Hospitality Industry Prepares for Slate of New Consumer Privacy Protections
Highlights
- The California State Legislature has passed five bills to amend the state's landmark privacy legislation, the California Consumer Privacy Act (CCPA). Gov. Gavin Newsom has until Oct. 13, 2019, to sign or veto the legislation, and the order in which he enacts bills will determine whether some overlapping provisions of the bills are enacted or not.
- Further complicating the hospitality industry's effort to operationalize the CCPA is the fact that regulations are still forthcoming. The California attorney general is expected to release draft regulations later this month.
- In the absence of comprehensive federal privacy legislation, California has moved forward on its own, and the CCPA will come into effect on Jan. 1, 2020, alongside a number of other generally pro-consumer privacy laws. Against this background, advocates have announced a new privacy ballot initiative that they intend to put before California voters in November 2020.
Five bills to amend California's landmark privacy legislation, the California Consumer Privacy Act (CCPA), have passed the California State Legislature and now head to Gov. Gavin Newsom's desk. (See Holland & Knight's previous alert, "California Consumer Privacy Act Update: Assembly Approves 12 Amendments," June 6, 2019.) The expectation from industry is that he will sign the bills and set off a final compliance push before the Act goes into effect on Jan. 1, 2020. The biggest surprise, as discussed further below, was the failure of the California Legislature to protect loyalty programs, an issue critical to the hospitality industry.
New Exemptions to Portions of the Act
Employees Are Out of Scope (Partially and at Least for Now). Introduced to address concern that employees would be covered by CCPA's broad definitions, AB 25 would exempt from most provisions of the Act personal information collected by a business from "a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business" when the individual is acting in such capacity.
The bill contains two notable exemptions:
- A business would still be required to inform applicants, employees, contractors, etc., as to the categories of personal information to be collected while the individual is acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of or contractor of that business. This is most likely handled with a privacy notice during the application process, and a second notice to new hires and current employees.
- Applicants, employees, contractors, etc., would still be entitled to bring a private right of action for violation of a business' duty to implement and maintain reasonable security procedures and practices, where such breach results in unauthorized access and exfiltration, theft or disclosure of the individual's nonencrypted and nonredacted personal information.
Unless the legislature acts next year, the exemption would sunset on Jan. 1, 2021, and applicants, employees, contractors, etc., would be within the scope of the Act for all purposes. The one-year exemption is nonetheless an important reprieve for the hospitality industry, which relies heavily on a large customer service staff, from front desk agents to kitchen staff to call center employees. It will allow companies time to build out an employee rights request process and prepare for access and deletion requests from prospective, current and former employees. Employees, of course, already enjoy broad access rights under existing California employment law, potentially supplemented by collective bargaining agreements. But under CCPA, the population of individuals entitled to access the information collected by an employer would be greatly expanded, as would the breadth of data elements that a business would be obligated to provide.
Some Business Communications Exempted. AB 1355 would exempt from all provisions of CCPA — except the data breach provision in Section 1798.150 — any activity involving the collection, use or disclosure of personal information bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics or mode of living by specified parties, including a consumer reporting agency, if such activity is subject to the Fair Credit Reporting Act.
Until Jan. 1, 2021, AB 1355 would also exempt personal information obtained by a business from a consumer where that consumer is acting as an employee, owner, director, officer or contractor of a company, nonprofit or government agency doing business with the CCPA-covered business. Specifically, the bill would delay a business' obligation to provide notice under Section 1798.100(b), to respond to access requests under Section 1798.100(a) and (d) or deletion requests under Section 1798.105, and to provide transparency under Sections 1798.110 and 115. Notably, the bill would not delay application of the "Do Not Sell" or non-discrimination rights found in Sections 1798.120 and 1798.125. The likelihood that those provisions would come into play in a business relationship, however, seems quite limited.
Some Vehicle Information Exempted. AB 1146 would exempt vehicle information — vehicle identification number, make, model, year, odometer reading, and name and contact information of the registered owner — retained or shared between a new motor vehicle dealer and the vehicle's manufacturer, if such information is shared for the purpose of effectuating repairs covered by a warranty or recall, and provided that such information is not used, shared or sold for any other purpose.
Changes to Consumer Rights Request Process
Several bills would make changes to the consumer rights request process.
Online Businesses Need Not Provide Telephone Number for Rights Requests. AB 1564 would reduce the burden on online-only businesses, and permit such businesses to provide only an email address for consumers to submit rights requests. Brick-and-mortar businesses, such as hotels serving California residents, would still need to offer two methods for consumers to submit requests, including a telephone number.
Reasonable Authentication Measures Acceptable. To address concern about potentially fraudulent or malicious consumer requests — the suspicious husband seeking information about his partner's hotel stays was a frequent example raised during the legislative process — AB 25 would authorize a business to require authentication of the requester that is reasonable in light of the nature of the personal information sought. The bill would also authorize a business to require a consumer/account holder to submit a verifiable request through an account that the consumer maintains with the business. A business would still be prohibited from requiring a consumer to create an account in order to submit a request.
Businesses Need Not Delete Warranty-Related Information. AB 1146 would add a new circumstance where a business need not delete personal information: to fulfill the terms of a written warranty or product recall conducted in accordance with federal law.
Clarification of Non-Discrimination Provision. Current law provides that a business cannot discriminate against a consumer for exercising his or her CCPA rights, except that a business may offer a different price, rate, level or quality of goods or services to the consumer if the differential treatment is reasonably related to the value provided to the consumer by the consumer's data. AB 1355 would revise that language to clarify permissible discrimination must be reasonably related to the value provided to the business by the consumer's data.
Updates to the Definition of Personal Information
Two bills would make changes to the definition of personal information under the Act.
