Over the past year, nearly twenty amendments were introduced to modify the California Consumer Privacy Act of 2018 (“CCPA”). Now that the deadline to introduce new amendments has passed, we can start to visualize what the CCPA will look like in its effective form. Despite many attempts to dramatically modify the scope, application, and enforcement authority of the CCPA, for the most part, the CCPA will remain the same. However, many of the changes that will likely take effect, subject to the governor’s approval, will impact organizations’ CCPA compliance efforts.
The following is a recap of the amendments that are likely to be signed into law, along with comments stemming from the legislative history for context. Note that the section headings provided below do not appear in the official text of the bills but are added here in this discussion for ease of reference. For those interested in learning more about the bills that did not make it out of the Legislature, Troutman Sanders is finalizing its “CCPA Amendments Monitor,” which will provide a thorough review of all CCPA amendments that have passed and failed to date. We will publish the CCPA Amendments Monitor here on the CFS Law Monitor.
AB 25 – Personal Information Collected in the Employment Context
- Temporarily excludes, until January 1, 2021, personal information collected in the employment context from the scope of the CCPA, except with respect to the CCPA’s private right of action relating to data breaches and notice obligations pursuant to Section 1798.100.
- The private right of action (breach) and notice obligations under Section 1798.100 will continue to take effect on January 1, 2020 with respect to personal information collected in the employment context (and personal information collected otherwise).
- Expressly specifies an exemption for PI collected and used solely for emergency contact purposes and for PI that is necessary to retain for the administration of benefits.
- Clarifies the authority that a business has to require reasonable authentication of a consumer and to use consumers’ existing accounts to convey CCPA requests.
Notably, as provided in the bill’s legislative history, the one-year sunset period is intended to provide the Legislature time to more broadly consider what privacy protections should apply in employment-based contexts and whether to repeal, revise, and/or make the exemptions permanent in whole or in part moving forward.
AB 874 – Redefining PI and “Publicly Available” Information
- Expands the scope of “publicly available” information that is exempted from the PI definition to ensure that “publicly available” includes any information that is lawfully made available from government records. In other words, it removes the conditions previously associated with “publicly available” information.
- Amends the PI definition to: (1) correct a drafting error in order to clarify that PI (as opposed to “publicly available” information) does not include deidentified or aggregate consumer information; and (2) specify, in relevant part, that PI includes information that is “reasonably capable” of being associated with a particular consumer or household, as opposed to “capable” of being associated.
According to the authors, the limitation previously imposed on “publicly available” was “confusing and unworkable.” The authors indicated that it is unlikely that businesses would be able to determine the purpose for which a government entity made information available to the public. Even assuming a business could ascertain this rationale, the authors found it unlikely that there would be any instances where a business would be deemed to use such information for the same purpose that the government made it public.
AB 1138 – Social Media: The Parent’s Accountability and Child Protection Act
- On and after July 1, 2021, the CCPA will prohibit a business that operates a social media website or application from allowing a child whom the business actually knows to be under 13 years of age to create an account unless the business first obtains the consent of the child’s parent or guardian.
- The bill would deem a business to have actual knowledge of the consumer’s age if it willfully disregards the consumer’s age.
- Allows businesses to obtain parental consent in various ways including, for example, a signed consent form sent to the business via fax, U.S. mail, or electronic scan or, alternatively, consent that complies with the Children’s Online Privacy Protection Act of 1998 (“COPPA”).
- Prohibits businesses from retaining or using personal information collected in order to obtain the necessary consent except as necessary for the purpose of the bill.
According to the authors, this bill “align[s] state and federal law [(i.e., COPPA)], closes the loopholes, and standardizes compliance mechanisms by requiring social media providers to receive parental consent before allowing minors under the age of 13 to create social media accounts.” Those in support of the law noted that, “[b]y ensuring that parents have the opportunity to discuss the potential dangers of social media, AB 1138 will help proactively inform minors about safe social media use.”
AB 1146 – Vehicle Warranties, Repairs, and Recalls
- Creates an exception to the right to opt out for vehicle information or ownership information retained or shared between a new motor vehicle dealer and the vehicle’s manufacturer, if the information is shared for the purpose of a vehicle repair covered by warranty or a recall.
- Creates an exception to the right to deletion for personal information that is necessary to maintain in order to fulfill the terms of a written warranty or a product recall in accordance with federal law.
AB 1202 – Data Broker Registry
- Requires data brokers to register with and provide certain information to the California Attorney General and requires the AG to create a publicly available registry of data brokers on its website.
