Cybersecurity and Privacy Alert

The dust has finally settled in the California State Legislature and the big winner for amendments to the CCPA is AB-25, which started out as carving out employees from the definition of consumer for the purpose of CCPA. The bill ended up narrower with respect to employees but broader in other respects by absorbing a few other proposed bills as well. The status of AB-25 is that it passed unanimously in both chambers and will become law when signed by the governor, who has a deadline of October 13 to sign.

With regard to employees and others including job applicants, owners, directors, officers, medical staff members, and contractors, AB-25 defers the issue for one year for everything but a requirement to make point of collection disclosures of “categories of personal information to be collected and the purposes for which the categories of personal information shall be used,” as required by Section 1798.100. The data breach provision, Section 1798.150, will also apply to these individuals, meaning that they may be able to avail themselves of the private right of action assuming other prerequisites for the private right of action are met.

In addition to this employee exception, AB-25 was amended to include the substance of a few other bills. One provides an exception for vehicle recall information, another cleaned up some inconsistencies and mistakes with the original bill, and a third clarified issues around how verified consumer requests should be made. A couple of highlights of those additions include:

  • Adding an exception to the opt-out of selling Section 1798.120 for information provided from a dealer to a manufacturer for recall or warranty repairs, meaning that an individual cannot opt-out of this sharing provided the information shared is only used for this purpose.
  • Adding that a business can “may require authentication of the consumer that is reasonable in light of the nature of the personal information requested” in Section 1798.130(a)(2).
  • Broadening the exception for Consumer Credit Report information in Section 1798.145(d) for everything except the data breach provisions.

Finally, in the last two weeks a provision was added that has significant implications but has not been discussed much and was not a focal point of prior proposed amendments. The provision would become Section 1798.145(n)(1) and read:

The obligations imposed on businesses by Sections 1798.100, 1798.105, 1798.110, 1798.115, 1798.130, and 1798.135 shall not apply to personal information reflecting a written or verbal communication or a transaction between the business and the consumer, where the consumer is a natural person who is acting as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, non-profit, or government agency and whose communications or transaction with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from such company, partnership, sole proprietorship, non-profit, or government agency.

This provision should settle an open question of what a business needs to do about information it receives from individuals who work for other companies such as vendors. This provision creates an exception for those individuals, not only for the verified consumer requests but for all disclosures. It should be noted, however, that it still allows for the possibility that these individuals can avail themselves of the private right of action under Section 1798.150 relating to data breaches. Another caveat is that like the employee exception this one expires on January 1, 2021.

An honorable mention is AB-874, which also passed unanimously. AB-874 cleaned up some mistakes such as the fact that the CCPA currently says “‘Publicly available’ does not include consumer information that is deidentified or aggregate consumer information.” What was presumably intended was that “‘Personal information’ does not include consumer information that is deidentified or aggregate consumer information,” which is how AB-874 reads. Another significant change is that AB-874 added a qualifier so that “Personal information” includes information that is “reasonably” capable of being associated with a particular consumer or household. This reasonableness qualifier matches the existing qualifier for whether the information can be “reasonably linked.”

With less than four months to go, these amendments give companies a better understanding of the statutory requirements that will need to be implemented prior to January 1st. Companies should now focus on applying these statutory requirements, including ensuring that there is a company-wide understanding of how the statutory requirements align with practical implementation.