After months of wrangling, the California legislature has finally passed a set of significant amendments to the California Consumer Privacy Act (CCPA), a sweeping data privacy and security law commonly referred to as “California’s GDPR” (Europe’s General Data Protection Regulation). Employee personal information and personal information obtained in business-to-business (B2B) interactions are now mostly out of scope. Personal information in credit reports and other data covered by the Fair Credit Reporting Act is also largely exempt. Only personal information that is “reasonably” capable of being associated with a consumer or household is subject to the act. And aggregate or deidentified information definitively does not qualify as CCPA personal information.
These and several other amendments that passed represent significant changes to the CCPA. They should substantially ease compliance burdens and correct some — but not all — of the drafting anomalies and other aspects of the act that have been the source of uncertainty.
California legislators also passed the state’s first data broker registry law. Businesses that no one typically thinks of as traditional “data brokers” may now be required to register with the California Attorney General, disclose “any additional information or explanation the data broker chooses to provide concerning its data collection practices” and pay annual registration fees. California’s law tracks the Vermont Attorney General’s interpretation of that state’s data registry law, which similarly views “sale” as including not just traditional sales but the exchange of personal information for nonmonetary consideration.
Below we discuss both of these developments and the state of both laws as they await final action (or inaction) from Gov. Gavin Newsom.
CCPA Amendments — What They Are and What They Mean for Compliance Efforts
- Employee Personal Information Is (Mostly) Out of Scope. What began as an attempt to completely exclude employee personal information morphed into a compromise amendment that significantly reduces — but does not completely eliminate — CCPA obligations with respect to the personal information of employees. A business must now provide notice “at or before the point of collection” about the types of information collected from employees and the reasons for the collection. Businesses will also continue to be subject to the private right of action if employee personal information is compromised as a result of the breach of a business’s duty to provide reasonable security measures. But at least until the provision sunsets in 2021, far-reaching access and deletion rights do not apply to employee personal information, which will significantly reduce the compliance burden on employers. Among other things, privacy policies do not need to address employee information collection, and businesses do not have an obligation to respond to requests for copies of employee personal information. Critically, this amendment has a January 1, 2021, sunset clause, paving the way for further debate about how the data of employees and others should be treated under the CCPA.
- B2B Personal Information Excluded. At the 11th hour, legislators agreed to limit the scope of the law by excluding personal information collected in the context of certain B2B transactions. Under the bill, the name, emails, phone numbers and other personal information provided by individuals when communicating or transacting with a business while acting in their professional capacity as an employee or representative of another company will no longer be subject to CCPA notice, access and deletion rights. In the event a business sells this type of personal information, the business is required to respond to opt-out requests, but it does not need to display the “do not sell” link on its webpage. As with the limitation on employee information, this B2B exception expires on January 1, 2021, and B2B personal information remains subject to the private right of action. This B2B exception could significantly limit CCPA compliance burdens for businesses that primarily collect personal information that is subject to other consumer privacy laws, such as nonpublic personal information subject to the Gramm-Leach-Bliley Act (GLBA), for which the CCPA provides a limited exemption. Personal information collected by a financial institution for its individual “consumer” customers is likely governed by GLBA and remains out of scope of the majority of the CCPA obligations, and now, the personal information collected in connection with institutional customers may fall under the new exemption — at least for one year.
- Redefining “Personal Information.” Several amendments have helpfully modified the statute’s far-reaching definition of personal information and clarified drafting ambiguities. A “reasonableness” requirement has been added so that personal information now means information that is “reasonably capable of being associated with … a consumer or household.” Another amendment clarifies that personal information does not include deidentified or aggregate consumer information. Additionally, the “public records” exemption has been simplified so that personal information lawfully available from governmental records is not subject to the law, regardless of how that information is used.
- Expanding Fair Credit Reporting Act Exemption. Personal information subject to and processed in compliance with the Fair Credit Reporting Act (FCRA) has been largely excluded from the CCPA. Previously, the FCRA exemption applied only to the sale of such personal information. Now it also covers the collection, maintenance, disclosure, communication and use of FCRA-covered information. This should provide welcome relief to businesses that must evaluate customers’ creditworthiness. There are no notice, access or deletion rights under the CCPA with respect to FCRA consumer reports; the only CCPA right that applies is the availability of a private right of action in the event of a data breach.
