In the run-up to January 1, 2020, the California legislature and Attorney General are rushing to provide clarity to the California Consumer Privacy Act of 2018 (CCPA)—and businesses are rushing to interpret and implement these new changes and guidelines.
With less than two months to go, we wanted to provide an additional overview and analysis of the key amendments the California legislature passed, in addition to our analysis of the draft California Attorney General Proposed Regulations.
On October 11, 2019, the Governor signed seven assembly bills, five of which amend the CCPA and two of which have indirect effects on the CCPA. In these bills lie: (a) limited reprieves from the January 1, 2020 deadline; (b) further clarity on what businesses must do to verify or authenticate a consumer request; and (c) further requirements on what businesses must include in their privacy notices—and what they can exclude.
A Quick CCPA Refresher
At a high level, the CCPA provides California consumers the following rights:
- Data Transparency – Businesses have to provide detailed information in their privacy policies about what they do with personal information, including the collection, processing, and transfer or sale of that data;
- Right of Access and Deletion – Businesses have to provide the consumer with a right to request access to their personal information and to request the business delete that information (even if businesses don’t always have to grant the request). Importantly, businesses must have the means to operationalize these rights and verify the identity of the person making the request;
- Right to Opt-Out – Businesses that sell personal information have to inform customers of that practice and provide them with an opt-out; and
- Data Security & Breach Disclosure – Businesses have to implement and maintain reasonable security procedures and practices to safeguard personal information, and they are liable both to the CA Attorney General and in court (via the private right of action) if they fail to do so.
The CCPA applies to all for-profit businesses that do business in California, whether located in California or not, and meet any of the following conditions: a) have annual gross revenues in excess of $25 million; b) collect, sell or share for commercial purposes the personal information of at least 50,000 consumers, households or devices; or c) derive at least 50 percent of their annual revenues from selling consumers’ personal information.
The October 2019 CCPA Amendments
The amendments have added some additional clarity to the CCPA and afforded businesses some temporary relief.
- Procedures for verifying a consumer request: While the CCPA still prohibits businesses from requiring consumers to create an account with the business to make a verifiable consumer request, AB-25 amends 1798.130(a)(2) to allow businesses to require a consumer who maintains an account with the business to submit the request through the account. It also clarifies that businesses may require authentication of the consumer that is “reasonable in light of the nature of the personal information requested.” The CA Attorney General also provided guidance in the proposed regulations on how businesses can verify an individual; but, at the end of the day, there is no check-the-box approach. Businesses will be challenged to make reasonable, risk-based judgments on how to authenticate individuals relative to the sensitivity of the data requested to ensure appropriate privacy and cybersecurity, without creating an undue burden on the consumer.
- Limited exemption for employees: AB-25 adds new 1798.145(g), which exempts businesses until January 2021 from having to grant access and deletion rights to employees, job applicants, medical staff members or contractors, as well as business owners, directors or officers, including with respect to personal information retained to administer benefits for another person in relation to such persons. Not exempted are (a) the right of employees, job applicants and contractors to receive a “Notice of Collection” at or before January 1, 2020; and (b) their right to sue the business for breaches of such data. In other words, companies still need to provide detailed employee privacy policies by the end of the year, and protect that information with reasonable safeguards upon penalty of potential class action, even if they don’t have to grant other rights—as a matter of law—until the start of 2021.
- “Personal information” redefined: AB-874 explicitly excludes “deidentified or aggregate consumer information” from the definition of “personal information.” This clarification will reduce the strain of CCPA compliance on the secondary data market that leverages deidentified or aggregate data for business purposes. For example, a business that purchases IP and geolocation data will not need to comply with the CCPA so long as that data is deidentified or aggregated within the meaning of the CCPA. The amendment also removed the requirement that “publicly available information” must be “compatible with the purpose for which the data is maintained and made available in public records.”
