Although there certainly will be more bills proposed to amend the California Consumer Privacy Act (CCPA), there already are a significant number of bills that have been working their way through the legislative process. One of these bills – SB561, which would expand the CCPA’s private right of action – received widespread attention when it was introduced in February. However, SB561 is one of only 18 bills that would amend or supplement the CCPA. Many of these bills deal with important amendments to the CCPA that privacy law experts have been requesting since it was first enacted last summer.
In the below post, we identify and analyze these bills. In doing so, we first provide a summary of the most significant proposed changes and takeaways. We then provide a table linking to each bill, identifying the issue to which it is directed, and providing an analysis of the bill’s proposed changes.
Over the next few months, Husch Blackwell’s privacy and data security blog will periodically update our work as new bills are proposed. Register here to stay up-to-date on these changes.
No Reason to Delay Compliance Efforts: Entities that are delaying compliance efforts in the expectation of widespread changes to the CCPA will be disappointed. None of the proposed bills seeks to remove the CCPA’s core privacy rights (i.e., right to access, right to be forgotten, right to opt-out) or make a change to the CCPA’s terms that would justify taking a “wait-and-see” approach.
Fixing the Deidentification Exemption: A number of the bills seek to fix the CCPA’s treatment of deidentified and aggregate data by fixing a typo in the last sentence of the CCPA’s definition of “personal information.” The statute incorrectly states that “publicly available” does not include deidentified or aggregate consumer information when it should state that “personal information” does not include such information. One of the bills also would modify the definition of “deidentified.” That change is presumably in response to criticism from privacy experts that the CCPA’s definition is out of alignment with other privacy laws.
Employment Information: AB25 would modify the definition of “consumer” to exclude certain employment-related information. Those who have closely-monitored the CCPA have anticipated that the legislature would likely remove employment-related information from its coverage. Notably, however, the current draft of the bill does not remove professional or employment-related information from the definition of “personal information.”
Removal of Household: AB873 would delete the word “household” and the phrase “is capable of being associated with” from the definition of “personal information.” The CCPA does not define “household,” which has added to the ambiguity of the definition of personal information. Notably, the bill does not remove the term “household” from other places in the CCPA, such as the definition of “business.”
Private Right of Action: As noted, SB561, which is backed by the Attorney General’s office, would expand the private right of action to cover the CCPA’s privacy-related rights.
Tag Along Bills: A number of bills seek to add new statutory provisions that would supplement the CCPA. This includes bills on data brokers, facial recognition technology, social networking services, and providing disclosures regarding the monetary value of consumer data.
|AB25||Exclusion of Certain Employment Information from Definition of Consumer||The bill would exclude from the definition of “consumer” “a natural person whose personal information has been collected by a business in the course of a person acting as a job applicant or as an employee, contractor, or agent, on behalf of the business, to the extent their personal information is used for purposes compatible with the context of the person’s activities for the business as a job applicant, employee, contractor, or agent of the business.”|
|AB288||Social Networking Service||The bill would require a social networking service to provide users that close their accounts the option of having their personally identifiable information permanently removed from the company’s database and records. Users also would be able to prohibit the service from selling that information to, or exchanging that information with, a third party in the future, subject to certain exceptions. The bill would authorize a consumer to sue the service for a violation. The bill would supplement the CCPA by adding §§ 1798.90.7 and .75 to the Civil Code.|
|AB846||Non-discrimination Provision||The bill would amend § 1798.125, which currently prohibits a business from discriminating against a consumer if the consumer exercises any of their CCPA rights. The current version of the amendment would provide that businesses could offer gift cards, discounts, payments, or other benefits associated with a loyalty or rewards program as compensation for the collection, sale, or retention of personal information. A business would be required to provide a notice that clearly describes the material terms of the incentive program, the consumer would have to give opt-in consent prior to entering into the incentive program, and the consent could be revoked at any time.|
|AB873||Deidentification / Removal of Household from Definition of Personal Information||
The bill would amend the CCPA’s much-criticized definition of “deidentified” to be “information that does not reasonably identify or link, directly or indirectly, to a particular consumer, provided that the business makes no attempt to reidentify the information, and takes reasonable technical and administrative measures designed to: (1) Ensure that the data is deidentified. (2) Publicly commit to maintain and use the data in a deidentified form. (3) Contractually prohibit recipients of the data from trying to reidentify the data.”
The bill also would remove “household” and the phrase “is capable of being associated with” from the definition of personal information.
