This week marks the final opportunity for California lawmakers to amend the CCPA before the legislative session closes on Friday, September 13th. The legislative posture of the amendments changed last Friday, when the Senate made changes to all of the active amendments. These bills still require an affirmative vote of both houses this week before they can head to the Governor’s desk for a signature. The Governor then has until October 13th to sign the bills into law.
Substantive changes were made to the following three amendments, AB 846, AB 1355, and AB 1202, as follows:
- AB 846 (loyalty programs) now only would permit the sale of personal information collected through loyalty programs in very limited circumstances, and limits the third party purchaser’s retention and use of such data other than for eligibility purposes.
- AB 1355 (clarifying amendments & exemptions) now adds a one-year exemption under the CCPA for personal information obtained by a business through B2B communications or transactions, specifically in the context of (a) the business conducting due diligence regarding a company, nonprofit, or government agency, or (b) the provision or receipt of a product or service to or from a company, nonprofit, or government agency.
- AB 1202 (data broker registration) removed a provision that would have satisfied the compliance obligations of registered data brokers through website notices.
Otherwise, the Senate made technical changes to the amendments, confirming that the amendments are compatible and that their order of enactment will not have an unintended legal impact. Procedurally, these changes mean that the amendments must be approved not only by the California Senate but also by the California Assembly.
Here’s the full list of pending amendments, as of September 9th:
- LOYALTY PROGRAMS: Assembly Bill 846 would remove loyalty/rewards programs from the discrimination provisions of the CCPA but under very limited circumstances that are likely to materially affect how and if such programs are offered to California residents.
- What’s New? The new language in the amendment would permit the limited sale of personal information to a third party that is collected as part of a loyalty, rewards, premium features, discounts, or club card program “in order for the third party to provide the consumer with a financial incentive, sale, or other discount” but only when: (1) the business obtains the consumer’s express consent to sell the information to the specific third party (and where the consumer has the option to participate in the program on equal terms with other participants without providing consent); and (2) the third party can only use the personal information to identify the consumer’s discount eligibility, and does not otherwise retain, use, or disclose the personal information separate from such eligibility determination.
- CLARIFYING AMENDMENTS & EXEMPTIONS: Assembly Bill 1355 exempts deidentified or aggregate consumer information from the definition of personal information; creates a new, one-year exemption for certain B2B communications or transactions; and broadens the existing exemption for compliance with the federal Fair Credit Reporting Act (FCRA).
- What’s New? AB 1355 adds a limited, one-year exemption from the notice and rights provisions of the CCPA for personal information obtained from representatives of a business who communicate or transact with another business. The exemption applies when a consumer is a “natural person who is acting as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency.”
The amendment would enable a business to claim the exemption with regard to “personal information reflecting a written or verbal communication or a transaction between the business and the consumer.” Importantly, such communications or transaction with the business must occur solely within the context of the business either (a) “conducting due diligence regarding” such company, partnership, sole proprietorship, nonprofit, or government agency, or (b) “providing or receiving a product or service to or from such company, partnership, sole proprietorship, nonprofit, or government agency.”
In addition, new language in AB 1355 revises the exemption for compliance with the FCRA, clarifying that activity involving the disclosure or use of personal information by a consumer reporting agency, furnisher of information, or user of a consumer report is exempt from the CCPA as long as that activity is regulated by the FCRA. The exemption does not apply in the case of a data breach actionable under the CCPA’s private right of action.
- DATA BROKER REGISTRATION: Assembly Bill 1202 requires data brokers to register with the California Attorney General.
- What’s New? Earlier versions of the amendment included a provision that would have enabled data brokers to satisfy their obligation under California law to inform consumers about personal information collected and the purposes of collecting such information by posting that information on the data broker’s website. The latest version of the amendment removes this language.
The following amendments moved forward without substantive changes.
- EMPLOYEE EXEMPTION: Assembly Bill 25 changes the CCPA so that the law would not cover collection of personal information from job applicants, employees, business owners, directors, officers, medical staff, or contractors for one year.
- CONSUMER REQUEST FOR DISCLOSURE METHODS: Assembly Bill 1564 would require businesses to provide two methods for consumers to submit requests for information, including, at a minimum, a toll-free telephone number. A business that operates exclusively online and has a direct relationship with a consumer from whom it collects personal information would only be required to provide an email address for submitting CCPA requests.
- VEHICLE WARRANTIES & RECALLS:Assembly Bill 1146 would exempt vehicle information retained or shared for purposes of a warranty or recall-related vehicle repair.
- PUBLICLY AVAILABLE INFORMATION: Assembly Bill 874 streamlines the definition of “publicly available” to mean information that is lawfully made available from federal, state, or local government records. The bill also would amend the definition of “personal information” to exclude deidentified or aggregate consumer information.