With the California legislative session having ended on Friday, September 13, 2019, we finally have some idea what the final version of the California Consumer Privacy Act (CCPA) will look like when it takes effect on January 1, 2020. Still, much ambiguity remains, with many businesses hoping that the state Attorney General’s forthcoming regulations provide some much-needed clarity.
The CCPA, since its passage in the summer of 2018, has sent shockwaves through the business community by providing California residents with groundbreaking and unprecedented control over their personal information held by businesses. Specifically, the CCPA provides California residents with the right to request the deletion of their personal information, the right to restrict the sale of their personal information, and the right to request information regarding companies’ collection, sale, and disclosure of their personal information. Businesses covered by the CCPA must also make certain disclosures regarding their information practices at or before the “point of collection” and in their privacy policies. The hastily crafted bill is plagued with critical ambiguities and inconsistencies, which companies have struggled to address.
In the final days of the legislative session, the California legislature voted to send several amendments to the CCPA to Governor Gavin Newsom’s desk, including industry-backed bills that exempt employee data from CCPA requirements for one year, somewhat clarify obligations regarding de-identified data and data that is otherwise publicly available, and make other changes regarding companies’ obligation to respond to consumer requests for information. Governor Newsom has until October 13, 2019 to sign the bills. No further amendments are expected before the law’s January 1, 2020 start date.
The following amendments await the governor’s signature:
- AB 25, Chau: Excludes employee and related personal information until January 1, 2021. Amends the CCPA to exclude personal information collected about job applicants, employees, business owners, directors, officers, medical staff, or contractors. The amendment also carves out emergency contact information for the above categories of individuals associated with a business and personal information necessary for the administration of benefits to dependents of such categories of individuals. Importantly, for the exclusion to apply, the personal information must be collected and used by the business solely within the context of the individual’s role at the business, having an emergency contact on file, or administering benefits to dependents. AB 25’s carve-outs do not apply to a consumer’s private right of action for data breaches or the requirement that consumers receive a CCPA-compliant notice at the point of collection of personal information. AB 25’s amendments expire on January 1, 2021, meaning the carved-out personal information will then be fully subject to the CCPA unless further amendments are enacted.
- AB 874, Irwin: Clarifies definition of “personal information.” Restricts the definition of “publicly available” to include only information lawfully made available from federal, state, or local government records; removes the following language from the definition: “Information is not ‘publicly available’ if that data is used for a purpose that is not compatible with the purpose for which the data is maintained and made available in the government records or for which it is publicly maintained.” AB 874 would also clarify that “deidentified” and “aggregate” consumer information are not “personal information” under the CCPA. The Senate amended AB 874 to state that personal information must be “reasonably capable” of being associated with a particular consumer or household—as opposed to just “capable”—to be subject to the law’s disclosure requirements.
- AB 1146, Berman: Revises definition of personal information. Exempts from the CCPA’s opt-out and deletion rights certain vehicle information (such as VIN numbers) necessary to facilitate vehicle recalls and warranty work.
- AB 1355, Chau: Corrects drafting errors. Corrects various cross-references and drafting errors in the CCPA. Amended to include a one-year exemption for business-to-business communications and transactions from certain disclosure provisions, with specific limitations. The amended version of the bill also broadens the existing exemption for compliance with the federal Fair Credit Reporting Act (FCRA). Includes several changes concerning consumer requests: allows a business to vary its method of authenticating a consumer based on the nature of the personal information requested; allows businesses to require consumers to submit access requests through established accounts; incorporates AB 1564’s changes to channels for receiving requests (see below); and adds methods of verification of consumer requests to the list of topics for the AG to consider for rulemaking.
- AB 1564, Berman: Modifies methods to accept consumer requests. Amends the methods businesses must make available to consumers for submitting verified requests for information regarding the use of their personal information. Companies that operate exclusively online and have a direct relationship with a consumer from whom they collect personal information would only be required to provide an email address for submitting requests (as opposed to the “two or more designated methods” required by the law in its current form).
Notably absent from this list is AB 846 (Burke), which would have amended the law’s non-discrimination provision to expressly provide that it does not prohibit businesses from offering goods or services to consumers through the consumers’ voluntary participation in loyalty, rewards, premium features, discount, or club card programs. AB 846 passed the Assembly without much opposition, but ran into a roadblock in the Senate Judiciary Committee, where the bill was amended in multiple ways, including to require “express consent” before selling personal information collected through loyalty programs. As a result, industry groups withdrew support for the bill, which is now being held until 2020.
It’s the Final Countdown
With January 1, 2020 right around the corner, businesses should be taking concrete steps to comply with the CCPA, including crafting disclosures required under the CCPA and implementing internal processes to address requests made by California residents. Steptoe’s privacy team is working with numerous retailers and e-commerce companies to prepare for the CCPA, and for similar laws that are being considered in statehouses across the country.