As readers of the Data Security Blog will know, the California Consumer Privacy Act (“CCPA”) becomes operative on January 1, 2020. The CCPA is the most sweeping consumer privacy law in the United States, covering most for-profit businesses that do business in California and collect the personal information of “consumers,” meaning California residents.
The deadline for the California Legislature to update amendments to the CCPA was September 13, 2019. All told, six amendments passed, though many more were proposed. Some of the amendments clarify issues that critics have worried about since the CCPA was enacted in 2018, but other amendments that would have done more to help businesses and consumers understand the scope of the law stalled or died in committee. The following amendments passed:
- AB 25: This amendment would delay for one year, until January 1, 2021, all CCPA requirements, with the exception of the notice requirement, with regard to personal information of employees, owners, directors, contractors, and job applicants collected and used by the business in the context of performing those roles. This amendment also allows businesses to require reasonable authentication of consumer requests.
- AB 1355: This amendment is broad, and contains several exemptions, including (i) the business-to-business transactions exemption, which exempts some personal information transferred between a business and a consumer acting on behalf of another business entity; and (ii) the business retention exemption, which exempts businesses that would not otherwise collect or retain information in the ordinary course from doing so just to comply with the CCPA. The business-to-business exemption is important because at present, any email sent from California contains personal information as defined under the CCPA, i.e., email addresses and information contained in an email signature. This amendment also contains a clarification of the private right of action for data breaches.
- AB 1564: This amendment exempts a business that only operates online from the requirement of creating a toll-free number for consumers to make requests under the CCPA. Those businesses must provide an email address for consumers to make requests.
- AB 874: This amendment clarifies language in the CCPA about what constitutes “publicly available information,” which is excluded from the definition of “personal information” under the CCPA, as well as de-identified or aggregate consumer information.
- AB 1146: This amendment exempts vehicle and ownership data from the consumer’s right to “opt out” of the sale of that information in connection with vehicle repair or recall.
- AB 1202: This amendment requires the Attorney General to create a publicly available registry of data brokers (businesses that knowingly collect and sell personal information to third parties) on its website.
We are still waiting for guidance from the California Attorney General, specifically on the process of consumer verification and other open issues, and will provide additional updates as new information becomes available.