- Fair Credit Reporting Act (FCRA) exemption expanded: AB-1355 broadens the exemption in 1798.145(d) for FCRA information so that the exemption applies to a broad range of activities performed by consumer reporting agencies, by furnishers of information used in consumer reports and by users of a consumer report, to the extent such activity is subject to regulation by the FCRA and the information is not used, communicated, disclosed or sold, except as authorized by the FCRA. As with the other exemptions in 1798.145, FCRA data remains subject to the private right of action for data breaches.
- Data breach liability narrowed to data that is not encrypted AND not redacted: AB-1355 modifies 1798.150 to permit a private civil action to be instituted only for personal data that is “nonencrypted and nonredacted.” Many companies will interpret this requirement as an incentive to incorporate encryption and redaction into their “reasonable” safeguards.
- Limited Business-to-Business (B2B) exemption that expires in one year: AB-1355 excludes from the CCPA until January 2021 all personal information collected by a business where it is communicating or transacting with a consumer who is acting for another organization and the communication or transaction occurs solely within the context of the business providing or receiving a product or service to or from such organization. Like job applicants and employees, a person whose personal information is gathered in the B2B context retains the right to sue if there is a security breach involving his/her personal information.
- Anti-discrimination: AB-1355 retains the prohibition on a business discriminating against a consumer for exercising any of the consumer’s rights under the CCPA. Yet, where the CCPA made an exception if the differential treatment was reasonably related to “the value provided to the consumer by the consumer’s data,” AB-1355 modifies the exception to read “the value provided to the business by the consumer’s data.” The California Attorney General Regulations provide some helpful examples:
  - "A music streaming business offers a free service and a premium service that costs $5 a month. If only the consumers who pay for the music streaming service are allowed to opt-out of the sale of their personal information, then the practice is discriminatory, unless the $5 per month is reasonably related to the value of the consumer's data to the business."
  - "A retail store offers discounted prices to consumers who sign up to be on their mailing list. If the consumer on the mailing list can continue to receive discounted prices even after they have made a request to know, request to delete, and/or request to opt-out, the differing price level is not discriminatory."
The key is: businesses that offer variable pricing, premiums or coverage have to make sure that those differences are made for the right reasons, and not for the wrong reasons. To the list of wrong reasons, the CCPA now adds the choices consumers make with respect to their personal information.
- Vehicle warranties: AB-1146 carves out a specific exception from the “right to deletion” for vehicle information or ownership information shared between a manufacturer and a dealer for purposes of a vehicle repair relating to a warranty or recall. This amendment paves the way for other industries to carve out exceptions to “personal information” for data that may be required to meet continuing contractual obligations or document retention requirements, or that may otherwise be in the public interest.
- Online businesses: AB-1564 exempts businesses that operate exclusively online and have a direct relationship with a consumer from the requirement to provide consumers two or more methods for submitting requests. Online-only businesses are only required to provide an email address for submitting requests, and, if the business maintains an internet website, the business must also make the internet website address available to consumers to submit requests.
- Data broker registration: AB-1202 requires “data brokers” to register with the California Attorney General and to be listed on the Attorney General’s website. The bill defines a data broker as a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship. This amendment, and the corresponding list that will be created, will likely have a significant effect on the data brokerage market by providing transparency, and the additional scrutiny that comes with it. Consumer reporting agencies covered by the FCRA, financial institutions subject to the Gramm-Leach-Bliley Act, and entities subject to the Insurance Information and Privacy Protection Act are exempted from the data broker registration requirements. The bill does not require data brokers to provide information on how consumers may exercise their CCPA right to opt-out of the sale of their personal information.
- Expanded data breach notification requirements: AB-1130 amends California’s Data Breach Notification Law (Civ. Code § 1798.29) to expand the definition of personal information—which is the definition used for the Private Right of Action in the CCPA—to include: (a) unique biometric data; and (b) government-issued identification numbers, including passport numbers. AB-1130 also provides guidance on how, during a breach, companies can notify other entities that use the same biometric data as an authenticator so that they no longer rely on it for authentication purposes.