On September 13, the California legislature passed six bills that would amend the California Consumer Privacy Act (CCPA). Governor Gavin Newsom has one month to decide whether to sign them into law. The Governor has not taken an official position on any of the bills, but has repeatedly signaled that data privacy is an important issue to him, so it is likely that he will amend the CCPA by signing the legislation next month.
The amendments would not change the fundamentals of the CCPA, but could have a significant impact on businesses’ compliance efforts regarding employee data. They also alter compliance obligations for businesses conducting due diligence on other companies or that collect personal information from representatives of other companies in the context of providing or receiving goods or services to or from other companies.
The bills would make new industry-specific changes of interest to car manufacturers and dealers, credit reporting agencies, and companies that operate exclusively online. In addition, one bill would impose new registration obligations on data brokers, which the bill defines broadly as companies that collect and sell the personal information of California residents with whom they do not have a direct relationship.
As if the CCPA were not enough to deal with in 2020, more changes to the law could be coming soon.
Alastair Mactaggart, the founder and board chair of Californians for Consumer Privacy, who also filed the ballot initiative that led to the enactment of the CCPA, announced a new ballot initiative for November 2020. That law would govern the collection of health and financial data and impose penalties for sharing and selling data about children.
Potential Changes to the CCPA
The amendments would make the following changes to the CCPA, if Governor Newsom signs them into law:
Businesses would be exempt for one year – until January 1, 2021 – from the requirement to respond to consumers’ requests for access to or deletion of their employment-related data the business collects and uses solely in an employment context.
This amendment is limited in scope, as it would not relieve businesses of the requirement to provide a privacy notice to employees, contractors and others who have a work-related relationship with the business at or before the point in time such information is collected. Businesses still would be required to comply with the data breach notification requirements with respect to such work-related information and would be subject to potential class action lawsuits for failure to do so.
Legislators hope to develop a permanent solution to the treatment of employee data in 2020, but they may not be able to reach consensus next year. If legislators are unable to reach consensus on separate employee privacy legislation, this exemption will expire on December 31, 2020, and the CCPA will apply to such data beginning January 1, 2021.
Limited Exemption for Personal Information Collected in a B2B Context
Similarly, businesses would be exempt for one year – until January 1, 2021 – from the requirements to provide notice or extend other CCPA rights to consumers who act in their capacity as representatives of another business in certain contexts.
Businesses that “operate exclusively online” would not be required to provide consumers a toll-free number they could call to opt out of the sale of their personal information, and instead would offer an email address to which California residents could submit requests.
The amendment does not define what it means to operate “exclusively” online, however, so it remains somewhat unclear how much impact this amendment would actually have.
The current exemption for data regulated by FCRA would be clarified. The amendments would remove the previous reference to the “sale” of consumer report information and make it clear that any “activity” subject to the FCRA would be exempt from the CCPA. Those exemptions would apply regardless of whether the entity conducting that activity is a consumer reporting agency, an information furnisher, or a user of consumer reports.
While this would be good news for institutions dealing with credit reports, such companies should still be aware that they would not be entirely outside the reach of the CCPA: the personal information that they hold is still subject to the CCPA when it is collected or used for purposes not regulated by the FCRA.
Furthermore, as with employment-related personal information, FCRA-covered information will still be subject to the CCPA’s data breach provisions.
Consumers would not have the right to opt out of the sale of personal information relating to vehicle or ownership information shared between a dealership and a car manufacturer for warranty or recall purposes.
Other amendments would fix typos and confusing language, and would make the following other changes:
- Qualify the definition of “personal information” by adding the word “reasonably” before the phrase “capable of being associated with a consumer or household”;
- Clarify that consumers may bring a private right of action for a data breach only when the breached information is neither encrypted nor redacted (the CCPA currently exempts personal information if it is encrypted and redacted);
- Make clear that a business may offer a financial incentive – or charge a different price or offer a different quality of service – to consumers in exchange for the collection, sale, or deletion of personal information, when the incentive or difference is reasonably related to the value of the personal information to the business (not to the consumer);
- Explicitly exclude aggregated and de-identified information from the definition of “personal information”;
- Make clear that nothing in the statute requires businesses to collect personal information they would not otherwise collect – or retain personal information for longer than they would do so – in the ordinary course of business;
- Exempt information in public government records from the definition of “personal information” regardless of the purpose for which the government maintained such information; and
- Permit businesses to authenticate a person’s identity in a way that is “reasonable in light of the personal information requested.”
New Data Broker Law
Perhaps the biggest and most surprising change brought by this slate of bills is the addition of new requirements for “data brokers.” Under AB 1202, pending the Governor’s signature, any California business that sells personal information of a California consumer with whom the business does not have a direct relationship is a “data broker.”
Because the definition of “sale” under the CCPA is so broad, this new law would capture a wide range of businesses that collect and share personal information about California consumers. These businesses would have to register with the California attorney general annually and pay a registration fee, and the attorney general’s website would publish the registration information.
AB 1202 is somewhat similar to Vermont’s first-in-the-nation 2018 law, which regulates data brokers, but it is both broader and narrower in certain ways. As noted above, the California bill would capture a much broader range of companies under its definition of “data broker,” but the information that each data broker would have to provide in California is limited to contact information and “any additional information or explanation the data broker chooses to provide concerning its data collection practices.”
The Vermont law, on the other hand, requires much more fulsome disclosures. The first registration deadline for California data brokers would be January 31, 2020. Failure to register is punishable by civil penalties.
Although we (probably) now know what the final version of the CCPA will look like on January 1, 2020 (the compliance deadline), the law also directs California Attorney General Xavier Becerra to issue regulations to implement and clarify the statute.
The recently passed amendments even prod (but do not require) the attorney general to issue regulations governing responses to requests for information on households—an issue that has vexed businesses since the CCPA’s passage. Attorney General Becerra reportedly expects to release a draft version of these regulations this October and hopes to publish the finalized regulations by the time the CCPA goes into effect at the beginning of next year (well before the beginning of CCPA enforcement on July 1, 2020).
This is all further complicated by a new measure that could be on the November 2020 ballot as a 51-page state constitutional amendment known as the California Consumer Privacy Act of 2020, which would take effect on January 1, 2021.
While details “could be refined in the coming weeks,” CalMatters blog reports that the initiative as currently drafted would:
- “Allow for triple damages if a company violates the privacy of children, and require specific permission from a parent or guardian to use a child’s data”;
- “Require greater disclosure so people can know when their information is being used to influence their opinions in a variety of ways including in politics and commerce”;
- “Require corporations to disclose more about how they use personal information to influence elections”; and
- “Establish a new California Privacy Protection Agency, overseen by a five-member board appointed by the governor, legislative leaders and state attorney general.”
The California legislature would be able to amend the law by a simple majority vote, “so long as the action is taken in furtherance of the right to privacy.”