Amendments to the California Consumer Privacy Act Signed Into Law
As we near the January 1, 2020 effective date of the California Consumer Privacy Act (CCPA), the California legislature has passed seven amendments to the expansive privacy statute: AB 25, 874, 1130, 1146, 1202, 1355, and 1564. Notably, the amendments modify the definition of personal information, and alleviate some business concerns by expanding a business’ ability to verify consumer requests under the CCPA. Additionally, the amendments provide a limited exception relating to the collection and retention of human resources information, though the exemption is effective only until January 1, 2021.
Importantly, a “business-to-business” exception was also added, similarly effective until January 1, 2021. However, neither temporary exception provides a safe harbor from a private right of action under the CCPA if the human resources or business-to-business information is subject to unauthorized access due to an information security incident. Lastly, the Attorney General’s rulemaking and guidance powers under the CCPA have been significantly expanded.
Below is a synopsis of the significant changes to the CCPA, which were passed by the legislature on September 20, 2019, and signed by Governor Newsom on October 11, 2019, the same day the California Attorney General released the much-anticipated draft CCPA regulations.
The Definition of What Is and What Is Not “Personal Information”
The definition of “personal information” in the CCPA has been amended to add the word “reasonably” in two additional places:
“Personal information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following if it identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household… (emphasis added)
The definition of “publicly available” has also been amended. Publicly available information is not personal information under the CCPA. However, the definition of “publicly available” has been broadened by removing language exempting information from the “publicly available” definition.
Specifically, under the CCPA as amended, data used for a purpose that is not compatible with the purpose for which it is maintained and made public in government records, and consumer information that is deidentified or aggregated, now fall within the definition of “publicly available” and, therefore, fall outside the definition of personal information.
The Human Resources Information Exception
Effective until January 1, 2021, the amendment limits the extent to which the CCPA is applicable to personal information collected by a business about a person in the course of that person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business, to the extent that the information is collected and/or used solely within the context of that person’s role with the business.
Collection of emergency contact information and personal information necessary to retain or administer benefits for third persons relating to persons acting in the above roles is also excepted. However, the exception does not apply to: 1) a business’ obligation to inform consumers as to the categories of personal information to be collected, and the purposes for which the information is used; and 2) the private right of action that the CCPA creates for consumers whose personal information is subject to unauthorized access, exfiltration, theft, or disclosure as a result of a business’ failure to maintain reasonable security to protect the information.
The Business-to-Business Exception
Effective until January 1, 2021, the CCPA does not apply where the subject personal information is received from a consumer who is acting as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency, and where the communication or transaction occurs within the context of the business conducting due diligence regarding the receipt or provision of a product or service.
This “business-to-business” exception does not exempt businesses from the private right of action granted to consumers whose personal information is subject to unauthorized access, exfiltration, theft, or disclosure as a result of a business’ failure to maintain reasonable security to protect the information.
Verification of Consumer Requests/Methods of Request Submission
Under the law as amended, businesses may require verification of the consumer’s identity that is reasonable in light of the information requested. Although a business cannot require a consumer to create an account to submit a CCPA request, the statute has been amended to allow businesses to require submission of requests through an account if the consumer already maintains an account with the business.
The amendments also provide the state’s attorney general with authority to establish rules and procedures on how to process and comply with verifiable consumer requests for specific pieces of personal information in order to address obstacles to implementation, privacy concerns, and as necessary in furtherance of the CCPA’s objectives.
For exclusively e-commerce businesses, the amendments remove the requirement that the business maintain at least two methods for submission of consumer requests for information under Cal. Civ. Code 1798.110 (consumer right to information regarding collection of personal information and purpose for collection) and Cal. Civ. Code 1798.115 (consumer right to information regarding sale of personal information, including categories of third parties to whom information was sold).
Instead, the CCPA allows businesses that operate exclusively online and have direct relationships with the consumers from whom they collect information to provide only an email address for submitting requests for information. Other businesses must still maintain at least two methods for receiving CCPA information requests, including a toll-free phone number. Additionally, the CCPA has been amended to require that all businesses that maintain an internet website maintain a portal on the website for consumer information requests.
CCPA Disclosure Clarifications
The CCPA provides consumers the right to request the categories of personal information that a business has sold about the consumer, and the categories of third parties to whom the personal information has been sold. The previous version of the CCPA required businesses to list this information by category of personal information for each specific third party to whom the information has been sold. The CCPA now requires disclosure of the categories of personal information sold listed by category (or type) of third party to whom the information was sold. This amendment has the practical effect of no longer requiring a business to disclose the names of third parties to whom it has sold a consumer’s personal information in response to a consumer request under Section 1798.115.
Changes to the CCPA’s Anti-Discrimination Requirements
The CCPA previously allowed a business to charge a consumer a different price or offer a different level or quality of goods or services to a consumer, if the difference was reasonably related to the value provided to the consumer by the business’ collection of the consumer’s personal information. Now, conversely, the calculation is based upon the value that the collection of information provides to the business.
The Motor Vehicle and Warranty Exceptions
The amendments provide additional exceptions to a consumer’s rights under the CCPA to: 1) request that a business delete any personal information about the consumer that the business has collected, and 2) opt out of the sale of their personal information.
First, there now exists an exception to the right of deletion if maintenance of the personal information collected by a business is necessary to fulfill the terms of a written warranty or product recall conducted in accordance with federal law. Second, the consumer’s right to opt out of the sale of personal information does not apply to vehicle or ownership information retained or shared between a new motor vehicle dealer and the vehicle’s manufacturer if that information is shared for the purpose of effectuating, or in anticipation of effectuating, a vehicle repair covered by a vehicle warranty or recall.
The exception does not apply to vehicle or ownership information sold, shared, or used for any other purpose.
The Fair Credit Reporting Act Exception
The amendments clarify the inapplicability of the CCPA to any activity related to the collection, sale, communication, or use of consumer reports to the extent that the activity is regulated by the Fair Credit Reporting Act.
General Scope of the CCPA
The scope of the CCPA has been amended to clarify that a business’ obligations to honor consumer requests do not require a business to collect personal information it would not otherwise collect in the ordinary course of its business, or maintain personal information for longer than it would otherwise.