As we have discussed before, the California Consumer Privacy Act (“CCPA”) is forcing entities doing business in California to critically examine their information collection and sharing practices. Although California signed it into law last year, the CCPA does not go into effect until January 1, 2020. Last month, the California Legislature passed six amendments to the CCPA that will affect how businesses operate, while also affording California residents their newfound rights.
I. Limiting Personal information & Publicly Available Information (AB-874).
The CCPA, before this amendment, defined “personal information” as any information that “is capable of being associated with… a particular consumer or household.” This amendment changes that language to any information that “is reasonably capable of being associated with… a particular consumer or household.” This is an attempt to clarify and limit the scope of personal information and what information is “capable of being associated with” a consumer. Much like other areas of the law, we expect contentious debate over what is “reasonable” when anticipating association with a particular consumer or household. Additionally, the definition of “personal information” will now exclude de-identified or aggregated consumer information. This amendment also removes restricting language on what information is treated as “publicly available” and simply states that it is information made available by federal, state, or local governments.
II. Employee Personal Information is Temporarily Exempt (AB-25).
This amendment exempts certain personal information from the CCPA, until January 1, 2021, when personal information is collected from a natural person in the course of that “natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business.” This exemption also applies to personal information of such persons in a business-to-business relationship. Additionally, if a consumer has an existing account with a business, this amendment requires that consumer to use that existing account when exercising her right to request information about the personal information held by the business. However, this amendment continues to prohibit businesses from asking a consumer to create an account for the purpose of making a request about their data.
III. Submission of Data Subject Requests for Online Businesses (AB-1564).
Before this amendment, the CCPA required businesses to make available to consumers two (2) or more designated methods for submitting requests, such as an email address and a toll-free number. This amendment changes this requirement for businesses that operate exclusively online and have a direct relationship with consumers. These businesses are only required to provide an email address for submitting requests. Lastly, if a business maintains an internet website, the business must make the website available to consumers to submit requests.
IV. Failure to Safeguard Personal Information (AB-1355).
If their personal information was subject to unauthorized access and exfiltration or theft, Consumers have the ability to commence a civil action against a business that fails to implement or maintain reasonable security procedures and practices. However, this amendment exempts personal information that was collected or used for a “consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by specified parties, including a consumer reporting agency.” Additionally, personal information pertaining to a written or verbal communication or transaction between a business and a consumer, for the purpose of conducting due diligence or providing a product or service, is exempt from the CCPA until January 1, 2021.
V. Vehicle Warranty or Recall Pursuant to Federal Law (AB-1146).
Generally, a business may sell a consumer’s data to a third party unless the consumer opts out of such a sale. However, this amendment prohibits a consumer from opting out of vehicle information or ownership information that is retained or shared between a new motor vehicle dealer and the manufacturer when the information is used for the purpose of a repair covered by a warranty or recall. Lastly, information necessary for the business to maintain or fulfill the terms of a written warranty or product recall in accordance to federal law is not subject to a consumer’s deletion request.
VI. Data Brokers Must Register with California Attorney General (AB-1202).
This amendment requires data brokers to register with the Attorney General (“AG”), in which the AG would make the information provided by the data brokers available on its website. A data broker is a business that has no direct relationship to consumers, but knowingly sells consumers’ personal information to third parties. Data brokers that fail to register are subject to injunction and civil penalties in an action brought by the AG.
Although this is the last batch of amendments prior to the January 1, 2020 effective date, the reality is that the California Legislature will likely continue to amend the CCPA as the courts and Attorney General’s office face questions over implementation and enforcement. And while the CCPA may be subject to change, it is never too early to begin preparing your company to address CCPA or its requirements. In truth, whether your business is subject to the CCPA or not, we emphasize the importance of identifying how the requirements of laws like the CCPA, GDPR and others affect your business and the way you use data. Strategizing now about how your company will achieve and maintain compliance is more critical than ever as more states adopt their own laws targeted at protecting privacy and getting accountability from businesses. Indeed, a good privacy and security program is the cost of doing business today.
To review Taft’s previous analysis of the CCPA, check out the Privacy and Data Security Insight archives for the first, second, and third part of our ongoing series on the CCPA. For more information on the CCPA or other privacy matters, please contact Taft’s Privacy and Data Security Team.