Friday, September 13th marked the last day that the California state legislature could make changes to the California Consumer Privacy Act (“CCPA”) before it takes full effect on January 1, 2020. In the days prior, the legislature met regularly in efforts to reach consensus over the shape of the much-anticipated privacy legislation.
After marathon hearings in July, mid-August and early September, California lawmakers finally passed five amendments to the CCPA that leave intact fundamental consumer protections regarding transparency over data collection and dissemination, while making significant changes to certain key definitions and exemptions.
The next step is for the amendments to be signed into law by California Governor Gavin Newsom, which is expected to happen before October 13, 2019.
While these amendments paint a clearer picture of the CCPA, the CCPA could still undergo significant changes. Businesses should closely watch the California Attorney General as he readies to issue the CCPA’s implementing regulations. Even after the CCPA enters into force, the California State legislature could reconvene in January 2020 to seek to pass further amendments.
The CCPA, discussed in our primer here, is often compared to the comprehensive General Data Protection Regulation (“GDPR”), in that it applies extraterritorially and gives consumers both the right to know what type of consumer personal information businesses collect about them and the right to request that such data be deleted. Importantly for California consumers, their right to know what information is collected about them remains strong after this latest round of amendments: consumers can still request to learn the categories of personal information collected, the specific pieces of information collected, as well as the categories sold to third parties or otherwise disclosed to third parties for a business purpose.
The six amendments in detail
Below is an overview of the bills recently passed, all of which must be signed by Governor Newsom to become law on January 1, 2020, the CCPA’s effective date:
1. One-year exemption for employee information (Assembly Bill 25)
This amendment would change the CCPA so that the CCPA would not cover the collection of personal information from job applicants, employees, business owners, directors, officers, medical staff, or contractors of a business for one year.
In practice, this would mean that if an employee asks their employer what personal information is collected about them, the employer will not be obliged under the CCPA to share any information. Moreover, employees would not be able to exercise any of the rights otherwise afforded under the CCPA, such as the right to opt out of the sale of their personal information and the right to request that their personal information be deleted. This exemption, however, would sunset January 1, 2021, and unless amended further by the State legislature, such employee information would revert to being covered under the CCPA.
2. Definition of personal information narrowed slightly (Assembly Bill 874)
This bill would change the definition of personal information by inserting additional qualifications using the word “reasonably.” If signed into law, the definition of “Personal information” would be “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
In addition, the amendment would clarify that “Personal information” does not include consumer information that is “deidentified” or is considered “aggregate consumer information.” Notably, “household” was not omitted from the definition of personal information, which is a key distinction in how the CCPA and the GDPR each defines personal data. Whether the definition continues to include “consumer or household” is likely to see more debate once the State legislature reconvenes in January 2020.
3. Amendments to the definition of data broker (Assembly Bill 1202)
This bill would require “data brokers” to register with the California Attorney General’s Office on an annual basis. Under the amendment, a “data broker” is now defined as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.”
The bill exempts from the registration requirement consumer reporting agencies covered by the Fair Credit Reporting Act (“FCRA”), financial institutions covered by the Gramm-Leach-Bliley Act (“GLBA”), and entities covered by the Insurance Information and Privacy Protection Act (“IIPPA”).
4. Financial incentive programs and tiered pricing (Assembly Bill 1355)
This bill, if signed into law, would, on its own, implement many of the amendments provided for by the other bills described above, including changes to the definition of personal information, elimination of the toll-free number requirement, and exempting employee information for one year.
The bill also contains provisions relating to financial incentive programs and tiered pricing tied to the collection, sale or deletion of personal information. A consumer still has the right to opt-out of the sale of their personal information and—subject to many exceptions—the right to delete their personal information. Further, a business is prohibited from discriminating against consumers for exercising their rights.
However, this bill clarifies that a business may offer a financial incentive program for the collection, sale or deletion of personal information based on the value of that information to the business. If a consumer does not opt-in to the financial incentive program, or requests that a business not sell or delete their personal information, a business “may also offer a different price, rate, level, or quality of goods or services to the consumer if that price or difference is directly related to the value provided to the business by the consumer’s data.”
5. Exemptions for vehicle information (Assembly Bill 1146)
This bill would add an exemption for certain vehicle information from the right to opt-out for information that is shared for “a vehicle repair covered by a vehicle warranty or a recall . . . provided that the new motor vehicle dealer or vehicle manufacturer with which that vehicle information or ownership information is shared does not sell, share, or use that information for any other purpose.”
In practice, then, this amendment to the CCPA would allow auto dealers to use information about car warranties and recalls without facing the risk of consumers requesting that data to be deleted.
6. Elimination of the Toll-Free Number Requirement for Online Businesses (Assembly Bill 1564)
This amendment would eliminate the “toll-free number requirement” requirement for businesses that operate “exclusively online and have a direct relationship with a consumer.” If the bill is signed into law, these businesses would need to only provide an email address for consumers to request information.
What stays the same?
Just as significant is what provisions the State legislature left unchanged. Specifically, the legislature either rejected or failed to act on several proposed amendments that many industry supporters and commercial businesses had been lobbying for—amendments that would have even further limited the consumer protections contained in the CCPA.
For example, the legislature rejected the following proposals thus preventing:
- businesses from collecting consumer data to use in targeted advertisements;
- the expansion of the types of information that could be considered “deidentified”; and
- the expansion of certain exemptions for the sale of information collected for purposes of detecting fraud.
However, because it is a two-year legislative calendar, the legislature could reconsider these bills when they reconvene in January.
The legislature also failed to act on the loyalty program provision (Assembly Bill 846[19), shelving it until next year. That proposed bill would have created an exemption to the CCPA’s notice and rights provisions for loyalty card programs and sought to limit businesses’ ability to deny access to loyalty programs if a consumer opted out. Senate amendments to the bill effectively rendered it moot—they had clarified that a business that collects personal information as part of a loyalty program could sell that information if it obtains the opt-in consent of the consumer, but the consumer could withdraw such consent while continuing to enjoy the loyalty program’s benefits.
Get ready for 2020
While the CCPA will take full effect on January 1, 2020, its enforcement by the State Attorney General will not begin until either July 1, 2020 or six months after final regulations are issued by the Attorney General—whichever comes first.
California Attorney General Xavier Becerra is expected to issue preliminary guidance on compliance with the CCPA this fall. Additionally, Assembly Bill 1355 (amending section 1798.185 of the CCPA) authorizes Attorney General Becerra to issue additional regulations “to establish rules and procedures on how to process and comply with verifiable consumer requests for specific pieces of personal information relating to a household in order to address obstacles to implementation and privacy concerns.”
Certain more onerous compliance provisions in the CCPA were diluted with the passing of the recent amendments (assuming the Governor signs them into law)—but their key objectives to protect consumer privacy remain intact for now. How onerous the CCPA compliance is for companies doing business in California will depend on the implementing regulations and guidance from the Attorney General, whether the legislature can pass further amendments when it reconvenes, and ultimately, how the Attorney General approaches enforcement. Our firm will continue to monitor notable developments in the legislation and have compiled the below tracker of the final 2019 amendments.