Interested parties and privacy professionals have all been anxiously awaiting how legislative activity would shake out before the California Consumer Privacy Act (“CCPA”) is implemented January 1, 2020. Now that the dust has settled inside the golden dome in Sacramento and the state legislature’s 2019 session has come to a close, we can see which bills passed and will be provided to Governor Gavin Newsom, who has until October 13th to either veto these bills or sign them into law.
Overall, the CCPA remains relatively intact, despite intense industry interest. It also seems that the amendments leave a number of unanswered questions about CCPA compliance.
Here is the full list of the amendments awaiting the governor’s signature:
Data Broker Registration: AB-1202 requires data brokers to register with the State Attorney General (“AG”) and provide certain information to the AG. Data brokers are defined as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” This definition is subject to provided exceptions. The AG will make the information provided by data brokers accessible via its website. The AG is granted certain enforcement powers.
Employee and Business Exemption: AB-25 carves out employee from the definition of “consumer” and has been narrowed to include a notice requirement for employers. This amendment also provides a limited exemption for personal information collected in the context of a business-to-business relationship. To fall in this exemption, the individual must be acting as an employee, owner, director, officer, or contractor of a business, and the personal information exchanged must be in the context of a business relationship. It also sunsets on January 1, 2020, thus committing the Legislature and interested parties to take up more comprehensive privacy legislation on these topics in 2020. These individuals retain the CCPA rights to bring a private action for a data breach. Mintz will present a webinar on October 22nd discussing employer obligations under the CCPA – mark your calendar!
Publicly Available Information: AB-874 excludes information obtained from government records from the definition of “personal information,” regardless of how that information is used. It also clarifies that de-identified or aggregate information is not “personal information.” This amendment also adds the word “reasonably” in front of “capable of being associated with” in the definition of “personal information,” but did not delete or define “household,” as had been hoped.
Vehicle Warranties and Recalls: AB-1146 excludes the sharing of vehicle information or ownership information as between a new motor vehicle dealer and the OEM from the right to opt-out if that sharing is for warranty repair or recall purposes.
Clarifying Amendments & Exemptions: AB-1355 narrows the disclosure requirement to categories of third parties to which information is sold, rather than requiring such disclosure on a specific party-by-party basis and allows for differential treatment of a consumer reasonably related to the value of the consumer’s information to the business. Meanwhile AB 846, which would have excluded loyalty programs from non-discrimination if the loyalty program offer is for a specific good or service whose functionality is “directly related to the collection, use, or sale of the consumer’s data” did not pass.
Consumer Request for Disclosure Methods: AB-1564 adds an exception to the method of contact that permits “a business that operates exclusively online and has a direct relationship with a consumer from whom it collects personal information” to only provide an email address for submitting requests to exercise various CCPA rights.
The next shoe to drop with respect to the CCPA will be draft regulations or guidance from the California Attorney General’s office, expected later this fall. However, given the scope and impact of the CCPA, businesses should not wait to implement CCPA compliance, as it could require changes to operations. Remember, the CCPA can apply to businesses even they do not have offices or employees in California and can reach activities conducted outside of California.
Watch this space for more #CCPA news, as well as important analysis of how these amendments will affect certain business models and CCPA compliance efforts.