In keeping with the hurried passage of the California Consumer Privacy Act (CCPA) at inception, the California legislature passed a flurry of amendments to the embattled privacy law just hours before the deadline of the legislative session. Six amendments were signed into law by Governor Newsom before the October 13 deadline, and will be effective with the rest of the CCPA on January 1, 2020.
There is a lot to digest, but if the CCPA applies to you (see here to review threshold qualifiers), the highlights are:
- There is a one-year exemption for the CCPA’s application to Personal Information used for Human Resources purposes and certain business transactions, and the CCPA will not apply to data that is subject to the Fair Credit Reporting Act.
- “Personal Information” will include information that is reasonably capable of identifying a Consumer, but will not include aggregate or de-identified data.
- Companies that sell data of Consumers with whom they do not have a “direct relationship” are deemed data brokers and are subject to annual registration, reporting, and fees.
- In order to assert a private right of action under the CCPA, an aggrieved Consumer must show that the Business did not encrypt his or her personal data, AND ALSO that the Business failed to redact it.
- Businesses that operate exclusively online no longer have to provide an 800 number so that Consumers can assert their rights, but can instead use an email address.
The HR Exemption Amendment (AB 25). For one year, the CCPA does not apply to the data of California residents who are employees or applicants of a Business, or their respective emergency contact designees, but the exemption only applies when the data is being used for human resources purposes or for administering benefits. The Business must still make the normal disclosure that it would make to any other Consumer, and the applicant/employee/emergency contact will still be able to assert the private right of action (which underwent a change as well). This exception will end on January 1, 2021.
Changed definition of “Personal Information” (AB 874). This definition was broadened to include information that could “reasonably” be capable of being associated with a particular Consumer. Simultaneously, the amendment clarifies that de-identified or aggregate data will not be considered Personal Information for purposes of the CCPA.
The “Warranty/Recall” exception (AB 1146). When the CCPA takes effect on January 1, 2020, the Consumer’s right to deletion and to opt out of sale of his or her data is limited when a new car dealer is providing information to a car manufacturer for purposes of administering a warranty program or a recall. This was limited because physical safety outweighs a Consumer’s interest in deleting or stopping the sale of his or her data.
Data Brokers (AB 1202). Sacramento passed a bill that has the look, feel, and timing of an amendment, and borrows several of the CCPA’s concepts and definitions, but is not a true CCPA amendment. This bill created the concept of a data broker, which it defines as a company that sells a Consumer’s Personal Information without having a direct relationship with that individual. Unfortunately, “direct relationship” is not defined here, nor in the recently proposed regulations issued by the Attorney General of California. According to a recently passed data broker law in Vermont, a “direct relationship” exists where the Consumer is a customer/client/subscriber/user of the Business’s goods or services; an employee/contractor/agent of the Business; an investor in the Business; or a donor to the Business. While the Vermont definition is not binding on California, it may prove a good place to start for companies seeking to avoid the data broker designation. Data brokers will have to complete annual registrations with the Attorney General, and each registration will include a disclosure and fee. Importantly, this bill does not require data brokers to honor a Consumer’s right to opt out of the sale of his or her information.
The “Omnibus Amendment” (AB 1355) changes several things. Similar to the HR Exemption, this bill will exclude Personal Information collected as a part of diligence for a business-to-business transaction. In that instance, the Personal Information in question will be that of an employee of a company involved in the business transaction, disclosed for purposes of facilitating the transaction and contact between the companies. This exemption will also end on January 1, 2021, but the Consumer will be able to opt out of sale and bring a private action against the Business in the meantime.
While the CCPA is preempted when the Gramm-Leach-Bliley Act (and certain other laws) applies to Personal Information, the Omnibus Amendment adds the Fair Credit Reporting Act to the list of laws that will preempt application of the CCPA. This will occur primarily when the Personal Information relates to a Consumer’s credit, character, or mode of living. Important to note here is that while the CCPA may not apply broadly to these situations, the Consumer will retain his or her CCPA private right of action against the Business.
This bill goes on to change part of the Consumer’s right to request information. Previously, a Consumer could request that a Business that collects his or her Personal Information disclose the particular pieces of data that the Business collected. Now, the Business need only disclose to the Consumer that the Consumer has a right to request certain pieces of data. The Omnibus Amendment goes on to narrow the application of the private right of action. Now, in order for a Consumer to have a private right of action against the Business, the Business must not have encrypted the Personal Information AND the Personal Information must be un-redacted; the original text allowed for the private right of action under either circumstance.
Means of Contact Changes (AB 1564). The final amendment revises the required methods of allowing Consumers to submit requests, and should allow smaller Businesses to breathe a sigh of relief. It is no longer required that every Business maintain an 800 number to allow Consumers to exercise their rights under the CCPA. For Businesses that operate exclusively online, an email address may be used instead.
Still to Come (AB 846)? One notable absence from the list of approved bills was an amendment that would have exempted Consumer loyalty and rewards programs from the nondiscrimination right under Section 125 of the CCPA, and would have allowed a Business to sell Personal Information collected as part of a loyalty program. This amendment, however, will now have to wait until the next legislative cycle in California if it is to become part of the CCPA.
While many aspects of the CCPA have been changed in this gaggle of amendments, one thing has not changed, and that is the effective date of the CCPA, which is still January 1, 2020. If you meet one of the threshold criteria for CCPA applicability, we would be happy to help you navigate these amendments along with your other CCPA implementation needs.