Countdown to the CCPA: Failed Bill Means Stricter Personal Data Definition

Less than six months before the California Consumer Privacy Act takes effect, compliance with the landmark regulation just become more challenging.

Assembly Bill 873 was struck down during a July 9 meeting of the California State Senate’s Judiciary Committee. The proposed amendment would have revised the CCPA’s definition of “de-identified” personal data to mean “information that does not identify, and is not reasonably linkable, directly or indirectly, to a particular consumer.” This would have aligned the CCPA with Federal Trade Commission (FTC) standards for de-identification. Instead, the law’s current form retains a higher bar for claiming that data has been de-identified.

The bill’s failure is a win for privacy advocates, who were concerned that the change would have created too much leeway for the use of certain types of information that could still be linked to an individual. For businesses, on the other hand, it means that abiding by the FTC’s guidelines — a longstanding industry standard — will no longer be sufficient.

More Amendments Moving Forward

Last week’s legislative hearing gave a green light to other proposed amendments, including AB 25, which would ease burdens on employers by exempting information collected solely in the context of employment. This amendment, however, has been modified in three ways; under the revised proposal:

• Employers would be obliged to notify employees of the specific information that is being collected.
• A private right of action would apply in cases of employee information breaches.
• The exemption would only be valid for one year from the CCPA’s enactment, coming to an end on January 1, 2021.

The committee also moved forward AB 846, which would clarify that consumer loyalty programs do not violate the CCPA’s nondiscrimination protections, but would prohibit the sale of data to third parties. While this amendment would seem like a win for businesses that depend on customer loyalty programs, it would not completely resolve the ambiguity surrounding the CCPA’s language on this issue.

Despite Continuing Uncertainty, Action is Required

Although AB 25 and AB 846 are moving forward, a final determination of their outcomes and other amendments pending hearing won’t be made until the fall. Businesses, however, cannot wait for more clarity before starting to make decisions and determine required changes to their operations in order to comply with the CCPA, which is set to become the most stringent and comprehensive data protection law in the US.

In addition to revising their security procedures, businesses must consider the potential implications for their insurance programs. Like any other new regulation, the CCPA will result in greater exposure to enforcement actions, as has been seen with the European Union’s General Data Protection Regulation. Organizations should consult with their insurance advisors and analyze their coverage terms and program limits in view of potential fines and penalties that may be assessed under the CCPA.

The CCPA’s final language is still in flux, but businesses have less than six months before it takes effect. Now’s the time to get ready.