On January 1, 2020, the California Consumer Privacy Act ("CCPA") will take effect, but probably not in its current form. On September 13, 2019--the California Legislature's last day to send amendments to the governor's desk for this legislative session-- lawmakers passed five bills to amend, clarify, or expand on the rights and responsibilities enshrined in the CCPA, which was originally enacted on June 28, 2018 and has been through a number of amendments already. If signed by California Governor Gavin Newsom by October 13, 2019, the newly passed bills would make the following changes to the CCPA before it takes effect:
1. Exemption for employee and job applicant data. AB 25 provides a partial, one-year exemption from the CCPA for personal information collected from job applicants, employees, owners, directors, officers, medical staff members, or contractors, as well as their emergency contacts and their beneficiaries. Employers would still be required to provide these individuals with general notice of the types of personal information collected about them and the purposes for which the information is used, but these groups would not have the right to request more specific disclosures, request deletion of their personal data, or opt-out of sales of their personal data. And businesses would remain liable for a breach of employee personal data that results from the business's failure to maintain reasonable security practices and procedures. If the legislature does not take further action next year, employees will have all the same rights as other "consumers" starting January 1, 2021.
2. Exemption for business customer data. AB 1355 now provides a partial, oneyear exemption from the CCPA for personal information of an individual acting as an employee, owner, director, officer, or contractor of a company that is party to a transaction with the covered business. However, those individuals would still have the right to opt-out of sales of their personal information, and businesses would remain liable for a breach of such personal data that results from the business's failure to maintain reasonable security practices and procedures. Here again, these individuals will have the full range of rights available to other "consumers" under the CCPA effective January 1, 2021 unless more changes are enacted next year. (AB 1355 also clarifies that the CCPA' s private right of action does not apply if the personal information breached is either encrypted or redacted, and that de-identified or aggregate consumer information is excluded from the definition of "personal information."
3. Clarifications on the definitions of "personal information" and "publicly available information." AB 874 clarifies the scope of "personal information" regulated under the statute by adding another "reasonably" qualifier to the definition. Under this amendment, personal information would be that which "identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household." The bill also clarifies that "publicly available information" means information that is lawfully made available from federal, state, or local records, regardless of whether the data is used for a purpose that is compatible with the purpose for which the data was made publicly available.
4. Receiving consumer requests: Currently, the CCPA requires a covered business to provide consumers with two or more reasonably accessible methods for submitting requests to exercise their rights under the CCPA, including, at a minimum, a toll-free telephone number, and, if the business maintains an internet website, a website address. Under AB 1564, this requirement would be amended to provide that a business which (1) operates exclusively online and (2) has a direct relationship with the consumer from whom it collects personal information need only provide an email address. If the business also maintains a website, the bill requires the business to make the website available to consumers to submit requests. Finally, the bill expressly permits a business to require a consumer who maintains an account with the business to submit their request through the account.
5. Exemption for vehicle warranty/recall purposes: Under AB 1146, vehicle or owner information retained or shared between a new motor vehicle dealer and the vehicle's manufacturer for the purposes of vehicle repair covered by a warranty or recall is exempted from the CCPA' s right to opt out and right to delete.