September 13 was the final day for the California legislature to pass bills amending the California Consumer Privacy Act (CCPA) prior to its January 1, 2020, effective date. After months of speculation and anticipation, we finally have clarity (subject to the Governor’s approval) on the CCPA’s provisions.
Although there were changes – and both business and privacy advocates are claiming victories – the CCPA did not undergo a dramatic change. For businesses, the most notable changes are the addition of limited exemptions for the personal information of employees and business to business contacts as well as changes to the definition of personal information. On the other hand, privacy advocates will point to what did not change, namely, the CCPA retained its core privacy rights.
Below we discuss the changes.
Definition of Personal Information
The CCPA will now provide that information must be “reasonably” capable of being associated with a consumer or household to qualify as personal information subject to the Act. That change may seem slight but business advocates believe it will create a more workable standard. Conversely, privacy advocates have argued that businesses could use it to weaken the CCPA’s application.
The amendments also clarify that deidentified and aggregate information is not personal information. Although there were other provisions of the CCPA that could be relied upon to reach that conclusion, the clarification was welcome news for those interpreting the statute.
Additionally, the amendments modified the CCPA’s definition of publicly available information, which is excluded from the CCPA’s definition of personal information. The CCPA will no longer require that publicly available information be used for a purpose compatible with the purpose for which it is maintained and made available in government records or for which it is publicly maintained. That qualification had substantially restricted what information could be considered publicly available.
On the other hand, Assembly Bill 873, which would have linked the CCPA’s definition of “deidentified” to FTC guidance, did not pass. The CCPA’s definition of deidentified is considered to be more stringent than the FTC guidance, potentially creating compliance headaches for businesses.
Employee Information Exemption
One of the more significant amendments was the inclusion of an exemption for employee information. The premise for the change is that the CCPA is intended to cover consumer, not employee, information and that the potential unintended consequences of the CCPA applying to employee information were undesirable.
The new language exempts personal information that is collected by a business about a California resident in the course of the person acting as a job applicant, employee, owner, director, officer, medical staff member, or contractor of the business, provided the business uses the personal information only within that same context. The exemption also applies to certain emergency contact information and information necessary to administer benefits.
Of note, the exemption does not apply to § 1798.100(b), which requires businesses to inform California residents, at or before the point of collection, of the categories of personal information to be collected and the purposes for which the information will be used. It also does not apply to the CCPA’s private right of action. Thus, a business still has obligations to employees under the CCPA to provide notice of what information is collected and to use reasonable data security measures to store such employee data. Finally, the provision contains a one-year sunset clause, providing that it will become inoperative on January 1, 2021.
Business to Business Exemption
In a last-minute (but highly negotiated) change, the CCPA now will exclude personal information collected in the context of certain business-to-business transactions. The CCPA will not apply to personal information conveyed between a business and a California resident when that California resident is acting as an employee, owner, director, officer, or contractor of an entity, if the communication or transaction occurs solely within the context of “the business conducting due diligence regarding, or providing or receiving a product or service to or from such company, partnership, sole proprietorship, nonprofit, or government agency.”
The exemption does not apply to the CCPA’s right to opt out of sales or to its anti-discrimination provision. It also does not apply if the business is collecting information from that individual in a non-business context. Finally, the business-to-business exemption has a one-year sunset provision like the employee information exemption.
The legislature also revised the CCPA’s anti-discrimination provision to provide that a business may offer a different price, rate, level, or quality of goods or services to the consumer if that price or difference is directly related to the value provided to the business by the consumer’s data. The CCPA previously provided that the difference must be directly related to the value provided to the consumer by the consumer’s data. Privacy advocates have argued that the change, while slight, effectively eliminates the anti-discrimination provision as applied in certain contexts.
