The California legislature passed six amendments to the California Consumer Privacy Act (CCPA) that are on their way to Governor Gavin Newsom’s desk. The Governor has until October 13, 2019, to act on the amendments. With the end of the legislative session on September 13, this means that should the Governor sign all the amendments, the CCPA will take effect on January 1, 2020, as planned, with a few changes.
What do the amendments mean for businesses and consumers? Probably the most significant changes are those with respect to the exclusion of employee information and B2B communications and transactions for one year, until January 1, 2021. Another important change would eliminate the requirement of a toll-free number as one of the two methods for consumers to submit requests for businesses that operate exclusively online. The legislature also made a couple of changes regarding verifiable consumer requests: notably, it added the requirement that if a consumer already has an account with a business, the consumer request must be made through that account, and it added language giving the California Attorney General (AG) additional rulemaking authority with respect to verifiable consumer requests.
Here is a summary of the highlights of the bills that passed:
1. AB 25 – Job applicant/employee personal information – one-year exemption
This bill exempts from the CCPA personal information (PI) collected by a business in certain employment-related situations until January 1, 2021. PI collected by a business about a natural person acting as a job applicant to, employee of, owner of, officer of, medical staff member of, or contractor of the business, to the extent the PI is collected and used solely in those contexts, would be exempt from the CCPA.
This bill also clarifies that a business must require reasonable verification of consumers in connection with their CCPA requests, and requires a consumer to use their existing account (if they have one) to make consumer requests. A business still may not ask a consumer to create an account simply in order to make the request.
2. AB 1355 – B2B communications – one-year exemption
This bill exempts from the CCPA B2B communications or transactions until January 1, 2021. B2B communications or transactions are exempt in instances in which the consumer is a natural person who is an employee, owner, director, officer, or contractor of a government agency or business whose communications or transactions with the business occur solely within the context of the business conducting due diligence regarding or providing or receiving a product or service to or from that business or government agency.
This bill also provides additional clarifications and other technical amendments to a variety of provisions:
- clarifies the Fair Credit Reporting Act (FCRA) exemption;
- specifies that businesses do not need to collect PI that they would not normally collect, or retain PI for longer than they otherwise would;
- provides additional rulemaking authority to the AG regarding compliance with verifiable consumer requests; and
- clarifies that a consumer’s private right of action is for data breaches of nonencrypted and nonredacted PI.
3. AB 1564 – Eliminates requirement for toll-free number for businesses that operate exclusively online
Currently, the CCPA requires businesses to have two or more designated methods for consumers to contact a business to make requests under the law, including a toll-free number and an internet website address. This bill changes the requirement to have a toll-free number if a business operates exclusively online and has a direct relationship with a consumer. In that instance, a business will only be required to provide an email address for consumers to submit their requests.
4. AB 874 – Clarifies the definition of Personal Information and what is “publicly available” information
This bill removes confusing language in the existing CCPA regarding what constitutes publicly available information and removes language regarding the purpose of the data in government records. Publicly available information would be defined as information that is lawfully made available from government records. This bill also clarifies that PI does not include consumer information that is de-identified and aggregate consumer information. The bill also adds that PI includes information that is “reasonably” capable of being associated with a particular consumer or household, as opposed to “capable” of being associated.
5. AB 1146 – Exempts a consumer’s PI if it is necessary for the business to retain for vehicle warranty or recall in accordance with federal law
This bill also includes an exemption from the consumer’s right to opt out of the sale of their PI with respect to vehicle ownership information shared between a new car dealer and the vehicle manufacturer for repairs covered under warranty or recall, provided that the dealer or manufacturer with which the information is shared does not sell, share or use that information for any other purpose.
6. AB 1202 – Requires data brokers to register with the California Attorney General (AG)
This bill requires the AG to create a publicly available registry of data brokers on its website. A data broker is defined as a business that knowingly collects and sells to third parties the PI of a consumer with whom the business does not have a direct relationship. This provision adds transparency for consumers to be able to understand how their data are used and who is collecting their data.