On October 11, 2019, California Governor Gavin Newsom signed five bills to amend the California Consumer Privacy Act (CCPA): AB 25, AB 874, AB 1146, AB 1355, and AB 1564. The governor’s office announced his signing of these bills one day after the California attorney general issued proposed regulations under the CCPA.
The five bills provide some regulatory relief, but certain key amendments expire on January 1, 2021. Unless the California legislature ultimately decides to extend or modify these amendments, in 2020 or beyond, businesses will need to prepare for the strictest privacy rule in the United States. The amendments providing regulatory relief include the following:
- Employee Information Exemption. The amendments provide an exemption from the CCPA for personal information that is collected in the course of business about a job applicant to the business, or about an employee, owner, director, officer, medical staff member, or contractor of that business, so long as the information is collected and used by the business solely within the context of such relationship. This amendment also exempts personal information that is emergency contact information of these individuals or that is necessary for the business to retain to administer benefits for such individuals, again to the extent that the personal information is collected and used solely in these respective contexts. These exemptions do not apply to the obligation of a business that collects personal information to inform the consumer, at or before the point of collection, as to the categories of personal information collected and the purposes for which such information will be used. They also do not override a consumer’s right to recover damages for information security breaches.
  These exemptions expire on January 1, 2021.
- Business-to-Business Exemption. The amendments add an exemption from many of the CCPA’s provisions for personal information reflecting a communication or transaction between a business and a consumer where the consumer is a natural person acting as an employee, owner, director, officer, or contractor of a business (including non-profits) or government agency, and whose communications or transactions with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from, such business or government agency. The exemption does not apply to the rule prohibiting discrimination based on the exercise by consumers of their rights, and does not override the CCPA’s civil money penalty provisions or the rights of consumers to recover damages for information security breaches. This exemption also does not apply to the rule allowing consumers to opt out of the sale of their personal information or to the opt-in requirement applicable to sales of information regarding consumers who are less than 16 years of age. It appears, however, that businesses would not be required to disclose those opt-out or opt-in rights to consumers given that the section of the CCPA requiring such notices (1798.135) is specifically exempted.
  This exemption also expires on January 1, 2021.
- Deletion Exception for Certain Warranty or Product Recall Purposes. The amendments add an exception to the requirement to delete consumers’ personal information upon a consumer’s request when retention of the information is necessary for the business to fulfill the terms of a written warranty or product recall conducted in accordance with federal law.
- Expanded Fair Credit Reporting Act Exemption. The exemption from the CCPA for the sale of certain personal information that is reported in or used to generate a consumer report under the federal Fair Credit Reporting Act (FCRA) is expanded by the amendments. The CCPA now will not apply to “an activity involving the collection, maintenance, disclosure, sale, communication or use of any personal information” bearing on a consumer’s credit worthiness or other characteristics covered by the FCRA definition of consumer report. This exemption covers the foregoing activities by consumer reporting agencies, furnishers of information for use in a consumer report, and users of such consumer reports. This exemption does not apply to the rights of consumers to recover damages for information security breaches.
- Exclusive Online Businesses. A business that operates exclusively online and has a direct relationship with a consumer from whom it collects personal information will only be required to provide an email address for consumers to submit requests for information regarding personal information that is collected or sold.
- Motor Vehicle Dealer and Manufacturer Exception. A limited exception from consumers’ rights to opt out of the sale of personal information is added by the amendments with respect to vehicle information or ownership information. The consumers’ opt-out rights (or opt-in rights in the case of consumers who are younger than 16 years of age) do not apply to vehicle information or ownership information that is shared between a new motor vehicle dealer and the vehicle’s manufacturer if the information is shared for the purpose of effectuating, or in anticipation of effectuating, a vehicle repair covered by a vehicle warranty or a recall conducted pursuant to federal law. However, the new motor vehicle dealer or vehicle manufacturer may not sell, share, or use such information for any other purpose.
The enacted bills also correct a number of drafting errors and clarify certain issues. With respect to clarifications:
- As part of determining that a consumer’s request for information is a “verifiable consumer request,” a business may require authentication of the consumer that is “reasonable in light of the nature of the personal information requested.”
- The definition of “personal information” is amended to clarify that it includes specified information when it is “reasonably capable of being associated with” a particular consumer or household, as opposed to simply “capable of being associated with” a particular consumer or household.
- The definition of “personal information” also is amended to clarify that it does not include consumer information that is de-identified or aggregate consumer information.
- Whether one characterizes it as a clarification or a new exception, the CCPA as amended specifically provides that it shall not be construed to require a business to collect personal information that it would not otherwise collect in the ordinary course of business, or to retain personal information for longer than it would otherwise retain such information in the ordinary course of business.
The amendments direct the California attorney general to establish rules and procedures on how to process and comply with verifiable consumer requests for specific pieces of personal information relating to a household in order to address obstacles of implementation and privacy concerns. Given that the governor signed these amendments one day after the attorney general proposed regulations, it seems reasonable to assume that additional regulations will be proposed.
The CCPA takes effect in just a few months, on January 1, 2020. While the California attorney general may not bring an enforcement action under the CCPA until six months after the publication of final regulations or July 1, 2020, whichever is sooner, businesses that will be subject to the CCPA need to prepare for the January 1, 2020 effective date.
As a first step, a business should identify all of the covered “personal information” that it “collects,” “sells,” or discloses for business purposes. Businesses also will need to coordinate with their vendors and other third parties with which they share consumers’ personal information, or from which they obtain personal information, and in many cases adjustments to existing contracts with these third parties might be needed. In addition, covered businesses will need to develop systems to store the covered information in ways that allow the business to address consumers’ rights, implement systems to respond to consumers’ requests for information or deletion of their personal information, develop the required disclosures, and begin training of relevant staff. Finally, every business will need to make certain decisions, including whether to treat all information about individuals the same way for storage and similar purposes whether or not relating to a covered “consumer” (which depends on the individual’s residency) and whether to extend CCPA rights to all individuals regardless of their California residency.
We are assisting our clients with all of these preparatory steps. Their individual issues depend on their type of business and business model, among other things. Companies with a significant online presence, and especially those that market their products or services online, face more challenges than certain other businesses due to the ability to collect covered personal information in passive as well as active ways. Certain institutions can benefit from the CCPA exemption for information that is collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act, but this exemption will rarely cover all personal information that these institutions obtain.