The California Consumer Privacy Act (CCPA), set to become the most comprehensive privacy law in the country, has industries concerned over just how drastically it may upend their practices.
"Every business has data — not just the tech industry, which is what a lot of people think," said Sarah Boot, a policy advocate for issues of privacy and technology with the California Chamber of Commerce (CalChamber).
CalChamber, which has been a prominent voice in the new law's internal policy fights, has consistently advocated on behalf of measures that would ease industry restrictions. Some privacy advocates, however, see these as attempts to undermine consumer protections.
Sept. 13 being the last day that amendments could be approved this year, those still seeking changes to the CCPA will now have to wait to broach those changes when session reconvenes in January 2020. Amendments approved this week will still need to garner the governor's signature before Oct. 13. Potential for further changes will come, too, when the attorney general drafts regulations to go with the new law.
Most of the amendments to make it through the process represent relatively small modifications, while consensus was harder to achieve on loftier proposals.
One of the larger changes to make it out alive comes from Assembly Bill 25, which exempts businesses from almost all provisions of the law as they relate to employment purposes — such as workers and job applicants — until 2021. This makes sense, industry leaders argued in a letter to the Senate, because "the costs for businesses of all sizes to operationalize the CCPA for employees and job applicants would be exorbitant," and such data access requests would be largely unfeasible according to the current law.
Meanwhile, AB 874 seeks to clarify the definitions of "de-identified data," and would bar the CCPA from limiting businesses' collection of information deemed "publicly available," or "information that is lawfully made available from federal, state, or local government records" — such as real estate and credit reporting data.
Another bill, AB 1355, creates a one-year exemption for certain forms of business-to-business communications, something appealing to companies because without it "businesses of all sizes and across every industry would be subject to significant, unnecessary compliance costs as well as unintended consequences," as a CalChamber letter reads. It also fixes a drafting error in the original CCPA by making a clear distinction between de-identified data and personal information, exempting aggregate consumer information from the CCPA mandate.
Another amendment to make it through created an exemption for vehicle ownership information that is shared between a car dealer and the car manufacturer, while another provides alternatives for businesses that do not want to operate the previously mandated 1-800 phone number for consumer responses and requests.
Though this handful of measures was successful, twice as many proposals floundered in session.
One of the failed amendments, AB 846, would have clarified language within CCPA to protect consumer rewards programs which, under current law, may run into legal confusion once the law takes effect.
AB1416 also failed and would have created an exemption that allowed for the sale or resale of consumer data for the purposes of detecting a "security incident," or to protect against "malicious, deceptive, fraudulent, or illegal activity," and also allow a business to provide "a consumer’s personal information to a government agency solely for the purposes of carrying out a government program." At Senate hearings, civil liberties advocates argued that the bill would undermine the consumer control within CCPA.
Similarly, a failed volley had sought to convince lawmakers that an exemption was necessary for advertising technology. Attempts to re-word language within the CCPA relative to such a loophole are still allegedly in play.
Behind many of these new changes and attempted changes have been industry lobbyists. Staff with the office of Senate Majority Leader Bob Hertzberg — who co-sponsored the CCPA — said they were courted by representatives from over a dozen different industries throughout the year, as corporate leaders looked to sway the amendment process.
The tech lobby in particular made a concerted push to influence the direction of the new law, with groups like the Internet Association — which represents tech giants like Google, Facebook, Amazon, and Microsoft — repeatedly pushing for exemptions to loosen restrictions.
With this many pro-business attempts having floundered, companies are worried they are not prepared to accommodate the new law. Still, privacy rights activists see the law's resilience as a win.
"Obviously there [are] very motivated people who have been fighting to weaken this bill all year," said Hayley Tsukayama, legislative activist with the Electronic Frontier Foundation, adding that a number of proposed amendments would have "completely undermined the intent of the whole act."
Conversely, Boot worries about the time and resources that companies of varying sizes will have to expend to comply with CCPA. She also said that digital advertising is an important aspect of modern commerce and that the affect the law will have on businesses whose revenue model is built around advertising is concerning.
"This law is 33 pages, over 10,000 words, it was thrown together in like a week," she said. "They slapped in the right to delete and the right to access specific pieces of information — the data portability part of the law — there are a lot of aspects of this law that just do not work."
