The California Consumer Privacy Act is regulation in flux.
A flurry of amendments to the law are now wending their way through the California State Assembly that would, if passed, either clarify certain aspects of the law or defang it – depending on whom you ask.
“It’s all part of the philosophical debate between the industry and privacy advocates,” said Gary Kibel, a partner at Davis & Gilbert.
Some of the bills have already advanced through the California Assembly Appropriations Committee, which means they could soon be on their way to a Senate vote, while others are still pending the committee’s approval.
Here’s a quick and dirty guide to all eight primary CCPA amendments currently on the docket – plus one wild card Senate bill that has lawyers sharpening their pencils.
For advertisers and marketers, the most important amendments concern the definition of personal information and the notion of de-identification, said Omer Tene, VP and chief knowledge officer at the International Association of Privacy Professionals.
Under CCPA as it stands, personal information is broadly defined as any information that “identifies, relates to, describes, is capable of being associated with or could reasonably be linked, directly or indirectly to a particular consumer or household” – including, ostensibly, some forms of publicly available information.
De-identified information cannot be linked to someone without adding in other data points, or it’s data that’s been so modified that the chance of reidentification is minimal. The CCPA is unclear, however, on the threshold for when data is considered reasonably de-identified under the law.
“I don’t think any of these bills vitiate the CCPA,” Tene said. “Rather, they address open policy, practical challenges and ambiguous issues, and tighten the law’s language.”
Three amendments already have appropriations committee approval.
AB 25 would create a carve out for employee data so that CCPA doesn’t apply to job applications, employees or contractors.
“[This] is a substantive change that may put business-to-business CRM data and employment records beyond the reach of the CCPA,” said Brian Kane, COO and co-founder of Sourcepoint.
AB 874 seeks to soften the definition of personal information by exempting information collected from public records. It particularly irritates the privacy community, because it represents a carve out for data brokers that rely on public databases.
AB 1355 also aims to clarify the meaning of personal information by excluding de-identified and aggregated consumer information.
It’s too early to say which of these bills will eventually make it to the governor’s desk for a signature, but any proposals that appear to clarify ambiguous aspects of the law, like AB 25, for instance, are much more likely to pass, said Brandon Reilly, an attorney focused on privacy and data security at law firm Manatt, Phelps & Phillips.
Next in line
Five additional bills are still pending before the Assembly Appropriations Committee.
AB 846 would scupper CCPA’s “non-discrimination requirements,” which some have interpreted as a death knell for loyalty programs. (Retailers, rejoice.)
AB 873 proposes to tweak the definition of “personal information” from data that is “capable of being associated” with an individual or household, to data that is “reasonably capable” of being associated.
“The existing language is a concern, because it means nothing – as anyone in the ad tech industry knows, you can match anything with anything,” Kibel said. “The definition of ‘household’ is also freaking everyone out because, how do you define a household? Do roommates count?”
AB 981 would exempt insurance providers from having to comply with data deletion requests if that data is necessary to complete a transaction, which sounds a lot like the GDPR’s concept of legitimate interest. AB 1146 would pretty much do the same thing, but for vehicle repair information.
And, finally, AB 1564 would require businesses to give consumers just one method for getting in touch to submit information requests. CCPA now requires two: a toll free number and an email address.
Piece of the action
Actually, there’s one more significant bill circulating, and it could be a biggie if it’s passed. The California Senate Judiciary Committee recently approved SB 561 which would give consumers a private right of action, now limited to data breaches only, in response to any violation of the CCPA.
In other words, consumers would be able to sue companies that infringe on their privacy rights under CCPA. California AG Xavier Becerra supports the bill, which also gives the attorney general greater CCPA enforcement powers.
Most of the proposed amendments are striking in that they do not introduce “radical restructuring of the CCPA’s core obligations or major changes to the applicability thresholds,” Reilly said.
SB 561 is a major exception.
“There would be crazy amounts of litigation,” Kibel said.
Compliance, not a science
The Assembly amendments will probably move quickly and whichever make the cut should be in place by the time the CCPA goes into effect in January 2020, Tene said.
In the meantime, businesses are in a compliance holding pattern, Kibel said, noting a “compressed timeline.”
“If the amendments are passed in September or October, that may be around the same time as when the attorney general’s implementing regulations are issued and three or four months before the start date for the law,” he said. “There’s a lot of uncertainty about how to manage compliance, especially among ad tech companies, because there are still many moving parts and the regulations have not yet been issued.”