Companies across the country are waging one last battle in Sacramento to carve out a few exemptions before California’s tough data privacy law is approved by the state’s lawmakers, who will adjourn for the year by the end of this week.
Retailers, online advertisers, small businesses and groups representing employers are all seeking either exemptions or amendments to the California Consumer Privacy Act, or CCPA, which has set the stage for a national debate on how companies should safeguard users’ personal information online.
The state’s constitution requires that all amendments and bills for the legislature’s consideration be filed and printed 72 hours before the end of the session, making Monday the deadline for proposing changes to the law. The assembly ends its session for the year on Friday.
The law was passed in 2018, and signed by the governor, but until it goes into effect on Jan. 1, 2020, the legislature can amend it.
“As a coalition we are trying to find compromise solutions to the problems we have raised last year,” Sarah Boot, policy advocate on privacy issues at the California Chamber of Commerce, told CQ Roll Call in an interview, referring to concerns the group has voiced since the law was passed last July. “Businesses want to comply with the law but we want to see more fixes.”
In the absence of a federal data privacy bill, the California statute could eventually become the default national standard much like how the state’s auto emission standards became the benchmark for U.S. gasoline mileage requirements. Lawmakers in Congress are still discussing options for a national bill on data privacy but it’s unclear if a proposal will clear both the chambers and become law by December.
The International Association of Privacy Professionals is tracking all the proposed changes to the California law and lists 10 different amendments that are still in consideration, while listing eight other proposals as “presumed dead.”
Of the several changes sought by companies in California, one of the main ones that has gained traction is an amendment that would grant a one-year exemption for companies collecting data on employees and job applicants from being considered “consumers” under the law. The amendment has cleared the state’s Senate Judiciary Committee and now awaits passage in the full upper chamber before being approved by the assembly and heading to the governor’s desk.
Under the expansive definition of personal information in the law, several scenarios that have nothing to do with consumers could be affected, including data collected by employers on employees, Boot said.
Left unaddressed, the law would have covered all employee emails, internal discussions on projects, and potentially employees’ internet search history on a company’s computers, Boot said. Without the amendment, the law would also have allowed employees to demand that employers delete all their emails, potentially destroying any evidence in cases involving sexual harassment and other workplace misbehavior, she said.
The amendment would allow employee data to be exempt from the law for one year, while companies and labor unions work to come up with a compromise on what data can be collected by employers and how it should be stored and used, Boot said.
Stricter than Europe’s law
The California law in some cases is tougher than the European Union’s General Data Protection Regulation, or GDPR, that went into force last year.
The GDPR and California privacy laws offer affirmative rights to consumers with respect to data being collected on them by online companies. These include: the right to know what is being collected, access to the data, and the right to delete, correct, or erase data, carry one’s data from one company to another, and in California’s case, the right to opt-out of one’s information being sold to other entities.
While GDPR considers personal information as anything that is directly or indirectly identified or identifiable with an individual, the California law goes further, covering not only an individual but also data belonging to a household.
The CCPA also includes under “personal information” inferences that can be drawn from disparate data sets using artificial intelligence algorithms.
CCPA defines personal information as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
Although the Chamber of Commerce tried to remove the household as a unit from the definition of personal information in the law, it fell short of its goal in the California legislature.
Customer loyalty programs
Another proposed change that is unlikely to survive is a push by retailers and advertisers to exempt customer loyalty programs from the law’s provisions. Companies tried to argue that consumers would stand to lose if a grocery chain is not allowed to share customer details with say a gas station chain or similar arrangements among airlines, hotels and car rental companies.
Nevertheless, retailers and lobbyists are pushing to exclude loyalty programs from CCPA’s purview, said Dan Jaffe, executive vice president at the Association of National Advertisers. “A vast number of American consumers are part of loyalty programs and if the California law disallows companies from selling any consumer data it would undermine all loyalty programs,” he said.
The chamber also is pursuing two other major changes to the law that would clarify what’s included under the umbrella of personal information.
The chamber is now seeking to modify information “capable of being associated with a person” by adding the word “reasonably” to the clause, Boot said. Without a reasonableness standard, the definition would have been too broad and forced companies to search for such information “on the margins” including personal device-level information, Boot said.
The chamber also is seeking to clarify the exemption granted under the law to publicly available information put out by units of government. The law says companies can use that data, too, so long as such information is made available lawfully by federal, state, or local governments, and is used for purposes that are “compatible with the purpose for which the data is maintained” by governments.
In other words, if businesses use government data for purposes that are not compatible with the original intent of the governments then such information could be covered by the law, and that is confusing, Boot said.
“It’s hard to imagine what the government’s intent is and why would a business’s intent be the same as the government?” Boot said.