Lawmakers in California last week amended the landmark California Consumer Privacy Act (CCPA or the Act), which confers significant new privacy rights on California consumers concerning the collection, use, disclosure, and sale of their personal information by covered businesses, service providers, and third parties. While the amendments, which California Governor Gavin Newsom must sign by October 13, leave the majority of the consumer's rights intact, certain provisions were clarified -- including the definition of "personal information" -- and other exemptions bearing on financial services companies were added or clarified regarding the collection of certain data.
This Special Alert provides an overview and status update of CCPA-related and other privacy bills that were recently considered by the California legislature.
Status of CCPA amendments considered by the California Legislature
The following is a summary of the major revisions to the CCPA that passed the California Legislature:
- "Personal information" definition. The definition of "personal information" was amended to exclude consumer information that is deidentified or aggregate consumer information. In addition, the amendments add certain qualifications to the definition of "personal information" (i.e., that the information "is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."). (AB 874, AB 1355).
- FCRA exemption. The Fair Credit Reporting Act (FCRA) exemption was amended to clarify that the exemption applies to any "activity involving the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by" a consumer reporting agency, a furnisher of information who provides information for use in a consumer report, or by a user of a consumer report. This exemption applies only if the activity is subject to the FCRA, and the information is not used, communicated, disclosed, or sold except as authorized by the FCRA. The FCRA exemption will not apply to the data breach private right of action. (AB 1146, AB 25, AB 1355).
- Employee exemption. The CCPA was amended to largely exclude, for one year (until January 1, 2021), personal information collected about a natural person and the natural person's emergency contact information in the course of such person acting as a job applicant, an employee, an owner, a director, an officer, a medical staff member, or a contractor, when the information is collected and used by the business solely within the context of the natural person's role or former role. Personal information that is necessary for the business to retain to administer benefits for another natural person is also exempt from the CCPA. However, certain notice requirements and the data breach private right of action still apply to such natural persons. (AB 1146, AB 25, AB 1355).
- Business individual exemption. The CCPA was also amended to provide that, for one year (until January 1, 2021), certain obligations imposed on businesses (e.g., certain notice requirements, Right to Access, Right to Deletion) will not apply to personal information reflecting a written or verbal communication or a transaction between the business and the consumer, where the consumer is a natural person who is acting as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency and whose communications or transaction with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from such entities or agencies. (AB 1146, AB 25, AB 1355).
- Verification and delivery requirements. The amendments provide that a business that operates exclusively online and has a direct relationship with the consumer is only required to provide an email address for submitting certain requests for information instead of a toll-free number. In addition, the amendments note that if the business maintains an internet website, the website must be made available to consumers to submit certain requests for information. The amendments also clarify that a business may require authentication of the consumer that is reasonable in light of the nature of the personal information requested and that if the consumer maintains an account with the business, the business may require the consumer to submit the consumer request for certain personal information through the account. (AB 1564, AB 25, AB 1355).
- Collection of information. The amendments clarify that the CCPA does not require a business to collect personal information that it would not otherwise collect in the ordinary course of its business, or retain personal information for longer than it would otherwise retain in the ordinary course of its business. (AB 1146, AB 25, AB 1355).
- Vehicle/ownership information exemption. The amendments provide that certain vehicle information or ownership information that is retained or shared between a new motor vehicle dealer and the vehicle's manufacturer to facilitate warranty or recall-related vehicle repair will be exempt from the CCPA's opt-out requirements in Section 1798.120, provided certain conditions are met. (AB 1146, AB 25, AB 1355).
We note that additional revisions to the amendments may arise depending upon whether the governor signs the various bills and the order in which the bills are signed. Specifically, three of the bills that passed (AB 25, AB 1146, and AB 1355) contain waterfall provisions, i.e., provisions that set forth which version of the amendment is ultimately enacted, which depends upon whether the governor signs all three bills, or only some of the bills. Additionally, the order in which the bills are enacted may further impact the version of the amendments that are ultimately passed into law.
The following CCPA amendments failed to pass prior to the legislative deadline:
- Loyalty/rewards exemption. An amendment that would have clarified that a business may sell a consumer's personal information collected as part of a loyalty, rewards, premium features, discounts, or club card program to a third party in order for the third party to provide the consumer with a financial incentive, sale, or other discount when certain conditions are met (e.g., express consent is received, limited use of the information). (AB 846).
- Insurance transaction exemption. An amendment that would have eliminated a consumer's right to request a business to delete or not sell the consumer's personal information if it was necessary to retain or share such information to complete an insurance transaction requested by the consumer. (AB 981).
- "Deidentified" definition. An amendment that would have revised the definition of "deidentified" to provide that the term means information that "does not identify and is not reasonably linkable," directly or indirectly, to a particular consumer, provided that the business makes no attempt to reidentify the information, and takes reasonable technical and administrative measures designed to: (i) ensure that the data is deidentified; (ii) publicly commit to maintain and use the data in a deidentified form; and (iii) contractually prohibit recipients of the data from trying to reidentify the data. (AB 873).
- Additional exemptions. AB 1416 would have created an exception (until January 1, 2024) for sharing information with a government agency solely for the purposes of carrying out a government program, including providing government services in furtherance of a government program, provided certain requirements were met. It also would have permitted a business to sell the personal information of a consumer who had opted out of the sale to another person for the sole purpose of detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity. (AB 1416).
Status of additional privacy-related bills considered by the California Legislature
In addition to the flurry of CCPA amendments, the California legislature considered a number of other privacy-related bills. However, of these bills, only the bill related to data broker registration passed. Specifically, AB 1202 requires "data brokers" to register with the California Attorney General (Attorney General), which must create a public registry of data brokers. A "data broker" means a party that meets the definition of a "business" under the CCPA and that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship. The term "data broker" will not include (i) a consumer reporting agency to the extent that it is covered by the FCRA, (ii) a financial institution to the extent that it is covered by the Gramm-Leach-Bliley Act and implementing regulations, and (iii) an entity to the extent that it is covered by the California Insurance Information and Privacy Protection Act. On the other hand, a number of privacy-related bills failed to pass prior to the legislative deadline, including bills that addressed use of social media websites by minors, facial recognition technology, and smart speaker devices. See AB 1138, AB 1281, and AB 1395, respectively.
With the January 1, 2020 effective date of the CCPA fast approaching, entities should be evaluating the applicability of the CCPA to their data-collection practices and considering how recent amendments to the CCPA affect their obligations. The following are some steps entities could take as they work through their CCPA-compliance obligations:
- CCPA gap analysis. Entities should conduct an enterprise-wide analysis to identify areas in which enhancements may be needed to comply with the CCPA.
- Data-mapping. Entities should conduct an enterprise-wide data inventory and mapping exercise to identify the types of personal information the business collects about consumers, the reasons for collection, and the entity's information-sharing practices.
- Vendor/service provider review. Entities should review their vendor management compliance program to ensure that personal information of consumers is appropriately shared and restricted.
- Operational implementation. Entities should consider how to operationalize certain of the CCPA's requirements, including by drafting policies and procedures for handling consumers' requests to receive information, opt out of the sale of their personal information, and delete their personal information, and by training key personnel on CCPA compliance.
We also note that the CCPA directs the Attorney General to issue regulations pursuant to the CCPA by July 1, 2020. The Attorney General's Office has indicated that it anticipates publishing a Notice of Proposed Action in the fall of 2019. These regulations have the potential to significantly impact the scope of the CCPA, given the breadth of areas delegated to the Attorney General. Once those regulations are issued, entities should review their proposed compliance practices against those regulations.