
This is the Data Protection Report’s eleventh blog post in a series of CCPA blog posts. Stay tuned for additional posts on the CCPA.

As America prepares for the Fourth of July holiday weekend, the California legislature continues to work on amending the California Consumer Privacy Act (“CCPA”), as it races to get modifications passed through the state legislature before it adjourns for the 2019 calendar year. On June 28, one of those bills, AB 25, the “employee exception” bill, was significantly amended by the Senate Judiciary Committee and appears to be moving forward, despite a political setback last month when the California Labor Federation announced its opposition. Three other proposed amendments are set for a hearing on July 9, including AB 1355, which will hopefully clean up several drafting errors. See below for a brief summary of the latest on “what’s cooking” in Sacramento.

AB 25: “employee exception”

The version of AB 25 that passed the California Assembly would have excluded employees, agents, and individual contractors from the CCPA definition of “consumers.” The bill was referred to the Senate Committee on the Judiciary on June 12 and was amended on June 28.

Essentially, the amendment would broaden what is out of scope for CCPA to include not only employee, applicant or contractor information, but also information about directors, officers, and medical staff members, plus emergency contact information and benefits administration information that businesses collect for those limited purposes. Note that the new exceptions would NOT apply to the private right of action for breaches.

More specifically, the new exception section would read:

(g) (1) This title shall not apply to any of the following:

(A)       Personal information that is collected by a business about a natural person in the course of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business to the extent that the natural person’s personal information is collected and used by the business solely within the context of the natural person’s role or former role as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or a contractor of that business.

(B)       Personal information that is collected by a business that is emergency contact information of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business to the extent that the personal information is collected and used solely within the context of having an emergency contact on file.

(C)       Personal information that is necessary for the business to retain to administer benefits for another natural person relating to the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business to the extent that the personal information is collected and used solely within the context of administering those benefits.

(2) For purposes of this subdivision:

(A)       “Contractor” means a natural person who provides any service to a business pursuant to a written contract.

(B)       “Director” means a natural person designated in the articles of incorporation as such or elected by the incorporators and natural persons designated, elected, or appointed by any other name or title to act as directors, and their successors.

(C)       “Medical staff member” means a licensed physician and surgeon, dentist, or podiatrist, licensed pursuant to Division 2 (commencing with Section 500) of the Business and Professions Code and a clinical psychologist as defined in Section 1316.5 of the Health and Safety Code.

(D)       “Officer” means a natural person elected or appointed by the board of directors to manage the daily operations of a corporation, such as a chief executive officer, president, secretary, or treasurer.

(E)       “Owner” means a natural person who meets one of the following:

(i)         Has ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business.

(ii)        Has control in any manner over the election of a majority of the directors or of individuals exercising similar functions.

(iii)       Has the power to exercise a controlling influence over the management of a company.

(3) This subdivision shall not apply to Section 1798.150.

Because this bill differs significantly from the version that passed the Assembly, even if the new version passed the Senate, it would need to go back to the Assembly for consideration.

AB 25, as amended, was re-referred for consideration by the Senate Judiciary Committee. Responding to the news that the labor group has now registered its opposition to the bill, the bill’s author, Assemblyman Ed Chau, said, “To receive new opposition this far into the process complicates things, especially when we have spent months working with stakeholders on AB 25.” We will continue to monitor developments relating to this bill.

AB 874: “publicly available information” exception

CCPA, as it currently reads, excludes “publicly available information” from the definition of “personal information.” In its current form, “publicly available information” must be both (1) information that is lawfully made available from federal, state, or local government records, and (2) data that is used for a purpose that is compatible with the purpose for which the data is maintained. Practically speaking, this means social media postings, even if they appear to be publicly available in the traditional sense of the word, would not be considered publicly available under the CCPA. Also, driver’s license data that is purchased from local government records databases would not be exempted from CCPA protections if it is used for a purpose that is not compatible with the purpose for which the data is maintained (e.g. by a data broker).

AB 874 would remove the second condition so that the “publicly available information” exception would apply to all federal, state, or local government records, regardless of whether the data is used for a purpose that is compatible with the purpose for which the data is maintained. This bill is set for a hearing on July 9 by the Senate Judiciary Committee.

AB 1355: the “clean up” bill

For those of us who are scratching our heads at certain parts of the CCPA, AB 1355, which is also scheduled for a hearing on July 9, proposes to clean up many of the drafting errors that are causing confusion. Notably, the amendment would:

  • Clarify in Section 110(c) (“Access Rights” for businesses that collect personal information) that the consumer has the right to request the specific pieces of personal information the business has collected. In its current form, it appeared to read that actual “specific pieces of personal information” needed to be disclosed in an online privacy policy;
  • Clarify in Section 115(a)(2) (“Access Rights” for businesses that sell personal information) that the consumer has the right to know the category or categories of personal information that is sold for each category of third parties. In its current form, it appeared to read that businesses would need to disclose to consumers the actual list of third parties to whom the category or categories of personal information is sold;
  • Clarify in Section 120(c) (“Opt-in Requirement” for minors) that a business must obtain affirmative consent to the sale of personal information if the consumer is at least 13 years of age and less than 16 years of age. In the case of consumers who are less than 13 years of age, an authorization from the parent would be needed. In its current form, it was unclear whether the business would need to obtain the minor’s affirmative consent, the parent’s, or both.

Note that the California legislature is in session for one more week through Friday, July 12 and will then be in summer recess until Monday, August 12. The last day for bills to be voted into law this term is Friday, September 13 and the Governor will have 30 days to sign or veto bills that have been voted out by the legislature.

If you have any questions or would like additional information regarding CCPA or other US legislative proposals, please contact a member of our Data Protection, Privacy and Cybersecurity team.

Our other CCPA articles:

Article 1: Summary of CCPA’s major provisions

Article 2: CCPA covered entities

Article 3: CCPA definition of personal information

Article 4: CCPA disclosure requirements

Article 5: CCPA “Right to Deletion”

Article 6: California Attorney General’s Office begins CCPA rulemaking process with first public hearing while Congress debates new federal privacy law

Article 7: Comments at CCPA public forum in Los Angeles highlight tensions between businesses and consumer rights groups

Article 8: GDPR, CCPA and beyond: Changes in data privacy laws and enforcement risks to monitor in 2019

Article 9: CCPA: “Attorney General Amendment” Likely Dead

Article 10: Nevada, New York and other states follow California’s CCPA