On July 9, 2019, the California Senate Judiciary Committee advanced a number of proposed amendments to the California Consumer Privacy Act (“CCPA” or the “Act”), including changes that would significantly impact the treatment of employee data, customer loyalty programs, and consumer request methods.
Turning first to employee data, AB 25 would largely remove employees (and job applicants, as well as owners, directors, officers, contractors, and medical staff members) from the definition of “consumer” under the CCPA. Information that is uniquely collected and used within the employment context would be temporarily exempted from the CCPA’s stable of consumer rights, including, for example, rights of access and deletion.
Importantly, however, the newly negotiated amendments to the bill would still require employers to notify employees (at or before the point of collection) of the categories of personal information being collected about them, and the purpose underlying any such collection. Employers will retain discretion regarding the manner in which such notification can be delivered, which could include email, an updated employee handbook, or another employee communication method. Significantly, the employee exemption will not apply to the private right of action authorized by the CCPA in the event of a data breach resulting from a business’ failure to maintain reasonable security practices and procedures. Thus, employees can still state a claim occasioned by the breach of their nonencrypted or nonredacted personal information, compensable in the greater of $100-$750 per consumer per incident or actual damages.
Perhaps most importantly, however, all of the employee exemptions in AB 25 will expire on January 1, 2021, and are only placeholders designed to provide temporary relief and allow more time for additional negotiations regarding the treatment of employee data under the CCPA.
The amended AB 25 also clarifies to some degree how businesses responding to consumer requests (excluding “do not sell” requests) are allowed to verify the identity of the consumer requesting the information, and authorizes businesses to “require authentication of the consumer that is reasonable in light of the nature of the personal information requested. . . .” While a business may require a consumer to submit such a request through his account with the business, to the extent he already maintains one, a business may not otherwise require a consumer to create an account in order to submit a request.
Another bill, AB 846, also provides some clarification to the anti-discrimination provisions of the CCPA, allowing businesses to offer consumers a “different price, rate, level, or quality of goods or services,” provided the difference is connected to a consumer’s “voluntarily participation in a loyalty, rewards, premium features, discounts, or club card program.” The Assembly bill, which carved out customer loyalty programs from the CCPA’s protections prohibiting discrimination against consumers exercising their rights under the Act, was amended in the Senate to, among other things, prohibit a business from selling the personal information of consumers collected pursuant to a customer loyalty program. Furthermore, the amended bill preserves the absolute right to opt out of the sale of personal information, requiring that businesses that offer customer loyalty programs must make them available even to those consumers who have opted out of the sale of their personal information.
Finally, AB 1564 modifies the CCPA’s original requirement to provide two or more methods, including, at minimum, a toll-free telephone number, for submitting requests for information, to allow an online-only business to make available merely an email address for the purposes of submitting requests.
While these measures provide much-needed clarifications and refinements, it is important to keep in mind that these Senate changes must return to the Assembly for confirmation, and must be signed by the Governor to become law. Therefore, the closing weeks of the session might still have further changes, and potentially surprises, in store. Dorsey’s CCPA Team will continue to monitor developments closely, and provide timely updates as appropriate.