be around the same time as when the attorney general’s implementing regulations are issued and three or four months before the start date for the law,” and added, “There’s a lot of uncertainty about how to manage compliance, especially among ad tech companies, because there are still many moving parts and the regulations have not yet been issued.”