While privacy laws are proliferating globally, the California Consumer Privacy Act (CCPA) is California’s comprehensive and landmark legislation that seeks to give California consumers expanded rights to learn about and control certain aspects of how a business handles “personal information” collected about its consumers. On Friday the 13th of September 2019—the last day of California’s legislative session—California lawmakers updated, finalized and sent six bills that would amend the CCPA to Governor Gavin Newsom’s desk for signature. Despite months of efforts from various groups, the CCPA made it through the legislative session with relatively fewer changes than expected. However, if the governor signs all six bills, the changes these bills would make to the CCPA are important and should be noted. The governor has until October 13, 2019, to sign or veto the legislation, and the following is a high-level overview of the substantive aspects of the six bills. Because of the breadth of the statute and the relative size of the changes, businesses are and should be working quickly between now and the day the CCPA goes into effect on January 1, 2020, to prepare for compliance.

Methods for Consumers to Submit Requests for Disclosure: The CCPA grants consumers the right to request that a business disclose certain “personal information” that the business has collected about the consumer. AB 1564 modifies the obligation of businesses to create designated methods for consumers to act on this right under 1798.130(a)(1)(A).

• Allows a business that operates exclusively online and has a direct relationship with a consumer from whom it collects “personal information” to provide only an email address to consumers to submit requests for information required to be disclosed, instead of a toll-free number.
• Adds that if a business maintains an internet website, the business is required to make the internet website available to consumers to submit requests for information required to be disclosed pursuant to 1798.110 and 1798.115.

Amendments to the Definition of Personal Information and Public Information: One of the most concerning aspects of the CCPA to businesses is the breadth of its definition of “personal information.” AB 874 narrows the definition of this key term.

• Amends the definition of “personal information” in 1798.140(o)(1) by adding the word “reasonably” in front of “capable of being associated with” a consumer or household.
• Narrows the definition of “personal information” by expanding the scope of the “publicly available information” exemption in 1798.140(o)(2) so that any information that is lawfully made available from federal, state or local government records would be considered “publicly available” and not “personal information,” regardless of how that information is used.

General Exemption for Employment Information—But Businesses Must Still Respond to Employee’s Right to Know Under 1798.100(b): One concern businesses have had surrounding the CCPA is its application to employees. AB 25 provides businesses a temporary reprieve by generally exempting from the scope of the CCPA, until January 1, 2021, “personal information” that is collected by a business about a person in certain employment-related contexts.

• Exempts “personal information” that is collected by a business about a natural person in the course of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of or contractor of that business to the extent that the natural person’s “personal information” is collected and used by the business solely within the context of the natural person’s role or former role as one of the foregoing.
• Exempts emergency contact information of such individuals in certain employment-related contexts and information used to administer benefits for another natural person relating to such individuals.
• Confirms that businesses need to provide notice of the categories of “personal information” to be collected by the business and the purposes for which the categories of “personal information” will be used by the business under 1798.100(b) to individuals covered in the exemptions above. These individuals also retain their right to bring a private action for a data breach under 1798.150.

The Right to Require Reasonable Authentication and Obligation to Respond to Disclosure Right: AB 25 aims to provide clarity on the methods by which consumers can submit requests for disclosure of their “personal information.”

• Amends 1798.130(a)(2) to state that a business may require authentication of a consumer that is reasonable in light of the nature of the “personal information” requested, and if the consumer maintains an account with the business, the business may require the consumer to submit their request through that account.

Clarification of Rights Request, Definition of “Personal Information” and AG Guidance: AB 1355 amends the definition of “personal information,” and provides the AG with a right to adopt additional regulations on compliance with consumer rights requests granted by the CCPA.

• Amends 1798.110(c)(5) to clarify that a consumer has the right to request the specific pieces of information that a business has collected about that consumer.
• Clarifies that “personal information” does not include consumer information that is de-identified or aggregated.
• Provides a clarification to 1798.185(b)(1) whereby the attorney general may adopt additional regulations to establish rules and procedures on how to process and comply with verifiable consumer requests for specific pieces of “personal information” relating to a household in order to address obstacles to implementation and privacy concerns.

Ordinary Course of Business Amendment: AB 1355 addresses the growing concern from businesses on when they should collect, or refrain from collecting, a consumer’s “personal information” under the CCPA.

• AB 1355 provides clarification to 1798.145(i) so that it states that the CCPA does not require a business to (1) collect “personal information” that it would not otherwise collect in the ordinary course of business; or (2) retain “personal information” for longer than it would otherwise retain such information in the ordinary course of business.

Limited B2B Exemption: AB 1355 adds 1798.145(o) to provide a narrow business-to-business (B2B) exemption from the scope of the CCPA, until January 1, 2021, for mergers and acquisitions, due diligence and certain communications between the business and an employee of another company.

• States that the CCPA shall not apply to “personal information” reflecting a written or verbal communication or a transaction between the business and the consumer, where the consumer is a natural person who is acting as an employee, owner, director, officer or contractor of a company, partnership, sole proprietorship, nonprofit or government agency and whose communications or transactions with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from, such entity.
• Specifically, this limited B2B exemption does not apply to the obligation for sale opt-outs under 1798.120 or the rights of consumers to be free from discrimination in prices or quality of goods or services under 1798.125.
• This exemption has no impact on the ability of such individuals to bring a private action for a data breach under 1798.150.

FCRA Exemption Clarified and Expanded: While the CCPA currently exempts information regulated by the Fair Credit Reporting Act (FCRA), AB 1355 amends 1798.145 to provide some clarity on the CCPA’s application to this information.

• Clarifies the existing FCRA exemption, specifically that the CCPA does not apply to activity involving the collection, maintenance, disclosure, sale, communication or use of any “personal information” bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics or mode of living by a consumer reporting agency, by a furnisher of information, who provides information for use in a consumer report, and by a user of a consumer report.
• The exemption does not affect a consumer’s ability to bring a private action against a business for a data breach involving such information under 1798.150.

Do Not Sell Exception for Vehicle Information: Among other rights (which you can read about here), the CCPA grants consumers the right to direct businesses to stop selling their “personal information”. AB 1146 provides a narrow industry-specific exemption from the “do not sell” requirement under 1798.120.

• Specifically, AB 1146 provides an exemption from the “do not sell” requirement under 1798.120 for vehicle information or ownership information retained or shared between a new motor vehicle dealer and the vehicle’s manufacturer, if the vehicle or ownership information is shared for the purpose of effectuating, or in anticipation of effectuating, a vehicle repair covered by a vehicle warranty or a recall, provided that the new motor vehicle dealer or vehicle manufacturer with which that vehicle information or ownership information is shared does not sell, share or use that information for any other purpose.

Exception to Right to Delete for Warranty/Product Recall: AB 1146 also provides a new narrow exception to the deletion right under 1798.105(d)(1) if a business needs the information in order to fulfill the terms of a written warranty or product recall conducted in accordance with federal law.

Data Broker Addition: AB 1202 requires certain businesses that sell “personal information,” as defined by the CCPA, to register as “data brokers” with the California attorney general, pay a registration fee and provide certain information concerning the data broker.

• Imposes a penalty of $100 a day for each day the data broker fails to register.
• “Data broker” is defined to mean a business that knowingly collects and sells to third parties the “personal information” of a consumer with whom the business does not have a direct relationship. It does not include entities already regulated by the FCRA, the GLBA or California’s Insurance Information and Privacy Protection Act.
• 99.84 further states that the attorney general shall create a page on its website where the information provided by data brokers shall be available to the public.

[View source.]