With the close of the California legislative session on September 13, 2019, the final amendments to the California Consumer Protection Act ("CCPA") have been submitted to California Governor Gavin Newsom for his signature. Five amendments made it through the 2019 legislative session, along with two separate CCPA-related privacy bills. Governor Newsom has until October 13, 2019, to sign the legislation. Should he do so, the key changes to the CCPA will consist of several new exemptions for certain types of data and processing activities, and clarifications to definitions, the right to equal service and price, and obligations surrounding procedures to receive and authenticate consumer requests.
As a practical matter, the limited nature of the exemptions, including in some cases, their short tenure, demonstrates the strong desire and resolve of the California legislature to avoid any actual or perceived weakening of the CCPA. The next step in the process of CCPA implementation is the release for public comment of proposed rules by the Attorney General’s office, which have been promised to be published in October. We will continue to monitor developments in this area.
The amendments create several new exemptions which will impact business-to-business (“B2B”) communications, employer-employee relationships, processing activities regulated by the Fair Credit Reporting Act (“FCRA”), and motor vehicle dealers.
Until January 1, 2021, the personal information of employees and contractors collected by a business during B2B transactions will be exempted from most of the CCPA’s compliance obligations. This exemption is limited to (a) information collected in the context of conducting due diligence of a business, nonprofit, or government agency; or (b) information collected through the provision or receipt of a product or service from a business, nonprofit, or government agency. In practice, this exemption will be narrow, applying only to information collected in order to provide or receive services, such as an employee’s email address associated with a user account and related communications between two businesses. Notwithstanding the limited scope of the exemption, the legislature concluded that it should be time-limited.
Similarly, the legislature exempted personal information collected by a business about job applicants, employees, owners, directors, officers, and contractors from almost all provisions of the Act. The exemption does not apply, however, to the private right of action in the event of a data breach, or to the obligation to inform the individual of the categories of personal information collected. Thus, businesses will still be required to provide CCPA privacy notices to their California employees and job applicants. Importantly, the legislature limited the duration of this exemption as well, and it expires January 1, 2021.
The legislature further exempted activities regulated by FCRA, such as the use or disclosure of personal information by a consumer reporting agency, furnisher of information, or user of a consumer report, from most provisions in the CCPA. Like the exemption for employee information, the FCRA exemption does not apply to the private right of action in the event of a data breach. This exemption is not unlike that already provided for activities covered by the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act.
Perhaps the most targeted exemption applies to certain information necessary for vehicle warranty repairs or recalls. The legislature indicated a consumer could not opt out of the sharing of vehicle or ownership information between a new motor vehicle dealer and the vehicle’s manufacturer if the information is shared to effectuate a warranty repair or recall. Similarly, though not limited to the auto dealer industry, information necessary to fulfill the terms of a written warranty or product recall is exempt from the CCPA’s deletion right.
Definitions and Clarifications to Obligations
The amendments also clarify many inconsistencies in the law’s definitions.
The amendments revise the definition of “publicly available” to mean information lawfully made available from federal, state, or local government records. Most significantly, this amendment removes use restrictions on publicly available information that were likely unconstitutional. For example, the CCPA’s current definition of “publicly available” provides that information is not “publicly available” if used for a purpose that is not compatible with the purpose for which the data is maintained and made available in the government records or for which it is publicly maintained. In addition, the amendments narrow the definition of “personal information” by correcting a significant drafting error to properly exempt deidentified or aggregated consumer information from the definition of “personal information.” The definition is further narrowed to apply to information that is “reasonably [emphasis added] capable of being associated with” a consumer or household. Without this revision, the definition of “personal information” encompasses all information that is “capable of being associated with” a consumer or household. “Capable of being associated” was not defined and could have theoretically covered every type of data or data element.
Receiving and Authenticating Consumer Requests
A persistent source of confusion for businesses has been how to properly receive and authenticate consumer requests for access or deletion under CCPA. While the California Attorney General is set to draft implementing rules and procedures on how businesses will receive and verify consumer requests, the amendments provide additional clarity.
As drafted, the CCPA requires businesses to make available at least two methods—a toll-free number and a web address (if the business maintains a website)—for consumers to submit requests or otherwise exercise their rights under the Act. The amendments create an exception for businesses that operate “exclusively online” and have a “direct relationship with a consumer from whom it collects personal information,” permitting them to provide an email address in lieu of a toll-free number for submitting CCPA requests. Businesses that maintain a website are still required to provide a web address for consumers to submit requests. As a practical matter, this exemption will likely mean that many small or medium businesses may need to obtain toll-free numbers; there are likely many small to medium-sized brick and mortar businesses that have a website in addition to their physical locations but have not had the need to obtain a toll-free number.
With regard to authenticating requests, the amendments authorize businesses to require authentication of a consumer that is reasonable in light of the information requested in order to make a verifiable request. This allows businesses to require a consumer to submit requests through an account if the consumer maintains an account with that business, but businesses still are not permitted to require a consumer to create an account to make a verifiable request.
CCPA-Related Privacy Bills
In addition to the amendments described above, the legislature also passed two CCPA-related privacy bills.
One of the most significant consumer rights conferred by the CCPA is a private right of action for the breach of nonencrypted and nonredacted personal information, as defined in California’s data breach law. AB-1130 amends California’s data breach law by revising the definition of “personal information” for the purposes of data breach notification to add unique biometric data and tax identification numbers, passport numbers, military identification numbers, and unique identification numbers issued on certain government documents. While AB-1130 does not directly amend the CCPA, it expands upon the data elements for which a consumer may seek a private right of action under the CCPA, if breached.
Pertinent to data brokers, AB-1202 creates a reporting obligation for data brokers, requiring them to register annually with the California Attorney general by paying a fee and providing their contact information. Under the new law, a data broker is defined as a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a “direct relationship,” subject to specified exceptions. The Attorney General is then required to make the information provided by data brokers accessible on its website. Data brokers that fail to register are subject to injunction and liability for civil penalties of $100 per day, fees, and costs in an action brought by the Attorney General.
With the limited exemptions for employee and B2B data expiring January 1, 2021, the expectation is that the California legislature will reassess these exemptions in the next legislative session. While there will be no further amendments to the CCPA prior to its coming into effect on January 1, 2020, the Attorney General will still need to issue implementing regulations. The Attorney General has indicated his office will focus on the following areas in its rulemaking proceeding: (1) Adding categories of personal information; (2) updating the definition of unique identifiers; (3) establishing exceptions necessary to comply with state or federal law; (4) establishing rules and procedures for submitting and complying with consumer requests; (5) developing a uniform opt-out logo or button; (6) establishing rules and procedures regarding notices and information provided to consumers, including around financial incentive offerings; and (7) establishing rules and procedures for verifying consumer requests.
Representatives from the Attorney General’s office have recently stated that they expect draft regulations to be released in October. WSGR will continue to monitor developments and provide updates.