Overview
The California Legislature passed several bills amending the forthcoming California Consumer Privacy Act (CCPA). Although the amendments contain some significant changes, outlined here, the most important and groundbreaking aspects of the law will remain intact when the law takes effect in January 2020.
In Depth
In its final day of session for 2019, the California Legislature passed several bills that amend the California Consumer Privacy Act (CCPA). While the amendments contain several noteworthy changes, we can now confirm that the core aspects of the CCPA will remain intact when the law takes effect at the start of 2020.
The bills—AB 25, AB 874, AB 1146, AB 1135, AB 1564 and AB 1202—have been presented to Governor Gavin Newsom, who is expected to sign by the October 13, 2019, deadline for bills to be signed into law. Although guidance from the California Attorney General (AG) is expected later this fall, several of the clarifications and additional exemptions discussed at the AG’s town hall meetings by both consumer groups and business interests have now been incorporated into the CCPA itself, along with a number of technical and drafting corrections. No additional CCPA amendments are expected before the law takes effect on January 1, 2020.
Given the relatively short timeframe between the anticipated signing of the bills and the CCPA’s effective date, businesses subject to the CCPA should take proactive steps to review and understand how these new bills will affect them and implement any appropriate changes.
What passed?
AB 25: Employee Exemption
The most closely watched bill, AB 25, will amend the CCPA to exempt personal information collected by a business about its job applicants, employees, contractors or other staff members from most of the CCPA’s requirements. This will include emergency contact information and personal information for others so long as it is necessary for the administration of benefits for an employee or other person within these categories of individuals.
While businesses will still have an obligation to provide privacy notices to these categories of individuals, they will not have to provide them with access, opt-out or deletion rights. Notably, this exemption will sunset on January 1, 2021, meaning that the California legislature will have to revisit this issue next year to keep the exemption in place or consider more comprehensive employee privacy legislation. Businesses should continue to treat all personal information with the same level of care, and should expect that employment-related information will continue to be an area of focus for the California Legislature.
AB 1355: Several Clarifications and Exemptions
B2B Transactions Exemption: This amendment will exempt personal information related to certain business-to-business communications or transactions in the context of due diligence of, or the provision of products and services to, the business. This exemption applies when personal information is collected during a communication or transaction between a business and a “consumer” who is not acting on behalf of themself, but rather as an employee, owner, director, officer or contractor of another business entity (i.e., a business contact). This amendment exempts the business from the requirement to provide notice, access and deletion rights to business contacts; however, the amendment does not exempt the business from the CCPA’s anti-discrimination obligation or the obligation to provide the right to opt-out of data “sales.” As with the employee exemption in AB 25, this exemption will sunset on January 1, 2021. This exemption will require businesses to be careful about how they construct and share marketing or other contact lists containing business contacts.
Clarification of FCRA Exemption: The amendment clarifies the existing Fair Credit Reporting Act (FCRA) exemption. Specifically, the provisions of the CCPA will not apply to activities authorized by the FCRA that involve the collection, maintenance, disclosure, sale, communication or use of any personal information bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics or mode of living by a consumer reporting agency (CRA), by furnishers of information to CRAs and by users of consumer reports.
Clarification to Business Retention Obligation: The amendment clarifies that businesses are not required to collect or retain personal information that they would not otherwise collect or retain in the ordinary course of business solely for purposes of complying with the CCPA. This clarification aligns with the next clarification, which addresses concerns raised by many businesses relating to verifying consumer requests.
Clarification of Consumer Authentication: Businesses are required to honor consumer requests once the business is able to verify the consumer’s identify. The amendment clarifies that in verifying a consumer’s identity, the verification should be reasonable in light of the nature of the personal information requested, including requiring a consumer who already maintains an account with the business to submit their request through that account. While the amendment grants flexibility to businesses in creating verification procedures, we expect further guidance on verification procedures to be part of the AG’s rulemaking process. Consumer requests, particularly for access and deletion, introduce privacy concerns where an individual’s personal information may be inadvertently subject to requests from household members or subject to unauthorized requests from others using the individual’s identity. They also raise security concerns resulting from the possibility that fraudsters might try to exploit weaknesses in the authentication procedures to obtain personal information of potential victims. Businesses will need to carefully consider how to best verify a consumer’s identity in light of the sensitivity of the information requested and the impact of the request itself.
