- The California State Legislature has passed five bills to amend the state's landmark privacy legislation, the California Consumer Privacy Act (CCPA). Gov. Gavin Newsom has until Oct. 13, 2019, to sign or veto the legislation, and the order in which he enacts bills will determine whether some overlapping provisions of the bills are enacted or not.
- Further complicating companies' efforts to operationalize the CCPA is the fact that regulations are still forthcoming. The state attorney general is expected to release draft regulations sometime this fall.
- In the absence of comprehensive federal privacy legislation, California has moved forward on its own, and the CCPA will come into effect on Jan. 1, 2020, alongside a number of other generally pro-consumer privacy laws.
Five bills to amend California's landmark privacy legislation, the California Consumer Privacy Act (CCPA), passed the California State Legislature last week and now head to Gov. Gavin Newsom's desk. (See Holland & Knight's previous alert, "California Consumer Privacy Act Update: Assembly Approves 12 Amendments," June 6, 2019.)
New Exemptions to Portions of the Act
Employees Are Out of Scope (Partially and at Least for Now). Introduced to address industry concern that employees would be covered by CCPA's broad definitions, AB 25 would exempt from most provisions of the Act personal information collected by a business from "a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business" when the individual is acting in such capacity.
The bill includes two notable exceptions to that exemption:
- A business would still be required to inform applicants, employees, contractors, etc. of the categories of personal information to be collected by the business in the course of the individual acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of or contractor of that business.
- Applicants, employees, contractors, etc. would still be entitled to bring a private right of action for a data breach under Section 1798.150.
Unless the legislature acts next year, the exemption would sunset on Jan. 1, 2021, and applicants, employees, contractors, etc. would be within the scope of the Act for all purposes, meaning such individuals could then make access and deletion requests to prospective, current and former employers.
Some Vehicle Information Exempted. AB 1146 would exempt vehicle information — VIN, make, model, year, odometer reading, and name and contact information of the registered owner — retained or shared between a new motor vehicle dealer and the vehicle's manufacturer, if such information is shared for the purpose of effectuating repairs covered by a warranty or recall, and provided that such information is not used, shared or sold for any other purpose.
Changes to Consumer Rights Request Process
Two bills would make changes to the consumer rights request process.
Online Businesses Need Not Provide Telephone Number for Rights Requests. AB 1564 would reduce the burden on businesses that operate exclusively online and have a direct relationship with the consumer, and permit such businesses to provide only an email address for consumers to submit rights requests.
Reasonable Authentication Measures Acceptable. To address concern about potentially fraudulent or malicious consumer rights requests, AB 25 would authorize a business to require authentication of the consumer that is reasonable in light of the nature of the personal information requested. The bill would also authorize a business to require a consumer/account holder to submit a verifiable consumer request through an account that the consumer maintains with the business. A business would still be prohibited from requiring a consumer to create an account in order to submit a request.
Businesses Need Not Delete Warranty-Related Information. AB 1146 would add a new circumstance where a business need not delete personal information: to fulfill the terms of a written warranty or product recall conducted in accordance with federal law.
Clarification of Non-Discrimination Provision. Current law provides that a business cannot discriminate against a consumer for exercising his or her CCPA rights, except that a business may offer a different price, rate, level or quality of goods or services if the difference is reasonably related to the value provided to the consumer by the consumer's data. AB 1355 would revise that language to clarify that the permissible difference must be reasonably related to the value provided to the business by the consumer's data.
Updates to the Definition of Personal Information
Three bills would make a variety of changes to the definition of personal information under the Act.
Information Must Be Reasonably Associated with an Individual. AB 874 would revise the definition of "personal information" to add a reasonableness requirement to information that could be associated with a particular individual or household. If signed, personal information would be defined as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
Unrestricted Use of Publicly Available Government Records. While the CCPA excludes from the definition of "personal information" data that is lawfully made available from federal, state or local records, existing law specifies that such information is not "publicly available" if it is used for a purpose that is not compatible with the purpose for which such information is maintained. If signed, AB 874 would delete that use restriction and instead provide that "publicly available" information is simply information that is lawfully made available from federal, state or local records.
Clarification on Use of Deidentified or Aggregate Information. AB 874 and AB 1355 would each correct an apparent typo in the existing law and clarify that deidentified or aggregate consumer information is not "personal information" (rather than not "publicly available" information as stated in the existing law).
Surprise Failure: Bill to Protect Loyalty Programs Doesn't Come Up for Vote
The big surprise last week was that the bill to expressly protect loyalty programs, AB 846, was pulled from consideration and moved to the inactive file.
The bill was introduced to address a concern raised by businesses that a consumer's deletion request could require the deletion of loyalty program data and perks, a result that 1) at least arguably would conflict with the CCPA's anti-discrimination provision and 2) runs contrary to marketing departments' typical desire to keep people enrolled.
Support by companies dwindled, however, after the Senate Judiciary Committee forced an amendment that would have limited how businesses could use data collected in connection with a loyalty program. Privacy advocates never got behind the bill, pointing to the various exemptions from deletion found in the CCPA, and the fact that the Act permits a business to provide a different price or quality of goods if the difference is reasonably related to the value provided to the business by the consumer's data.
What Happens Next?
Gov. Newsom has until Oct. 13, 2019, to sign or veto the legislation, and the order in which he enacts bills will determine whether some overlapping provisions of the bills are enacted or not.
Further complicating companies' efforts to operationalize the CCPA is the fact that regulations are still forthcoming. The state attorney general is expected to release draft regulations sometime this fall.
California Leading the Way on Privacy
In the absence of comprehensive federal privacy legislation, California has moved forward on its own, and the CCPA will come into effect alongside a number of other generally pro-consumer privacy laws.
Data Broker Registry. If signed, AB 1202 would establish a public registry of names, addresses and contact information for data brokers — companies that knowingly collect and sell the personal information of California consumers with whom they do not have a direct relationship. (The bill incorporates the broad definitions of "collect," "sell" and "personal information" as used in CCPA.)
Exempted from the definition of a data broker are:
- a consumer reporting agency to the extent that it is covered by the federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.)
- a financial institution to the extent that it is covered by the Gramm-Leach-Bliley Act (Public Law 106-102) and implementing regulations
- an entity to the extent that it is covered by the Insurance Information and Privacy Protection Act (Article 6.6 (commencing with Section 1791) of Chapter 1 of Part 2 of Division 1 of the Insurance Code)
On or before Jan. 31 following each year in which a business meets the definition of data broker, a business would have to register with the state attorney general's office and pay a fee. A data broker who fails to register would be subject to an injunction and civil penalties ($100 per day), fees and costs in an action brought by the attorney general.
Unlike Vermont's data broker law, the California law does not include standalone information security or computer system security requirements. However, the registry would exist alongside the CCPA, which gives consumers a private right of action (statutory damages of $100 to $750 per consumer per incident, or actual damages if greater) when a breach of nonencrypted and nonredacted personal information results from a business's failure to implement and maintain reasonable security procedures and practices appropriate to the nature of the information. Cal. Civ. Code §1798.150; the underlying duty is stated in §1798.81.5.
Other California privacy laws coming into effect on Jan. 1, 2020, include:
Security of Connected Devices, California Civil Code §§1798.91.04 et seq., will require manufacturers to equip connected devices with reasonable security features appropriate to the nature and function of the device and to the information it may collect, contain or transmit. For a device that can be authenticated from outside a local area network, the statute deems it a reasonable security feature if either the preprogrammed password is unique to each device manufactured or the device requires the user to generate a new means of authentication before access is granted for the first time. In practice this bans shared "default" passwords (the same admin/admin on every unit).
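The following is an added example, not code from the original alert or from any manufacturer, showing what the two statutory options look like in firmware terms: a per-device initial password derived from a factory root key and the serial number (so no two units share a default and the factory keeps no table of plaintext passwords), plus a first-access gate that refuses remote logins until the factory credential has been replaced. The derivation scheme, the class and function names, and the factory key are assumptions for illustration; the statute prescribes none of them.

```python
"""Model of the two "reasonable security feature" options in
Cal. Civ. Code 1798.91.04(b). Added example; hypothetical design."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Option (1): a factory root key that lives only in the provisioning system,
# never on the device. Each unit's initial password is an HMAC of its serial,
# so it is unique per device and the label can be regenerated on demand.
# (Constructed key for the example.)
FACTORY_ROOT_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2)
LABEL_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"  # no 0/o/1/l/i on printed labels


def factory_password(serial: str, root_key: bytes = FACTORY_ROOT_KEY) -> str:
    """Derive the unique 16-character initial password printed on the label."""
    tag = hmac.new(root_key, b"initial-password:" + serial.encode(), hashlib.sha256).digest()
    return "".join(LABEL_ALPHABET[b % len(LABEL_ALPHABET)] for b in tag[:16])


def hash_password(password: str, salt: bytes) -> bytes:
    """Device-side storage is a salted slow hash, never the plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=32)


@dataclass
class ConnectedDevice:
    serial: str
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    pw_hash: bytes = b""
    credential_is_factory: bool = True  # option (2): forces a change before first use

    def provision(self) -> str:
        """Factory step: install the per-device hash and return the label text."""
        pw = factory_password(self.serial)
        self.pw_hash = hash_password(pw, self.salt)
        self.credential_is_factory = True
        return pw

    def _check(self, password: str) -> bool:
        return hmac.compare_digest(hash_password(password, self.salt), self.pw_hash)

    def authenticate(self, password: str, from_lan: bool) -> str:
        """Return 'denied', 'must_change_password' or 'ok'.

        While the factory credential is still in place, only a LAN session is
        accepted, and only so the user can set a new credential; any login
        from outside the LAN is refused regardless of the password."""
        if not self._check(password):
            return "denied"
        if self.credential_is_factory:
            return "must_change_password" if from_lan else "denied"
        return "ok"

    def set_password(self, current: str, new: str) -> bool:
        """Replace the credential; reject the factory value and short passwords."""
        if not self._check(current) or len(new) < 12 or new == factory_password(self.serial):
            return False
        self.salt = secrets.token_bytes(16)
        self.pw_hash = hash_password(new, self.salt)
        self.credential_is_factory = False
        return True


def first_boot_walkthrough(serial: str, new_password: str) -> list:
    """Run the provisioning and first-login sequence; returns the outcomes."""
    dev = ConnectedDevice(serial)
    label = dev.provision()
    return [
        dev.authenticate(label, from_lan=False),       # remote with factory pw: denied
        dev.authenticate(label, from_lan=True),        # LAN with factory pw: must change
        dev.set_password(label, new_password),         # user replaces the credential
        dev.authenticate(new_password, from_lan=False),  # remote now works
        dev.authenticate(label, from_lan=True),        # old factory pw no longer valid
    ]


if __name__ == "__main__":
    print(first_boot_walkthrough("SN-000123", "correct horse battery staple"))
```

Deriving the label password from a root key rather than drawing it at random means a compromise of one device reveals nothing about another unit's default, while the factory can still reprint a lost label; the first-access gate on top of it covers units whose labels leak (photographed in a shipping warehouse, for instance), which is why a manufacturer would normally implement both options rather than pick one.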
Parent's Accountability and Child Protection Act, California Civil Code §§1798.99 et seq., will require an entity that conducts business in California to take reasonable steps to ensure that the purchaser of select goods or services is of legal age at the time of the purchase.
If signed by Gov. Newsom, AB 1138 would amend the Parent's Accountability and Child Protection Act to require a business that operates a social media website or application to obtain consent from the parent or guardian of its users under age 13, beginning July 1, 2021.