September 13, 2019 marked the last day of California’s 2019 legislative session and, importantly, the last call for any 2019 amendments to the landmark California Consumer Privacy Act (CCPA). In the end, the legislature passed bills that largely seek to clarify application of the CCPA and to set the stage for the California Attorney General to release his draft regulations. Given the potential impacts from the CCPA and some of its lack of clarity when applying it to business operations, businesses nationwide had focused their attention on Sacramento hoping and expecting to receive news that the legislature actually clarified impactful aspects of the CCPA. The amendments, which are outlined below, now head to Governor Gavin Newsom for consideration and possible approval by October 13, 2019. If they are signed into law, the amendments will go into effect on January 1, 2020. While none of the rumored major structural changes to the CCPA came to pass, moderately helpful clarifications should be considered as businesses roll out their readiness programs in advance of impending deadlines in 2020.
Here are the legislative amendments that currently await the Governor’s review and approval:
AB 25 (Chau)—Employment-Related Information Granted One-Year Exemption with Sunset
Perhaps the most highly anticipated amendment, AB 25 exempts employment-related information with a one-year sunset until January 1, 2021. Certain limited requirements remain: businesses must disclose categories of employment-related personal information collected and the purposes for its use, and employment-related information is still subject to the CCPA’s private right of action for data breaches. In addition to the employment-related provisions, AB 25 clarifies verifiable consumer request procedures, specifying that a business “may require authentication of the consumer that is reasonable in light of the nature of the personal information requested.” Businesses may further require consumers to use preexisting accounts with the business to submit a CCPA verifiable consumer request.
AB 1355 (Chau)—Miscellaneous Fixes
This bill received a number of revisions over the past few weeks regarding unrelated modifications. The salient changes are:
- One-year exemption for certain B2B data. This amendment exempts personal information that reflects a communication or transaction with a business and the employees (or similar) of a third-party entity in the context of conducting due diligence or in connection with the provision or receipt of a product or service, albeit with a one-year sunset on January 1, 2021. The effect appears to remove from the scope of the CCPA B2B contact information and other related information directly collected from business’ employees or personnel, if the information can be said to “reflect” the communication or transaction. Notably, the amendment does not exempt businesses from the “do not sell” or data breach provisions, including the private right of action, which B2B employees or personnel may seek to exercise.
- Clarification to the nondiscrimination provisions. The amendment makes an important revision to the exemptions to the nondiscrimination provisions by clarifying that differing prices or services can be provided based upon the value of the provided data to the business, not the consumer. These revisions would make it easier for businesses to tie their loyalty incentives to the value of provided data. It should be noted that AB 846 (Burke), which would have exempted customer loyalty programs outright from the CCPA’s nondiscrimination provisions and limited sales of personal information collected through such programs, did not pass.
- Support for a data minimization approach. AB 1355 clarifies that the CCPA should not be construed to require a business to “collect personal information that it would not otherwise collect in the ordinary course of its business, retain personal information for longer than it would otherwise retain such information in the ordinary course of its business, or reidentify or otherwise link information that is not maintained in a manner that would be considered personal information.” This clarification provides support for businesses wishing to minimize their data intake for verification purposes, but should nonetheless be weighed against the interest in protecting sensitive personal information from unauthorized requestors.
AB 874 (Irwin)—Definition of Personal Information to Include Reasonableness
In a modest narrowing of the definition of “personal information,” AB 874 clarifies that personal information must “reasonably” be “capable of being associated with” a particular consumer or household.
AB 1130 (Levine)—Additional Data Types Will Trigger Data Breach Provisions
This amendment adds new types of data to the list that triggers the CCPA’s data breach provision as well as California’s existing data breach notification requirement. The new data types enumerated are unique biometric data, tax identification numbers, passport numbers, military identification numbers, and other unique identification numbers issued on a government document.
AB 1146 (Berman)—Exemption for Vehicle Information
This bill provides a narrow exemption, clarifying that the CCPA’s right of deletion and right to “opt out” of the sale of personal information do not apply if a business or service provider needs the personal information to fulfill the terms of a warranty or product recall that is conducted in accordance with federal vehicle safety law. The bill specifically enables the retention and sharing of a consumer’s vehicle or ownership information between automobile manufacturers and dealers for effectuating repairs covered by a vehicle’s warranty or pertaining to a manufacturer’s recall.
AB 1202 (Chau)—Registration Required for Data Brokers
Businesses engaged in “data sales,” as defined by the CCPA, that involve personal information of consumers with whom they do not have a direct relationship must now register with the California Attorney General’s Office. Credit reporting agencies and financial institutions are exempted. The Attorney General will set registration fees and post information about the data brokers on its website. Failure to register exposes the business to civil penalties, injunctive relief, fees and costs.
AB 1564 (Berman)—No Phone Number Required for Online Only Businesses
This amendment updates the designated consumer request methods provision for businesses that operate exclusively online by removing the obligation to provide a toll-free phone number to exercise a rights request.
Why It Matters
As we have previously written, the amendments passed offer a mixed bag. While certain fixes are helpful (for example, the nondiscrimination provision), others provide only modest assistance to businesses racing to comply with the law, including those providing only momentary clarity via one-year sunset provisions, leaving long-term solutions still to be negotiated (for example, B2B exemptions). With the compliance deadlines nearing, we will continue to closely monitor all CCPA developments and provide stakeholders with meaningful updates as the bills head to Governor Newsom’s desk and any draft regulations are published.
Additional Resources: