At the close of its 2019 legislative session, the California Legislature passed five amendments to the California Consumer Privacy Act (CCPA), which now head to the Governor’s desk for signature by October 13, 2019 to be effective.

The amendments are relevant to all businesses covered by the CCPA as one of the amendments changes a number of fundamental definitions, including, “personal information,” “publicly available” information, and “verifiable consumer request,” which necessarily affect the entire application of the law.

Some of the other amendments, however, are industry specific in seeking to provide a one-year exemption for HR data and B2B customer representative personnel data and limiting exemptions of personal information to fulfill a product warranty or recall, or to make a vehicle repair covered by warranty or recall.

This Client Alert goes through the amendments one by one, but first, here is a quick reminder of which businesses the CCPA will apply to after the law’s January 1, 2020 effective date. To be required to comply with the CCPA, a business must meet just one of the following elements: (1) $25 million in gross annual revenue; (2) collect or otherwise have the data of 50,000 California consumers, households or devices; or (3) earn more than half of its annual revenue by selling consumer personal data. The $25 million in gross annual revenue trigger is the one that seems to be catching the most businesses within the law’s grasp. (For any other reminders about the law’s scope and requirements (outside of the recent amendments) please see our July 2018 article “California’s Data Privacy Law: What It Is and How to Comply (A Step-By-Step Guide)”.) The Amendments

The 3000-foot view of the amendments is that they would do the following:

  • Definitions: Change the definitions of “personal information,” “publicly available” information, and “verifiable consumer request”;
  • HR and B2B Data Exemptions: Provide a one-year exemption for HR data and B2B customer representative personnel data;
  • Automotive Industry Exemptions: Provide limited exemptions for personal information necessary to fulfill a product warranty or recall, or to effectuate a vehicle repair covered by a vehicle warranty or recall;
  • Revise the Anti-Discrimination Right: Allow a business to charge a consumer a difference price or rate, or provide a different level of quality of goods or services, if the difference is reasonably related to the value provided to the business by the consumer’s data; and
  • Clarify the Designated Consumer Request Method: Clarify that a business that operates solely online only needs to provide an email address as a designated consumer request method.

AB-874 Definitions

In the original draft, “personal information” was defined quite broadly to include not only personal identifiers, such as name, address, email address, account information, driver’s license number, and the other usual suspects, but also internet or other electronic network activity information, such as browser history, search history, website interaction information, and other similar information that is usually aggregated or de-identified so not to be associated with an individual person. The potential broad stretch of the law was concerning, especially with the inclusion of aggregated and de-identified data elements, which would have had the scope of the CCPA much more far reaching than the information protected under the General Data Protection Act (GDPR).

As a result, the amendment would narrow the definition of “personal information” to be “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” It would exclude “consumer information that is de-identified or aggregate consumer information” significantly narrowing the CCPA’s scope.

The amendment would also clarify the meaning of “publicly available” information to “information that is lawfully made available from federal, state, or local government records.”

AB-25 – Employee Information Exemption / Identification Authentication Employee Information Exemption

If signed into law, AB-25 would provide a huge (though limited) sigh of relief to covered businesses who have California employees.

First, job applicants, employees, owners, directors, officers, medical staff members, and contractors who have their personal information collected and used by a covered business solely within the context of their role (or former) role with the business would not have data subject rights, e.g., the ability to opt-out of the sale of their information, the right to delete, etc. This exemption would be limited to a year and, if left unchanged during the 2020 legislative session, would sunset on January 1, 2021.

Business would still have to provide those persons notice, which would be similar to their website privacy policy, and they would have a private right of action against a business in the event their personal information was improperly disclosed as a “result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.” Identification Authentication

With respect to data subject requests, the amendment would also allow businesses to require authentication that is “reasonable in light of the nature of the personal information requested.” Businesses would not be able to require a consumer to first create an account just to submit a verifiable consumer request. If, however, the consumer already had an account with the business, the business could require the consumer to submit a data subject request through that existing account portal. AB-1355 Personal Information in B2B Transactions / Clarification of Notice Requirements / Anti-Discrimination B2B Personal Information

Amendment AB-1355 would provide B2B businesses a significant (though also limited) sigh of relief as it would add a B2B exemption and exempt “personal information reflecting a written or verbal communication or a transaction between the business and the consumer, where the consumer is a natural person who is acting as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency and whose communications or transaction with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from such company, partnership, sole proprietorship, nonprofit or government agency.”

The amendment, however, would still allow B2B customer personnel to opt-out of the sale of their information, but the notice requirement would not apply to businesses. This amendment would essentially operate the same way as the employee exemption in that, if left unchanged, would be limited to one year and sunset on January 1, 2021, and B2B customer personnel would still be able to bring a private right of action in the event their personal information was subject to a data breach. Clarification of Notice Requirements

The amendment would also clarify that a business’s privacy policy must disclose: (1) “the categories of personal information it has collected about consumers,” as opposed to “that consumer” and (2) “that a consumer has the right to request the specific pieces of personal information the business has collected about that consumer.” In addition, the consumer rights notice would have to be made available to consumers via: (1) the business’s privacy policy and any California-specific description of consumers’ privacy rights; and (2) communicated to relevant business personnel responsive for CCPA compliance, e.g., employee CCPA compliance training. Anti-Discrimination

The amendment would also clarify the CCPA’s anti-discrimination provision, which would clarify that a business could charge a consumer a difference price or rate, or provide a different level of qualify of goods or services, if the difference is reasonably related to the value provided to the business by the consumer’s data.

AB-1146 – Exemptions: Vehicle Information

As it pertains to the automotive industry in particular, AM-1146 would exempt certain vehicle information from the consumer’s right to opt out of information that is shared by the business for “a vehicle repair covered by a vehicle warranty or a recall…provided that the new motor vehicle dealer or vehicle manufacture with which that vehicle information or ownership information is shared does not sell, share, or use that information for any other purpose.” Further, the consumer’s right to delete their data would not include information the business needs to maintain the consumer’s personal information to fulfill the terms of a warranty or recall.

AB-1564 – Consumer Request for Disclosure Methods (Elimination of the Toll-Free Number Requirement) In the initial draft of the CCPA, businesses had to make available to consumers “two or more designated methods” for submitting requests for information including, at minimum, a toll-free telephone number.” The amendments would allow businesses that operate “exclusively online and have a direct relationship with a consumer from whom it collects personal information” to only provide an email address for submitting consumer data subject requests.

What Stays Intact

The amendments had no impact on the right to know requirements. Meaning, as of January 1, 2020, California consumers will have to be provided notice of, or the right to request the following information from covered businesses:

  • The categories and specific pieces of personal information a business collects about them;
  • The categories of personal information a business has sold to third parties; and
  • The categories of personal information a business has to disclose to third parties for business purposes.

Other compliance pieces that remain unaffected include:

  • A consumer will have the right to opt out of the sale of their personal information and there must be a mechanism for choosing “Do Not Sell My Personal Information” on the businesses website;
  • A consumer will have the right to have their personal information deleted, though subject to a lot of exemptions; and
  • Consumers will still be protected from discrimination; however, if a consumer opts in to a financial incentive program, and business may “offer financial incentives including payments ... for the collection…sale, or… deletion of personal information.” If a consumer does not opt in to the program, or requests a business not sell or delete their personal information, a business “may also offer a different price, rate, level, or quality of goods or services to the consumer if that price or difference is directly related to the value provided to the business by the consumer’s data.”