Executive Summary: The wait is over: only five CCPA amendments made it through the California legislature. The amendments are limited in scope, which means the CCPA will go into effect, largely intact, on January 1, 2020.

The California legislative session for 2019 ended on September 13 and the following five amendments to the California Consumer Privacy Act (CCPA) were passed: AB 25, 874, 1146, 1355, and 1564. They now move to the Governor’s desk, where he has 30 days to sign or veto them.

The bills change almost every section of CCPA. Rather than examine the changes of each bill, we thought it would be more useful to see how each section of CCPA will change once the Governor signs all five bills. This will be the version that will go into effect on January 1, 2020. Changes range from clarifications to definitions and new exemptions to technical corrections.

Summary of CCPA Amendments

– § 1798.100. Minor stylistic and editorial changes only. No substantive changes in terms of requirements or obligations for businesses.

– § 1798.105. Subsection (d)(1) now adds an exception to the deletion right. A business may refuse to comply with a consumer’s deletion request if the personal information is needed in order to “fulfill the terms of a written warranty or product recall conducted in accordance with federal law.” There are also a few editorial changes.

– § 1798.110. Subsection (c)(5) is clarified to read that a business’ obligation is to disclose in an online privacy policy “that a consumer has the right to request” the specific pieces of personal information that the business has collected about consumers in general, not about a specific consumer. As phrased in its current form, it could have been read to mean businesses must disclose, in the privacy policy itself, the specific pieces of personal information that were collected, which did not make sense.

– § 1798.115. Section (a)(2) is amended to permit the consumer to request that the business notify the consumer of the categories of personal information sold for “each category of third party”, rather than “each third party.” This means businesses will no longer be required to disclose the specific names of the third parties to whom personal information is sold.

– § 1798.120. Subsection (c) now resolves an ambiguity relating to the ages for the opt-in consent requirement. The clarification states that businesses must obtain opt-in consent from minors who are 13 to 15 years old before “selling” the minors’ personal information. Previously, there was a question of whether opt-in consent would be required for 16-year-olds. (Of course, under-13 still requires opt-in parental consent.)

– § 1798.125. The amendments correct a few errors in this non-discrimination section. In subsections (a)(2) and (b)(12), businesses can offer different prices, rates, quality, etc. for goods and services if the differences are reasonably related to the value provided to the business – not to the consumer – by the consumer’s data. The amendment also includes a technical fix to correct the cross-reference for notification of financial incentives from § 1798.135 to § 1798.130.

– § 1798.130. The amendments change and clarify a business’ obligation to permit consumers to submit requests to exercise their CCPA rights. The requirement for a toll-free number remains intact, with a notable exception: a business that operates solely online and has a direct relationship with the consumer need only provide an email address for such requests. Otherwise, in addition to the toll-free number, if the business maintains a website, the business must also make the site available to consumers to submit their requests. In addition, although businesses cannot require consumers to create an account in order to exercise their CCPA rights, if the consumer already has such an account, the business can require the consumer to submit the request through the account. Finally, the amendments added that the online privacy policy must also describe the consumer’s rights under § 1798.100 and § 1798.105.

– § 1798.140. The definitions underwent some editorial changes, and a technical fix to correctly cross-reference the definition of “Homepage” (for notices required by § 1798.135, rather than § 1798.145). The substantive changes appear in the definition of “personal information.” Under the amendments, the limitation that information is not “publicly available” if the data was used for a purpose not compatible with the purpose for which the government maintained it has been deleted. As a result, information legally made available from federal, state or local governments is not “personal information.” The definition of “personal information” has been amended to begin “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The amendments also now expressly state that “personal information” does not include de-identified or aggregate consumer information. Finally, consistent with the changes in § 1798.130 above, a business need not comply with a request under § 1798.100 or § 1798.105 if the business cannot verify the consumer making the request, based on the criteria in the forthcoming regulations from the Attorney General.

– § 1798.145. The most significant substantive amendments create new exemptions to CCPA, removing certain personal information from the scope of CCPA — although two of the exemptions exist only during calendar year 2020.

