September 13, 2019, marked the final day for the California Legislature to vote on amendments intended to clarify the terms and scope of the California Consumer Privacy Act (CCPA), which takes effect on January 1, 2020. The bills are now on Governor Gavin Newsom’s desk for approval, and he has until October 13, 2019, to sign or veto them.

Of the CCPA amendment bills that were in consideration, the following were passed:

  • AB 25, regarding employee exemption
  • AB 874, regarding the definition of “personal information”
  • AB 1146, regarding warranty and vehicle repairs
  • AB 1355, regarding the B2B exemption and other clarifying amendments
  • AB 1564, regarding toll-free telephone number exceptions

While not an exhaustive list of the bills that stalled during the legislative process, the following bills of note failed to pass the legislature:

  • AB 873, regarding the definition of “de-identified”
  • AB 846, regarding customer loyalty programs
  • AB 981, regarding exemption for certain insurance transactions

Notable Changes

While the approved amendments did not significantly overhaul the CCPA, several notable changes were made.

Amended Definition of Personal Information (PI) and Expansion of “Publicly Available Information”

PI now includes information that is “reasonably” capable of being associated with, directly or indirectly, a particular consumer or household. This slightly narrows the definition of PI by creating a reasonableness element in determining what information is capable of being associated with a particular consumer or household. Notably, “household” was left in the definition of PI; it remains uncertain how this word will be interpreted by courts and regulators going forward.

De-identified and aggregate consumer information is now explicitly excluded from the definition of PI.

Employee Exemption (until January 1, 2021)

PI that is collected from job applicants, employees, business owners, directors, officers, medical staff or contractors, including emergency contact information and information regarding beneficiaries, will generally not be covered by the CCPA for the first year of the law’s implementation. The PI must be collected and used solely for employment purposes. As such, employees will not have the right under the CCPA to access or request deletion of their personnel records. A business remains obligated to inform employees, at or before the point of collection, of the categories of PI to be collected and the purposes for which the categories of PI shall be used.

The exemption does not apply to the CCPA’s private right of action that may be brought in the event of a data breach.

The employee exception has a sunset provision, ending on January 1, 2021.

Business-to-Business (B2B) Exemption (until January 1, 2021)

PI reflecting a written or verbal communication or a transaction between a business and an employee, owner, director, officer or contractor will be exempted for the first year of the law’s implementation, provided that the communication or transaction occurs solely within the context of the business conducting due diligence regarding, providing or receiving a product or service to or from a company, partnership, sole proprietorship, nonprofit or government agency. The exemption does not apply to the private right of action for data breaches, the right to opt out of the sales of PI and the right to be free from discrimination.

The B2B exception has a sunset provision, ending on January 1, 2021.

Toll-Free Telephone Number Exemption

Generally, businesses will be required to provide consumers with two methods for the submission of privacy requests, including a toll-free telephone number. And, if a business maintains a website, it must make the website available to consumers to submit requests for information.

However, under the amended CCPA, businesses operating exclusively online will not be required to provide a toll-free number if the company has a direct relationship with a consumer from whom it collects PI. Direct relationship is not defined in the CCPA, but guidance is provided in the data broker registry requirements discussed below. Such online-only companies must provide an email address for submitting privacy requests.

“Verifiable Consumer Request” Authentication

For purposes of verifying the identity of a consumer making a request, a business may now require any authentication of the consumer that is reasonable in light of the nature of the PI requested.

If applicable, a business may require the consumer to submit the request through an account the consumer already maintains with the business.

Anti-Discrimination Provision

This allows businesses to charge a consumer a different amount or provide a different level or quality of goods or services if that difference is reasonably related to the value provided to the business (rather than to consumers, as previously written) by the consumer’s data. This change would appear to allow a business to charge consumers who opt out of the sale of their PI more for goods or services, or provide a different level or quality of those goods or services, based on the value the business would have received from selling the PI.

Warranty and Vehicle Repairs

This exempts vehicle information retained or shared for purposes of a warranty or recall-related vehicle repair and provides a clearer description of vehicle recalls.

Additional Developments

Breach Notification Amendment

Also of note, AB 1130, a bill that does not specifically amend the CCPA, passed. This bill expands the categories of PI covered by California’s data breach notification laws, which will now include tax identification numbers, passport numbers, military identification numbers and unique identification numbers issued on a government document, as well as certain types of specified unique biometric data. This expansion is expected to impact liability under the CCPA’s private right of action.

The first set of proposed regulations from California Attorney General Xavier Becerra is expected to be released in the coming months. The attorney general’s draft regulations are anticipated to clarify and interpret the CCPA’s requirements and will be subject to public comment before they are published in final form.

“Data Brokers” Registration

While not codified within the CCPA, AB 1202 creates a new data broker registry for the sale of PI meeting certain conditions. Data brokers will be required to register with the California attorney general on or before January 31 of each year.

“Data broker” is defined as a “business that knowingly collects and sells to third parties the PI of a consumer with whom the business does not have a direct relationship.” (Emphasis added.) According to the introductory language in the bill, a direct relationship may be formed in a variety of ways such as by visiting a business’ premises or website, or by affirmatively and intentionally interacting with a business’ online advertisements.

The attorney general will make information provided by data brokers accessible to the public on its website.