By: Joshua Mooney
Enacted in June 2018, the California Consumer Privacy Act (CCPA) has been criticized for its broad scope, the burdens it would impose on businesses, and its textual ambiguities. The legislation arose from a controversial privacy ballot to expand California consumer privacy rights through amendments to the California Constitution. To avoid the ballot’s effect, the CCPA was hastily written and enacted – approximately one week from drafting to reaching the Governor’s desk – to appease the ballot’s backers. Now that approximately eight months remain before the CCPA takes effect (January 1, 2020), some changes appear to be coming to address some of the raised concerns.
The CCPA represents a fundamental change in privacy law. The Act has extraterritorial reach and, given that California constitutes the world’s fifth largest economy, the legislation will have a dramatic impact on companies located throughout the United States and beyond. The CCPA grants “consumers,” defined as California residents, explicit rights regarding their personal information held by for-profit companies. Those include the right to (1) access their personal information (Civ. Code Sec. 1798.100); (2) know what personal information is being collected (Civ. Code Sec. 1798.110); (3) know whether personal information is being sold or disclosed to third parties (Civ. Code Sec. 1798.115); (4) request the deletion of personal information (Civ. Code Sec. 1798.105); (5) opt out of the sale of personal information (Civ. Code Sec. 1798.120); and (6) equal service and price to those who choose to exercise any right under the Act (Civ. Code Sec. 1798.125).
On April 23, the California Assembly’s Committee on Privacy and Consumer Protection passed several Assembly Bills that would amend the CCPA. Some of the most significant amendments include:
- Modification of the definition of “consumer” to exclude employment-related data. Specifically, the amendment would exclude from the definition of “consumer” “a natural person whose personal information has been collected by a business in the course of a person acting as a job applicant or as an employee, contractor, or agent, on behalf of the business, to the extent their personal information is used for purposes compatible with the context of the person’s activities for the business as a job applicant, employee, contractor, or agent of the business” (AB25). This change addresses criticism that information collected in the employment context should not fall within the CCPA’s broad scope and requirements.
- Modification of the definition of “personal information” by removing the phrase “is capable of being associated with” and the term “household.” The new definition for “personal information” reads “information that identifies, relates to, describes, or could reasonably be linked, directly or indirectly, with a particular consumer. Personal information may include, but is not limited to, the following if it identifies, relates to, describes, or could be reasonably linked, directly or indirectly, with a particular consumer” (AB873). This change should eliminate some ambiguities and make the broad scope of the term clearer.
- Modification of the definition of “personal information” to exclude consumer information that is deidentified, or aggregate consumer information. The definition for “deidentified” would be amended to mean “information that cannot or does not reasonably identify, or link, directly or indirectly, to a particular consumer, provided that the business makes no attempt to reidentify the information, and takes reasonable technical and administrative measures designed to: (1) ensure that the data is deidentified; (2) publicly commit to maintain and use the data in a deidentified form; and (3) contractually prohibit recipients of the data from trying to reidentify the data” (AB873). The current treatment of deidentified data as personal information was a big departure from GDPR and HIPAA, and seemed somewhat nonsensical. This change – which would exclude from the definition of “personal information” that information which cannot identify a consumer – adds further consistency and clarity to the Act.
- Modification of the definition of “personal information” to exclude publicly available information (AB874).
Finally, and separately, Senate Bill 561 would create a private right of action for violations of the CCPA. While commentators hail many of the proposed changes to the CCPA as pro-business, SB561 does not fall within this category. SB561 has been backed by California Attorney General Becerra, who has stated that the Attorney General’s Office is ill-equipped to enforce the measures of the CCPA. However, many worry – rightfully – that a private cause of action could unleash a flood of litigation, much like the Telephone Consumer Protection Act (TCPA). The bill also would eliminate the 30-day cure period currently afforded to violating businesses.
Each of these bills still requires passage by both houses of the California Legislature, which is projected as likely. We will continue to track this pending legislation. Additional changes may come.