UK NIS Regulations impose new cybersecurity obligations (and a new penalties regime) on operators of essential services and digital service providers in the UK | Norton Rose Fulbright

In a 12-hour marathon hearing, the California Senate Judiciary Committee on July 9, 2019, debated, struck down, scaled back and put back on the negotiating table key amendments to the California Consumer Privacy Act (“CCPA”). Read below to find out what happened to the much-anticipated “employee exception” bill, “customer loyalty program” bill, and the bill to remove the toll-free number requirement.

“Employee Exception” Amendment Moves Forward With a More Narrow Exemption That Expires in 2021

Responding to the recent opposition registered by organized labor, the closely-watched “employee exception” bill, AB25, was modified by the Senate Judiciary Committee to include certain rights for employees. Here are the key changes:

  • Under the current draft, employers will not be exempt from providing a privacy notice to employees – employers must provide employees with notice at or before the point their personal information is collected as to the categories of personal information to be collected and why.
  • Other consumer rights, including access, deletion and opt-out, however, will not apply to employees. This means employers would not need to go through the burdensome exercise of having to figure out what “specific pieces” of information they have collected about their employees.
  • The private right of action for data breaches, however, will continue to apply to employee data.
  • This employee exception now has a sunset provision and will expire on January 1, 2021, committing the stakeholders to discuss more comprehensive employee privacy legislation in 2020.

Takeaway: This debate made it clear that employees are intended to be considered in-scope for the CCPA. If this amendment is not passed before the California legislature adjourns on September 13, businesses will need to address how the full set of CCPA obligations apply to employee data. At a minimum, businesses should review and amend their employee privacy policy and notice to meet CCPA’s requirements. Employers should also review their incident response plan to ensure that the information security program and data breach response procedures include employee data. Because this bill was significantly modified in the Senate, it will need to go back to the Assembly for further debate, meaning we will still need to monitor how employee data will be treated under the CCPA. The key takeaway, however, is that employee data, in one form or another, will be covered under CCPA, bringing into scope organizations that are B2B but have California employees.

“Customer Loyalty Program” Bill Amended

AB846, which expands incentives and differential treatment related to value of data, was amended for the first time since it was passed from the Assembly. The bill had previously permitted a business to offer a “different price, rate, level, or quality of goods or services” if either (a) the offering was in connection with a consumer’s voluntary participation in a loyalty/reward/discount/club card program, or (b) “the offering was for a specific good or service whose functionality was directly related to the collection, use, or sale of the consumer’s data.” Under the amended bill, provision (b) has been deleted.

In addition, the amended bill now prohibits a business from “selling” the consumers’ personal information collected as part of those loyalty programs. Finally, the bill adds a provision that this section does not affect the consumer’s right to direct a business not to sell the consumer’s personal information.

Takeaway: While businesses may no longer have to tie the value of a consumer’s data to goods or services, they will be prohibited from selling data collected in connection with customer loyalty programs.

Consumer Request for Disclosure Methods Amended Again

AB1564 would change the methods businesses must offer consumers to submit requests for information. The CCPA currently requires that a business make available to consumers two or more designated methods for submitting requests, including “at a minimum, a toll-free number and, if the business maintains an Internet Web site, a Web site address.”

The amended bill would retain the requirement for two or more designated methods of contact, including a toll-free number, but would create an exception. “A business that operates exclusively online and has a direct relationship with a consumer from whom it collects personal information shall only be required to provide an email address” for submitting those requests.

Takeaway: Businesses with a brick-and-mortar presence in California, or businesses which do not have a direct relationship with a consumer, will need to maintain a toll-free number for those consumer requests.

Changes to Definition of Personal Information Bill Fails But Is Held for Reconsideration

The Committee deadlocked on proposed changes to AB873 after consumer watchdogs mobilized against the amendment. This amendment, if it passes in its current form, would expand the definition of “deidentified” data and narrow the definition of “personal information” to remove “household.” This bill remains in the Senate Judiciary Committee for reconsideration.

Takeaway: The strict deidentification standard remains in CCPA for now. Businesses should consider how they deidentify personal information and whether that deidentified data meets the CCPA standard. Further, businesses should begin crafting guidelines for identifying household data.

What’s Next:

The California Senate is scheduled for its summer recess after July 12. The Senate is scheduled to resume on Monday, August 12. Any bill that has been amended in the Senate would need to go back to the Assembly for a vote and possible reconciliation.

The last day for bills to be voted into law this term is Friday, September 13 and the Governor will have 30 days to sign or veto bills that have been voted out by the legislature.

Our Take:

Practically speaking, businesses should expect that employees will be in scope for CCPA. Also, an amendment with a more favorable definition of deidentified information may not pass or we may not get more clarity around the definition of personal information.

Businesses should continue to monitor the amendments but should also consider the possibility that the CCPA may not be significantly changed before it goes into effect on January 1, 2020 if none of the amendments pass this year. That may mean the only meaningful guidance between now and CCPA’s effective date will be the California Attorney General’s rulemaking.

Our other CCPA articles:

Article 1: Summary of CCPA’s major provisions

Article 2: CCPA covered entities

Article 3: CCPA definition of personal information

Article 4: CCPA disclosure requirements

Article 5: CCPA “Right to Deletion”

Article 6: California Attorney General’s Office begins CCPA rulemaking process with first public hearing while Congress debates new federal privacy law

Article 7: Comments at CCPA public forum in Los Angeles highlight tensions between businesses and consumer rights groups

Article 8: GDPR, CCPA and beyond: Changes in data privacy laws and enforcement risks to monitor in 2019

Article 9: CCPA: “Attorney General Amendment” Likely Dead

Article 10: Nevada, New York and other states follow California’s CCPA

Article 11: “What’s cooking” in Sacramento: CCPA’s “employee exception” bill is amended; “publicly available information” exception is broadened, and consumer access rights are clarified