Reed Smith Client Alerts

On April 23, 2019, the California Assembly’s Committee on Privacy and Consumer Protection, which exercises jurisdiction over privacy and personal information protection matters, approved several amendment bills intended to clarify and narrow the scope of the California Consumer Privacy Act (CCPA or the Act). The CCPA, which is set to take effect in January 2020, will impose landmark burdens and obligations on businesses that in many respects go beyond those required by the EU’s General Data Protection Regulation (GDPR). Businesses nationwide will be challenged with reconciling the ambiguities in the Act, which is presently expected to look back on data collection and processing activities from as early as January 2019. Further complicating the matter is the fact that the law has been amended once and requires implementation of regulations by the California Attorney General that are not expected to be finalized until at least the end of this year.

The amendments approved by the Committee include three key clarifications of the CCPA:

(i)Employees are not “consumers” for the purposes of the CCPA;

(ii)“Personal information” will no longer include information that is merely “capable of being associated” with a particular individual and will exclude “household”-level information; and

(iii)The definition of “Deidentified” information will exclude information “capable of being associated with” a particular individual.

Six other amendment bills were also approved at the hearing, while two bills, including the expansive Privacy for All Act, were withdrawn. The approved amendment bills will now be reviewed by the Assembly’s Appropriations Committee before advancing to a full Assembly vote and, ultimately, to the California Senate. This timely movement suggests California legislators are beginning to appreciate the magnitude and business consequences of this sweeping new law.

Employee data exempted

The current text of the CCPA has been widely interpreted to cover the personal information of covered businesses’ California employees because “consumer” is broadly defined to mean any “natural person who is a California resident … however identified, including by unique identifier” and because “personal information” is defined to include both “professional and employment-related information.” Such an interpretation aligns with past consumer protection enforcement activity by other agencies, including the Federal Trade Commission, which has previously taken the positon that “employees” are “consumers.” AB 25, proposed by Committee Chairman Ed Chau, excludes employees from “consumers”:

“Consumer” does not include a natural person whose personal information has been collected by a business in the course of a person acting as a job applicant to, or as an employee, an employee of, contractor, a contractor of, or agent, an agent on behalf of  of, the business, to the extent their  the person’s personal information is collected and used solely for purposes compatible with within the context of the person’s activities for the business as a job applicant, employee, contractor, role as a job applicant to, an employee of, a contractor of, or an agent on behalf of of, the business. For purposes of this subdivision, “contractor” means a natural person who provides services to a business pursuant to a written contract.

Notably, this would exempt personal information of California employees, job applicants, and some contractors collected in the normal business context, providing considerable relief for many covered entities. However, the inclusion of the limitation “solely” calls into immediate question whether the exception would apply to employee benefits and affinity programs. In any event, the change would be a dramatic narrowing of a costly area of compliance that critics have suggested would do little to improve privacy protections.