At the close of its legislative session on September 13, the California legislature passed five bills to amend and clarify the scope of the landmark California Consumer Privacy Act, which establishes new statutory privacy rights and business obligations for the collection and use of “personal information.”
California Governor Gavin Newsom has until October 13, 2019, to act on the proposed amendments to the California Consumer Privacy Act (CCPA); if the amendments are signed, they will become part of the CCPA, which takes effect January 1, 2020. We summarized the primary features of the CCPA in our previous LawFlash, California Enacts Sweeping GDPR-Like Privacy Law.
The proposed amendments include a few changes favorable to businesses preparing for CCPA compliance, most notably with regard to the new exemptions applicable to employee data and business-to-business communications. However, the CCPA’s new consumer privacy rights and security breach private right of action remain largely unchanged.
The following highlights key proposals in each amendment.
AB 25 amends the CCPA to exempt certain personal information collected from job applicants, employees, owners, directors, staff, officers, and contractors of a business from most requirements of the CCPA for one year, until January 1, 2021. This information includes (1) personal information collected about a person as a job applicant, employee, owner, director, officer, medical staff member, or contractor of that business; (2) personal information collected and used solely for the purpose of maintaining emergency contact information; and (3) personal information collected and used solely to administer benefits to an individual’s dependents.
This information will be exempted from most of the CCPA’s requirements, including the requirements that businesses offer consumers opt-out, access, and deletion rights. However, AB 25 does not alter (1) the requirement that businesses provide a CCPA-compliant privacy notice to job applicants, employees, owners, directors, staff, officers, and contractors, or (2) the right of job applicants, employees, owners, directors, staff, officers, and contractors to bring a private civil action for data breaches. The California legislature is expected to consider more comprehensive employee privacy legislation next year before the employee-specific exemptions created by AB 25 expire on January 1, 2021.
AB 25 also adds language regarding consumer requests, stating that a business “may require authentication of the consumer that is reasonable in light of the nature of the personal information requested,” without requiring “the consumer to create an account with the business in order to make a verifiable consumer request.” However, “[i]f the consumer maintains an account with the business, the business may require the consumer to submit the request through that account.”
AB 874 clarifies the definitions of “personal information” and “publicly available information.” The amendment removes from the definition of “publicly available information” a carve-out for information “used for a purpose that is not compatible with the purpose for which the data is maintained and made available in the government records or for which it is publicly maintained.” The removal of this qualification substantially broadens the scope of information considered publicly available. Under the amendment, “publicly available information” is now defined as information that “is lawfully made available from federal, state, or local government records.”
The amendment also clarifies that “personal information” includes information “that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The reasonableness standard now applies both to information that “is reasonably capable of being associated with . . . a particular consumer or household” and to information that “could reasonably be linked, directly or indirectly, with a particular consumer or household.” (Emphasis added.)
AB 1146 provides further clarification on the definition of “personal information” by exempting vehicle information and vehicle ownership information that is retained or shared by dealers and vehicle manufacturers for purposes of a warranty repair or recall-related vehicle repair. The dealer or vehicle manufacturer receiving such information cannot sell, share, or use that information for any other purpose.
As the amendment’s author explained, the amendment makes it “clear that a new motor vehicle dealer may retain vehicle and ownership information in order to share it with an automobile manufacturer for the purpose of enabling either warranty work or a manufacturer’s recall. While the bill would provide this narrowly tailored authority for recalls and warranty work, it would preserve a consumer’s right to access their personal information and know what has been collected and shared, as well as maintain consumer remedies.” See AB 1146, Senate Floor Analyses, at 4 (Aug. 14, 2019).
The amendment also adds definitions for “vehicle information” and “ownership information.” “Vehicle information” includes “the vehicle information number, make, model, year, and odometer reading.” “Ownership information” is defined as “the name or names of the registered owner or owners and the contact information for the owner or owners.”
AB 1355 creates a one-year exemption from CCPA coverage for certain business-to-business (B2B) communications or transactions. Similar to the employee personal information exemption, this exemption created by AB 1355 sunsets on January 1, 2021, with the expectation that the California legislature will determine a more permanent approach next year. As amended by AB 1355, personal information about an employee, owner, director, officer or contractor of a business or government agency collected by a business within the context of the business conducting due diligence or providing or receiving a product or service would be exempt from certain CCPA requirements. Moreover, the amendment clarifies that a business is not required to “collect personal information that it would not otherwise collect in the ordinary course of its business” or to “retain personal information for longer than it would otherwise retain such information in the ordinary course of its business.”
AB 1355 also broadens the existing Fair Credit Reporting Act (FCRA) exemption, clarifying that the exemption applies to any FCRA “activity involving the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living.”
AB 1355 further clarifies that “deidentified or aggregate consumer information” is excluded from the definition of “personal information.”
AB 1355 also amends the CCPA private right of action to apply only to “personal information” that is “nonencrypted and nonredacted.” Previously, the consumer private right of action applied to “nonencrypted or nonredacted” personal information that “is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.” The amendment narrows the scope of the consumer private right of action.
Finally, the amendment provides the California attorney general with additional authority to adopt regulations to “establish rules and procedures on how to process and comply with verifiable consumer requests relating to” household information “in order to address obstacles to implementation and privacy concerns.” The CCPA already authorizes the California attorney general to issue regulations in other specified areas and as necessary.
AB 1564 modifies the methods by which consumers may submit requests for information regarding the use of their personal information. The CCPA required businesses to provide at least two methods to submit such requests, including, at a minimum, a toll-free number and, if the business maintains a website, a website address. However, AB 1564 added a narrow exception: A business that operates exclusively online and has a direct relationship with a consumer is only required to provide an email address for submitting such requests. The amendment also added that if a business maintains an internet website, consumers must be able to submit requests through the business’s website.
An amendment, along with other proposals, to expand the private right of action was not approved by the California legislature. The scope of the private right of action will likely be revisited in the future and will remain a subject of debate.
One amendment, AB 846, which would have clarified the application of certain nondiscrimination provisions to loyalty programs, passed through the Senate Appropriations Committee with the bills discussed above, but did not pass the California legislature.
The five amendment bills contain some additional modifications to the CCPA that we will explore in an additional LawFlash once they have been signed into law by Governor Newsom.
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers:
San Francisco
Reece Hirsch
Philadelphia
Ezra Church
Gregory Parks
Kristin Hadgis
Terese Schireson