Friday, September 13, 2019, marked the last day for legislative activity in the state of California, and with the effective date of the California Consumer Privacy Act (CCPA or the Act) looming on January 1, 2020, many businesses were waiting hopefully for some clarity and relief. The California legislature did act, passing five bills amending the Act, but the outcome represents minimal real relief for businesses affected by this sweeping law. Key questions lingered: Would employee data be excluded? Would relief from potential limitations on customer loyalty programs pass? How would measures sought by business to provide certainty and some relief fare? Overall, with the exception of provisions related to employee data, which provide some comfort, it appears that the breadth and complexity of the CCPA remain largely unchanged.
Significant impacts of the amendments that were passed
- Employee data. The amendments clarify that at least for 2020, this consumer privacy law will apply to personal information of employees, job applicants, and contractors and personal information collected through certain business-to-business (B2B) interactions, but only in certain respects.
- Data breaches and encryption. The amendments clarify how encryption and redaction may play into the private right of action for data breaches.
- Verified requests clarifications. The amendments add flexibility to the processes that businesses may use for receiving and verifying consumer access and deletion requests.
- Fair Credit Reporting Act exception amendment. The amendments exclude from CCPA applicability certain processing of consumer report data that is already governed by the federal Fair Credit Reporting Act (FCRA).
- Deidentification and aggregate data refinements. The amendments confirm that properly deidentified or aggregate data is not personal information under the Act.
Information about selected components of the CCPA amendments that passed
Employees and independent contractors (AB 25).
- Employment relationships remain in scope. AB 25 reduces CCPA obligations for businesses with respect to the personal information of employees, job applicants, contractors, and those with similar roles – but only to the extent that the data is collected for purposes of those relationships (and not, for example, by the company store), and only until January 1, 2021 (at which point this aspect of the amendment sunsets). Notably, the amendment only removes part of the CCPA from coverage for employee/contractor data. The notice requirements and the private right of action for data breaches still apply beginning January 1, 2020.
- Verification procedure clarification. From a housekeeping point of view, this amendment clarifies that businesses only need to employ “reasonable” verification procedures when addressing a consumer request, taking into account the nature of the request and the sensitivity of the information to be provided.
- Account creation and verifications. A business can require a customer to use an existing account (and its associated authentication measures) to submit requests. While convenient, this clarification does not change the fact that consumers without accounts do not have to open an account and still must be permitted to exercise access and deletion requests and other rights.
Public records and reasonable association (AB 874).
- Usage clarification. This amendment provides that publicly available information from government records is not personal information under the Act, regardless of the purpose for which the information is used. This broad-brush exemption for personal data from public records highlights an important distinction – as between data collected directly from the data subjects and data collected from other sources – that may be significant in the implementation of various statutory provisions, even as to nonpublic data. It may be of key significance in certain adtech and related use cases.
- “Personal Information” narrowing. This amendment also added the word “reasonably” to the definition of personal information so that the information must be reasonably capable of being associated with a particular consumer or household. This is a significant clarification and may justify the exclusion from compliance obligations of information that is not typically thought of as “personal” by consumers or certain industries.
Motor vehicle repairs (AB 1146).
This amendment provides that consumers do not have a right to opt out of the sharing of certain personal information between new motor vehicle dealers and vehicle manufacturers in connection with vehicle repairs made pursuant to warranties and recalls, as long as the sharing is for no other purpose.
Consumer reports, B2B data, and encryption (AB 1355)
- This amendment affects consumer reporting agencies and furnishers and users of consumer reports. Under the amendment, the CCPA does not apply to businesses when they process personal information associated with consumer reports in the course of activities that are regulated by the FCRA. Notwithstanding this broad exemption, the CCPA’s data breach private right of action provision still applies with respect to personal information otherwise regulated by the FCRA.
- AB 1355 reduces the Act’s obligations regarding personal information collected during B2B interactions, but only to the extent the data reflects “a written or verbal communication or a transaction” between a business and an organization (for example, corporate contact names and business cards). As with AB 25’s changes regarding employee data, this exclusion sunsets on January 1, 2021, at which point, barring further amendment, B2B contact data will again be considered personal information for all CCPA purposes. Also, as with AB 25, this amendment only removes B2B data from part of the CCPA. Specifically, three consumer rights will still apply to B2B personal information:
  - The right to opt out of the “sale” of personal information;
  - The antidiscrimination right; and
  - The private right of action for data breaches.
- This amendment clears up statutory language to remove any doubt that the consumer private right of action is only available when a data breach involves personal information that is unencrypted (as defined by the California data breach statute).
- AB 1355 also clarifies that deidentified or aggregate consumer information is not personal information, provided that certain protections are implemented to prevent reidentification.
Online-only businesses consumer rights requests procedures (AB 1564).
A business that “operates exclusively online and has a direct relationship with a consumer” is only required to maintain an email address, and not a toll-free telephone number, to receive consumer rights requests.
What about loyalty programs?
Notably, the California legislature did not pass AB 846, which would have clarified the CCPA’s applicability to businesses’ customer loyalty programs. Originally intended to expressly remove customer loyalty programs from the CCPA’s nondiscrimination provisions, the bill was changed significantly in legislative committee to include language that could have been interpreted to be more restrictive on loyalty programs than the current statutory language. A new version of this bill is expected to be introduced during the next session (in 2020). Many business interests felt that as amended in committee, the proposed amendment would actually broaden potential CCPA restrictions, thwarting the sponsors’ purpose in providing some clarity and relief to marketers using these important programs.
Governor’s signature. The governor is expected to sign the bills into law before the October 13, 2019, deadline and, if signed, they will go into effect on January 1, 2020, along with the rest of the CCPA.
Attorney general notice and comment rulemaking proceeding. Although the legislative process for 2019 is now complete, the attorney general of California is required to provide CCPA guidance in the coming months. The AG has indicated it will promulgate regulations to establish procedures to facilitate consumers’ rights under the CCPA and provide guidance to businesses for how to comply with some of the related CCPA provisions. Hopefully, the attorney general will continue to provide guidance on various unclear issues thereafter.
More amendments? In 2020, we expect the California legislature and attorney general, companies, industry groups, academics, and professionals to continue to debate how and whether the CCPA should apply to employee/contractor information and B2B information. For example, the legislature may support a new bill that focuses on human resources data rather than trying to protect such data through an ill-fitting consumer protection law.
As we wait for the AG’s regulations and guidance, businesses, service providers, and third parties regulated by the CCPA will need to take steps to comply with the CCPA using the amended statutory language. Companies should continue to develop a robust understanding of the personal information they maintain, the purposes for using and sharing the personal information, and the recipients of the personal information. This understanding is important even for employee personal data to the extent necessary to provide proper notice and effectuate reasonable and appropriate information security measures. Companies should also prepare for responding to consumer access and deletion requests, and must think about how they want to address their contractual relationships with service providers and third parties under the Act. While the California legislature’s decisions regarding employee data, the definition of personal information, and a few other items may have provided businesses with a little extra breathing room, there is still plenty of work to be done before the January effective date. Most important, in terms of immediate financial liability, the private right of action with broad statutory damages remains in effect. This provision alone, beyond compliance, creates dramatic new financial risks that could be material for many businesses. Many businesses will continue to be forced to prepare for the worst while they hope for the best.