State lawmakers on Tuesday advanced eight industry-backed bills aimed at limiting the reach of the California Consumer Privacy Act, signaling that in the Assembly at least the 2018 law giving customers more control over their data will likely be a ceiling for privacy changes, not a floor.

The Assembly Committee on Privacy and Consumer Protection approved measures allowing retailers to continue collecting customers’ information through loyalty card programs and authorizing businesses to maintain records about their workers. Other bills granted carve-outs to the insurance industry and dropped restrictions on gathering “de-identified” or aggregate customer data.

The legislative amendments to the Consumer Privacy Act include many of the changes sought by business groups, the tech lobby and the law firms representing them. Each of the bills easily cleared the committee. Chairman Ed Chau, D-Monterey Park, who helped shepherd the privacy act through the Legislature last year, called the changes narrowly tailored and necessary to address flaws in what was a hastily drafted bill.

“My objective is to hold the line,” Chau said Tuesday. “I don’t want to see [the law] get weakened.”

The bills’ success follows the decision by an East Bay assemblywoman Monday night to shelve AB 1760. The legislation, backed by consumer groups and privacy advocates would have required customers to “opt in” to sharing their data rather than allowing companies to ask site users if they want to “opt out” of data collection. Advocates said Assemblywoman Buffy Wicks, D-Berkeley, pulled her bill from the hearing rather than having it defeated in a committee vote.

“It’s a sad statement that the only bills to be heard by the ‘Privacy’ Committee are the ones industry interests are pushing to undermine the privacy protections Californians want,” Jacob Snow, a technology and civil liberties attorney at the American Civil Liberties Union of Northern California, said in an email to The Recorder.

The bills must still pass a full Assembly vote before moving to the Senate. Waiting there is legislation, sponsored by Attorney General Xavier Becerra, that would maintain the privacy act’s provisions while expanding a consumer’s authority to sue for damages over violations.The bill would also remove a 30-day “cure” period for businesses seeking to avoid sanctions.

Becerra is scheduled to roll out proposed regulations later this year that will guide the Consumer Privacy Act’s enforcement in 2020.


Read more:

What Big Law, Tech Leaders Say About California’s New Data-Privacy Law

Groupon’s Privacy Lawyer Dishes on CCPA, GDPR Compliance

Orrick’s CCPA Compliance Tool Joins Crowded Field

Dazed and Confused: Gray Areas in the Golden State’s New Privacy Law