On the last day of its 2019 session, the California legislature passed six bills that amend and clarify key provisions of the California Consumer Privacy Act (the “CCPA”), the state’s landmark 2018 data privacy law. The CCPA, as amended by these bills, will take effect on January 1, 2020.
The 2018 CCPA
The California Consumer Privacy Act was signed into law on June 28, 2018, after being rushed through the California legislature only a few days earlier. The legislature acted quickly in order to prevent California voters from voting directly on a data privacy referendum that was scheduled to appear on the ballot in the November 2018 general election.
Consumer Data Privacy Rights
The CCPA codified a set of consumer rights with respect to the privacy and security of their personal information. For this purpose, “personal information” is defined broadly to include records of purchases and other consumer tendencies, Internet browsing and search histories, and any other information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Specifically, the CCPA provides that California consumers have the following basic rights in relation to their personal information, and requires covered businesses to provide these rights:
- Right to Know: Consumers have the right to learn what personal information has been collected about them, or sold or otherwise disclosed about them, by submitting a “verifiable consumer request” to a covered business. The CCPA establishes procedures that businesses must follow in responding to qualifying consumer requests.
- Right to Opt Out: Consumers have the right to opt out of the sale or transfer of their personal information. Covered businesses must notify consumers of this right and make available prescribed channels for opt-out elections, including a website address and a toll-free telephone number.
- Right to Delete: Consumers have the right to request that their collected personal information be deleted. Covered businesses must honor most requests to delete consumer personal information, with some exceptions – for example, a business can retain personal information that is required to complete a transaction or provide a good or service.
- Right Not to Be Discriminated Against for Exercising Consumer Rights: Covered businesses are prohibited from discriminating against a consumer for having exercised any right under the CCPA (for example, opting out of data transfers). Specifically, a covered business cannot refuse to sell goods or services, or charge different prices for such goods or services, because a consumer exercised any CCPA right.
Private Right of Action
The CCPA also provides that consumers have the right to sue covered businesses for damages in the event of a data breach or other improper disclosure of their personal information.
Covered Businesses
The CCPA applies to any for-profit business that collects and controls California residents’ personal information, does business in the state of California, and:
- has annual gross revenues of $25 million or more, or
- buys, receives, sells or discloses the personal information of 50,000 or more California residents, households or devices on an annual basis, or
- derives 50 percent or more of its annual revenues from selling California residents’ personal information.
The CCPA also applies to corporate affiliates of covered businesses that share the same branding.
The 2019 Amendments
The six bills passed late in the 2019 legislative session, and signed into law by Governor Newsom, amend and clarify the CCPA in several important respects.
AB 25 – Employment-Related Information and Verifiable Consumer Requests
Assembly Bill 25 provides a one-year exemption (until January 1, 2021) from most of the law’s requirements for information concerning a business’ employee, job applicant, director, officer or contractor, if this information relates solely to the work relationship. Emergency contact information and information required in order to administer benefit plans and programs are specifically covered by this temporary exemption. However, AB 25 does not relieve employers of the obligation to inform employees of the categories of their personal information that can be collected (see “The 2018 CCPA – Right to Know”, above), nor does the bill affect a worker’s right to sue for damages in the event of a breach of his or her personal information (see “The 2018 CCPA – Private Right of Action”, above). AB 25 includes a one-year sunset provision, so that the exemption of work-related information will no longer apply beginning January 1, 2021.
In addition to the employment-related provisions, AB 25 clarifies that a business may require reasonable authentication or verification of a consumer’s identity in connection with a consumer request, and that a business may also require a consumer to use an existing account with the business to submit a verifiable consumer request.
AB 1355 – Miscellaneous Provisions
Assembly Bill 1355 includes a number of miscellaneous clarifications and amendments:
- Clarification Regarding the Nondiscrimination Provisions. The bill makes an important clarification regarding the nondiscrimination provisions (see “The 2018 CCPA – Right Not to Be Discriminated Against for Exercising Consumer Rights”, above) by providing that differing prices or services can be offered based on the value of the data to the business. (Under the original CCPA, a business could only offer different prices or services based on the value of a consumer’s data to the consumer.) This change should make it easier for businesses to base loyalty incentives on the value of collected consumer data.
- Deidentified or Aggregated Information. The bill clarifies that personal information does not include deidentified or aggregated consumer information.
- One-Year Exemption for Certain B2B Data. AB 1355 creates a one-year exemption for personal information collected in certain business-to-business transactions. Specifically, the bill exempts personal information that reflects a communication or transaction between or among a business and the employees or contractors of another business for the purpose of conducting due diligence or providing or receiving a product or service. Importantly, the bill does not exempt businesses from the opt-out or data breach provisions, including the consumer’s right to sue for damages for an unauthorized breach.
AB 874 – Definition of Personal Information to Include Reasonableness
Assembly Bill 874 somewhat narrows the definition of “personal information” by clarifying that personal information must “reasonably” be capable of being associated with a particular consumer or household.
AB 1146 – Exemption for Vehicle Information
Assembly Bill 1146 establishes a narrow exemption under which the CCPA’s opt-out and deletion rights (see “The 2018 CCPA – Right to Opt Out” and “Right to Delete”, above) do not apply if a business or service provider needs the personal information to fulfill the terms of a warranty or product recall that is conducted in accordance with federal vehicle safety laws. The bill specifically permits automobile manufacturers and dealers to retain and share a consumer’s vehicle or ownership information in order to complete warranty repairs or conduct a recall.
AB 1564 – No Phone Number Required for Online Only Businesses
Assembly Bill 1564 amends the designated methods by which consumers can opt out of data collection or request deletion of collected data (see “The 2018 CCPA – Right to Opt Out” and “Right to Delete”, above) to state that businesses that operate exclusively online do not have to provide a toll-free telephone number for these purposes.
AB 1202 – Registration Required for Data Brokers
Assembly Bill 1202 requires that data brokers register annually with the California Attorney General’s Office. “Data broker” is defined broadly as any business that knowingly collects and sells personal information of consumers with whom the business does not have a direct relationship, with limited exceptions. Credit reporting agencies and financial institutions are exempted. The Attorney General will set registration fees and post information about the data brokers on its website. Failure to register will expose the data broker to civil penalties, injunctive relief, fees and costs.
Any business that is subject to the CCPA (see “The 2018 CCPA – Covered Businesses”, above) should take immediate steps to fully comply with the CCPA, if it has not already done so. Businesses that have begun compliance efforts should take note of the 2019 amendments and their impact.