Last Friday, California Governor Gavin Newsom signed several last-minute amendments to the California Consumer Privacy Act (CCPA). While many businesses have taken a “wait and see” approach to the CCPA, the law is highly unlikely to be amended before its effective date of January 1, 2020 as the California Legislature will not reconvene until 2020. While many believed the CCPA would undergo seismic legislative changes before its effective date, the law has largely remained intact. This final wave of amendments represents a mixed bag of pro-consumer and pro-business changes:
- Employers will not need to honor employee opt-out or deletion requests until January 1, 2021. Even so, employees are still entitled to a privacy notice from employers and a private right of action in case of a data breach.
- “Publicly available information,” or information from federal, state, or local government records, is not considered “personal information.”
- Deidentified or aggregate consumer information is also expressly excluded from “personal information.”
- “Data brokers” are required to register annually with the California AG or be subject to injunctions and penalties.
- “Data brokers” are all businesses that collect and sell personal information to third parties when they do not have a direct relationship with the consumer.
- “Personal information” requiring notice in case of a data breach now includes:
- Unique biometric data;
- Tax identification numbers;
- Passport numbers;
- Military identification numbers; and
- Unique identification numbers issued on government documents.
- Vehicle and ownership information shared between motor vehicle dealers and third parties for the purposes of vehicle warranty or recall is exempted from consumer opt-out and deletion requests.
- Personal information necessary for certain business-to-business communications is exempt from CCPA notice, access, and deletion rights until January 1, 2021.
- “Personal Information” changes from the expansive definition of personal information that is “capable” of being associated with a particular consumer to the narrower “reasonably”
- The FCRA exception now applies to a broader range of FCRA authorized activity, instead of only to the sale of personal information.
- Businesses that operate exclusively online may substitute an email address for consumer requests instead of the required toll-free telephone number.
While these amendments may not provide the clarity many businesses were hoping for, Attorney General Xavier Becerra has released draft regulations for the CCPA which answer some of the lingering questions surrounding the CCPA. Collectively, these amendments and the draft regulations clarify the law, but do not substantially alter compliance obligations under the law. As we have highlighted in past client alerts, setting up the necessary CCPA compliance framework is a time-consuming and often challenging task. As the law is now in final form, businesses subject to the CCPA should immediately begin compliance efforts if they have not done so already.