In a flurry of activity on the last day of the legislative session, on September 13, 2019, California passed several amendments to the California Consumer Privacy Act of 2018 (CCPA). While these amendments provide some important exemptions and clarifications, the legislature did not drastically change the CCPA by adopting any significant industry-backed exemptions (e.g., SB-753, which, if passed, would have exempted certain data sharing related to targeted advertising from the CCPA “do-not-sell” compliance requirements). In addition, the legislature did not act on a proposed bill to allow companies to sell personal information gathered in loyalty programs.
The CCPA grants California consumers broad rights to control their personal information. While not as strict as Europe’s General Data Protection Regulation (GDPR), California’s law will be the strictest in the nation and will impose significant new obligations on companies doing business in California with respect to personal information of California residents. Assuming these amendments are approved by Governor Newsom, the final step is for the California Attorney General to issue regulations relating to the CCPA. The law takes effect on January 1, 2020, with enforcement delayed until six months after issuance of the Attorney General’s regulations, or July 1, 2020, whichever is sooner.
The five amendments – Assembly Bills 25, 874, 1146, 1355, and 1564 – will affect different aspects of the CCPA. In addition, the legislature passed AB 1202, which requires the registration of data brokers.
AB 25 - Temporary Exception for Employees and Contractors
AB 25 exempts, until January 1, 2021, personal information collected from a natural person by a business in the course of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business, as specified, from most provisions of the CCPA. It also exempts emergency contact information or personal information necessary to administer benefits for another natural person relating to the employee, owner, director, officer, medical staff member or contractor. However, these individuals retain their rights to be informed of the categories of personal information collected and the purposes for which these categories of personal information shall be used by the business. Additionally, they retain their right to bring a private action for a data breach.
AB 25 - Exemption for Certain Business-to-Business Information
Until January 1, 2021, AB 25 exempts from most provisions of the CCPA personal information reflecting a written or verbal communication or a transaction between the business and a person acting as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency, if the communication or transaction occurs solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from, such company, partnership, sole proprietorship, nonprofit, or government agency. This exemption would appear to provide that most email communications between individuals in their roles as employees of businesses are not subject to CCPA requests.
AB 25 - Reasonable Authentication Requests from Consumers
The CCPA grants consumers the right to request that a business disclose specific pieces of personal information it has collected and to have information held by that business deleted. The act requires the business to disclose and deliver the required information to a consumer free of charge within 45 days of receiving a verifiable consumer request from the consumer. Additionally, the act prohibits a business from requiring a consumer to create an account with the business in order to make a verifiable consumer request.
AB 25 allows a business to require authentication of the consumer that is reasonable in light of the nature of the personal information requested in order to make a verifiable consumer request. It also provides that if the consumer maintains an account with the business, the business may require the consumer to submit the request through that account.
AB 874 - Exclusions from the Definition of Personal Information
AB 874 limits the definition of “personal information” in certain cases, so that:
- “Personal information” does not include consumer information that is de-identified or aggregate consumer information.
- “Personal information” does not include publicly available information (“publicly available” means information that is lawfully made available from federal, state, or local government records). This amendment eliminated the requirement that publicly available information be used for the same purpose as the public record. Note that “publicly available” does not mean biometric information collected by a business about a consumer without the consumer’s knowledge.
- “Personal information” is now defined as: “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household” (the word “reasonably” was added to the definition).
AB 1146 - No Opt-Out Right For Sharing of Information for Vehicle Recall or Warranty Repairs
The CCPA grants a consumer the right to direct a business not to sell, as defined, personal information about the consumer to third parties, as defined (the “opt-out right”). A consumer also has the right to request that a business delete personal information about the consumer that the business has collected from the consumer, subject to certain conditions.
AB 1146 provides that the consumer’s opt-out right does not apply to vehicle information (VIN, make, model, year and odometer reading) or ownership information retained or shared between a new motor vehicle dealer and the vehicle’s manufacturer, if the vehicle or ownership information is shared for the purpose of effectuating, or in anticipation of effectuating, a vehicle repair covered by a vehicle warranty or a recall, provided that the new motor vehicle dealer or vehicle manufacturer with which that vehicle information or ownership information is shared does not sell, share, or use that information for any other purpose.
The bill also exempts, from the consumer’s right to request that a business delete personal information about the consumer, personal information that is necessary for the business to fulfill the terms of a written warranty or product recall conducted in accordance with federal law.
AB 1202 - Creates “Data Broker” Registry with the California Attorney General
AB 1202 requires data brokers to register with and provide certain information to the Attorney General. The bill defines a data broker as a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship, subject to specified exceptions. The bill requires the Attorney General to make the information provided by data brokers accessible on its internet website. The bill makes data brokers that fail to register subject to injunction and liability for civil penalties, fees, and costs in an action brought by the Attorney General, with any recovery to be deposited in the Consumer Privacy Fund, as specified.
AB 1355 - Differential Treatment of Consumers
The CCPA prohibits a business from discriminating against a consumer for exercising any of the consumer’s rights under the act.
AB 1355 changes the previous exception to this prohibition, allowing differential treatment if it is reasonably related to the value provided to the business by the consumer’s data.
AB 846, which would have exempted loyalty programs from the differential treatment provisions, was deferred and not approved.
AB 1355 - Clarification that the Attorney General May Adopt Additional Regulations
AB 1355 clarifies that the Attorney General may adopt additional regulations to establish rules and procedures on how to process and comply with consumer requests for specific pieces of personal information relating to a household (to address obstacles to implementation and privacy concerns).
AB 1355 - Information Not Usually Collected in the Ordinary Course of Business
AB 1355 clarifies that the law does not require a business to collect personal information that it would not otherwise collect in the ordinary course of its business. Similarly, a business need not retain personal information for longer than it would otherwise retain such information in the ordinary course of its business.
AB 1355 - Clarification of FCRA Exemption
The CCPA had provided an exemption for the sale of personal information to and from a consumer reporting agency under the Fair Credit Reporting Act (FCRA). AB 1355 amends and broadens the exemption to apply to the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency in a consumer report, as those terms are defined in the FCRA. The exemption only applies if the personal information is used as permitted under the FCRA. The exemption does not seem to impact a consumer’s ability to bring a private action against a business for a data breach involving such information.
AB 1135 - Clarification Regarding the Consumer’s Disclosure Right
AB 1135 clarifies that consumers have the right to request specific pieces of information that a business has collected about them. However, they do not have the right to automatically obtain such information (they only have the right to request it).
AB 1564 - Consumer Information Requests from an Exclusively Online Business
The CCPA provides that a business is required to make available to consumers at least two designated methods for submitting requests for specified information required to be disclosed.
AB 1564 provides that a business that operates exclusively online and has a direct relationship with a consumer from whom it collects personal information is only required to provide an email address for submitting requests for information required to be disclosed. If the business maintains an internet website, it should make the website available to consumers to submit requests for information required to be disclosed.
October 13, 2019 will be the final day for the governor to sign or veto these bills.