Among many practical challenges, the CCPA often includes inconsistent or ambiguous requirements that have been an obstacle to implementing clear compliance strategies. Businesses, some academics, and various legislators thought that further amendments were needed to make the CCPA work effectively and accomplish its objectives. Over the past several months, the California legislature debated several amendments, eventually passing five bills, which now sit on the Governor’s desk. These bills collectively do not provide the sweeping changes sought by businesses. Instead, the amendments make minor tweaks and postpone for a year some of the more challenging requirements.
The passed bills address a range of topics that include, among other things:
- providing for a partial, temporary one-year exception for applicant and employee data;
- providing for a partial, temporary one-year exception for certain business-to-business personal information;
- broadening the Fair Credit Reporting Act (FCRA) exception;
- changing the manner in which businesses can accept consumer requests, including allowing businesses to require use of existing consumer accounts to make CCPA requests, permitting companies that operate online to offer only an email address to their customers to make requests, and requiring businesses with a website to allow consumers to submit CCPA requests through the website;
- clarifying that deidentified and aggregate data are not personal information;
- modifying the definition of personal information to add “reasonably” in front of “capable of being associated with”;
- clarifying that a business is not obligated to collect personal information that it would not otherwise collect in the ordinary course of its business or retain personal information for longer than it would otherwise retain such information in the ordinary course of its business;
- excepting from deletion rights data necessary to fulfill warranty or product recall;
- creating an exception for vehicle information shared between manufacturers and dealers for purposes of vehicle repair covered by warranty or a recall; and
- making numerous technical changes to correct errors or clarify typos.
Collectively, the bills make modest or temporary adjustments. Each of the five passed bills is now with the Governor. If the Governor signs the bills or takes no action to veto them by October 13, 2019, they will become law. The following contains more information about the five bills that passed the legislature. Please note that some of the five bills have duplicative content. We do not point out those instances.
AB-25 (Human Resources Data Exception)
AB-25 provides a temporary exception for personal information of applicants, employees, contractors and some other roles from some, but not all, CCPA requirements. The exception would sunset after one year, at which point the CCPA would apply fully to employee personal information. Not excepted under this provision and effective January 1, 2020, is the requirement for businesses to provide notice at or before the point of collection of the categories of personal information to be collected and the purposes for which those categories of personal information will be used, as well as the requirement to reasonably protect specified categories of sensitive personal information, the failure of which is subject to a private right of action if a data breach occurs.
The temporary delay of full CCPA applicability was inserted to encourage the legislature to consider an employee privacy bill in 2020, not to exclude employee data from California privacy law entirely. The exception applies in the employment context—if an employee makes a purchase from their employer in a consumer role, the data associated with that transaction could still be subject to the entirety of the CCPA.
AB-25 also addresses the process for authenticating consumer requests. It allows businesses to scale their authentication requirements to the sensitivity of the personal information. When a consumer making a request has an account with the business, the consumer may be required to use that account to make a request. If a consumer does not have an account, the CCPA prohibits a business from requiring that consumer to create an account as a condition of exercising their rights.
AB-874 (Edits to Personal Information)
AB-874 clarifies that deidentified and aggregate data are not within the definition of personal information. It also modifies that definition by adding the word “reasonably” in front of “capable of being associated with.” While broad language about information “relat[ing] to” or “describ[ing]” a particular consumer persists, the reasonableness qualifier and the clarifying recognition that information about consumers can be in deidentified or aggregate forms are helpful for companies seeking to use deidentification and aggregation approaches to avoid various CCPA requirements. AB-874 also simplifies the “publicly available information” exception to personal information by clarifying that it applies to information lawfully available from federal, state or local government records. Following collection by a business, the use of the personal information does not have to be consistent with the purposes for which the public records were maintained or made available by a governmental entity.
AB-1146 (Limited Expansion of Deletion and Sales Opt-Out Exceptions for Specific Activities)
AB-1146 modifies the deletion right to except data necessary to fulfill warranty or product recalls conducted in accordance with federal law. It excepts from the CCPA certain types of owner and vehicle information shared by a vehicle dealer and the manufacturer for vehicle repairs associated with warranties or recalls. This exception allows such sharing without triggering consumer sale opt-out rights.
AB-1355 (Business to Business Exception; Expansion of FCRA Exception)
AB-1355 creates a limited one-year exception for numerous CCPA requirements relating to certain Business-to-Business communications and transactions. Specifically, personal information reflecting communications or transactions between a business and a consumer who is acting on behalf of another business or government agency, such as an employee or contractor of such an entity, will not be subject to many of the CCPA’s requirements until January 2021. This Business-to-Business personal information, however, will still be subject to some CCPA provisions, which will go into effect on January 1, 2020, including the private right of action for data breaches resulting from unreasonable security and anti-discrimination and financial incentive provisions. The scope of the exception will also need careful analysis to determine what data qualifies for the additional one year compliance period. For example, the communications or transactions need to occur “solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from such [other entity].”
AB-1355 also modified the FCRA exception. Previously, the CCPA did not apply to the “sale” of personal information to or from a consumer reporting agency for use in a consumer report, as defined by FCRA. This bill modifies the statute to expand the range of activities that the exception covers beyond sale, adding collection, maintenance, disclosure, communication, and use. However, such activity is covered by the exception “to the extent that such activity… is subject to regulation under” FCRA and is not “used, communicated, disclosed, or sold except” as permitted by FCRA. The private right of action for data breaches based on unreasonable security does apply to FCRA-covered information if it includes data elements that trigger notification under California’s breach notification law.
AB-1564 (Addressing Consumer Requests)
For businesses that operate exclusively online and have a direct relationship with the consumers from whom they collect personal information, AB-1564 removes the requirement to provide a toll-free number and allows such businesses to only provide an email address for access requests. If a business has a website, it is now required to allow consumers to submit access requests via the website. Businesses can require reasonable authentication tailored to the type of personal information requested. Businesses can also require consumers that maintain an account with the business to make access requests through the account.
With the close of the legislative session, there will be no further CCPA amendments prior to January 1, 2020. We anticipate that the Governor will sign the package of bills. The next significant anticipated action is the Attorney General’s release of draft CCPA regulations for public comment, which could occur at any time.
Authored by Timothy Tobin, Mark Brennan, Scott Loughlin and Jonathan Hirsch