Children’s Opt-In Procedure
A minor but potentially important change is that the legislature clarified the triggering ages for parental consent under the CCPA’s children’s opt-in to sales provision. Specifically, the CCPA will now provide that “a business shall not sell the personal information of consumers if the business has actual knowledge that the consumer is less than 16 years of age, unless the consumer, in the case of consumers at least 13 years of age and less than 16 years of age, or the consumer’s parent or guardian, in the case of consumers who are less than 13 years of age, has affirmatively authorized the sale of the consumer’s personal information.” This is notable in that it recognizes the legal authority of minors aged 13 to 16 to provide legally binding consent in a contractual setting.
Private Right of Action
Two important changes were made to the CCPA’s private right of action. First, § 1798.150 was amended to clarify that personal information that is either encrypted or redacted will not be subject to the private right of action. The previous language confusingly required both.
Second, Assembly Bill 1130, while not directly amending the CCPA, expanded the types of personal information covered by California’s data breach notification and information security statutes. Those statutes will now include tax identification numbers, passport numbers, military identification numbers, or unique identification numbers issued on a government document as well as certain types of unique biometric data. Because the CCPA’s private right of action is tied to the definition of personal information in the data breach notification statute (and not the CCPA’s broader definition), the addition of new data elements to the data breach notification statute effectively expands liability under the private right of action.
Notably, SB 561, which would have expanded the private right of action to cover all of the CCPA’s privacy rights, did not make it out of committee.
Authentication of Verifiable Consumer Requests
Businesses subject to the CCPA also will be relieved to learn that modifications were made to the verifiable consumer requests provision. The CCPA was amended to state that a business “may require authentication of the consumer that is reasonable in light of the nature of the personal information requested.” Business advocates argued that the change was necessary to ensure that businesses do not turn over personal information to identity thieves. Conversely, privacy advocates argued that businesses could use the modification to make it more difficult for consumers to exercise their rights, such as by requiring that requests be notarized. It is worth noting that the Attorney General must still publish regulations on verifiable consumer requests, and we will have further guidance on compliance with this requirement upon the release of the Attorney General’s draft regulations.
Additionally, the CCPA was modified to provide that if “the consumer maintains an account with the business, the business may require the consumer to submit the request through that account.” That provision is notable insofar as it will allow businesses to leverage existing account identity verification procedures in this context.
Another important amendment is that the CCPA will now specifically state that it will not require a business to “collect personal information that it would not otherwise collect in the ordinary course of its business” or “retain personal information for longer than it would otherwise retain such information in the ordinary course of its business.” The CCPA’s prior ambiguity on those issues proved frustrating for entities that sought to minimize their compliance obligations (and class action exposure) by not collecting or not retaining personal information. These changes fall in line with a fundamental tenet of privacy law that you should collect only what you need and dispose of information you no longer need.
Additional Category for Attorney General Guidance
One interesting change is that the Attorney General now is authorized to promulgate regulations on how businesses should “process and comply with verifiable consumer requests for specific pieces of personal information relating to a household in order to address obstacles to implementation and privacy concerns.” That revision was made to § 1798.185(b) and not § 1798.185(a), the section that houses the other seven topics for Attorney General regulations. Presumably, this was done to avoid the requirement to “solicit broad public participation” before issuing the regulations.
Right to Be Forgotten
The amendments also slightly modified the CCPA’s right to be forgotten by providing that a business does not need to delete personal information if it is needed to fulfill the terms of a written warranty or product recall conducted in accordance with federal law.
Assembly Bill 1355 also modifies the CCPA’s treatment of personal information used by credit reporting agencies and creates a new exemption for certain types of information shared in the context of motor vehicle transactions. In addition, the amendments made minor changes to the online privacy notice disclosure requirements and training requirements, and fixed a number of grammatical errors and internal cross-references.
Businesses subject to the CCPA will want to closely review the above changes to determine how they may impact their compliance efforts. With the legislative session now closed, businesses will finally have certainty as to the CCPA’s text (pending the Governor’s signature). The next piece of the puzzle will be the Attorney General’s issuance of draft interpretative regulations, which are due to be published this fall.