September 13, 2019, marked the final day for the California Legislature to vote on amendments intended to clarify the terms and scope of the California Consumer Privacy Act (CCPA), which takes effect on January 1, 2020. The bills are now on Governor Gavin Newsom’s desk for approval, and he has until October 13, 2019, to sign or veto them.
Of the CCPA amendment bills that were in consideration, the following were passed:
- AB 25, regarding employee exemption
- AB 874, regarding the definition of “personal information”
- AB 1146, regarding warranty and vehicle repairs
- AB 1355, regarding the B2B exemption and other clarifying amendments
- AB 1564, regarding toll-free telephone number exceptions
While this is not an exhaustive list of the bills that stalled during the legislative process, the following bills of note failed to pass the legislature:
- AB 873, regarding the definition of “de-identified”
- AB 846, regarding customer loyalty programs
- AB 981, regarding exemption for certain insurance transactions
Notable Changes
While the approved amendments did not significantly overhaul the CCPA, several notable changes were made.
Amended Definition of Personal Information (PI) and Expansion of “Publicly Available Information”
PI now includes information that is “reasonably” capable of being associated with, directly or indirectly, a particular consumer or household. This slightly narrows the definition of PI by creating a reasonableness element in determining what information is capable of being associated with a particular consumer or household. Notably, “household” was left in the definition of PI; it remains uncertain how this word will be interpreted by courts and regulators going forward.
De-identified and aggregate consumer information is now explicitly excluded from the definition of PI.
Employee Exemption (until January 1, 2021)
PI that is collected from job applicants, employees, business owners, directors, officers, medical staff or contractors, including emergency contact information and information regarding beneficiaries, will generally not be covered by the CCPA for the first year of the law’s implementation. The PI must be collected and used solely for employment purposes. As such, employees will not have the right under the CCPA to access or request deletion of their personnel records. A business remains obligated to inform employees, at or before the point of collection, of the categories of PI to be collected and the purposes for which the categories of PI shall be used.
The exemption does not apply to the CCPA’s private right of action that may be brought in the event of a data breach.
The employee exception has a sunset provision, ending on January 1, 2021.
Business-to-Business (B2B) Exemption (until January 1, 2021)
PI reflecting a written or verbal communication or a transaction between a business and an employee, owner, director, officer or contractor will be exempted for the first year of the law’s implementation―provided that the communication or transaction occurs solely within the context of the business conducting due diligence regarding, providing or receiving a product or service to or from a company, partnership, sole proprietorship, nonprofit or government agency. The exemption does not apply to the private right of action for data breaches, the right to opt out of the sales of PI and the right to be free from discrimination.
The B2B exception has a sunset provision, ending on January 1, 2021.
Toll-Free Telephone Number Exemption
Generally, businesses will be required to provide consumers with two methods for the submission of privacy requests, including a toll-free telephone number. And, if a business maintains a website, it must make the website available to consumers to submit requests for information.
However, under the amended CCPA, businesses operating exclusively online will not be required to provide a toll-free number, if the company has a direct relationship with a consumer from whom it collects PI. Direct relationship is not defined in the CCPA, but guidance is provided in the data broker registry requirements discussed below. Such online-only companies must provide an email address for submitting privacy requests.
“Verifiable Consumer Request” Authentication
For purposes of verifying the identity of a consumer making a request, a business may now require any authentication of the consumer that is reasonable in light of the nature of the PI requested.
If applicable, a business may require the consumer to submit the request through an account the consumer already maintains with the business.
Anti-Discrimination Provision
The amended provision allows businesses to charge a consumer a different amount or provide a different level or quality of goods or services if that difference is reasonably related to the value provided to the business (rather than to consumers, as previously written) by the consumer’s data. This change would appear to allow a business to charge consumers who opt out of the sale of their PI more for goods or services, or provide a different level or quality of those goods or services, based on the value the business would have received from selling the PI.
Warranty and Vehicle Repairs
This amendment exempts vehicle information retained or shared for purposes of a warranty or recall-related vehicle repair and provides a clearer description of vehicle recalls.
Additional Developments
Breach Notification Amendment
Of note, AB 1130―a bill that does not specifically amend the CCPA―also passed. This bill expands the categories of PI covered by California’s data breach notification laws, which will now include tax identification numbers, passport numbers, military identification numbers and unique identification numbers issued on a government document, as well as certain types of specified unique biometric data. This expansion is expected to impact liability under the CCPA’s private right of action.
The first set of proposed regulations from California Attorney General Xavier Becerra is expected to be released in the coming months. The attorney general’s draft regulations are anticipated to clarify and interpret the CCPA’s requirements and will be subject to public comment before they are published in final form.
“Data Brokers” Registration
While not codified within the CCPA, AB 1202 creates a new data broker registry for the sale of PI meeting certain conditions. Data brokers will be required to register with the California attorney general on or before January 31 of each year.
“Data broker” is defined as a “business that knowingly collects and sells to third parties the PI of a consumer with whom the business does not have a direct relationship.” (Emphasis added.) According to the introductory language in the bill, a direct relationship may be formed in a variety of ways such as by visiting a business’ premises or website, or by affirmatively and intentionally interacting with a business’ online advertisements.
The attorney general will make information provided by data brokers accessible to the public on its website.
Stay tuned to the Duane Morris TechLaw blog for updates regarding the CCPA and its implementation.
For Further Information
If you have any questions about this Alert, please contact Michelle Hon Donovan, Brandi A. Taylor, Angelica A. Zabanal, one of the attorneys in our Privacy and Data Protection Group or the attorney in the firm with whom you are regularly in contact.
Disclaimer: This Alert has been prepared and published for informational purposes only and is not offered, nor should be construed, as legal advice. For more information, please see the firm's full disclaimer.