- Clarifying Basis for Financial Incentives. Although the bill specifically exempting consumer loyalty programs from the CCPA’s nondiscrimination clause did not pass, the legislature nevertheless provided some clarity about the “financial incentive” exception. Businesses may offer a different price, rate, level or quality of services to a consumer if the difference is directly related to the value provided to the business — not the consumer, as previously stated — by the consumer’s data.
- Addressing Privacy Concerns Created by CCPA. Several amendments begin to address the potential threats to consumer privacy that may arise from the CCPA’s broad data access rights. First, how businesses should process and comply with a consumer’s request for household personal information, when doing so may compromise the privacy of other household members not making the request, has been added to the list of topics that the Attorney General may consider when adopting final regulations. Second, businesses may now enhance privacy protections by calibrating consumer authentication methods to the sensitivity of the information requested. For example, a business might ask for one level of authentication when processing a data deletion request but require additional authentication information when asked to provide copies of billing and geolocation information. Third, privacy-protective data minimization principles have also been codified so that businesses do not need to collect personal information that they would not otherwise collect in the ordinary course of business, or to retain personal information longer than they otherwise would, just to be able to respond to CCPA requests. This is particularly critical for a variety of information that might technically fall under the definition of “personal information” under the CCPA but that the business has no way of linking to a consumer (or verifying their consumer’s identity in connection with that information to respond to a rights request). Finally, the burden of consumer verification has been somewhat eased, as businesses can now require customers with accounts to submit consumer access requests only through those accounts.
- Motor Vehicle Warranty and Recall Communications Are Not Sales. CCPA sales will not include the exchange of personal information between a new motor vehicle dealer and the vehicle’s manufacturer, where the information is shared to provide notice about or effectuate repairs covered by a vehicle warranty or recall.
- Miscellaneous Additions
- The requirement that opt-in consent be required before selling personal information of children applies to children under 16 years of age.
- Businesses that do not operate exclusively online but have a website must provide for the submission of consumer requests through both a toll-free telephone number and its website.
With these amendments in place and not likely to be vetoed by California’s governor, businesses subject to the CCPA can finalize compliance preparations before January 1 and look forward to regulatory guidance, which is expected in the coming months.
Source Documents — Where to Find Them
While several bills were moving through the process, the key bill that contains all of the updates to the law is AB 1355. For reference purposes, the other bills that passed and which embody the amendments in AB-1355 are AB 25, AB 874, AB 1146, and AB 1564.
California’s New Data Broker Registry
With so much attention on the CCPA amendments, few have noticed that the California legislature also passed another important data privacy law (AB 1202), this time establishing a statewide data broker registry. The new law resembles Vermont’s data broker registration law by defining a data broker as a business that collects and sells to third parties the personal information of a consumer with which “the business does not have a direct relationship.” California’s law incorporates the CCPA’s broad definition of “sale,” which encompasses sharing of information for nonmonetary consideration. The broad definition of “sale” as including nonmonetary consideration is consistent with guidance published by Vermont’s Attorney General regarding the scope of that state’s data broker registry.
The upshot of California’s new law is that businesses not traditionally considered to be data brokers may now need to register with the state’s data broker registry. Registration involves providing contact information and paying an annual fee. Data brokers have the option of providing “additional information or explanation” concerning the business’s data collection practices but are not required to do so. The Attorney General will publish registration information provided by data brokers on a publicly available webpage.
What’s Next — Looking Toward the October 13 Deadline
The CCPA amendments and the data broker law are not yet technically a part of California law. Gov. Newsom has until October 13 to sign them into law, allow them to become law without his signature or veto them. The last option — a veto — seems unlikely at least with respect to the CCPA amendments, given the months of negotiations that preceded their passage. With negotiations over the final form of those amendments concluded, eyes now turn in earnest to the Attorney General for what clarity his office’s regulations might bring.