CCPA Legislative Update: What’s Next

Ever since the California Consumer Privacy Act (the “CCPA”) was adopted in 2018, various constituencies have lobbied for revisions. While multiple proposals were considered in the California legislature, only a few have a chance for passage and enactment. Last month, the California Senate Judiciary Committee passed several amendments to the CCPA, and we now have a better idea as to what amendments are likely to be adopted. The bills head now to the Appropriations Committee and then to the full state Senate. Here are the important highlights:

  • Employee Exemption: With AB25, lawmakers weakened the employee exception, which now sunsets on Jan. 1, 2021. The current exemption means CCPA does not cover collection of personal information from job applicants, employees and certain others, but only for one year. Afterward, employers will be required to tell employees what type of information they are collecting, and why.
  • Loyalty Programs: AB 846 clarifies and modifies CCPA application to loyalty and reward programs. Businesses would still be prohibited from selling consumer information gathered as part of these programs.
  • Phone Access: AB 1564 requires businesses to provide a toll-free phone number for customers to request access to their personal information. On-line only businesses are only required to provide an email address.

Three bills, AB 873, AB 1416 and AB 981 failed. They would have changed the definition of “personal information” and “de-identified information,” weakening the privacy protections.

These and several related bills will head to the full Senate, which must vote by Sept. 13, 2019. Governor Newsom then has a month to consider signing them (along with another 1,000 or so bills), and any bill that is signed will go into effect Jan. 1, 2020.

Bottom Line: The law’s strong consumer protections withstood challenges, though observers anticipate there will continue to be debate and negotiations with unions as to how CCPA affects employees. Companies should continue apace with their plans for implementation.  Companies that haven’t yet begun to comply should start now!

See our recent blogs on the CCPA below.

Complying with the California Consumer Privacy Act in 5 (more or less) Not So Easy Steps:

 Part 1 – the Data Map
 Part 2 – the Breach Response Plan
 Part 3 – the Privacy Policy

Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at or +1 310.785.5331.

JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.