On October 11, California Governor Newsom signed five amendments into law that modify the text of the California Consumer Privacy Act of 2018 (“CCPA”). These amendments were signed just one day after California Attorney General, Xavier Becerra, released the draft of the proposed regulations to the CCPA, a summary of which can be found here.
A high-level overview of the changes these amendments make to the CCPA is provided below.
- Temporarily excludes, until January 1, 2021, personal information collected in the employment context from the scope of the CCPA, except with respect to the CCPA’s private right of action relating to data breaches and notice obligations pursuant to Section 1798.100.
- The private right of action (breach) and notice obligations under Section 1798.100 will continue to take effect on January 1, 2020 with respect to personal information collected in the employment context (and personal information collected otherwise).
- Expressly specifies an exemption for PI collected and used solely for emergency contact purposes, and for PI that must be retained for the administration of benefits.
- Clarifies a business’s authority to require reasonable authentication of a consumer and to use consumers’ existing accounts to convey CCPA requests.
Notably, as provided in the bill’s legislative history, the one-year sunset period is intended to provide the Legislature time to more broadly consider what privacy protections should apply in employment-based contexts and whether to repeal, revise, and/or make the exemptions permanent in whole or in part in moving forward.
- Expands the scope of “publicly available” information that is exempted from the PI definition to ensure that “publicly available” includes any information that is lawfully made available from government records. In other words, it removes the conditions previously associated with “publicly available” information.
- Amends the PI definition to: (1) correct a drafting error, clarifying that PI (as opposed to “publicly available” information) does not include deidentified or aggregate consumer information; and (2) specify, in relevant part, that PI includes information that is “reasonably capable” of being associated with a particular consumer or household, as opposed to merely “capable” of being associated.
According to the authors, the limitation previously imposed on “publicly available” was “confusing and unworkable.” The authors indicated that it is unlikely that businesses would be able to determine the purpose for which a government entity made information available to the public. Even assuming a business could ascertain this rationale, the authors found it unlikely that there would be any instances where a business would be deemed to use such information for the same purpose that the government made it public.
- Creates an exception to the right to opt out for vehicle information or ownership information retained or shared between a new motor vehicle dealer and the vehicle’s manufacturer, if the information is shared for the purpose of a vehicle repair covered by warranty or a recall.
- Creates an exception to the right to deletion for personal information that is necessary to maintain in order to fulfill the terms of a written warranty or a product recall in accordance with federal law.
- Refines the existing FCRA exemption so that it applies to any activity involving collection, maintenance, disclosure, sale, communication, or use of any PI bearing on a consumer’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency, only to the extent such activity is subject to the FCRA, but prevents application of this exception to the CCPA’s private right of action.
- Specifies that, until January 1, 2021, certain CCPA obligations do not apply to PI reflecting a communication or transaction between the business and the consumer, where the consumer is a natural person: (1) who is an employee, owner, director, officer, or contractor of a government agency or a business; and (2) whose communications or transactions with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from that business or government agency (i.e., “business-to-business” communications or transactions).
- Revises the section establishing a data breach private right of action to clarify that it applies to any consumer whose “nonencrypted and nonredacted” PI is subject to an unauthorized access and exfiltration, theft, or disclosure.
- Adds express authority for the AG to establish additional rules and procedures on how to comply with verifiable consumer requests for specific pieces of PI relating to a household.
- Clarifies an existing CCPA exemption to specify that businesses do not need to collect PI that they would not otherwise collect in the ordinary course of their business or retain PI for longer than they would otherwise retain in the ordinary course of their business.
- Clarifies that consumers at least 13 years of age and less than 16 years of age (as opposed to “between 13 and 16 years of age”) must affirmatively authorize the sale of the consumers’ personal information prior to such information being sold by businesses.
- Corrects a likely drafting error in the non-discrimination provision, namely in Section 1798.125(b)(1) (“A business may also offer a different price, rate, level, or quality of goods or services to the consumer if that price or difference is directly related to the value provided to the consumer business by the consumer’s data.”).
- Addresses various other non-substantive drafting errors.
As noted in the legislative history, the one-year sunset provision specific to B2B/employee transactions is to “enable the Legislature to revisit the issue at the same time it is anticipated to more broadly reexamine the application of CCPA rights to a consumer in the context of the consumer acting as an employee (or similarly situated position) of a business, as envisioned by AB 25 . . .”
- Updates the designated methods to submit consumer requests to no longer require a telephone number in all instances. Specifically, if a business operates exclusively online and has a direct relationship with consumers, it is only required to provide an email address for submitting certain requests.
- Requires businesses that maintain an internet website to make the website available to consumers to submit certain requests.
As noted in the legislative history, “the CCPA applies to both online and brick-and-mortar businesses that meet certain thresholds. As such, the law requires that business provide certain mechanisms, at least one of which is not internet-based, by which consumers can relay their requests [i.e., telephone numbers].” “Recognizing that some businesses may operate exclusively online and not have toll-free numbers available, this bill, sponsored by the Internet Association, seeks to provide those online-only businesses additional flexibility by, instead, only requiring them to make available an email address for purpose of submitting their requests pursuant to specified ‘right to know’ provisions of the CCPA. Further, consistent with what the CCPA already requires, if the business maintains an internet website, they must make that website available for consumers to submit their requests pursuant to those ‘right to know’ provisions.”
Notably, AB-1202 was also signed into law, which requires “data brokers” to register with and provide certain information to the California Attorney General and requires the AG to create a publicly available registry of data brokers on its website. According to the legislative history, the purpose of this bill is to create a registry of data brokers so that California consumers may better know which businesses to contact in order to opt out of the sale of their personal information.