Changes to AB-25 Before Judiciary Committee Schedules CCPA Amendment Hearing
AB-25, the proposed CCPA amendment to exclude employee data, has seen a few changes as it awaits a hearing in the California State Senate Judiciary Committee. The changes include moving the employee exclusion from the definition of consumer in Section 1798.140 to Section 1798.145. The latest version would also allow a business to require a consumer to submit their data subject access rights request through an account if the consumer has one.
The privacy bill is one of three where the text has been altered by the author following approval by the Assembly and prior to consideration in the California Senate. The prior version of the bill passed the California Assembly by a vote of 77-0 with three recorded not voting.
AB-25 originally accomplished the employee exclusion from the California Consumer Privacy Act by excluding job applicants, employees, contractors and agents from the definition of a consumer. Under the latest version of the bill, it maintains the original definition of a consumer and instead places the exclusion in a new Section 1798.145(g). The personal information of a natural person acting as a job applicant, employee, owner, director, officer, medical staff member or contractor would be excluded from the CCPA as long as that information is collected and used only within the context of the person’s role or former role. The new text also excludes information collected as an emergency contact or in the administration of benefits.
The change to AB-25 would continue to allow employees (and the others excluded) to bring a lawsuit if there was a data breach involving their personal information and the company had not taken reasonable security measures. The proposed Section 1798.145(g)(3) excludes application of the subdivision to Section 1798.150, which permits the class action lawsuits.
The latest version of AB-25 also made two key changes to consumer verification. First, it allows businesses to require a consumer with an account to login to the account in order to submit the request. The current version of the CCPA says thats a business shall not require a consumer to create an account in order to make a verifiable consumer request.
Second, AB-25 allows a business to vary the authentication method in light of the nature of the personal information requested. This is in line with the guidance from data protection authorities in the European Union concerning how to verify data subject requests made through the General Data Protection Regulation (GDPR).
The AB-25 intent language suggesting the possibility of additional changes specifying how organizations may provide responses in a privacy protective manner to a consumer request for specific pieces of information was pushed to Section 3. This language was added in March when the bill first took shape but has not seen further development.
The CCPA amendments are quickly approaching resolution – they are currently awaiting scheduling of a hearing in the California State Senate Judiciary Committee. The deadline for policy committees to hear and report bills in California is July 12th and the last day for each house to pass bills is September 13th. The last day for the California Governor to sign bills is October 13, 2019.