- Makes data brokers that fail to register subject to injunction and liability for civil penalties, fees, and costs in an action brought by the AG.
- Defines a “data broker” as a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship. “Data brokers” does not include any of the following:
(1) a consumer reporting agency covered by the Fair Credit Reporting Act (“FCRA”);
(2) a financial institution covered by the Gramm-Leach-Bliley Act (“GLBA”); and
(3) an entity governed by the Insurance Information and Privacy Protection Act.
- Provides that the bill shall not be construed to supersede or interfere with the CCPA.
According to the legislative history, the purpose of this bill is to create a registry of data brokers so that California consumers may better know what businesses to contact in order to opt-out of the sale of their personal information.
AB 1281 – Facial Recognition Technology Disclosures
- Requires businesses in California that use facial recognition technology to disclose that usage in a physical sign that is clear and conspicuous at the entrance of every location that uses facial recognition technology.
- The sign must be displayed in a manner that ensures an individual can read the sign before the business captures a digital image or video of the individual that can be analyzed using facial recognition technology.
- Operative on July 1, 2020.
It will be interesting to see how the law develops in this area, as opponents of this bill argued that “[p]osting a sign is little or no protection against the use of this powerful and intrusive technology. Such signs would likely become as ubiquitous and ignored as Prop. 65 notices are now [which requires businesses to provide warnings to Californians about significant exposures to chemicals that cause cancer, birth defects or other reproductive harm], particularly when consumers have no effective way to guard against the dangers. A physical sign – no matter how prominent – is no substitute for consent.”
AB 1355 – The Clarification Amendment
- Refines the existing FCRA exemption so that it applies to any activity involving collection, maintenance, disclosure, sale, communication, or use of any PI bearing on a consumer’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency, only to the extent such activity is subject to the FCRA, but prevents application of this exception to the CCPA’s private right of action.
- Specifies that, until January 1, 2021, certain CCPA obligations do not apply to PI reflecting a communication or transaction between the business and the consumer, where the consumer is a natural person: (1) who is an employee, owner, director, officer, or contractor of a government agency or a business; and (2) whose communications or transactions with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from that business or government agency (i.e., “business-to-business” communications or transactions).
- Revises the section establishing a data breach private right of action to clarify that it applies to any consumer whose “nonencrypted and nonredacted” PI is subject to an unauthorized access and exfiltration, theft, or disclosure.
- Adds express authority for the AG to establish additional rules and procedures on how to comply with verifiable consumer requests for specific pieces of PI relating to a household.
- Clarifies an existing CCPA exemption to specify that businesses do not need to collect PI that they would not otherwise collect in the ordinary course of their business or retain PI for longer than they would otherwise retain in the ordinary course of their business.
- Clarifies that consumers at least 13 years of age and less than 16 years of age (as opposed to “between 13 and 16 years of age”) must affirmatively authorize the sale of the consumers’ personal information prior to such information being sold by businesses.
- Corrects a likely drafting error in the non-discrimination provision, namely in Section 1798.125(b)(1) (“A business may also offer a different price, rate, level, or quality of goods or services to the consumer if that price or difference is directly related to the value provided to the consumer business by the consumer’s data.”).
- Addresses various other non-substantive drafting errors.
As noted in the legislative history, the one-year sunset provision specific to B2B/employee transactions is to “enable the Legislature to revisit the issue at the same time it is anticipated to more broadly reexamine the application of CCPA rights to a consumer in the context of the consumer acting as an employee (or similarly situated position) of a business, as envisioned by AB 25 . . .”
AB 1564 – Designated Methods to Submit Certain Information Requests
- Updates the designated methods to submit consumer requests to no longer require a telephone number in all instances. Specifically, if a business operates exclusively online and has a direct relationship with consumers, it is only required to provide an email address for submitting certain requests.
- Requires businesses that maintain an internet website to make the website available to consumers to submit certain requests.
As noted in the legislative history, “the CCPA applies to both online and brick-and-mortar businesses that meet certain thresholds. As such, the law requires that business provide certain mechanisms, at least one of which is not internet-based, by which consumers can relay their requests [i.e., telephone numbers].” “Recognizing that some businesses may operate exclusively online and not have toll-free numbers available, this bill, sponsored by the Internet Association, seeks to provide those online-only businesses additional flexibility by, instead, only requiring them to make available an email address for purpose of submitting their requests pursuant to specified ‘right to know’ provisions of the CCPA. Further, consistent with what the CCPA already requires, if the business maintains an internet website, they must make that website available for consumers to submit their requests pursuant to those ‘right to know’ provisions.”