The long-anticipated amendments to the CCPA were passed by the California Legislature in early September and now await Governor Newsom’s signature. Some of the changes were “clean up” amendments to update cross references, standardize language, and generally address issues of drafting. What follows is a summary of the most significant and substantive amendments:
- The CCPA will exempt the collection of personal information from job applicants, employees, business owners, directors, officers, medical staff, or contractors, for one year, provided that the information is collected and used “solely within the person’s role” or former role as a job applicant, etc. Businesses must still provide a notice to these individuals when personal information is collected. (1798.145(h))
- The CCPA includes a new one-year exemption related to personal information collected in the business-to-business context. Specifically, this exemption provides:
The obligations imposed on businesses by Sections 1798.100, 1798.105, 1798.110, 1798.115, 1798.130, and 1798.135 shall not apply to personal information reflecting a written or verbal communication or a transaction between the business and the consumer, where the consumer is a natural person who is acting as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency and whose communications or transaction with the business occur solely within the context of the business conducting due diligence regarding, providing, or receiving a product or service to or from such company, partnership, sole proprietorship, nonprofit or government agency. (1798.145(n))
Note that this data is still subject to the “do-not-sell” requirements in Section 1798.120 and the private right of action for data breaches in Section 1798.150.
- Upon receipt of a consumer request regarding sale of data to third parties, a business must disclose only the category of third parties with whom the information is shared rather than identifying each third party. (1798.115(a)) While the CCPA does not contain a definition of “categories” of third parties, this change eliminates the obligation to identify specific third parties.
- The definition of personal information has been modified to include a reasonableness standard with respect to the prong of the definition that states that information that is capable of being associated with a particular consumer or household is personal information. That is, “Personal information means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following if it identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household”. (1798.140(o)(1))
- The amendments clarify the carve-out from the definition of “personal information” for “publicly available” information by deleting the difficult-to-apply standard that required interpretation of the “purpose” for which records were released by the government. (1798.140(o)(2))
- The Fair Credit Reporting Act (FCRA) exemption has been expanded to cover FCRA data rather than just data furnished to consumer reporting agencies for an FCRA purpose. (1798.145(d))
- A new exemption was created for vehicle information or ownership information if such information is shared for the purpose of effectuating, or in anticipation of effectuating, a vehicle repair covered by a vehicle warranty or a recall conducted pursuant to Sections 30118 to 30120, inclusive, of Title 49 of the United States Code, provided that the vehicle dealer or manufacturer with whom the information is shared does not sell, share, or use that information for any other purpose. (1798.145(g))
- The section on the consumer’s right not to be subject to discrimination removes the difficult-to-apply requirement that incentives be related to the value of consumer data to the consumer and replaces it with a requirement that they be related to the value to the business (1798.125). Parallel and conforming changes are made elsewhere in this amended section.
- The section addressing the mechanisms for consumers to exercise their rights has been clarified in two ways. First, a business that operates exclusively online and has a direct relationship with a consumer is required to provide only an email address for the consumer to submit requests. Second, businesses that maintain an internet website must make the website available to consumers to submit their requests. (1798.130(a)) For businesses with a brick-and-mortar facility, a toll-free number will continue to be required. This section also provides that a business may require authentication of the consumer that is reasonable in light of the nature of the personal information requested and that, if the consumer maintains an account, the business may require the consumer to submit the request through that account.
- The consumer access provision makes clear that a consumer has the right to request the specific pieces of personal information a business has collected about the consumer. (1798.110(c)) This change clarifies a consumer’s right to request specific pieces of information and a business’s requirement to disclose such information upon request.
- The private right of action has been narrowed by clarifying that information that is either encrypted or redacted is outside the scope of the right to sue for data breaches. (1798.150(a))
In addition to waiting for the California Governor’s signature on these amendments, the business community eagerly awaits the Attorney General’s proposed regulations addressing what qualifies as a “verifiable consumer request” and requirements for do-not-sell mechanisms. It will be a busy fall.