On Friday, September 13th, the California legislature passed several amendments to the California Consumer Privacy Act (“CCPA”) and created a new “data broker” registration law that deserves its own blog post and heightened level of irony. Several significant bills were changed during the legislative session’s final weeks and therefore may differ from what many companies anticipated. All of the bills currently await the governor’s signature.
The most significant and generally applicable changes to the CCPA include removing employee data from most of the law’s scope, narrowing the definition of personal information, mostly removing information collected incidental to a business-to-business transaction, and, for some businesses, removing the requirement to receive access requests through a toll-free phone number. Other changes include clarifying that deidentified and aggregate information are not within the law’s scope and adding a significant exemption for consumer reporting agencies’ activity that is subject to the Fair Credit Reporting Act.
1. Employee Data
The Change: Employee data is mostly excluded but still subject to limited regulation.
AB 25 mostly excludes employee data from the CCPA’s scope until January 1, 2021 (the legislature plans to revisit this issue next year to work out a long-term solution). However, employee data remains subject to two CCPA provisions. First, employers must provide employees with a list of the categories of personal information they will collect and must state the purposes for which that data will be used. Second, employee data remains subject to the private right of action for security breaches. The exemption helpfully also covers emergency contact and beneficiary data, not just the employee’s own personal information. However, the bill does not clarify whether a third-party HR vendor’s use of such information is also excluded when the vendor receives and uses consumers’ personal information solely in connection with their role as employees.
The Takeaway: Draft a simple employee privacy notice if you have not done so already.
2. Personal Information Definition
The Change: Adding reasonable to the definition of personal information.
AB 874 added “reasonable” to the definition of personal information in a very specific but important way. The definition lists the levels of connection that data must have with a consumer to qualify as personal information. Within that list, “capable of being associated with” a consumer was changed to “reasonably capable of being associated with” a consumer. That addition is a helpful clarification, since “capable of being associated with” was the most tenuous connection under which data could qualify as personal information.
The Takeaway: If you were unsure whether data qualified as personal information given the breadth of the prior definition, you can revisit your analysis and/or data mapping with added clarity.
3. Business Persons’ Information
The Change: A limited exception for personal information reflected in a business transaction.
Although many refer to the language in AB 1355 as the “B2B” exemption, its scope is actually much narrower. The exemption does not cover the personal information exchanged pursuant to a transaction, but rather the personal information of the consumer(s) effectuating or otherwise involved in the transaction. The exemption also has significant limitations; for example, it does not apply to consumers’ right to opt out of sales.
The Takeaway: To take personal information collected while conducting a business-to-business transaction completely outside the scope of CCPA rights, make sure that you do not sell it.
4. Access Request Methods
The Change: A toll-free telephone number is no longer required for some businesses.
Under the prior version of the CCPA, all businesses were required to allow consumers to submit access requests through a toll-free phone number. Under AB 1564, businesses that operate exclusively online are instead required to provide an email address and their website for receiving consumer requests; other businesses must still offer a toll-free number.
The Takeaway: Determine whether your business operates “exclusively online” and establish methods for receiving access requests accordingly.