A.B. 1146, 2019 Leg., Reg. Sess. (Cal. 2019) (exemptions: vehicle information)
A.B. 1355, 2019 Leg., Reg. Sess. (Cal. 2019) (personal information)
A.B. 1564, 2019 Leg., Reg. Sess. (Cal. 2019) (consumer privacy: consumer request for disclosure methods)
California’s 2019 legislative session wrapped just over two weeks ago, on Friday, September 13, with five new amendments to the California Consumer Privacy Act of 2018 (“CCPA”), Cal. Civ. Code § 1798.100-1798.199, headed to California Governor Gavin Newsom’s desk for signature. Governor Newsom must approve the amendments by October 13 for them to become law, with the full CCPA going into effect on January 1, 2020.
The CCPA grants state residents, among other things, the right to know what information companies have on them, the right to opt-out of the sale of that information, and the right to have it deleted altogether.
Some of Silicon Valley’s largest tech companies were concerned about the implications of this sort of statutory data protection for their business and lobbied extensively to weaken the CCPA’s requirements. Despite their efforts, the five amendments—a total of six were under consideration—that passed the California State Legislature this month made only minor changes to the Act. Some of the key points of each are summarized below:
- Assembly Bill 25 (“AB-25”)—exempts from the scope of the CCPA, until January 1, 2021, certain personal information collected on employees by businesses in human resources capacities.
- AB-874—narrows the definition of “personal information” under the Act, clarifying that it does not include “consumer information that is deidentified or aggregate consumer information” and expands the definition of information that is “publicly available.”
- AB-1146—removes the right of consumers to opt out of personal information sharing between motor vehicle dealers and vehicle manufacturers as part of vehicle repairs covered by recalls or warranties. Also allows a business to retain personal information necessary to fulfill recalls or warranties.
- AB-1355—exempts information collected as part of business-to-business (“B2B”) transactions or communications from many of the CCPA’s requirements. Also clarifies that businesses are not obligated to provide information to a consumer whose identity they cannot verify and includes some other clarifications and corrections to drafting errors.
- AB-1564—creates an exception to the CCPA general rule that businesses have to offer at least two methods for consumers to submit requests for disclosures, stating that some online-only businesses need only provide consumers with an email address for such submissions.
While the overall thrust of these bills is to weaken the consumer protections created by the CCPA, the effects are on the margins, a fact that has been hailed as a victory by consumer privacy advocates. This relative lack of substantive changes to the CCPA has worried the business community, especially since California’s law has the potential to evolve into a de facto national standard. This theory is bolstered by the current trend of other state legislatures following Sacramento’s lead, exemplified by new bills put forth recently in New Mexico and Massachusetts.
Because their efforts to defang the CCPA have been largely unsuccessful, many in the tech industry, including Amazon CEO Jeff Bezos and IBM CEO Ginni Rometty, signed an open letter to senior lawmakers advocating for a federal privacy law. Such a law would supersede any state statutes otherwise governing data privacy in more limited jurisdictions, and allow tech companies another chance to steer the conversation in a more business-friendly direction.
It is unclear how much success this new push will have on the landscape of privacy law in the United States, but with the CCPA coming into force at the beginning of the new year, further developments are surely on the horizon.