Clarity for the California Consumer Privacy Act? California lawmakers work to fix some ambiguities in the landmark legislation

We’ve previously discussed the ambiguities throughout California’s landmark privacy legislation, the California Consumer Privacy Act (the “CCPA”). The CCPA, passed in June 2018, creates several privacy rights for Californians. However, as the January 1, 2020 effective date looms ahead, many hoped that the California Assembly Privacy and Consumer Protection Committee (the “Committee”) would clarify several compliance provisions. Fortunately, this past Tuesday, April 23, the Committee did just that. Significantly, the Committee clarified the following:

  • Employees are not “consumers” for purposes of the CCPA, as long as the personal data is collected and used only in the employment context. In the case of contractors, a written agreement must be in place.
  • Personal Information does not include all “information that is … capable of being associated” with a particular individual or household, but just information that is “reasonably capable” of being associated.
  • Information found in the public record is exempted from the definition of “personal information.”
  • De-identified data means data that does not identify and is not reasonably linkable, directly or indirectly, to a specific consumer, so long as the business makes no attempt to re-identify the data and takes reasonable measures to: (1) ensure that the data remains de-identified; (2) publicly commit to maintain and use the data in its de-identified form; and (3) require by contract that any recipients of the data maintain the de-identified form. This clarification will likely motivate businesses to maintain data in a de-identified form to limit liability under the CCPA.
  • Loyalty programs are exempt from the CCPA’s “non-discrimination” restrictions.

These bills now must be considered by the Senate Judiciary Committee before they become law and are incorporated into the CCPA.