On May 16, Senate Bill 561, an initiative to strengthen and enhance the California Consumer Privacy Act, was basically left for dead in that state’s legislature.
The likely fatal blow to controversial amendments was delivered by the California Senate Appropriations Committee after it held a hearing that failed to garner needed support for the changes.
The proposed bill sought three main changes to the CCPA: expanding consumer’s private right of action from breaches to all violations of CCPA; removing a 30-day allowance for companies to address complaints and violations before intervention by the state attorney general; and authorizing the AG to issue general guidance on compliance with the law as needed.
Multiple other amendments, both generated by privacy advocates and business community alike, are still working their way through the legislation. Among them, according to a client advisory by law firm Manatt, Phelps & Phillips:
- clarifying that employees are not “consumers” for purposes of the CCPA, as long as the personal data is collected and used solely within the context of the employment relationship or a written contract in the case of third-party contractors;
- a qualification that personal information does not encompass all “information that is capable of being associated” with a particular individual or household, and is, instead, limited to information that is “reasonably capable” of being associated;
- exempting voluntary participation in loyalty programs from the CCPA’s non-discrimination restrictions;
- alternatives to the CCPA’s mandate that businesses establish a toll-free number to receive requests under the statute;
- an exemption to the definition of “personal information” for public records; and
- permitting the sharing of motor vehicle warranty information between auto dealers and manufacturers.
The California law, enacted in June 2018 and effective in January 2020, defines a covered “business” as any for-profit entity that either does $24 million in annual revenue; holds the personal data of 50,000 people, households, or devices; or does at least half of its revenue in the sale of personal data.
Among the requirements: granting consumers the right to request deletion of personal information, providing a right to request companies disclose the categories of information that it collects and the identity of third parties to which the information was sold or disclosed, prohibiting a company from discriminating against consumers who opt out of data collection, and allowing businesses to offer financial incentives in exchange for the collection of personal information.
In light of potential confusion facing those covered by the rule, the law firm Ballard Spahr offered some advice in a recent advisory. “Businesses should continue to monitor legislative activity and rulemaking concerning the CCPA, as further amendments and the final implementing regulations are likely forthcoming soon,” it wrote. “Given the approaching effective date and the possibility that it will not be extended by further amendments or the implementing regulations, there may not be a great deal of time in which to comply with revised requirements.”