The California legislature passed five bills on September 13 to amend and clarify the scope of the California Consumer Privacy Act (CCPA). If the amendments are signed by the California governor by the October 13 deadline, they will become part of the CCPA, set to take effect on January 1, 2020. A LawFlash by Morgan Lewis partner Reese Hirsch and associates Kristin Hadgis, Lauren Groebe, and Terese Schireson discusses the key proposals in each amendment, such as:

  • The proposed one-year exemption from most of the CCPA’s requirements for certain employee and prospective employee data
  • The creation of a one-year exemption from CCPA compliance for certain business-to-business (B2B) communications or transactions
  • Proposed clarifications to the definitions of “personal information” and “publicly available information”
  • The proposed exemption from the definition of “personal information” for certain “vehicle information” and “ownership information” that is retained or shared by dealers and manufacturers for purposes of warranty repair or recall-related repair
  • The proposed clarification that “deidentified or aggregate consumer information” is excluded from the definition of “personal information”
  • The proposed narrowing of the consumer private right of action to apply to personal information that is “nonencrypted and nonredacted” rather than “nonencrypted or nonredacted”
  • The proposed online business exception for consumer request methods, which allows an email address in lieu of the previously required minimum of two methods

As our colleagues note, the proposals include a few amendments that are favorable to businesses preparing for compliance with the CCPA, especially with regard to the new exemptions applicable to employee data and B2B communications. However, the CCPA’s new consumer privacy rights and private right of action for a security breach remain largely unchanged.