On October 11, 2019, California Governor Gavin Newsom signed into law five bills amending the California Consumer Privacy Act (CCPA). The CCPA is currently the most robust privacy law in the United States. With an effective date of January 1, 2020, all eyes have been on the California legislature for anticipated amendments that would provide much clarification on the scope of the CCPA. This legal update reviews those amendments signed by Governor Newsom.
Employer Exemption (AB-25)
AB 25 amended the CCPA to add Sec. 1798.145(g). For a period of one year, the amendment exempts from the CCPA any Personal Information collected by a business from a job applicant, owner, director, officer, medical staff member or contractor (hereinafter referred to as an employee), to the extent that the information was collected solely in the employment context. Specifically, the business would be exempt from complying with a consumer’s right to access, delete, and opt out until January 1, 2021. The amendment also applies to Personal Information collected by a business that is emergency contact information of an employee or information retained to administer benefits to a person related to employee.
The amendment does not exempt businesses from informing employees of the categories of Personal Information to be collected and the purposes for which the Personal Information shall be used prior to the point of collection under Section 1798.100(b). Moreover, the exemption does not apply to Section 1798.150 of the CCPA; employees may institute a civil action against the business if an employee’s Personal Information is compromised in a data breach.
Although AB 25 relieves much pressure for businesses when it comes to employee’s rights under the CCPA, businesses must continue to perform data mapping of employee information to adequately inform employees of how their Personal Information may be used by the business. The sunset provision opens the door for further discussions on whether employee data should be treated as Personal Information that needs to be protected like under the European Union’s General Data Protection Regulation (GDPR), or if it should be excluded under the CCPA.
Publicly Available Information (AB 874)
AB 874 amends the definition of Personal Information. The CCPA excludes publicly available information from the definition of Personal Information. The amendment removes the condition that the publicly available information must be used for a purpose that is compatible with the purpose for which the data was maintained in the government records.
Vehicle Information Exemption (AB 1146)
AB 1146 clarifies the right to opt-out of sharing Personal Information associated with a vehicle. Specifically, vehicle ownership information shared between a dealer and manufacturer is excluded from the opt-out right provided when the information is shared for the purpose of effectuating a vehicle repair covered under a vehicle warranty or a vehicle recall, and the dealer and the manufacturer cannot sell, share or use such information for any other purpose. Furthermore, AB 1146 limits the right to delete Personal Information about the consumer if the Personal Information is necessary for the business to fulfill the terms of a warranty or a product recall.
Business to Business Exemption & Additional Clarifications (AB 1355)
AB 1355 added a one-year exemption for Personal Information collected through business-to-business transactions when that information is either collected (1) in the context of due diligence; or (2) through the provision or receipt of a product or service, except for the rights to opt-out of the sale of one’s personal information, non-discrimination and private right of action for data breaches. The exemption expires on January 1, 2021.
This amendment also clarifies that:
- The use or disclosure of Personal Information by a consumer reporting agency, furnisher of information, or user of a consumer report is exempt from the CCPA so long as the use or disclosure is permissible under Fair Credit Reporting Act (“FCRA”). This exemption will not apply, however, under the CCPA’s private right of action for data breaches.
- A class action lawsuit may not be brought with Personal Information implicated in a data breach encrypted or redacted.
- The definition of Personal Information excludes de-identified or aggregated Personal Information.
- Businesses are not required to collect personal information that it would not otherwise collect in the ordinary course of its business, or retain personal information for longer than it would otherwise retain such information in the ordinary course of its business.
- Under the anti-discrimination provision, the reasonableness of charging a different price or rate providing a different level or quality of goods or services is based on the value provided to the business, as opposed to the consumer.
Toll-Free Telephone Number Exemption (AB 1564)
This amendment adds an exception for those businesses that operate exclusively online and have a direct relationship with the consumer to only provide an email address for submitting requests to exercise individual rights under CCPA. Currently, the CCPA requires businesses provide two methods for consumers to exercise their rights which include a toll-free telephone number and an email address. Those businesses operating exclusively online will no longer be required to provide a toll-free telephone number.
The anticipated CCPA amendments provide much needed clarification of the scope of the CCPA. Since the California Legislature finished its session on September 13, there will be no additional changes to the Act before its January 1, 2020, effective date. Additional guidance on how to comply with the Act is expected from the California Attorney General. On October 10, 2019, the Attorney General released proposed implementing regulations and, before issuing final regulations, will hold four public hearings regarding the proposed rulemaking, with the first hearing scheduled for December 2, 2019.