AB 874: Redefining ‘Personal Information’
This amendment will modify the definition of “personal information” to mean information that is “reasonably” capable of being associated with a consumer or household. The amendment will also explicitly exclude de-identified or aggregate consumer information, and information obtained from public government records (regardless of the purpose of using the information) from the definition of “personal information.” Businesses that intend to rely on the exclusion of de-identified or aggregate consumer information will need to carefully examine the CCPA’s definitions of these terms and ensure that any process used to de-identify or aggregate personal information is in line with those definitions.
AB 1146: Vehicle Information Exemption
This amendment will exempt vehicle information or ownership information retained or shared between a new motor dealer and the vehicle’s manufacturer from the right to opt out. This exemption applies only if the personal information is shared for the purpose of effectuating a vehicle repair covered by a vehicle warranty or a recall. The amendment also exempts personal information necessary for the business to maintain in order to fulfill the terms of a written warranty or product recall from the right of deletion.
AB 1564: Methods for Consumer Information Requests
This amendment clarifies that business are generally required to provide to consumers at least two methods for submitting requests for information, including a toll-free telephone number. However, if the business operates exclusively online and has a direct relationship with a consumer, the business will only need to provide an email address for submitting requests for information. If the business maintains an internet website, the business is required to provide a website for consumers to submit requests for information.
AB 1202: New Obligations for “Data Brokers”
Although not technically part of the CCPA, this bill relates directly to consumer rights and business obligations under the CCPA. This entirely new set of rules will apply to entities deemed to be “data brokers,” a term that is defined as businesses that collect and “sell” personal information about consumers with whom the business does not have a direct relationship. “Direct relationship” is not specifically defined by the bill, but the bill suggests that direct relationships can be formed when consumers visit a business’s premises or internet website, intentionally interact with a business’s online advertisements, or have some level of knowledge or control over the business’s collection of their data.
Data brokers will be required to register with the AG, the process for which will include a fee and disclosure of the contact information and information regarding its data collection practices. This information will be published in a public database by the AG. Failure to register could subject the data broker to AG enforcement, including injunctions and penalties of $100 per day.
What did not pass?
AB 846 Regarding Customer Loyalty Programs
This proposed but failed amendment would have clarified that the CCPA would not prohibit businesses from offering different prices, rates, level, or quality of goods or services to consumers if the offer is related to the consumer’s voluntary participation in a loyalty or rewards program. It would have also prohibited businesses from “selling” personal information collected as part of the loyalty or rewards program to third parties unless the consumer provided express consent and the third party only used the information of the purpose of identifying the consumer as an eligible member of the loyalty or rewards program.
Conclusion
The AG has until July 1, 2020 (six months after the effective date), to complete its rulemaking process and create regulations to further the purpose of the CCPA. Based on the text of the CCPA, these regulations will include, but not necessarily be limited to, updating definitions and categories of personal information, establishing additional exemptions, and establishing additional rules and procedures related to consumer information requests, opt-out requests and compliance with notice requirements.
The CCPA authorizes the AG to begin enforcement of the CCPA no sooner than six months after the publication of the regulations implemented through rulemaking or July 1, 2020—whichever comes first. Enforcement actions will most likely be retroactive to the effective date of January 1, 2020. Therefore, with the expectation that Governor Newsom will sign these bills into law, it would be prudent for businesses to evaluate carefully the new bills’ application to their operations and implement any necessary changes sooner rather than later.
For further data and privacy insight and perspective, see our recent report on the current state of GDPR—a regulation that in many ways shaped the CCPA—compliance across more than 1,000 organizations in the United States, Europe, China and Japan.