More changes expected to California Consumer Privacy Act
Halbert B. Rasmussen
The California Consumer Privacy Act (CCPA), which was enacted in June of 2018 and will go into effect on January 1, 2020, is likely to undergo additional changes as the California Legislature enters the final stretch of the legislative year. We have previously updated you on legislation supported by the California Attorney General that would expand the scope of the law and increase consumers’ opportunities to bring lawsuits for alleged violations of the law. The good news is that the worst aspects of these proposed changes were defeated in committee and will not be enacted this year. The bad news is that some of the more important proposed business-friendly protections have been narrowed.
Background of the CCPA
In June of 2018, California adopted AB 375, the strongest privacy law in the nation. The new law bears many similarities to the European Union General Data Protection Regulation (GDPR), which famously purports to give consumers the “right to be forgotten.” The California law gives consumers residing in California several new rights, aiming to bring more control and transparency to the trade and use of people's personal data. It also, for the first time, provides consumers with the ability to sue companies that mishandle their data without ever having to prove harm due to the misuse.
AB 25 — Employee information
The Assembly unanimously approved AB 25, which sought to modify the definition of “consumer” to exclude “a natural person whose personal information has been collected by a business in the course of a person acting as a job applicant to, an employee of, a contractor of, or an agent on behalf of, the business, to the extent the person’s personal information is collected and used solely within the context of the person’s role as a job applicant to, an employee of, a contractor of, or an agent on behalf of, the business.”
However, a coalition opposed to AB 25, expressing concern that the exemptions would go too far in eroding the rights of employees who are also consumers, fought the bill in the Senate Judiciary Committee. AB 25’s author, Assemblymember Ed Chau, agreed to amend the law to clarify that employers subject to the CCPA would still be required to inform employees who are also consumers what categories of personal information they collect and the purposes for which such personal information shall be used.
Assemblymember Chau also agreed to look at this issue further in the future. Therefore, if AB 25 is signed into law, the exemption for employee data would only be effective for the 2020 calendar year and would be inoperative on or after January 1, 2021.
After the amendments, the Senate Judiciary Committee passed the bill unanimously. It is currently in the Senate and is widely expected to pass for signature by the Governor.
AB 1146 — Vehicle recall
AB 1146 is sponsored by the California New Car Dealers Association and is sailing through the legislature with little opposition. AB 375 originally exempted businesses from the requirement to delete consumer information on request if the information was necessary to fulfill the terms of a written warranty. AB 1146 adds to this exemption consumer information that is necessary to administer a “product recall conducted in accordance with federal law.” In combination, these two exemptions will allow dealers to maintain consumer data such as contact information and vehicle information in order to administer vehicle warranties and recalls.
The bill passed out of the Assembly on a unanimous basis in May. It passed out of the Judiciary Committee earlier in July on a unanimous basis, and is now before the Senate Appropriations Committee.
AB 846 — Customer loyalty programs
The CCPA included anti-discrimination rules that prohibit businesses from discriminating in their provision of services against customers who opt to have their information deleted. Business groups immediately identified this as a problem, as it could render customer loyalty programs inoperable. AB 846 attempts to address these concerns, though it has faced some opposition and has been amended.
Under the CCPA, companies may not discriminate against consumers who opt to have their data deleted, though they may charge an additional fee for their services that is reasonably related to the value of the consumer data. Companies may also offer a financial incentive to the customer for providing the data.
Loyalty programs did not fit neatly into these exemptions, as they are typically free programs. AB 846, as amended, addresses this by allowing companies to offer a different “price, rate, level, or quality of goods or services to a consumer” when the offer is related to the “consumer’s voluntary participation in a loyalty, rewards, premium features, discounts, or club card program.” In addition, businesses may not sell personal information that is collected as part of such a program.
The bill passed out of the Assembly with only 4 no votes. It has been amended several times, though, and may continue to see changes. There is wide interest in reaching a consensus on this legislation, though, as loyalty programs are popular with consumers.
SB 561 — 30-Day cure period and Attorney General opinions
In a bit of good news, a bill supported by the California Attorney General will not become law this year. SB 561 deleted the 30-day cure period currently provided for under the CCPA. Section 1798.155(b) allows businesses 30 days from the date of receiving notification of an alleged noncompliance to cure the alleged violations before a civil action could be commenced. This bill would have allowed for enforcement under the CCPA immediately, without prior notice, eliminating the 30-day right to cure entirely and leaving businesses open to statutory penalties with no option to cure the problem to avoid liability.
SB 561 also sought to eliminate the option provided to businesses and other third parties under Section 1798.155(a) to seek the opinion of the Attorney General on how to comply with the CCPA. The bill would instead have required the Attorney General to publish general public guidance about the law. While this provision did not directly affect businesses’ potential liability under the law, it would greatly reduce their ability to seek advice that could form the basis for future defenses or otherwise establish guidance related to difficult compliance issues presented by the law.
The bill passed the Senate with 46 yes votes and 19 no votes. It was then held in the Assembly Appropriations Committee suspense file and will not advance this year. Nonetheless, this is one to watch in the future, as it would have a deep impact on businesses’ ability to cure problems and increase liability.
All said, with the exception of a few positive clarifications regarding employees and transfer of data in connection with vehicle warranty work and recalls, and subject to regulations that are still in the process of being created by the California Attorney General, it appears that the CCPA will become effective at the beginning of next year with little added during this year’s legislative session to ease compliance for dealers. For more information on these developments or how Scali Rasmussen can help you with CCPA compliance, please contact a member of our privacy regulatory team.