The California Consumer Privacy Act (CCPA) passed on June 28, 2018, and even before arriving at its January 1, 2020 effective date, it has undergone amendment, additional proposed amendments, and amendments to the proposed amendments. So, it is not ready to be written in stone.
In May of this year, the California Assembly proposed several revisions to the CCPA, most notably:
- an exclusion of employees from the definition of consumer
- a more flexible definition of “deidentified” consumer information and a narrower definition of “personal information”
- a clarification that certain prohibitions do not apply to customer loyalty programs
This month, the proposed amendments came before the California Senate Judiciary Committee and some underwent additional revision.
Just when we thought employees were out, they pull them back in. Now, the new proposed language would subject information collected from “a job applicant, employee, owner of, director of, officer of, medical staff member of, or contractor of that business” to the CCPA’s private civil action provision relating to data breach and its requirement to inform the consumer/employee as to the categories of personal information to be collected. The exclusion of employee personal information from the remaining parts of CCPA continues until January 1, 2021, at which time, presumably, employee personal information becomes subject to all of the CCPA’s provisions absent any further amendment.
The Senate Committee rejected the proposed relaxed definition of “deidentified” information and narrower definition of “personal information.” Thus, those terms will remain largely unchanged. The amendment relating to loyalty programs survived with minor changes, maintaining the proscription on the CCPA “being construed to prohibit a business from offering different price, rate, level, or quality of goods or services to a consumer if the offering is in connection with a consumer’s voluntary participation in a loyalty, reward, premium features, discount, or club card program….” The Committee, however, inserted language to ensure that this prohibition would not be construed to allow the selling of personal information, adding that the CCPA “would prohibit a business from selling the personal information of consumers collected as part of loyalty, rewards, premium features, discounts, or club card program.”
We are likely not done. Further changes to these amendments and new proposals could further alter CCPA as some of these need to go back to the Assembly and others continue on to the Senate Appropriations Committee before hitting the Governor’s desk. In the meantime, businesses must begin taking steps to comply with CCPA in order to meet its January 1, 2020 effective date. Despite the lingering uncertainty, there are foundational steps businesses can take to better understand the personal information they process and to improve their information security programs to ready themselves for CCPA compliance.
For more information, please contact the Michael Best Privacy & Cybersecurity Team.