California’s Governor Gavin Newsom has several legislative bills awaiting his signature that will impact the upcoming California Consumer Privacy Act, set to go into effect January 2020. In this six-part series, we will break down each of the proposed amendments and what it means for businesses as they get ready for compliance by the end of 2019.
In a few short months, on January 1, 2020, the California Consumer Privacy Act of 2018 (CCPA) will go into effect. This law has been implemented to protect consumers’ personal information with respect to its use, sharing and selling, amongst numerous other requirements. Previously, the CCPA had been amended only once, by Senate Bill 1121 (signed into law in September 2018), for clarification and to address various technical issues. However, in a flurry of activity on the last day of the California legislative session, a total of six amendments to the CCPA were recently passed.
One such recent amendment, Assembly Bill 874 (AB 874), was introduced earlier this year and made mostly minor clarifications to the CCPA, such as providing that personal information must now be reasonably capable of being associated with a particular consumer or household. It also made two other significant modifications, including the following:
Small Yet Important Distinctions
These changes may not appear that notable at first. However, when compared to the prior provisions, these revisions expand the publicly available information exception and create another exception to “personal information” subject to the CCPA.
Publicly Available Information
The CCPA has always contained an exception for publicly available information, including information available from federal, state, or local government records. Pursuant to the California Government Code (California Government Code §6250 et seq.), public records are broadly defined to include “any writing containing information relating to the conduct of the public’s business prepared, owned, used, or retained by any state or local agency regardless of physical form or characteristics.”
AB 874 eliminated a previous requirement that information would not be considered “publicly available” if the data is used for a purpose that is not compatible with the purpose for which it is maintained and made available in the government records or for which it is publicly maintained. While this could have been made clearer, it appears to have been an attempt to show some relationship between the personal information obtained from records and the source of the records. For instance, if a consumer’s name, postal address or e-mail address is obtainable through the real estate records maintained by a local County recorder’s office, would it then have to be established that such data is used for real estate purposes or for some other plausible purpose for which the County recorder maintains such information?
AB 874 makes clear that any “publicly available” information is now excluded regardless of the source of the public records used to obtain the information.
Deidentified or Aggregate Consumer Information
Prior to AB 874, deidentified or aggregate consumer information was part of the definition of “publicly available.” Now, it is clear that deidentified or aggregate consumer information is expressly excluded from the definition of “personal information.”
It should be noted that any business that may need to use deidentified information must further comply with additional requirements to implement technical safeguards and business processes to prevent any reidentification of the information.
Ultimately, both of AB 874’s small updates make it easier to argue that the information at issue may not fall within the scope of personal information subject to the CCPA.
How Can I Comply With A Moving Target?
In light of all the recent amendments to the CCPA, and the fact that the CCPA will more than likely continue to develop for years following its enactment, it remains critical for all businesses subject to the CCPA to assess all forms of personal information currently being maintained within their organizations, and to develop a strategy for compliance with respect to such information. The affirmative duty to “implement and maintain reasonable security procedures and practices appropriate to the nature of the information” in order to protect consumers’ personal information remains regardless of these updates.