As required by the California Consumer Privacy Act of 2018 (the “CCPA”), the California Attorney General’s Office (the “AG”) is hard at work crafting regulations related to the CCPA to be implemented by July 1, 2020. The CCPA will go into effect on January 1, 2020, but the AG’s enforcement will not be initiated until later that year. In the meantime, consumers and businesses alike are anxiously awaiting the AG’s first draft of the regulations. The AG’s regulations are intended to clarify certain ambiguities in the CCPA and outline and implement rules for businesses to follow. To date, the AG has hosted and participated in several public hearings regarding the CCPA in order to solicit feedback from consumer advocate groups, business groups, and lawyers, among others, all in a concerted effort to help guide the AG in drafting the CCPA regulations. So far the AG has received more than 1,300 pages of written comments on its CCPA rulemaking. The first draft of the AG’s regulations is expected to be released in October of 2019. Once the AG publishes its first draft of the CCPA regulations, there will be additional public comment and hearings. After gathering this additional input, the AG will revise the draft regulations and then publish the final version thereafter.
However, the AG is not the only governing body working on refining the CCPA. The California Senate Judiciary Committee had a hearing on July 9th to debate several amendments to the CCPA. As a result of those hearings, the committee passed six proposed CCPA amendments. Below is a brief overview of each proposed amendment including potential implications for businesses who must comply with the CCPA, as amended.
(1) The “Employee Exemption”
Businesses that (i) gross more than $25 million, generate more than 50% of their revenue from selling personal information, or sell personal information of at least 50,000 consumers; and (ii) collect personal information from California consumers are all required to strictly comply with the CCPA. I shall refer to these businesses as “Covered Entities.”
Assembly Bill (“A.B.”) 25, known as the “employee exemption” bill, is one of the most closely watched proposed amendments to the CCPA. A.B. 25 states that employees and job applicants would not qualify as, and shall not be considered, “consumers” under the CCPA. This amendment would effectively prevent employees of Covered Entities from either asking for a copy of all of the personal information their employer has collected from them or requesting that such employer delete all such personal information.
Under A.B. 25, this “employee exemption” would end on January 1, 2021. In the meantime, however, Covered Entities that are also employers will nonetheless need to provide their employees with a privacy notice informing such employees of the employer’s personal information collection practices as well as the purposes for such collection practices. Moreover, employees of such Covered Entities will also have a private right of action to sue over any data breaches involving their personal information.
Implication: Covered Entities are now required to consider employee data while preparing to comply with the CCPA. Although such companies do not need to worry about the more burdensome “right to access” and “right of deletion” obligations with regards to employees, they should still update and circulate employee privacy policies to their employees, accordingly, to ensure transparency and compliance regarding their personal information collection practices. Moreover, Covered Entities must also develop and implement procedures for responding to data breaches so that personal information of employees is covered in their incident response as well.
(2) “Consumer Loyalty Program” and Discrimination
Covered Entities may not discriminate against consumers for exercising their rights under the CCPA. However, A.B. 846 allows Covered Entities to offer a different price, rate, level, or quality of goods or services to consumers and avoid claims of discrimination as long as the different price, rate, level, or quality of such goods or services is directly connected to a voluntary loyalty rewards program. However, Covered Entities utilizing such loyalty programs are still prohibited from selling the personal information collected through these loyalty rewards program.
Implication: Covered Entities will not be required to closely connect the value of consumers data to a good or service in order to avoid claims of discrimination under the CCPA wherein voluntary loyalty rewards programs are concerned. However, Covered Entities should be aware that they will not be permitted to sell personal information collected from such consumer loyalty programs, unless they explicitly comply with the other requirements under the CCPA governing such conduct.
(3) Facilitating Communications from Consumers
A.B. 1564 addresses the various methods that consumers have available to them under the CCPA for submitting requests and exercising their rights thereunder. Although Covered Entities are required to have at least two designated methods for consumers to submit requests under the CCPA (including, at a minimum, a toll-free number), this amendment would allow certain Covered Entities to avoid the two-method minimum by providing consumers with a designated e-mail address for submitting such CCPA requests. However, this exception would only apply to Covered Entities that “operate exclusively online” and have a direct relationship with a consumer whose personal information they collect.
Implication: Covered Entities with brick-and-mortar operations or Covered Entities that do not have a “direct relationship” with a consumer would still be required to have, at a minimum, a toll-free number and at least one other method for receiving and processing consumer requests under the CCPA.
(4) Broader Definition of “Publicly Available” Information
Certain “publicly available” information is exempted from the restrictions imposed on Covered Entities related to personal information collected by them under the CCPA that is not publicly available. A.B. 874 expands the definition of “publicly available” information to include any information that is lawfully available from federal, state, or local government records.
(5) Opt-In Clarification
In an effort to correct drafting errors, A.B. 1355 clarifies that consumers over 13 years of age but younger than 16 years of age are required to opt-in before a Covered Entity can sell their personal information. In addition, Covered Entities need a parent to authorize consent only for consumers who are younger than 13 years of age.
(6) Car Dealers and Car Manufacturers
A.B. 1146 exempts information obtained by Covered Entities that are car dealers and car manufacturers regarding car or car ownership data if the information is shared by such Covered Entities in connection with car repairs relating to a warranty or recall.
The California Senate has until September 13, 2019 to vote on amendments to the CCPA. Even though several of the above listed proposed amendments slightly alter and refine various aspects of the CCPA, the core provisions of the CCPA are likely to remain the same. As a result, Covered Entities should continue to prepare for compliance by creating a data map and inventory of all the personal information they collect, use, and sell.