Are we there yet?

On June 28, 2018, California became the first in the nation to adopt a sweeping new privacy regime inspired by the European Union's General Data Protection Regulation. Unless revised by forthcoming attorney general regulations or preempted by federal law, the new law called the Consumer Privacy Act of 2018 (Cal. Civ. Code Section 1798.100, et seq.) will go into effect Jan. 1, 2020, and significantly impact how covered businesses collect, use and disclose California residents' "personal information."

The CCPA is a unique legislative animal. It is the brain child of a California real estate developer who turned the concept into 2017 ballot initiative proposal. By June 2018, the initiative had gained enough signatures to qualify for the November 2018 ballot, and had garnered the attention of the business community and California legislators. Because of the challenges of changing laws passed through California's direct ballot system, including the requirement that a ballot initiative can only be undone by two-thirds of the popular vote (or else modified by a 70 percent vote from both state houses), the business community and privacy advocates agreed on a compromise that would codify the CCPA into law in exchange for the ballot initiative being withdrawn. After months of negotiation, the CCPA was passed and signed into law on the same day, June 28, 2018 (also the last day to withdraw the initiative). The CCPA was amended once in September 2018, which cleaned up nonsubstantive drafting errors.

The CCPA, as amended, integrates many elements of the ballot initiative, which itself was inspired in part by the GDPR. The CCPA is therefore a byproduct of compromises made between the business community and privacy advocates, reflected in the fact that the CCPA incorporates broad consumer rights that would not have been in the underlying ballot initiative (including the right to deletion, right to specific pieces of information, and the separate treatment of minors data through an opt-in mechanism), certain items being excluded (such as the whistleblower provision), and certain items being limited (such as the private right of action and nature of the public enforcement entity).

Notwithstanding this compromise, the CCPA has undergone intense scrutiny since its passage. Business groups have sought clarification of the CCPA's broad definitions of "personal information" and "consumer." Consumer groups have attempted to strengthen the CCPA's protections to ensure any approved exception does not swallow the rule. And while the attorney general has been working on implementing regulations expected to be released this fall, numerous CCPA amendments have made their way through the California Legislature.

Below we examine some of the more critical pending amendments and their current procedural posture. But before doing so, and at the risk of sounding like an episode of school-house rock, it's first important to summarize the California legislative process as it relates to pending legislation. California is a bicameral state, with an Assembly and a Senate. After a bill is introduced in either chamber, it is assigned to a policy committee where it undergoes debate and a vote. For the CCPA, the committees of jurisdiction are the Privacy and Consumer Protection Committee in the Assembly and the Committee on the Judiciary in the Senate. The deadline for initial bills to move out of policy committee for the 2019 legislative session expired on May 3. The last day for each house to pass bills introduced earlier this year is May 31. If passed, the bill will move to the other chamber where members will rinse and repeat. If a bill is amended in the second chamber, it must go back to the house of origin for concurrence, which is agreement on the amendments. If agreement cannot be reached, the bill is referred to a two house conference committee to resolve differences. If both houses approve the bill, it goes to the governor for either signature or veto. The last day for the governor to sign or veto bills passed by the Legislature is Oct. 13.

Now that we know how the sausage is made, let's dig in.

AB 25 (Chau): Excluding Employee Data. Since its passage, one of the biggest criticisms of the CCPA has been that the definition of "consumer" is too broad because it not includes traditional consumers (i.e., someone who purchases a good or service) but also employees, business to business partners, and non-consumers. AB 25 seeks to remedy this issue by excluding from the definition of "consumer" any natural person whose personal information has been collected by a business in the course of a person acting as a job applicant or as an employee, contractor, or agent, on behalf of a business, to the extent the information collected is used for those purposes. The author of AB 25 has also indicated a desire to exclude business to business transactions, but no amendment has been introduced. AB 25 was passed out of the Assembly Privacy and Consumer Protection Committee on April 24 by unanimous vote, and passed out of the Assembly Appropriations on May 1 by unanimous vote. It is now headed to the Assembly floor for a full vote, which must take place on or before May 31.

SB 561 (Jackson): Expanding The Private Right Of Action. The CCPA, as amended, provides only a limited private right of action relating to negligent data breaches. The remaining portions of the CCPA may only be enforced by the attorney general. This was a key compromise between business and privacy interests in getting the CCPA passed. SB 561, which seeks to expand the private right of action to permit civil enforcement of the entire statute, would upend that compromise. SB 561 would also remove the attorney general's advisory opinion role, and remove the cure period for business. SB 561 is sponsored by California Attorney General Xavier Becerra, and was introduced by Sen. Hannah-Beth Jackson. But it's not clear how the amendment will fare in the Assembly, where some of the CCPA's principle negotiators may be hesitant. SB 561 passed with a unanimous vote out of the Senate Committee on the Judiciary on April 8, and passed through the Senate Appropriations Committee on April 29. SB 561 will now go to the Senate floor for a full vote, which must take place on or before May 31.

