The California Legislature recently passed several bills that amend the CCPA (California Consumer Privacy Act) going into effect on January 1, 2020. Among those is AB 1146 which creates an important exception for businesses who keep consumer information for warranty purposes. This amendment identifies certain situations where a business does not have to comply with a consumer’s request to delete information. Understanding these changes are important so your business is CCPA compliant, but does not face additional liability by failing to comply with other obligations pursuant to contracts or federal law.
Specifics of the Amendment
AB 1146 says that businesses do not have to comply with a consumer’s request to delete personal information in the following categories:
- If the information is necessary for a business to be able to fulfill the terms of a written warranty or product recall conducted in accordance with federal law;
- If personal information collected by a business about job applicants and/or employees is used within the context of that role; and,
- If the information relates to emergency contact information collected for people in those roles or for the information necessary to administer benefits to a person related to an employee.
The amendment also clarifies that a new motor vehicle dealer does not have to delete information that would be used to deal with a vehicle warranty or recall. However, there is a caveat that the dealer cannot share, sell, or use that data for any other purpose. This means if you are in the automotive business, you can retain consumer information in the event there is a recall.
Finally, AB 1146 modifies the existing CCPA to make it clear that it does not apply to an “activity involving the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency…” This means that a credit reporting agency does not have to delete information that it collects about consumers. This protects credit reporting agencies (and any business that relies on reports generated by those agencies) by preventing consumers with nefarious purposes from requesting their information be deleted to create a different impression of them that does not mesh with reality.