Several key amendments to the California Consumer Privacy Act (CCPA) moved to Governor Gavin Newsom’s desk recently. October 13, 2019 is the deadline for Governor Newsom to sign, veto, or allow the amendments to become law without his signature. These key amendments are summarized below.

Assembly Bill 25: The Employee Exemption

Under the current text of CCPA, personal information that businesses collect about their California resident employees is treated the same as any other personal information.

If signed, Assembly Bill 25 (AB 25) would create a partial exemption for personal information that businesses collect about job applicants, employees, owners, directors, officers, medical staff, and contractors. Specifically, AB 25 exempts from CCPA “[p]ersonal information that is collected by a business about a natural person in the course of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business.” As drafted, this partial exemption provision is set to expire a year after going into effect (on January 1, 2021).

AB 25 would also exempt emergency contact information collected in the same context to the extent a contact is on file, and personal information necessary to administer employee benefits.

AB 25 would also alter other provisions of CCPA. For example, AB 25 would allow businesses to require that consumers submit their verifiable requests via a consumer account, in cases where the consumer already maintains an account with the business, easing the administrative burden on businesses that already make large-scale use of user accounts.

While the proposed AB 25 exemption is broad, if approved, businesses would still be required to disclose to employees the categories and uses of personal information collected about them. In addition, the exemption would not alter the private right of action available under CCPA in the event of a data breach and failure to implement reasonable security practices and procedures.

Other Amendments

Assembly Bill 874: Updating “Personal Information”

Under current CCPA text, any information that “is capable of being associated” with a consumer or household is “personal information.” If signed, AB 874 would redefine personal information to mean that which is “reasonably capable of being associated with” a particular consumer or household. This change has the potential to substantially narrow the scope of CCPA in practice by creating an objective reasonableness requirement when analyzing whether certain personal information is associated with a particular consumer or household.

AB 874 would make other small but important changes to the definition of personal information, including:

  • Clarifying that neither “publicly available” nor “deidentified” or “aggregate” consumer information is included as “personal information.”
  • Excluding from the definition all information “lawfully made available from federal, state, or local government records”; however, “publicly available information” is limited to information made available and maintained by government records.
  • Clarifying that “personal information does not include consumer information that is deidentified or aggregate consumer information.”
    • CCPA defines “aggregate” and “deidentified” information to mean not reasonably linkable to an individual consumer or household.
      • “Aggregate” records may only relate to a group or category of consumers.
      • “De-identified” records also require internal processes to prevent reidentification of consumers.

Assembly Bill 1146: Warranty and Automobile Exemptions

The current text of the CCPA includes a limited number of grounds that allow a business to refuse a consumer’s request to delete personal information. CCPA also provides consumers the right to direct businesses not to sell their personal information.

If signed, AB 1146 would add another basis for businesses to refuse to delete personal information: fulfilling the terms of a written warranty or complying with a product recall.

AB 1146 would also exempt “vehicle information or ownership information retained or shared between a new motor vehicle dealer…and the vehicle’s manufacturer…if the vehicle or ownership information is shared for the purpose of effectuating or in anticipation of effectuating, a vehicle repair under warranty or a recall…provided that the new motor vehicle dealer or vehicle manufacturer … does not sell, share, or use that information for any other purpose” from consumers’ right to “opt-out” of the sale of their personal information. AB 1146 includes definitions of both “vehicle information” and “ownership information.”

This exemption would ensure that transfers of information between vehicle dealers and manufacturers that might otherwise qualify as sales (and thus be subject to consumers’ opt-out rights) do not necessarily require permission of the automobile owners involved.

Assembly Bill 1355: Business-to-business exemption and language clean-up

Under the current text of the CCPA, personal information acquired in a business-to-business context is treated the same as other personal information.

If signed, AB 1355 would exempt from most CCPA obligations written or verbal communications between a California consumer and a business where the consumer is acting as an employee, owner, director, officer, or contractor of an organization “whose communications or transaction with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from such company[.]” The rights of access, deletion, opt-out, and the notice requirements imposed by the CCPA would not apply to personal information gathered under these circumstances, though the basic obligation to implement reasonable security practices and procedures will remain.

If signed, AB 1355 would also make a number of more minor changes to the CCPA’s text:

  • Amending Section 1798.110(c) to clarify that businesses that collect personal information about consumers are obligated to disclose the categories of information collected about “consumers” and “that a consumer has the right to request the specific pieces of personal information the business has collected” in a reasonably accessible form.
    • The CCPA currently states that businesses must disclose “specific pieces of personal information the business has collected” even without a consumer request in an apparent unintentional repetition of Section 1798.110(a), which details what information consumers have the right to receive on request.
  • Adding requirements to the online privacy policies of covered businesses.
    • Under AB 1355 covered businesses’ policies would need to include descriptions of the right to request access to information created by Section 1798.100 and the right to request deletion of information guaranteed by Section 1798.105.
      • By contrast, in the original text, the CCPA only requires an online privacy policy to cite three specific statutory provisions: the right to request access to information collected guaranteed by Section 1798.110, the right to request access to information sold guaranteed by Section 1798.115, and the right not to be discriminated against for exercising any of the other rights under the CCPA guaranteed by Section 1798.125.
    • This would be in addition to any forthcoming regulations and guidance from the California Attorney General.

Assembly Bill 1564: Telephone Number or Email Address

The current text of the CCPA requires that all businesses provide at least two means for a consumer to submit requests, including a toll-free telephone number and a web address if the business maintains a website.

If signed, AB 1564 would require most businesses to provide at least two or more means for a consumer to submit a request, including at least a toll-free telephone number, but allow businesses that operate exclusively online and directly with consumers to provide only an email address. By doing so, AB 1564 would ease the burden on businesses that operate exclusively online by removing the requirement of a toll-free phone number or physical mailing address.