This is Squire Patton Boggs’ Data Privacy and Cybersecurity Group’s second client alert regarding the recent amendments to the California Consumer Privacy Act (CCPA), which goes into effect January 1, 2020. For information about the CCPA amendment requiring data brokers to register with the California Attorney General, see our prior post. Please also check out our prior posts regarding CCPA applicability and gap assessments, and please remember to register for our upcoming webinar covering the final requirements of the law on October 17, 2019. Stay tuned for additional posts and information about CCPA.
The enactment of the California Consumer Privacy Act (CCPA) in 2018, which will be one of the most stringent state privacy rules in the U.S., has sparked intense focus on privacy regulation at the state level. The California legislature alone introduced over one hundred privacy bills in 2019, many proposing changes to CCPA. September 13, 2019 marked the deadline for CCPA amendments to be approved by both houses. Only six such bills, summarized below, made it to the finish line. By October 13, 2019, the Governor will either sign or veto the bills that passed.
CCPA: What has changed?
The bills modifying CCPA that passed are: consolidated bills A.B. 1355 (clarifies breach provision and makes changes to definitions), A.B. 25 (partially excludes employee information), and A.B. 1146 (exempts vehicle and ownership information); A.B. 1564 (toll-free number alternative); and A.B. 874 (clarifies exemptions from the definition of “personal information”).
The substantive obligations are largely unchanged as the amendments mainly clarify definitions, create one-year partial moratoriums for employee and B2B data, and clarify other exemptions. Except for the mandated registration for data brokers (see our prior alert here), and the limited moratorium for B2B communications, all the amendments were expected. Finally, it is important to mention that the proposed amendment to clarify how the anti-discrimination provision of CCPA affects loyalty programs (A.B. 846) failed for 2019 even though it had been expected to pass.
In sum, the 2019 CCPA changes are as follows:
- Job Applicants, Employees, Contractors, and Agents Moratorium: Civ. Code § 1798.145(h) was added to include a moratorium on the applicability of CCPA to personal information related to job applicants, employees, contractors, and agents, which will expire on January 1, 2021. Under the moratorium, businesses do not have to honor requests for access, erasure, or opt-out from job applicants, employees, contractors, and agents, but will need to provide a privacy notice and potentially face class-action litigation in the event of a breach. Importantly, however, the partial moratorium only applies to the extent such data is used “solely” in the context of the employee relationship, which raises several complex questions, such as whether letting third party service providers use such employee data for their own purposes means the exemption no longer applies. Either way, this amendment settles the debate on whether applicant, employee, contractor, or agent data is subject to CCPA: it clearly is.
- Business-to-Business (B2B) Information Moratorium: Civ. Code § 1798.145(n) was added to include a moratorium on the applicability of CCPA to certain B2B information, which will expire on January 1, 2021. The exception is limited to communications and transactions occurring solely within the context of due diligence and situations where a product or service is provided or received. Thus, this amendment does not appear to reach B2B cold-calling or other marketing communications. Under the moratorium, businesses will not have to comply with their obligation to inform, provide access, or honor deletion requests with respect to B2B information. Businesses will still have to comply with opt-out and non-discrimination obligations.
- Definition of “Personal Information”: The definition of “personal information” was modified to add “reasonable” before “capable of being associated with” a particular consumer or household. In addition, de-identified and aggregated information are now explicitly excluded from the definition of personal information (previously, de-identified and aggregated information were carved out under Cal. Civ. Code § 1798.140(o)(2) – the definition of “publicly available” information – which was somewhat confusing).
The definition of “publicly available” information (which is excluded from the definition of “personal information” and therefore from the CCPA) was also revised. Publicly available information is now simply all information that is “lawfully made available from federal, state, or local government records.” The amendment removed previous language that specified conditions under which information was not deemed “publicly available” (i.e., if the information was used for a purpose incompatible with the purpose for which it was maintained and kept in government records and made publicly available). In other words, once data has been made available by the government, it can be used for any purpose without becoming “personal information” subject to the CCPA.
- Narrow New Exemption for Vehicle or Ownership Information: A new section, Cal. Civ. Code § 1798.145(g), was added to exempt (from the opt-out requirements under Cal. Civ. Code § 1798.120) vehicle and ownership information shared between a motor vehicle dealer (as defined in Section 426 of the Vehicle Code) and the vehicle’s manufacturer (as defined in Section 672 of the Vehicle Code) for the purpose of effectuating a repair covered by a warranty or a recall. The dealer or manufacturer must not “sell, share, or use that information for any other purpose.”
- Toll-Free Number Alternative: A modest modification to Cal. Civ. Code § 1798.130(a)(1), deemed non-controversial by some commentators, now allows businesses that operate exclusively online and have a direct relationship with the consumer to provide only an email address for submitting access requests (as opposed to also requiring a toll-free number).
- Fair Credit Reporting Act (FCRA) Exemption: The FCRA exemption under Cal. Civ. Code § 1798.145(d) now applies more broadly to any activity involving the collection, maintenance, disclosure, sale, communication, or use of personal information by a consumer reporting agency, a furnisher of data, or a user of a consumer report, so long as the activity is “authorized by” the FCRA. The data breach provisions will still apply to FCRA data.
- Data Broker Registry: Businesses that meet the definition of “data broker” (see our previous post here) are now required to register on an annual basis with the Attorney General of California. Failure to register may result in injunction, civil penalties, and costs related to any action brought by the Attorney General, including a civil penalty of $100 for each day that the data broker fails to register.
- Other: A number of other minor changes and clarifications were included in the amendments. For example, Cal. Civ. Code § 1798.125(a)(2) was modified to clarify that businesses may offer a different pricing or quality of service if such difference is reasonably related to the value of the consumer’s data to the business (as opposed to the consumer).
A needed clarification was also added to Cal. Civ. Code § 1798.150 regarding the private right of action. The original provision contained a double negative that resulted in a safe harbor only being available in the event of a data breach of personal information that is both encrypted and redacted. The amendment clarifies that either encryption or redaction is sufficient to avoid potential class-action liability.
Lastly, a minor amendment to Cal. Civ. Code § 1798.130(a)(2) provides that businesses may require reasonable authentication “in light of the nature of the personal information requested” and that consumers who maintain an account with a business may be required to submit verifiable consumer requests through that account. The California AG is still required to issue regulations, but this change provides at least some guidance for businesses working on developing authentication processes prior to the January 1, 2020 deadline without the benefit of the AG’s guidance.