Insights
Technology + Privacy & Security

Uncertainty Remains in Key Provisions and Rules of California Consumer Privacy Act

By   Monder "Mike" Khoury
06.27.19
Print this page

Though the CCPA comes into force in only six months, several important aspects of the law remain unsettled, including whether the definition of “consumers” will include “employees” and whether the California Attorney General will provide guidance or a safe harbor for consumer authentication. A series of potential amendments passed the California Assembly in May and are now awaiting action by the Senate Committee on Judiciary.

With no hearings on these amendments scheduled and only 11 weeks until the deadline, the prospect for passage remains uncertain. Meanwhile, the California legislature has scheduled hearings for July 2 and 9 regarding several other unrelated data privacy bills: proposed changes to the data breach notification law (July 2), registration for data brokers (July 2), and the smart TV privacy bill (July 9). The California Legislature’s deadline to pass any bill is September 13, 2019, with the Governor’s deadline to sign or veto bills a month later, October 13.

The following amendments to the CCPA are currently pending:

 

Bill  Brief Explanation Status
AB 25 Excludes employees from definition of consumer Passed Assembly, currently before Committee on Judiciary 
AB 846 Amends the text of the exception to the CCPA’s anti-discrimination clause Passed Assembly/Committee on Rules, currently in Committee on Judiciary
AB 873 Clarifies that “personal information” does not cover all “information that is…capable of being associated” with a particular individual or household, but instead information that is “reasonably capable of being [so] associated”; revises the definition of “deidentified” Passed Assembly/Committee on Rules, currently in Committee on Judiciary
AB 874 Amends the definition of “personal information” to exclude deidentified or aggregated consumer data and amends the definition of “publicly available information” to mean information lawfully made available from federal, state, or local government records Passed Assembly/Committee on Rules, currently in Committee on Judiciary
AB 981 Eliminates a consumer’s right to request a business to delete or not sell the consumer’s personal information under the CCPA if it is necessary to retain or share the consumer’s personal information to complete an insurance transaction requested by the consumer Passed Assembly, referred to Committee on Judiciary and Committee on Insurance
AB 1355

Cleans up the wording of a number of provisions to clarify that the CCPA:

  • Requires that a business disclose “[t]hat a consumer has the right to request the specific pieces of personal information that the business has collected about that consumer”
  • Requires that businesses may disclose the personal information sold to third parties by listing the category of third party, rather than by identifying each third party
  • Excludes deidentified or aggregated consumer information from the definition of “personal information”
  • Requires that financial incentives and price differentials be reasonably related to the value provided to the business by the consumer’s data, rather than the value provided to the consumer by the consumer’s data
 Passed Assembly/Committee on Rules, currently in Committee on Judiciary 
AB 1564

Changes the designated method to submit information requests to no longer require a toll-free number in all instances. Specifically, businesses would have to offer:

  1. Either a toll-free number or an email address;
  2. A mailing address (unless the business is online only); and
  3. A website where requests can be submitted, if it maintains a website.  
 Passed Assembly, amended and re-referred to Committee on Judiciary 

The following additional bills related to privacy and security are also pending:

Bill  Brief Explanation Status
AB 1130  Expands data breach requirements to include notifying customers if their passport and government ID numbers, along with biometric data, such as retina scans and fingerprints have been wrongfully acquired and authorizes notifying other entities that use the same type of biometric data as an authenticator to no longer rely on such data for authentication purposes  Passed Assembly, set for hearing before the Committee on Judiciary on July 2, 2019 
AB 1202  Requires data brokers to register with the Attorney General (AG), requires the AG to create a publicly available registry of data brokers, and grants AG enforcement authority  Passed Assembly, set for hearing before the Committee on Judiciary on July 2, 2019  
AB 1395  Expands smart TV privacy bill to apply to any connected device with a voice recognition feature. Generally, prohibits a company from remotely storing voice recordings obtained from a “smart speaker device” without consent, the sharing or sale of such recordings, and the use of recordings for advertising purposes.   Passed Assembly, set for hearing before the Committee on Judiciary on July 9, 2019 

California Attorney General Xavier Becerra is set to release the first draft of CCPA regulations via a Notice of Proposed Regulatory Action in early fall 2019. The AG will hold public hearings to address public comments and is required to adopt formal regulations by July 1, 2020. Notably, however, the AG is not required to issue regulations regarding what constitutes a verifiable consumer request. Companies therefore must do their best to work with the current and somewhat vague language to determine what constitutes a verifiable request as they prepare to comply with that provision of the statute.

Attorney General Becerra and Senator Hannah-Beth Jackson introduced a bill (Senate Bill 561) earlier this year that would have changed the enforcement scheme to include a private right of action for any violation of the statute, not just those stemming from a data breach. The Senate Appropriation Committee took the bill under submission, on May 16, effectively preventing it from passing out of the Senate this session.

Related Insights