As you may have heard, five amendments to the California Consumer Privacy Act (AB-25; AB-874; AB-1146; AB-1355; and AB-1564) passed the California legislature last Friday—the deadline for any amendments this year. (The one amendment not passing that had made it through the Senate Appropriations Committee was AB-846, which would have protected certain customer loyalty programs.) Taken together, here are some of the significant areas where the five amendments that passed impact the final form of the CCPA:
Section 1798.145 (listing various exemptions) is where many of the most critical changes occurred:
- Under the amendments, CCPA does not apply to most employment information—at least for 2020. Personal information collected about a natural person relating to a job application, employment, ownership, or role as director, officer, medical staff member, or contractor of the business is exempt so long as it is collected and used solely within the context of the person’s role or former role as such. This also includes information relating to emergency contacts and benefit information as well as due diligence about a potential contractor, employee, owner, etc.
- “Ownership” information is also excluded, but on about an owner who controls the business. General shareholder information for any shareholder not controlling the business (e.g., less than or equal to 50% ownership) is still covered by CCPA. Of course, the statute only covers “consumers” who are natural persons—information about businesses are not covered.
- Note that this exemption expires January 1, 2021—in other words, if the legislature does nothing, employee information will be covered by CCPA on that date. In the interim, the legislature may consider additional protections for employees. For now, we are recommending that during this period when businesses are mapping data and implementing CCPA compliance that they at least note where employee information is housed so that they can go back to it later, if needed.
- Also exempted from CCPA are activities relating to consumer credit reports from or to a consumer reporting agency. This exemption covers the reporting agencies themselves as well as users of a consumer report. This exemption only applies to the extent that the information is subject to regulation under the FCRA and the use/disclosure is allowed under FCRA. There have been concerns that certain information included in credit reports may not actually be subject to FCRA, and therefore would be covered by CCPA. The result could be that portions of a credit report are not subject to CCPA, but other sections are. As such, our hope is that future regulations will clarify CCPA coverage and will exclude from CCPA all information typically included in credit reports. For now, this remains an area of uncertainty. Also note that if information included in a credit report is breached (e.g., by a hack), breach notification is still required.
- The amendments clarify that the CCPA does not require a business to collect personal information that it would not otherwise collect in the ordinary course, retain information longer than it would otherwise retain it, or reidentify or link information not otherwise maintained. This is an important revision, as many companies will hold information about a single individual on separate systems, or within various departments, and the information may be identifiable on one system but not another. CCPA, pending further clarification under regulations, does not appear to require that a business find every instance of the individual’s information where it would not otherwise be identifiable. For example, a management report may include general information about many individual customers, none of whom are specifically identified. Such a management report, so long as it doesn’t identify any individual, would not be subject to CCPA (though information about how information is used generally may still need to be disclosed, e.g., a listing of uses of personal information on the business’ website).
- The consumer’s right to direct a business not to sell the consumer’s personal information (right to “opt-out”) does not apply to vehicle information (VIN, make, model, year or odometer reading) or ownership information (name and contact information of the owner(s)) shared between a new motor vehicle dealer and the manufacturer so long as the information is shared for purposes of vehicle repairs (current or potential) covered by a warranty or a recall, and so long as the information is not further shared or sold for any other purpose.
Section 1798.130 (generally addressing business obligations) was revised regarding how to request information:
- If a business operates exclusively online and has a direct relationship with a consumer from whom it collects personal information, the business is not required to maintain a toll-free consumer line, but is only required to provide an email address for submitting requests for information. All other businesses will still need to have two or more designated methods for submitting requests, including a toll-free number.
- If a business maintains a website, consumers must be able to use the website to submit requests for certain information. That information includes items like the categories and sources of personal information, to whom information is disclosed, and specific pieces of information collected about the consumer.
- The definition of “personal information” is revised to limit it to information that identifies, relates to, describes, or is reasonably capable of being associated with a particular consumer or household.
- The exclusion for publicly available information is revised. While it’s still limited to information made available from governmental units, the amendment removed the requirement that the information be used in a manner “compatible” with the purpose for which data is maintained in government records. In other words, if information is in a public record, businesses may use the information for any legal purpose.
Further clarification on the statute is expected in the form of regulations promulgated by the Attorney General. The latest timeline suggests that regulations may be released this month or in early October, though such releases are often pushed back.