Information Must Be Reasonably Associated with an Individual. AB 874 would revise the definition of "personal information" to add a reasonableness requirement to information that could be associated with a particular individual or household. If signed, personal information would be defined as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
Unrestricted Use of Publicly Available Government Records. While the CCPA excludes from the definition of "personal information" data that is lawfully made available from federal, state or local records, existing law specifies that such information is not "publicly available" if it is used for a purpose that is not compatible with the purpose for which such information is maintained. If signed, AB 874 would delete that use restriction and instead provide that "publicly available" information is simply information that is lawfully made available from federal, state or local records.
Clarification on Use of Deidentified or Aggregate Information. AB 874 and AB 1355 would each clarify that deidentified or aggregate consumer information is not "personal information" (rather than not "publicly available" information as stated in the existing law). This is key to the hospitality industry because it protects the use and sharing of deidentified or aggregate information with vendors and supply chains.
Surprise Failure: Bill to Protect Loyalty Programs Doesn't Come Up for Vote
The biggest surprise during the final week of the legislative session was that the bill to expressly protect loyalty programs, AB 846, was pulled from consideration.
The bill was introduced to address a concern raised by industry that a consumer's deletion request could require the deletion of loyalty program data and perks, a result that 1) at least arguably would conflict with the CCPA's anti-discrimination provision and 2) would run contrary to marketing departments' typical desire to keep people enrolled.
Support by some companies dwindled, however, after the Senate Judiciary Committee forced an amendment that would have limited how businesses could use data collected in connection with a loyalty program. Privacy advocates never got behind the bill, pointing to the various exemptions from deletion found in the CCPA, and the fact that the Act permits a business to provide a different price or quality of goods if the difference is reasonably related to the value provided to the business by the consumer's data.
Assembly Member Autumn Burke (D-Marina Del Rey) announced recently that she plans to reintroduce the bill in 2020.
What Happens Next?
Gov. Newsom has until Oct. 13, 2019, to sign or veto legislation, and the order in which he enacts bills will determine whether some overlapping provisions of the bills are enacted or not.
Further complicating companies' efforts to operationalize the CCPA is the fact that regulations are still forthcoming. The state attorney general is expected to release draft regulations later in October, and advocates and the hospitality industry will have the opportunity to weigh in during the 45-day public comment period that follows.
California Leading the Way on Privacy
In the absence of comprehensive federal privacy legislation, California has moved forward on its own, and the CCPA will come into effect alongside a number of other generally pro-consumer privacy laws.
Data Broker Registry. If signed, AB 1202 would establish a public registry of names, addresses and contact information for data brokers — companies that knowingly collect and sell the personal information of California consumers with whom they do not have a direct relationship. (The bill incorporates the broad definitions of "collect," "sell" and "personal information" as used in CCPA.)
Exempted from the definition of a data broker are:
- a consumer reporting agency to the extent that it is covered by the federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.)
- a financial institution to the extent that it is covered by the Gramm-Leach-Bliley Act (Public Law 106-102) and implementing regulations
- an entity to the extent that it is covered by the Insurance Information and Privacy Protection Act (Article 6.6 (commencing with Section 1791) of Chapter 1 of Part 2 of Division 1 of the Insurance Code)
On or before Jan. 31 following each year in which a business meets the definition of data broker, a business would have to register with the state attorney general's office and pay a fee. A data broker who fails to register would be subject to an injunction and civil penalties ($100 per day), fees and costs in an action brought by the attorney general.
Unlike Vermont's data broker law, the California law does not include standalone information security or computer system security requirements. However, the registry would exist alongside the CCPA, which imposes a general duty on all businesses to implement and maintain reasonable security procedures and practices appropriate to the nature of the personal information collected and used. Cal. Civ. Code §1798.150.
Other California privacy laws coming into effect on Jan. 1, 2020, include:
Security of Connected Devices, California Civil Code §1798.91.04, will ban "default" passwords for connected devices, and require manufacturers to equip such devices with reasonable security features appropriate to the nature of the device and the information collected.
Parent's Accountability and Child Protection Act, California Civil Code §§1798.99.1, will require an entity that conducts business in California to take reasonable steps to ensure that the purchaser of select goods or services is of legal age at the time of the purchase.
If signed by Gov. Newsom, AB 1138 would amend the Parent's Accountability and Child Protection Act to require a business that operates a social media website or application to obtain consent from the parent or guardian of its users under age 13, beginning July 1, 2021.
New California Privacy Ballot Measure Announced
On Sept. 24, 2019, real estate developer and privacy advocate Alastair Mactaggart announced a new privacy initiative that he is seeking to put before California voters in November 2020. The proposal would:
- create new rights around the use and sale of sensitive personal information, such as health and financial information, racial or ethnic origin, and precise geolocation
- triple CCPA's fines for violations of the law governing collection and sale of children's personal information and would require opt-in consent to collect data from consumers under age 16
- require transparency around automated decision-making and profiling
- establish a new authority to protect consumers' privacy rights, the California Privacy Protection Agency, which would enforce the law and provide guidance to industry and consumers
- revise election disclosure laws and require corporations to disclose whether, and how, they use personal information to influence elections
- enshrine consumer privacy rights by requiring that future amendments be "in furtherance of the law"
Activists must still collect hundreds of thousands of signatures to qualify the proposal for the November 2020 ballot. That process was relatively quick for CCPA, however, and it is expected that the same will hold true this time around.
For additional information regarding the CCPA or the latest developments detailed in this alert, contact the authors.
Information contained in this alert is for the general education and knowledge of our readers. It is not designed to be, and should not be used as, the sole source of information when analyzing and resolving a legal problem. Moreover, the laws of each jurisdiction are different and are constantly changing. If you have specific questions regarding a particular fact situation, we urge you to consult competent legal counsel.