Companies doing business in California have been watching to see if the state’s legislature would water down a wide-reaching data privacy statute. As the legislative session adjourned earlier this month, it might have left those companies disappointed.
The California Consumer Privacy Act, enacted last year, will give California’s 40 million residents unprecedented rights over the data that companies collect, store and use about them. Effective Jan. 1, Californians will be entitled to notification from many businesses on how their data is used and may request access to their personal data or even have that data deleted. The CCPA’s consumer data protections are set to be the most robust of any state and go beyond what most U.S. businesses have been prepared to comply with.
On Sept. 13, the last day of its session, the California State Legislature approved five amendments to the CCPA. Some of the amendments would make business-friendly tweaks to the data privacy law but leave the core obligations, like consumers’ right to have their data deleted on request, mostly intact.
Even as the session adjourns and the CCPA’s language is set — assuming California Gov. Gavin Newsom signs each passed amendment — the data privacy community is still waiting for the California Attorney General’s Office to issue its regulations on the CCPA.
The most significant approved amendments include a limited, temporary carveout for the data businesses collect for employment purposes and a slightly narrower definition of “personal information” as it intersects with “publicly available information.” While the amendments are minor, “some of them provide some common-sense clarity where the law really lacked it before,” said Greg Szewczyk, a commercial litigator at Ballard Spahr’s Denver office who has a data privacy and security counseling practice.
Assembly Bill 25 will mostly exclude from the CCPA personal information that a business collects from someone who is acting as an applicant, employee, contractor or owner. Businesses will still need to give job candidates notice, for example, on what personal data they’re collecting from candidates and how it may be used. Another caveat is that the bill will sunset on Jan. 1, 2021.
While AB 25 is less business-friendly than when it was introduced, Szewczyk said, it’s a necessary change that should better enable employment functions like HR and benefits under the CCPA. Employees shouldn’t expect to have the “right to be forgotten” or opt out of information-sharing in those contexts, like they would as consumers, he added.
But the CCPA still gives employees a private right of action to sue in the event their data is compromised, “and I think that’s still very significant,” Szewczyk said. Businesses already face a heightened risk of data breaches involving their employees’ data, one example being the increased phishing attempts on employers for their W-2s, he added.
Another notable amendment that passed was AB 1355, which exempts certain business-to-business data transfers from most CCPA requirements. Data transfers between a company and a third party’s employees or managers when they’re conducting due diligence or providing a product or service wouldn’t fall under the CCPA’s personal information definition.
Szewczyk said an example of this scenario is food manufacturers that sell their products to grocery stores and don’t engage in any consumer transactions, yet when they come into contact with store employees’ data through email or other communications, they might have been subject to CCPA obligations.
Like AB 25, AB 1355 and its B2B carveouts would only be effective until Jan. 1, 2021.
Earlier in the session, California lawmakers weighed amendments to exclude loyalty programs and targeted advertising campaigns from the personal information requirements, but those measures failed. Some amendments, in some form, might return in future sessions.
“I expect to see some of the more business-friendly amendments pushed by the tech organizations to come back,” Szewczyk said. Success will depend on the political climate, which currently seems unfavorable toward watering down privacy restrictions and requirements, he added.
Preparedness for the CCPA “really varies” among companies right now, Szewczyk said. He has some clients who have been working on CCPA compliance since 2018, with plans to do a soft launch in November to test-run certain compliance systems. Other companies have been reluctant to take firm steps before seeing what changes came out of the California legislative session that just wrapped up; some might have seen their risk profile change significantly from the amendments, such as the B2B carveout in AB 1355, he said.
But companies’ attention will turn to the California Attorney General’s Office, which is tasked with enforcing the CCPA. The office is reviewing public comments and is expected to release draft regulations on CCPA enforcement this fall.
So far, the office hasn’t given much indication as to what those regulations might look like, or how it will apply the widely varied public comments it’s received, Szewczyk said. “It’s pretty opaque at this point.” He added, however, that the California Attorney General’s Office is scaling up in size in preparation to enforce the CCPA.
— Doug Chartier