  • In subsection (d), the amendments revised the Fair Credit Reporting Act (FCRA) “consumer report” exemption to clarify that most of CCPA does not apply to the sale or reporting of consumer information by a consumer reporting agency under FCRA. That information cannot be used, communicated, disclosed, or sold except as authorized by FCRA. Note that CCPA § 1798.150 – the consumer private right of action for certain security breaches and the requirement for reasonable security – continues to apply.
  • New subsection (g) is the exemption relating to vehicle information, which affects the CCPA “opt out” right. Under this new exemption, vehicle and ownership information can be shared between new motor vehicle dealers and the manufacturer if the information is shared “for the purpose of effectuating, or in anticipation of effectuation, a vehicle repair covered by a vehicle warranty or recall” and for no other purpose.
  • New subsection (h) is the much-publicized “employee exemption,” which has a one-year duration and so gives the California legislature a one-year deadline to pass a separate employee privacy bill. Once this amendment is signed into law, which we expect, many of CCPA’s requirements will not apply to personal data of the following categories of persons:
    • Job applicant
    • Employee
    • Owner
    • Director
    • Officer
    • Medical staff member
    • Individual contractor
  • This employee exemption will only apply if the personal information is collected and used by the business solely in the context of the person’s role or former role in that business. Also excluded from CCPA’s scope is emergency contact information that is collected by the business, as well as information necessary to administer benefits, again limited to when such information is used solely for that purpose. This exemption, however, does not remove the notice requirement under § 1798.100(b) or exempt the data from the consumer private right of action under § 1798.150. Employers will still need to conduct the due diligence necessary to revise the employee privacy notices and have them revised before January 1.
  • What is now subsection (k) has been expanded to state that when a business is verifying the consumer, it is not required to collect or retain information it would not otherwise collect or retain in the ordinary course of business.
  • New subsection (n) is a new exemption that is set to expire in one year. Under this new exemption, personal information that a business collects in a business-to-business transaction would be exempted from most of CCPA’s requirements, when such data is collected when a California resident makes a written or verbal communication or transaction with a business “within the context of the business conducting due diligence regarding, or provision or receiving a product or service to or from such company, partnership, sole proprietorship, non-profit, or government agency.” Note that § 1798.150 (consumer private right of action for breach) continues to apply, so if a Social Security Number was collected from a sole proprietor, for example, in a B2B context, private litigation may still be available to that individual whose information was accessed or used improperly. Also, opt-out and non-discrimination rights still apply, so your business contacts may still opt out from having their information “sold” to third parties, and you may not deny goods or services or charge different prices to business customers because they have opted out. As it is currently written, this B2B exemption also does not appear to include B2B cold-calling or other marketing communications not initiated by the other entity. This means a business must comply with all CCPA requirements, such as notice, access, deletion and opt-out, if the personal information belonging to potential business/customer contacts was obtained from a third party, such as a marketing list provider, until a communication or transaction occurs with the business “within the context of the business conducting due diligence regarding, or provision or receiving a product or service to or from” such business.

– § 1798.150. This private right of action section has one change in the beginning of subsection (a)(1): it now limits private right of action to any consumer “whose non-encrypted AND non-redacted personal information” has been breached, which means private litigation under CCPA will no longer be available to persons whose information was either encrypted or redacted. This is a significant improvement as this will be a simple defense to liability and easier to establish than having to demonstrate that the business had “reasonable security.”

– § 1798.185. Finally, the amendments make a few changes to the forthcoming regulations from the Attorney General. Subsection (a)(4)(A) corrected the cross-reference to the opt-out provision to § 1798.120 and there was a minor correction in (a)(7). Subsection (b) was amended to add that the Attorney General may adopt regulations on how to process and comply with verifiable consumer requests for specific pieces of personal information.

What’s next

The Governor has until October 13 to sign or veto any or all of the five bills. Regardless of what action he takes, we are still anticipating the draft regulations to be issued from the Attorney General this fall. Looking a bit further into the future, if the two one-year exceptions get signed into law, we should expect additional CCPA amendments in 2020 by the California legislature.

Takeaways

  1. Employees and business-to-business contact information are largely out of scope for CCPA, at least for 2020.
  2. There were no substantive changes to CCPA’s basic requirements: notice, access, deletion, opt-out, and non-discrimination.
  3. There were no changes to the effective date (January 1, 2020) or to the Attorney General enforcement date (July 1, 2020).
  4. Industry-backed amendments relating to loyalty programs, targeted ads, or the expanded definition of de-identified data did not pass.
