The CCPA Comes Close to Its Final Form
Almost immediately after the passage of the California Consumer Privacy Act ("CCPA"), lawmakers proposed both large and small amendments to it. On September 13, 2019, California's legislative session came to a close and with it the last chance for the California legislature to pass amendments to the CCPA before it comes into effect on January 1, 2020. This legislative session saw a wide range of over 30 proposed amendments to the CCPA, but by September, most of these proposed amendments were presumed dead, leaving six amendments still live in Committee. The dust has now settled and five amendments have made it through to the final round: Governor Gavin Newsom's desk. While the amendments do not make drastic changes to the CCPA, they do include important tweaks and clarifications that should be relevant to all covered businesses preparing for compliance.
Here, we outline the most significant changes made to the CCPA by those amendments:
EMPLOYEE INFORMATION EXEMPTION
One of the most closely watched amendments to the CCPA, Assembly Bill ("AB") 25 creates an exemption for employee information. The definition of "personal information" in the CCPA, confusingly, refers to "employment-related information" even though by its title the CCPA would seem to be limited to consumers. This amendment provides a limited carve-out for employee data. Specifically, this amendment states that the CCPA will not apply to personal information:
Collected by a business "in the course of a natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business to the extent" the information is collected in the context of the person's role as such.
Of an emergency contact of that person when used solely within the context of having an emergency contact on file.
Collected to retain or administer benefits to someone related to that person (e.g., a dependent or spouse) when used solely within the context of administering those benefits.
However, this amendment does not apply to:
A business's requirement to, at or before the point of collection, provide applicants, employees, owners, directors, officers, medical staff members, or contractors with disclosures about the categories of personal information to be collected and the purposes for which that information will be used.
The private right of action granted to consumers and employees alike whose nonencrypted and nonredacted personal information is subject to unauthorized access in the event the business fails to live up to its duty to implement and maintain reasonable security procedures and practices.
In sum, employers must still provide their employees and job applicants with notice of what information is collected and why. This limited carve-out for employee data expires January 1, 2021, unless further action is taken by the legislature.
AMENDED DEFINITION OF PERSONAL INFORMATION
AB 874 and AB 1355 clarify that "personal information":
Includes information that is "reasonably" capable of being associated with or linked with a consumer or household.
Does not include deidentified or aggregate consumer information.
Does not include "publicly available" information, the definition of which is clarified to no longer exclude information used "for a purpose that is not compatible with the purpose for which the data is maintained and made available in the government records...." The amended definition removes this limitation.
BUSINESS-TO-BUSINESS PERSONAL INFORMATION EXEMPTION
Personal information collected during certain business-to-business transactions is now exempted from the CCPA according to AB 1355. Specifically, personal information transmitted between a consumer and a business under certain circumstances will not be subject to the CCPA when the consumer is "acting as an employee, owner, director, officer or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency." For the carve-out to apply, the transaction or communication between the consumer and business must occur solely within the context of the business "conducting due diligence regarding, or providing or receiving a product or service to or from" the entity.
Similar to the exemption for employee data, this limited carve-out for personal information provided in a business-to-business context also expires January 1, 2021, unless further action is taken by the legislature.
IDENTITY VERIFICATION AND VERIFIABLE CONSUMER REQUESTS
In addition to excluding business-to-business data, AB 1355 also provides more clarity on how to verify consumer requests under the CCPA. After receiving a consumer request, a business may "require authentication of the consumer that is reasonable in light of the nature of the personal information requested...." In addition, the definition of "verifiable consumer request" has been amended to state that businesses are not required to provide information in response to any of the statutory consumer requests (not just a request for disclosure, as the CCPA previously stated) if they are unable to verify the identity of the consumer making the request (or to verify that the requestor is authorized to act on the consumer's behalf). Further, the CCPA has been amended to require that the Attorney General adopt a regulation "[t]o establish rules and procedures on how to process and comply with verifiable consumer requests for specific pieces of personal information relating to a household in order to address obstacles to implementation and privacy concerns."
MOTOR VEHICLE TRANSACTIONS
AB 1146 clarifies the "vehicle information" exemption. Consumers generally have the right to direct businesses not to sell their personal information. However, under this amendment, this right to opt out will not apply to:
vehicle information or ownership information retained or shared between a new motor vehicle dealer...and the vehicle's manufacturer...if the vehicle or ownership information is shared for the purpose of effectuating...a vehicle repair covered by a vehicle warranty or a recall...provided that the new motor vehicle dealer or vehicle manufacturer...does not sell, share, or use that information for any other purpose.
Under this exemption, "vehicle information" includes the vehicle information number, make, model, year and odometer reading, and "ownership information" includes the name or names of the registered owner or owners and the contact information for the owner or owners.
DELETION EXCEPTION FOR WARRANTY/RECALLS
Pursuant to AB 1146, businesses now will not need to delete a consumer's personal information if that information is needed in order to fulfill the terms of a written warranty or product recall.
