As the Legislature reconvenes from its summer recess, all eyes are on a handful of bills related to the California Consumer Privacy Act (“CCPA”). Will any of them be passed by September 13, 2019? If so and signed by Governor Newsom by October 13, 2019, the statutes will take effect on January 1, 2020. There are over ten California privacy-related bills, but AB 25 is particularly significant. If passed, AB 25 may provide an exception for employee data held by employers subject to the CCPA. The current version of AB 25 contains a rather limited exception for certain employment-related data from the general requirements of the CCPA. However, AB 25 does not limit the private right of action (thus individuals can still bring civil actions for data security breaches against employers), employers would still have to provide notices to employees, job applicants, and contractors of the data categories to be collected and purposes for collection, and the exception will sunset on January 1, 2021. Other CCPA-related bills involve data collected from loyalty programs, publicly available information, de-identified data, vehicle information, and how consumer requests may be submitted. Additional bills pertain to parental consent for minors’ social media accounts, facial recognition data, and the definition of “personal information.”
Given the CCPA, other state privacy laws, and the recent passage of New York’s SHIELD Act regarding data breach notification and applicable to businesses who hold data on New York residents, companies who collect identifiable information about consumers need to start looking at their data collection practices and policies, if they have not already. Even if there is eventually some kind of federal privacy law to streamline the consumer privacy requirements throughout the states, the trend is apparent: consumers want to know, and control, what kind of data companies are collecting about them.