As we have discussed before, the California Consumer Privacy Act (“CCPA”) is forcing entities doing business in California to critically examine their information collection and sharing practices. Although California signed it into law last year, the CCPA does not go into effect until January 1, 2020. Last month, the California Legislature passed six amendments to the CCPA that will affect how businesses operate, while also affording California residents their newfound rights.

I. Limiting Personal Information & Publicly Available Information (AB-874).
The CCPA, before this amendment, defined “personal information” as any information that “is capable of being associated with… a particular consumer or household.” This amendment changes that language to any information that “is reasonably capable of being associated with… a particular consumer or household.” This is an attempt to clarify and limit the scope of personal information and what information is “capable of being associated with” a consumer. Much like other areas of the law, we expect contentious debate over what is “reasonable” when anticipating association with a particular consumer or household. Additionally, the definition of “personal information” will now exclude de-identified or aggregated consumer information. This amendment also removes restricting language on what information is treated as “publicly available” and simply states that it is information made available by federal, state, or local governments.

II. Employee Personal Information is Temporarily Exempt (AB-25).
This amendment exempts certain personal information from the CCPA, until January 1, 2021, when personal information is collected from a natural person in the course of that “natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business.” This exemption also applies to personal information of such persons in a business-to-business relationship. Additionally, if a consumer has an existing account with a business, this amendment requires that consumer to use that existing account when exercising her right to request information about the personal information held by the business. However, this amendment continues to prohibit businesses from asking a consumer to create an account for the purpose of making a request about their data.

III. Submission of Data Subject Requests for Online Businesses (AB-1564).
Before this amendment, the CCPA required businesses to make available to consumers two (2) or more designated methods for submitting requests, such as an email address and a toll-free number. This amendment changes this requirement for businesses that operate exclusively online and have a direct relationship with consumers. These businesses are only required to provide an email address for submitting requests. Lastly, if a business maintains an internet website, the business must make the website available to consumers to submit requests.

IV. Failure to Safeguard Personal Information (AB-1355).
If their personal information was subject to unauthorized access and exfiltration or theft, consumers have the ability to commence a civil action against a business that fails to implement or maintain reasonable security procedures and practices. However, this amendment exempts personal information that was collected or used for a “consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by specified parties, including a consumer reporting agency.” Additionally, personal information pertaining to a written or verbal communication or transaction between a business and a consumer, for the purpose of conducting due diligence or providing a product or service, is exempt from the CCPA until January 1, 2021.

V. Vehicle Warranty or Recall Pursuant to Federal Law (AB-1146).
Generally, a business may sell a consumer’s data to a third party unless the consumer opts out of such a sale. However, this amendment prohibits a consumer from opting out of vehicle information or ownership information that is retained or shared between a new motor vehicle dealer and the manufacturer when the information is used for the purpose of a repair covered by a warranty or recall. Lastly, information necessary for the business to maintain or fulfill the terms of a written warranty or product recall in accordance with federal law is not subject to a consumer’s deletion request.

VI. Data Brokers Must Register with California Attorney General (AB-1202).
This amendment requires data brokers to register with the Attorney General (“AG”), and the AG would make the information provided by the data brokers available on its website. A data broker is a business that has no direct relationship to consumers, but knowingly sells consumers’ personal information to third parties. Data brokers that fail to register are subject to injunction and civil penalties in an action brought by the AG.

Although this is the last batch of amendments prior to the January 1, 2020 effective date, the reality is that the California Legislature will likely continue to amend the CCPA as the courts and Attorney General’s office face questions over implementation and enforcement. And while the CCPA may be subject to change, it is never too early to begin preparing your company to address CCPA or its requirements. In truth, whether your business is subject to the CCPA or not, we emphasize the importance of identifying how the requirements of laws like the CCPA, GDPR and others affect your business and the way you use data. Strategizing now about how your company will achieve and maintain compliance is more critical than ever as more states adopt their own laws targeted at protecting privacy and getting accountability from businesses. Indeed, a good privacy and security program is the cost of doing business today.

To review Taft’s previous analysis of the CCPA, check out the Privacy and Data Security Insight archives for the first, second, and third part of our ongoing series on the CCPA. For more information on the CCPA or other privacy matters, please contact Taft’s Privacy and Data Security Team.

Zachary Heck

Zach’s practice focuses on privacy, data security and artificial intelligence (“AI”) counseling. Specifically, Zach assists clients in the areas of privacy compliance, data governance, and guidance in the aftermath of an information security incident. He regularly advises organizations on the responsible development, deployment, and governance of artificial intelligence systems, including compliance with emerging state, federal, and international AI regulations. In addition, he counsels technology providers on the regulatory, security, and governance considerations associated with FinTech innovations, including blockchain, digital assets, and AI-driven financial tools.

Zenus Franklin

Zenus has wide-ranging experience with data governance and information technology, which brings a unique and vital perspective to his practice. He advises clients on data privacy matters, such as risk management, policy development, training, audits, website privacy policies and terms of use, website cookies, M&A due diligence, and data breach and incident response management. His expertise spans federal privacy regulations such as HIPAA, GLBA, FCRA, TCPA, FERPA, and COPPA, along with state laws governing the processing of personal information, such as the California Consumer Privacy Act and state Data Broker laws.  Additionally, Zenus provides guidance to clients on global data privacy matters, including the GDPR.

Scot Ganow

Scot is a partner at Taft and is chair of the firm’s Privacy, Security, and Artificial Intelligence Practice.  As a former chief privacy officer leveraging more than 10 years of management and compliance experience in Fortune 500 companies prior to law school, Scot brings a diverse business background to his practice at Taft.  Scot represents clients in a variety of sectors, including consumer reporting, construction, healthcare, broadband services, and manufacturing.