SUBMISSION OF CONSUMER REQUESTS FOR ONLINE-ONLY BUSINESSES
For businesses that operate exclusively online and have a relationship with the consumer, AB 1564 exempts them from maintaining a toll-free number for consumers to submit their CCPA-related requests. Instead, these businesses need only provide an email address for consumers to submit these requests.
MISCELLANEOUS PROVISIONS
AB 1355 also clarifies several CCPA provisions and corrects a few drafting errors. The most significant changes include:
Clarifying language suggesting that a business must publicly disclose specific pieces of information about a specific consumer. The amendment clarifies that a covered entity will only need to publicly disclose the categories of personal information collected about consumers (not a particular consumer) and that a consumer has the right to request the specific pieces of information collected about him or her.
Clarifying California's anti-discrimination provision. This amendment swaps the word "consumer" out for "business" and states: "Nothing in this subdivision prohibits a business from charging a consumer a different price or rate, or from providing a different level or quality of goods or services to the consumer, if that difference is reasonably related to the value provided to the business by the consumer's data" (emphasis added). Thus, the law now considers the value of the personal information to the business instead of to the consumer.
Clarifying that the right to opt in applies to consumers who are "at least 13 years of age and less than 16 years of age." The CCPA previously stated that the right to opt in applied to consumers "between 13 and 16 years of age" and parental consent was triggered for consumers "who are less than 13 years of age." Though a minor change, the amendment eliminates confusion regarding the age at which requisite parental consent is no longer required. In the original text, it was unclear whether the right to opt-in to the sale of personal information extended to 16-year-olds.
Clarifying disclosures in privacy policies. Previously, a business was only required to provide a description of the consumer's rights under Sections 1798.110, 1798.115, and 1798.125 (i.e., the right to request information the business collects about consumers in general, the right to request information about the category of third party to which personal information is sold and the right to non-discrimination, respectively) in their privacy policies. Now, a business must also provide a description of the consumer's rights under Sections 1798.100 and 1798.105 (i.e., the right to request information about the type of data collected from all consumers and the right to deletion).
Narrowing data collection and retention obligations. A business is not required to "collect personal information that it would not otherwise collect in the ordinary course of its business" nor is it required to "retain personal information for longer than it would otherwise retain such information in the ordinary course of its business...."
Clarifying the private right of action. This modification is the shortest of those listed, yet one of the most impactful. The amendment clarifies that consumers may institute lawsuits for data breaches when personal information is "nonencrypted and nonredacted" (rather than nonencrypted or nonredacted). Thus, consumers may not initiate litigation if their information was either encrypted or redacted.
Broadening the existing exemption for compliance with the federal Fair Credit Reporting Act. This amendment clarifies that the CCPA does not apply to activities involving the "collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency" by a person or entity furnishing information for use in a credit report and by a user of a credit report. This exemption only applies to the extent these activities or use of this information is subject to the Fair Credit Reporting Act. This exemption does not apply to the CCPA's private right of action provision.
Though not an amendment to the CCPA, AB 1202, which requires the registration of data brokers, similarly promotes consumer privacy rights:
DATA BROKER REGISTRY
AB 1202 requires that data brokers register with the California Attorney General's office on an annual basis and pay a registration fee. AB 1202 is intended to promote consumer privacy rights by identifying companies that collect and process their personal information and with whom consumers otherwise lack a direct relationship. Once companies are registered, their physical addresses, email addresses, and website information will be posted to an online registry accessible by consumers. Data brokers must honor consumers' requests to opt out of the sale of their personal data. Failure to register may result in penalties and fines, and there is a carve-out for entities who comply with GLBA, HIPAA and FCRA.
Vermont is currently the only other state with a data broker registration law. AB 1202's definition of "data broker" as "a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship" is comparatively broader than the corresponding definition under the Vermont law, which defines it as "a business...that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship" (emphasis added). Given the breadth of the AB 1202 definition of "data broker", it will arguably cover more companies who will need to satisfy the new registration obligations.
While overall these amendments do not change the core tenets of the CCPA, covered businesses should review them carefully to understand how they may impact their compliance strategies. Importantly, businesses can expect to receive more clarifications to the law, as the Attorney General's proposed regulations are expected as early as October 2019.
For more information about the topics raised in this Legal Update please contact:
Kendall C. Burman +1 202 263 3210 firstname.lastname@example.org
Rajesh De +1 202 263 3366 email@example.com
Stephanie Duchene +1 213 229 5176 firstname.lastname@example.org
Philip R. Recht +1 213 229 9512 email@example.com
Lei Shen +1 312 701 8852 firstname.lastname@example.org
Jeffrey P. Taft +1 202 263 3293 email@example.com
Amber C. Thomson +1 202 263 3456 firstname.lastname@example.org
Lisa V. Zivkovic +1 212 506 2482 email@example.com
This Mayer Brown publication provides information and comments on legal issues and developments of interest to our clients and friends. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek legal advice before taking any action with respect to the matters discussed herein.
© 2019 Mayer Brown. All rights reserved.