Data Protection Report - Norton Rose Fulbright

On August 12, the California legislature returns after its summer recess. Starting with the Senate Appropriations Committee Hearing today, the legislature will now have approximately a month to continue the markups and send California Consumer Privacy Act (CCPA) amendments to the Governor’s desk for signature before the September 13 deadline.  As previously reported, any amendment that passes from the Senate will likely need to go back to the Assembly since many of them have been marked up significantly by the Senate. Below is a summary of the seven amendments that are moving forward and what they mean for businesses who are working on implementing a CCPA program.  Click here for our previous coverage of AB 25 (employee exception), AB 846 (customer loyalty program), and AB 1564 (consumer request methods).

8/13 UPDATE: All amendments listed below except for AB 1281 were pulled from the hearing agenda last-minute and appear to be heading straight to the Senate floor for a vote without any new changes.  AB 1281, on the other hand, appears to be suspended and not moving forward. Stay tuned for updates on this blog.

AB 25 (employee exception) has been narrowed to now include a notice requirement for employers.  It also includes a one-year expiration date, committing the California legislature to discuss more comprehensive employee privacy legislation in 2020. 

Key issues:

(1) Will employers need to give revised privacy notices to employees under CCPA?;

(2) Will employers be exempted from other CCPA requirements, such as access, deletion and opt out?;

(3) Will California add the one-year expiration date on this employee exemption so that they can tackle a more comprehensive employee privacy legislation in 2020?

AB 846 (customer loyalty program), as amended, no longer includes an exception if the customer loyalty program offer was for a specific good or service whose functionality was “directly related to the collection, use, or sale of the consumer’s data.”  The amended bill now also prohibits a business from “selling” the consumers’ personal information collected as part of those loyalty programs. 

Key issues:

(1) Will CCPA allow customer loyalty programs where the good or service’s functionality is directly related to the collection, use, or sale of the consumer’s data, such as members sharing recipes for a new kitchen appliance?

(2) Will CCPA prohibit the sale of the consumers’ personal information collected as part of loyalty programs?

Next, AB 874 would redefine “personal information” to exclude information from government records.

Key issues:

(1) Will CCPA place any conditions on information that is publicly available from government records, such as limiting its use only to the purpose for which the information is publicly maintained?

(2) Is deidentified or aggregate consumer information “personal information” for CCPA purposes?

AB 1146 would exclude from the “opt out” right vehicle information or ownership information retained or shared between a new motor vehicle dealer and the vehicle’s manufacturer, if shared for warranty repair or recall purposes. 

Key issues:

(1) Will CCPA permit consumers to “opt out” of sharing information by the dealer to the manufacturer?

(2) Will CCPA permit consumers to require both the dealer and the manufacturer to delete the consumer’s personal information?

The fifth bill is AB 1355, which narrows the disclosure requirement to categories of third parties to which information was sold, rather than requiring disclosure on a specific third-party-by-third party basis. 

Key issues:

(1) Will CCPA require businesses to list each and every third party to which personal information was sold?

(2) Will CCPA permit a business to offer different prices, different levels or different qualities of goods or services if the difference is based upon the value provided to the consumer by the consumer’s data, or based upon the value provided to the business by the consumer’s data?

AB 1564 retains the toll-free number requirement but was amended to add an exception:   “A business that operates exclusively online and has a direct relationship with a consumer from whom it collects personal information shall only be required to provide an email address” for submitting those requests. 

Key issues:

(1) How can Internet-only businesses determine if they have a “direct relationship” with a consumer for CCPA purposes?  For example, if the consumer purchases goods from ABC’s website, does the consumer have a “direct relationship” with ABC?  If ABC is a reseller or offers a platform for sales, is the “direct relationship” with the manufacturer, with ABC, or both?  If the consumer pays via a credit card, is that a “direct relationship”?

Finally, AB 1281 would require physical signs at business locations that use facial recognition technology that “ensures that an individual can read the sign before the business captures a digital image or video of the individual.”

Key issue:

(1) How can a business “ensure” that an individual can read the sign regarding facial recognition technology usage “before the business captures a digital image or video of the individual”?

(2) If the sign needs to include information regarding where an individual can obtain more information about the purposes for the use of facial recognition technology, how large would the type have to be in order to “ensure” that an individual can read the sign regarding facial recognition technology usage “before the business captures a digital image or video of the individual”?

Our other CCPA articles:

Article 1: Summary of CCPA’s major provisions

Article 2: CCPA covered entities

Article 3: CCPA definition of personal information

Article 4: CCPA disclosure requirements

Article 5: CCPA “Right to Deletion”

Article 6: California Attorney General’s Office begins CCPA rulemaking process with first public hearing while Congress debates new federal privacy law

Article 7: Comments at CCPA public forum in Los Angeles highlight tensions between businesses and consumer rights groups

Article 8: GDPR, CCPA and beyond: Changes in data privacy laws and enforcement risks to monitor in 2019

Article 9: CCPA: “Attorney General Amendment” Likely Dead

Article 10: Nevada, New York and other states follow California’s CCPA

Article 11: “What’s cooking” in Sacramento: CCPA’s “employee exception” bill is amended; “publicly available information” exception is broadened, and consumer access rights are clarified 

Article 12: Back At The Negotiating Table: CCPA Amendments Debate Continues