AB 846 (Burke): Excluding Loyalty Programs. The CCPA, as amended, prohibits a business from discriminating against a consumer because the consumer exercises any of his or her rights under the CCPA, including but not limited to by charging different prices or rates for goods or services, including through the use of discounts or other benefits. The CCPA also authorizes a business to offer financial incentives, including payments to consumers as compensation, for the collection or sale of their personal information, and to offer a different price, rate, level, or quality of goods or services if that price or difference is directly related to the value provided to the consumer by the consumer's data. AB 846 proposes to revise these anti-discrimination provisions to broaden the applicability of loyalty and discount programs, and make clear that such programs are permissible in certain circumstances. AB 846 passed out of the Assembly Committee on Privacy and Consumer Protection by unanimous vote on April 25, and has been referred to the Assembly Appropriations Committee for further consideration. The appropriations committee will need to refer AB 846 to the floor for a vote on or before May 17.

AB 1416 (Cooley): Expanding Fraud Protection Exemptions. This bill would add revisions to the opt-out provisions of the CCPA similar to those that exist in the exemptions for deletion relating to a business's ability to comply with applicable laws, rules, or regulations, and: (1) exercise, defend, or protect against legal claims; (2) protect against or prevent fraud or unauthorized transactions; (3) protect against or prevent security incidents or other malicious, deceptive, or illegal activity, or (4) investigate, report, or prosecute those responsible for protecting against fraud, unauthorized transactions, and preventing security incidents or other specified activities. The author of the bill has proposed a four year sunset provision. AB 1416 passed out of the Assembly Committee on Privacy and Consumer Protection on May 2.

AB 873 (Irwin): Excluding De-Identified/Aggregate Data. AB 873 attempts to address a critical operational uncertainty within the CCPA concerning the range of data subject to the CCPA and what steps business can take to de-identify data. The bill modifies the definition of "personal information" by striking the clause "is capable of being associated with" and striking references to "household." The bill then restructures the definition of "de-identified" to more closely follow the Federal Trade Commission's 2012 Privacy Framework understanding of "de-identified." The current definition of "personal information" mirrors the definition of "personal information" which includes the term "capable." The FTC definition focuses on a "reasonably linkable" standard that is qualified by three elements set forth in AB 873. Finally, the bill clarifies the CCPA's directive that it should not be interpreted to require a business to re-link data. The bill was voted out of the Assembly Privacy Committee with a unanimous vote on April 29 and is pending before the Assembly Appropriations Committee.

AB 874 (Irwin): Broaden Definition of Publicly Available. This bill seeks to broaden the definition of "publicly available" for purposes of the definition of "personal information," which currently excludes "publicly available" information. The bill would also correct a drafting error in the definition of personal information to clarify that personal information does not include de-identified or aggregate consumer information. This bill was passed unanimously out of the Assembly Committee on Privacy and Consumer Protection on May 1 and has been ordered to the consent calendar for a floor vote, which must take place on or before May 31.

AB 981 (Daly): Insurance Exemptions. This bill proposes to add numerous privacy protections to the Insurance Information and Privacy Protection Act to reflect the CCPA. The bill would also exempt entities subject to the IIPPA from the CCPA, with the exception of the CCPA's data breach section. This bill was passed out of the Assembly Committee on Privacy and Consumer Protection on April 29 and is currently pending before the Assembly Committee on Appropriations. The appropriations committee has until May 17 to refer the amendment to the floor for a vote.

AB 1146 (Berman): Auto Warranty/Recall Data Sharing. This bill seeks to exempt from the CCPA's right of deletion and right to opt-out any vehicle information shared pursuant to or in anticipation of a vehicle repair relating to warranty work or a recall. The bill was passed unanimously out of the Assembly Committee on Privacy and Consumer Protection on April 29 and is pending before the Assembly Committee on Appropriations. The appropriations committee has until May 17 to refer the amendment to the floor for a vote.

These pending amendments make clear that the CCPA is far from settled. With a legislative calendar that ends on Sept. 13 and with attorney general regulations slated to be released this fall for further public comment, one thing is clear - the latter half of 2019 is shaping up to be a busy time for organizations getting ready for CCPA compliance. Stay tuned.