Many Business-Supported Changes to California’s Privacy and Data Security Law Fail to Reach the Governor

By Brett Johnson
Sept. 23, 2019

With the impending January 1, 2020 effective date of the California Consumer Privacy Act (CCPA), the California State Legislature considered multiple bills this year that sought to clarify the law’s requirements and facilitate businesses’ compliance. Given that the CCPA was drafted, passed and enacted all within a one-week span last year, the need for further clarification and “fixes” to address implementation concerns were widely acknowledged by legislators and stakeholders on both sides, but, thus far this year, doing so has often been a contentious process.

Multiple bills were introduced this session containing critical clarifying amendments that were urged by the business community. Most of these measures passed relatively easily out of the State Assembly. Many of them, however, were met with staunch resistance in the Senate, particularly the Senate Judiciary Committee where Senator Hannah-Beth Jackson is Chair, and either died or were substantially narrowed. Media attention near the end of this year’s legislative session painted these business-supported bills as undermining consumer rights and demonstrated how contentious the privacy debate has become, as well as making it increasingly difficult to obtain aye votes.

CCPA legislation of note that reached the Governor’s desk:

  • AB 25 (Chau) Employee data:

AB 25 is the bill by Assembly Privacy Committee Chair and CCPA author Ed Chau that exempts information collected by employers from employees in the employment context until January 1, 2021. It also requires employers to disclose the categories of and purpose for the data they collect from employees. The bill also includes a fix to the account authentication language in the CCPA, authorizing businesses to require authentication of a consumer that is reasonable in the context of the nature of the personal information requested. The one-year sunset on the employee data exemption and the privacy notice to employees were added to the bill so that labor would drop its opposition. Next year, a more permanent fix will be the subject of legislation. It will likely have language addressing employee surveillance, since labor has stated that such surveillance makes them uneasy.

  • AB 874 (Irwin) Publicly available information:

This bill modifies the definition of personal information in the CCPA to add “reasonably” before “capable of being associated with.” The full definition now reads “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” AB 874 also clarifies the definition of “publicly available” information in the CCPA to address potential First Amendment issues.

  • AB 1355 (Chau) Business-to-business fix; Credit reporting fix:

Until recently, AB 1355 contained only minor, very technical fixes to the CCPA. The business community had success in the last weeks of session amending the bill to contain a business-to-business (B2B) exemption. Unfortunately, the B2B fix ended up narrower than the business community would like and there is a one-year sunset on it, so discussions will continue next year. AB 1355 also addresses inconsistencies between the CCPA and the Fair Credit Reporting Act (FCRA) by including a clarifying amendment that is meant to help protect consumers, government agencies, law enforcement, businesses and others that rely on the FCRA to operate.

Although it dominated the headlines, the CCPA was not the only focus of legislators in the privacy space this year. Assembly Republicans introduced their #YourDataYourWay legislative package this spring, which would have given consumers additional data deletion and breach notification rights while more tightly regulating smart speakers and social media. They also introduced an unsuccessful “Big Tech” antitrust resolution that would have urged the state Attorney General to explore legal options against the “monopolistic powers of giant tech companies.” Bills to enhance restrictions on facial recognition technology, geolocation information, and digital health feedback systems were also in play.

Any CLSA members who would like to provide input or would like further information on privacy and data security legislation and regulation in California are asked to reach out to Oliver Rocroi, CLSA’s Vice President, State Government Affairs ( or Brett Johnson, CLSA’s Senior Director, Policy & Regulatory Affairs (