Uncertainty Remains in Key Provisions and Rules of California Consumer Privacy Act
Though the CCPA comes into force in only six months, several important aspects of the law remain unsettled, including whether the definition of “consumers” will include “employees” and whether the California Attorney General will provide guidance or a safe harbor for consumer authentication. A series of potential amendments passed the California Assembly in May and are now awaiting action by the Senate Committee on Judiciary.
With no hearings on these amendments scheduled and only 11 weeks until the deadline, the prospect for passage remains uncertain. Meanwhile, the California legislature has scheduled hearings for July 2 and 9 regarding several other unrelated data privacy bills: proposed changes to the data breach notification law (July 2), registration for data brokers (July 2), and the smart TV privacy bill (July 9). The California Legislature’s deadline to pass any bill is September 13, 2019, with the Governor’s deadline to sign or veto bills a month later, October 13.
| Bill | Brief Explanation | Status |
| AB 25 | Excludes employees from definition of consumer | Passed Assembly, currently before Committee on Judiciary |
| AB 846 | Amends the text of the exception to the CCPA’s anti-discrimination clause | Passed Assembly/Committee on Rules, currently in Committee on Judiciary |
| AB 873 | Clarifies that “personal information” does not cover all “information that is…capable of being associated” with a particular individual or household, but instead information that is “reasonably capable of being [so] associated”; revises the definition of “deidentified” | Passed Assembly/Committee on Rules, currently in Committee on Judiciary |
| AB 874 | Amends the definition of “personal information” to exclude deidentified or aggregated consumer data and amends the definition of “publicly available information” to mean information lawfully made available from federal, state, or local government records | Passed Assembly/Committee on Rules, currently in Committee on Judiciary |
| AB 981 | Eliminates a consumer’s right to request a business to delete or not sell the consumer’s personal information under the CCPA if it is necessary to retain or share the consumer’s personal information to complete an insurance transaction requested by the consumer | Passed Assembly, referred to Committee on Judiciary and Committee on Insurance |
| AB 1355 |
Cleans up the wording of a number of provisions to clarify that the CCPA:
|
Passed Assembly/Committee on Rules, currently in Committee on Judiciary |
| AB 1564 |
Changes the designated method to submit information requests to no longer require a toll-free number in all instances. Specifically, businesses would have to offer:
|
Passed Assembly, amended and re-referred to Committee on Judiciary |
The following additional bills related to privacy and security are also pending:
| Bill | Brief Explanation | Status |
| AB 1130 | Expands data breach requirements to include notifying customers if their passport and government ID numbers, along with biometric data, such as retina scans and fingerprints have been wrongfully acquired and authorizes notifying other entities that use the same type of biometric data as an authenticator to no longer rely on such data for authentication purposes | Passed Assembly, set for hearing before the Committee on Judiciary on July 2, 2019 |
| AB 1202 | Requires data brokers to register with the Attorney General (AG), requires the AG to create a publicly available registry of data brokers, and grants AG enforcement authority | Passed Assembly, set for hearing before the Committee on Judiciary on July 2, 2019 |
| AB 1395 | Expands smart TV privacy bill to apply to any connected device with a voice recognition feature. Generally, prohibits a company from remotely storing voice recordings obtained from a “smart speaker device” without consent, the sharing or sale of such recordings, and the use of recordings for advertising purposes. | Passed Assembly, set for hearing before the Committee on Judiciary on July 9, 2019 |
California Attorney General Xavier Becerra is set to release the first draft of CCPA regulations via a Notice of Proposed Regulatory Action in early fall 2019. The AG will hold public hearings to address public comments and is required to adopt formal regulations by July 1, 2020. Notably, however, the AG is not required to issue regulations regarding what constitutes a verifiable consumer request. Companies therefore must do their best to work with the current and somewhat vague language to determine what constitutes a verifiable request as they prepare to comply with that provision of the statute.
Attorney General Becerra and Senator Hannah-Beth Jackson introduced a bill (Senate Bill 561) earlier this year that would have changed the enforcement scheme to include a private right of action for any violation of the statute, not just those stemming from a data breach. The Senate Appropriation Committee took the bill under submission, on May 16, effectively preventing it from passing out of the Senate this session.