On June 28, 2018, the California governor signed into law AB 375, a sweeping new data privacy bill that will go into effect on January 1, 2020. Known as the California Consumer Privacy Act of 2018 (CCPA), the law was enacted by the California legislature in response to a ballot initiative that would have created a different consumer privacy law that many in the industry viewed as more burdensome. Not long after AB 375 became law, the legislature amended the CCPA by passing SB 1121, which the governor signed into law on September 23, 2018. And the legislature recently amended the CCPA once again. Before adjourning on September 13, 2019, the legislature approved five bills that the California governor must sign or veto by October 13, 2019. The California Attorney General (CA AG) is now expected to take up the rulemaking process in the coming months.

The CCPA applies to companies doing business in California that collect personal information from California residents and satisfy certain thresholds for company revenue or amount of data. The law defines personal information broadly to mean information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a specific consumer or household. The CCPA also creates new rights for consumers with respect to their personal information, including the right to know about, access, delete, and opt-out of the sharing or selling of the personal information businesses collect about them. The CA AG will enforce the CCPA and may seek injunctive relief and impose civil penalties for violations. The CCPA also contains a private right of action that permits consumers to obtain statutory damages and injunctive relief if their personal information becomes subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business's failure to implement and maintain reasonable security procedures and practices.

Companies subject to the CCPA will likely need to make significant changes to their business practices in order to comply with the law. With the CCPA's January 1 effective date only about 100 days away, companies should ensure they are taking steps to implement any necessary changes by this date. Please see our CCPA Compliance Checklist for more detailed compliance information. The Venable team is here to help guide you through this process and ensure your company is prepared for the January 1 compliance date.

To keep you informed of the latest CCPA developments and preview what to expect in the months ahead, we have provided below more information about (1) the legislature's recent amendments to the CCPA and (2) the CA AG's impending rulemaking process interpreting the law.

California Legislative Update

Before adjourning on September 13, 2019, the California legislature approved five bills to amend the CCPA: AB 25, AB 874, AB 1146, AB 1355, and AB 1564. The legislature declined to pass AB 846, which would have restricted the sale of loyalty program data. California Governor Gavin Newsom must sign or veto each of the bills by October 13, 2019.

A summary of the amendments is provided below.[1] For ease of reference, we have organized the amendments by the type of change they made to the CCPA. These changes include (A) clarifications and technical fixes; (B) changes to definitions; (C) exemptions and exceptions; and (D) new regulatory authority and concepts.

CCPA Amendments

A. Clarifications and Technical Fixes

Summary | Bill

Privacy policies and specific pieces of personal information.

  • This change clarifies that a business must disclose in its privacy policy the categories of personal information it has collected about consumers in general, not about the specific consumer who is accessing the privacy policy.
  • The amendment also clarifies that a business need not provide notice in its privacy policy of the specific pieces of personal information it collected about an individual consumer, but instead must note that a consumer has the right to request that specific information.
Bill: AB 1355

Reasonable authentication.

  • When receiving a verifiable consumer request, a business may require authentication of the consumer that is reasonable in light of the nature of the personal information requested.
Bills: AB 25, AB 1355, AB 1564

Verifiable consumer requests through an established account.

  • A business may require a consumer to submit a verifiable consumer request through an account the consumer maintains with the business if the consumer maintains an account with that business.
Bills: AB 25, AB 1355, AB 1564

Required methods of submitting CCPA requests.

  • A business that operates exclusively online and has a direct relationship with a consumer from whom it collects personal information shall be required only to provide an email address for submitting access requests. If the business maintains an Internet website, it must make the Internet website available to consumers to submit access requests.
Bills: AB 25, AB 1355, AB 1564

Sale disclosure.

  • A consumer may request and a business must disclose the categories of personal information that the business sold about the consumer and the categories of third parties to whom the personal information was sold, by category or categories of personal information for each category of third parties to whom the personal information was sold. This change clarifies that businesses do not need to identify specific third parties to whom personal information was sold.
Bill: AB 1355

Age limits for opt-in consent to sales for minors aged 13–15.

  • This amendment clarifies that the requirement for teenagers to affirmatively authorize the sale of their personal information applies to consumers aged 13 to 15, while teenagers 16 and older are treated as adults. The relevant provision states that a business may not sell the personal information of consumers if the business has actual knowledge that the consumer is less than 16 years of age, unless the consumer, in the case of consumers at least 13 years of age and less than 16 years of age, or the consumer's parent or guardian, in the case of consumers who are less than 13 years of age, has affirmatively authorized the sale of the consumer's personal information.
Bill: AB 1355

Nondiscrimination right and the value provided to a business by a consumer's data.

  • A business may offer a different price, rate, level, or quality of goods to a consumer if that price or difference is related to the value provided to the business by the consumer's data. Without this amendment, the CCPA would state that the price or difference must be related to the value provided to the consumer by the consumer's data.
Bill: AB 1355

Private right of action.

  • Non-encrypted and nonredacted personal information that is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business's violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information is subject to the CCPA's private right of action provision. Without this amendment, the CCPA would state that the private right of action applies to non-encrypted or nonredacted personal information that is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business's violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.
Bill: AB 1355

Deidentified and aggregate information.

  • The term "personal information" does not include consumer information that is deidentified or aggregate consumer information.
Bills: AB 874, AB 1355

Personal information collection and retention.

