#CCPA Legislative Update: “And the days dwindle down … to a precious few….” (September Song, Kurt Weill)

The California 2019 legislative session closes on Friday, and thus all bills must be finalized to move to the Governor’s desk for signature. That means that all pending CCPA amendments have a few more days. Last Friday marked the last day on the legislative calendar on which changes could be made from the floor to pending amendments, and the California Senate did just that with several of the CCPA Assembly bills. These floor changes altered the procedural position of the amendments, which now require an up-or-down vote of both the Senate and the Assembly before they can move to the Governor.

Let’s look at the substantive amendments first:

AB-846 (non-discrimination in customer loyalty programs) is amended to restrict the manner in which personal information collected through loyalty programs may be sold.  The business must obtain express consent of the consumer to sell the information to a specific third party after the business discloses the “terms” of the sale, and the third party must only use the information “for the purposes of identifying the consumer as an eligible member of the [loyalty program].”   The third party is also restricted from retaining or otherwise using or disclosing the personal information.  

AB-1355 (a collection of clarifying amendments and exemptions) now adds a new one-year exemption (until January 1, 2021) for personal information collected by a business through B2B transactions, with specific limitations: (a) information is collected in the context of the business conducting due diligence regarding a company, nonprofit, or government agency, or (b) the information is collected in the provision or receipt of a product or service to or from a company, nonprofit, or government agency. It is unclear from the amendment what the purpose of the one-year “grace period” is. New language also revises the exemption for compliance with the Fair Credit Reporting Act (FCRA), clarifying that use or disclosure of personal information by a consumer reporting agency, furnisher of information, or user of a consumer report (such as an employer) is exempt from the CCPA, so long as that activity is regulated by the FCRA. Like other exemptions, this exemption does not apply in the event of a data breach that would be actionable under the CCPA’s private right of action.

The Senate made some technical changes to the amendments below, confirming that the amendments are “compatible” and setting the order of enactment to avoid unintended legal impacts. 

AB-25 carves out employee and certain business information from the definition of “consumer” and has been narrowed to include a notice requirement for employers.  It also sunsets on January 1, 2020, thus committing the Legislature and interested parties to take up more comprehensive employee privacy legislation in 2020. No substantive changes.

AB-874 excludes information lawfully obtained from government records from the definition of “personal information” and it clarifies that de-identified or aggregate information is not “personal information.” No substantive changes.

AB-1146 excludes the sharing of vehicle information or ownership information as between a new motor vehicle dealer and the OEM from the right to opt-out if that sharing is for warranty repair or recall purposes.  No substantive changes.

AB-1564 requires that businesses provide two methods for consumers to exercise their CCPA rights, including, at a minimum, a toll-free telephone number.   The bill also adds an exception to the method of contact that permits “a business that operates exclusively online and has a direct relationship with a consumer from whom it collects personal information” to only provide an email address for submitting requests to exercise various CCPA rights.  No substantive changes.

We will continue to follow the status as the legislative process winds down.  Check back here for #CCPA Updates.

Cynthia J. Larose

Member / Co-Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.