Last week, the nearly yearlong process of amending the California Consumer Privacy Act of 2018 (CCPA) was finalized. The amendments to the CCPA were previously approved by California legislators, and, on Friday, October 11, 2019, the changes were signed into law by Governor Gavin Newsom. The bills amend the CCPA and become part of the law, which takes effect on January 1, 2020.
The CCPA serves as the most comprehensive consumer data privacy legislation in the United States, echoing many of the foundational principles mandated in the European Union’s General Data Protection Regulation, and following a global movement to better protect consumers’ data from unregulated exploitation, as was seen in Facebook’s Cambridge Analytica scandal that surfaced early last year.
This final round of amendments loosened some of the law’s standards, but the underlying structure of the CCPA remained largely intact. For a more detailed summary of the pre-amendment CCPA, please see this recent McNees Client Alert. Below is a brief overview of the most impactful changes to the legislation.
Definition of Personal Information
The definition of “personal information” was amended by AB 874 to include a reasonableness qualifier, meaning that the law will now only apply to personal information that is reasonably capable of being associated with a California consumer or household. This addition, promoted by business advocates, foreshadows future battles defining the scope of the reasonableness standard, which may result in court action for interpretation.
Exemption for Employees
AB 25 exempts employee information from most aspects of the law. With this amendment, the CCPA does not apply to personal information of a California resident that was collected by a business in the course of the individual acting as a job applicant, employee, owner, director, officer, medical staff member, or contractor of the business. This change means that employees are not afforded certain rights to access or delete their data that the business collected about the employee in their capacity as an employee, but the employees will still possess these rights related to any data collected by the business in their capacity as a consumer. Nevertheless, this amendment will only remain in effect for one year and will sunset on January 1, 2021, unless legislators further extend the amendment in 2020.
Business-to-Business Exemption
Personal information collected in B2B transactions will also be exempt from most of the CCPA requirements (for now). Added by AB 1355, personal information conveyed during a transaction between a business and a consumer shall not apply to the law where the consumer is acting as an employee, owner, director, officer, or contractor of another organization, and whose communications with the business occur solely within the context of the business “conducting due diligence regarding, or providing or receiving a product or service to or from such [other entity].” Like the employee information exemption, this B2B exemption sunsets on January 1, 2021.
Private Right of Action
The last notable amendment does not change the actual CCPA itself, but will affect consumers’ right to sue in the event of a data breach. The CCPA’s private right of action for a data breach is tied to the definition of personal information under California’s separate breach notification statute (not the CCPA’s personal information definition discussed above).
The amendment to the breach notification statute expands the types of personal information that may be used as the premise for a private action against the business if that information is accessed through a data breach. This amendment, known as AB 1130, adds tax ID numbers, passport numbers, military ID numbers, unique ID numbers on government-issued documents, and certain types of unique biometric data, such as fingerprints and retinal scans, to the definition of personal information. Therefore, businesses that collect or retain any of these expanded identifiers may be subject to a lawsuit in the event of a breach caused by their failure to maintain reasonable security procedures.
Other Amendments
The CCPA was amended by several other bills that were signed by the governor. The McNees Privacy & Data Security Group will continue to monitor these amendments and can assist your business, domestically and abroad, in preparing for their impact.