Additionally, the bill would make the following change to 1798.145(i): “This title shall not be construed to require a business to reidentify or otherwise link information that is not maintained in a manner that would be considered personal information. personally identified form.“
|AB874||Correct Definition of Personal Information||The bill would correct the definition of “personal information” to clarify that it does not include deidentified or aggregate consumer information. The bill would also redefine “publicly available” by removing the following sentence: “Information is not ‘publicly available’ if that data is used for a purpose that is not compatible with the purpose for which the data is maintained and made available in the government records or for which it is publicly maintained.”|
|AB950||Disclosure of Monetary Value of Consumer Data||
The bill would also require a business that collects a California resident’s consumer data, and that sells that data, to disclose to the consumer the average price it is paid for a consumer’s data and to disclose to the consumer the actual price it was paid for a consumer’s data upon receipt of a verifiable request for that information from the consumer.
The bill would supplement the CCPA by adding §§ 1798.91.01 and .02 to the Civil Code.
|AB981||Exemption||The bill would exempt insurance institutions, agents, and support organizations to which the Insurance Information and Privacy Protection Act applies from the CCPA.|
|AB1146||Exemption||The bill would make the following change in § 1798.145(g): “This title shall not apply to vehicle information, including ownership information, shared between a new motor vehicle dealer, as defined in Section 426 of the Vehicle Code, and the vehicle’s manufacturer, manufacturer branch, distributor, distributor branch, or affiliate, as defined in Section 672 of the Vehicle Code, if the vehicle information is share shared pursuant to, or in anticipation of, a vehicle repair relating to warranty work or a recall conducted pursuant to Sections 30118 to 30120, inclusive, of Title 49 of the United States Code.”|
The bill would require “data brokers” to register with, and disclose certain information to, the California Attorney General. A data broker is defined as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” The bill excludes certain entities such as financial institutions subject to the Gramm-Leach-Bliley Act. Data brokers would be required to provide consumers with the right to opt-out of the sale of their personal information and any other rights afforded by the CCPA.
The proposed legislation would supplement the CCPA by adding §§ 1798.99.82 and 84 to the Civil Code.
|AB1281||Facial Recognition Technology||This bill would add § 1798.300 to the Civil Code and require a business in California that uses facial recognition technology to disclose that usage in a physical sign that is clear and conspicuous at the entrance of every location that uses facial recognition technology. The bill would consider a violation of its provisions to be unfair competition within the meaning of the Unfair Competition Law.|
|AB1355||Correct Definition of Personal Information||The bill would correct the definition of personal information to clarify that deidentified and aggregate data is not personal information. The bill also would make a number of grammatical, non-substantive changes.|
|AB1416||Exemption||The bill would amend § 1798.145(a)(4) to provide that the CCPA does not restrict a business’s ability to collect, use, retain, sell, or disclose personal information to (a) exercise, defend, or protect against legal claims, (b) protect against or prevent fraud or unauthorized transactions, (c) protect against or prevent security incidents, or other malicious, deceptive, or illegal activity, or (d) investigate, report, or prosecute those responsible for fraudulent or illegal activity.|
|AB1564||Methods for Receiving Requests||This bill would modify § 1798.130 to provide that a business can make a toll-free number or email address available for submitting requests or a website (if the business has a website).|
|AB1758||Grammatical Change||The bill would make the following grammatical change in § 1798.100(e): “This section shall not require a business to retain any personal information collected for a single, one-time transaction, if such that information is not sold or retained by the business or to reidentify or otherwise link information that is not maintained in a manner that would be considered personal information.”|
|AB1760||Grammatical Change||The bill would make the following grammatical change in § 1798.105(a): “A consumer shall have the right to request that a business delete any personal information about the consumer which that the business has collected from the consumer.”|
|SB561||Private Right of Action||The bill would create a private right of action for violations of the CCPA, and eliminate the 30-day cure period. It also would replace the provision allowing businesses or third parties to seek the opinion of the AG’s office with a provision providing that the AG’s office “may publish materials that provide businesses and others with general guidance on how to comply” with the CCPA.|
|SB752||Grammatical Change||The bill would make the following grammatical change in § 1798.125(b)(1): “A business may offer financial incentives, including payments to consumers as compensation, for the collection of personal information, the sale of personal information, or the deletion of personal information. A business may also offer a different price, rate, level, or quality of goods or services to the consumer if that price or difference is directly related to the value provided to the consumer by from the consumer’s data.”|
|SB753||Grammatical Change||The bill would change “Internet” to “internet” and “Internet Web” to “internet web” in § 1798.135(a)(1) and (2).|