At the close of its legislative session on Sept. 13, the California Legislature passed five bills to amend and clarify the scope of the landmark California Consumer Privacy Act, which establishes new statutory privacy rights and business obligations for the collection and use of “personal information.”
California Gov. Gavin Newsom (D) has until Oct. 13 to act on the proposed amendments to the CCPA; if the amendments are signed, they will become part of the CCPA, which takes effect Jan. 1, 2020.
The proposed amendments include a few changes favorable to businesses preparing for CCPA compliance, most notably with regard to the new exemptions applicable to employee data and business-to-business communications. However, the CCPA’s new consumer privacy rights and security breach private right of action remain largely unchanged.
The following highlights key proposals in each amendment.
Employee Data (AB 25): One-Year Exemption
AB 25 amends the CCPA to exempt certain personal information collected from job applicants, employees, owners, directors, staff, officers, and contractors of a business from most requirements of the CCPA for one year, until Jan. 1, 2021.
This information includes (1) personal information collected about a person as a job applicant, employee, owner, director, officer, medical staff member, or contractor of that business; (2) personal information collected and used solely for the purpose of maintaining emergency contact information; and (3) personal information collected and used solely to administer benefits to an individual.
This information will be exempted from most of the CCPA’s requirements, including the requirements that businesses offer consumers opt-out, access, and deletion rights. However, AB 25 does not alter (1) the requirement that businesses provide a CCPA-compliant privacy notice to job applicants, employees, owners, directors, staff, officers, and contractors, or (2) the right of job applicants, employees, owners, directors, staff, officers, and contractors to bring a private civil action for data breaches.
The California Legislature is expected to consider more comprehensive employee privacy legislation next year before the employee-specific exemptions created by AB 25 expire on Jan. 1, 2021.
AB 25 also adds language regarding consumer requests, stating that a business “may require authentication of the consumer that is reasonable in light of the nature of the personal information requested,” without requiring “the consumer to create an account with the business in order to make a verifiable consumer request.” However, “[i]f the consumer maintains an account with the business, the business may require the consumer to submit the request through that account.”
Definitions of ‘Personal Information’ and ‘Publicly Available Information’ (AB 874)
AB 874 clarifies the definitions of “personal information” and “publicly available information.” The amendment removes from the definition of “publicly available information” a carve-out for information “used for a purpose that is not compatible with the purpose for which the data is maintained and made available in the government records or for which it is publicly maintained.”
The removal of this qualification substantially broadens the scope of information considered publicly available. Under the amendment, “publicly available information” is now defined as information that “is lawfully made available from federal, state, or local government records.”
The amendment also clarifies that “personal information” includes information “that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The reasonableness standard now applies both to information that “is reasonably capable of being associated with . . . a particular consumer or household” and to information that “could reasonably be linked, directly or indirectly, with a particular consumer or household.” (Emphasis added.)
Vehicle Information (AB 1146)
AB 1146 provides further clarification on the definition of “personal information” by exempting vehicle information and vehicle ownership information that is retained or shared by dealers and vehicle manufacturers for purposes of a warranty repair or recall-related vehicle repair. The dealer or vehicle manufacturer receiving such information cannot sell, share, or use that information for any other purpose.
Business-to-Business Communications (AB 1355): One-Year Exemption
AB 1355 creates a one-year exemption from CCPA coverage for certain business-to-business (B2B) communications or transactions. Similar to the employee personal information exemption, this exemption created by AB 1355 sunsets on Jan. 1, 2021, with the expectation that the California Legislature will determine a more permanent approach next year.
As amended by AB 1355, personal information about an employee, owner, director, officer or contractor of a business or government agency collected by a business within the context of the business conducting due diligence or providing or receiving a product or service would be exempt from certain CCPA requirements.
Moreover, the amendment clarifies that a business is not required to “collect personal information that it would not otherwise collect in the ordinary course of its business” or to “retain personal information for longer than it would otherwise retain such information in the ordinary course of its business.”
AB 1355 also broadens the existing Fair Credit Reporting Act (FCRA) exemption, clarifying that the exemption applies to any FCRA “activity involving the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living.”
AB 1355 further clarifies that “deidentified or aggregate consumer information” is excluded from the definition of “personal information.”
AB 1355 also amends the CCPA private right of action to apply only to “personal information” that is “nonencrypted and nonredacted.” Previously, the consumer private right of action applied to “nonencrypted or nonredacted” personal information that “is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.” The amendment narrows the scope of the consumer private right of action.
Finally, the amendment provides the California attorney general with additional authority to adopt regulations to “establish rules and procedures on how to process and comply with verifiable consumer requests relating to” household information “in order to address obstacles to implementation and privacy concerns.” The CCPA already authorizes the California attorney general to issue regulations in other specified areas and as necessary.
Methods for Submitting a Consumer Request (AB 1564)
AB 1564 modifies the methods by which consumers may submit requests for information regarding the use of their personal information. The CCPA required businesses to provide at least two methods to submit such requests, including, at a minimum, a toll-free number and, if the business maintains a website, a website address.
However, AB 1564 added a narrow exception: A business that operates exclusively online and has a direct relationship with a consumer is only required to provide an email address for submitting such requests. The amendment also added that if a business maintains an internet website, consumers must be able to submit requests through the business’s website.
Not Passed: Loyalty Programs (AB 846)
One amendment, AB 846, would have clarified the application of certain nondiscrimination provisions to loyalty programs. It passed through the Senate Appropriations Committee with the bills discussed above, but did not pass the California Legislature.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Reece Hirsch is a partner in the San Francisco office of Morgan Lewis and co-head of the firm’s Privacy & Cybersecurity practice.
Kristin Hadgis and Terese Schireson are associates in the Morgan Lewis Philadelphia office.
Lauren Groebe is an associate in the Morgan Lewis Chicago office.