  • The CCPA shall not be construed to require a business to collect personal information that it would not otherwise collect in the ordinary course of its business or retain personal information for longer than it would otherwise retain such information in the ordinary course of its business.
Bills: AB 25, AB 1146, AB 1355

 

B. Changes to Definitions

Summary | Bill

Addition of reasonableness modifier to definition of personal information.

  • Personal information is information that is reasonably capable of being associated with a particular consumer or household or could reasonably be linked, directly or indirectly, with a particular consumer or household.
Bills: AB 874, AB 1355

Publicly available information.

  • The CCPA's definition of "publicly available" information (which is not considered "personal information") is no longer limited to data that is used for a purpose that is compatible with the purpose for which the data is maintained and made available in a government record.
Bills: AB 874, AB 1355

 

C. Exemptions and Exceptions

Summary | Bill

Employee data exemption.

  • Until January 1, 2021, information collected from a natural person by a business in the course of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business is exempt from certain provisions of the CCPA.
Bills: AB 25, AB 1146, AB 1355

Business-to-business data exemption.

  • Until January 1, 2021, the CCPA's consumer access and deletion rights do not apply to personal information reflecting a written or verbal communication or a transaction between the business and the consumer, where the consumer is a natural person who is acting as an employee, owner, director, officer, or contractor of a company (or certain other types of entities) and whose communications or transaction with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from such entities.
Bills: AB 25, AB 1146, AB 1355

Fair Credit Reporting Act (FCRA) exception.

  • The FCRA exemption has been modified to state that the CCPA shall not apply to an activity involving the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency, a furnisher of consumer report information, or a user of a consumer report.
Bills: AB 25, AB 1146, AB 1355

 

D. New Regulatory Authority and Concepts

Summary | Bill

Household data.

  • The CA AG has authority to establish rules and procedures on how to process and comply with verifiable consumer requests for specific pieces of personal information relating to a household in order to address obstacles to implementation and privacy concerns.
Bill: AB 1355

Written warranty deletion exception.

  • A business or service provider shall not be required to comply with a deletion request if it is necessary to maintain the consumer's personal information in order to fulfill the terms of a written warranty or product recall conducted in accordance with federal law.
Bill: AB 1146

Vehicle information.

  • The CCPA opt-out right shall not apply to vehicle information or ownership information retained or shared between a new motor vehicle dealer and the vehicle's manufacturer if the vehicle or ownership information is shared solely for the purpose of effectuating, or in anticipation of effectuating, a vehicle repair covered by a vehicle warranty or a recall.
Bills: AB 25, AB 1146, AB 1355

The California legislature declined to pass AB 846, a bill that would have limited the sale of personal information collected through loyalty programs to instances when the consumer expressly consented to the sale of such data to a specific third party. AB 846 also would have required businesses to give consumers the option to participate in the loyalty program, on equal terms with other participants, without consenting to the sale of the consumer's personal information to any third parties. Finally, the bill would have required any third-party recipients of loyalty program data to use the information only for the purposes of identifying the consumer as an eligible member of the business's loyalty, rewards, premium features, discounts, or club card program; third parties would not have been permitted to retain, use, or disclose the personal information for any other purpose.

CCPA Rulemaking Process

With the California legislature having adjourned, the focus now turns to the rulemaking process. The CCPA requires the CA AG to promulgate regulations furthering the purposes of the CCPA, including regulations on specific topics identified in the law.[2] Among the topics slated to be addressed are the following:

  • updated categories of personal information subject to the CCPA
  • the definition of unique identifiers
  • exceptions to the CCPA that are necessary to comply with state or federal law
  • submitting and complying with consumer requests
  • the development and use of a uniform opt-out logo/button
  • notices and information to be provided to the consumer, including financial incentive offerings
  • verification of a consumer's request, and
  • household data

The rulemaking process will commence when the CA AG promulgates the proposed regulations.[3] As the following chart illustrates, the public comment phase will then begin and may last anywhere from 60 days to 90 days or longer depending on the nature and extent of any changes the CA AG makes in response to comments:

CCPA Rulemaking Timeline

CA AG promulgates proposed regulations implementing the CCPA

45-day period to comment on the content of the regulations

CA AG makes changes to proposed regulations constituting "substantial and sufficiently related changes," i.e., changes that are reasonably foreseeable based on the notice of proposed action

  • 15-day period for additional comments
  • Public comment phase: 60 days

CA AG makes changes to proposed regulations constituting "substantial, but not sufficiently related changes," i.e., "major" changes that are not reasonably foreseeable based on the notice of proposed action

  • CA AG must issue new notice in the California Regulatory Notice Register and provide for new comment period of at least 45 days
  • Public comment phase: 90 days or longer

The CCPA's regulatory enforcement date ultimately depends on this regulatory process, as the CCPA becomes enforceable on the earlier of July 1, 2020, or six months after the CA AG publishes its final rules implementing the law.[4]


Regardless of the date regulatory enforcement begins, however, the CCPA becomes operative on January 1, 2020. For this reason, as indicated above, companies should be ready for CCPA compliance by this date. Moreover, the regulatory enforcement trigger does not apply to the CCPA's private right of action for certain data security breaches. That private right of action will become effective on January 1, 2020.